linux_wiki:firewall_firewall-cmd

Differences


linux_wiki:firewall_firewall-cmd [2016/03/18 23:16]
billdozor [Firewall: Firewall-Cmd]
linux_wiki:firewall_firewall-cmd [2019/05/25 23:50]
Line 1: Line 1:
-====== Firewall: Firewall-Cmd ====== 
  
-**General Information** 
- 
-firewall-cmd is the command line client for the firewalld daemon. It is default on Enterprise Linux 7.x. This is a zone based firewall. 
- 
-**Checklist** 
-  * Distro(s): Enterprise Linux 7 
- 
----- 
- 
-====== Firewalld Components ====== 
- 
-  * firewall-config => GUI Frontend for firewalld 
-  * firewall-cmd => Cmd line frontend for firewalld 
-  * firewalld => Daemon that interacts with the Linux kernel's packet filter, Netfilter 
-    * cannot be used at the same time as iptables 
-  * iptables => Interacts with the Linux kernel's packet filter, Netfilter 
-    * cannot be used at the same time as firewalld 
- 
----- 
- 
-===== Install Firewalld ===== 
- 
-Install and start firewall packages (included by default on base, not minimum install) 
-<code bash> 
-yum install firewalld firewall-config 
-systemctl start firewalld 
-systemctl enable firewalld 
-</code> 
- 
----- 
- 
-===== Firewall-Cmd Commands ===== 
- 
-==== Status ==== 
- 
-  * firewall-cmd method<code bash>firewall-cmd --state</code> 
-  * systemctl methods 
-    * check status<code bash>systemctl status firewalld</code> 
-    * is active?<code bash>systemctl is-active firewalld</code> 
-    * is enabled?<code bash>systemctl is-enabled firewalld</code> 
- 
----- 
- 
-==== Zones ==== 
- 
-View zone names 
-<code bash> 
-firewall-cmd --get-zones 
-</code> 
- 
-View default zone 
-<code bash> 
-firewall-cmd --get-default-zone 
-</code> 
-  * Zone "public" applies to all interfaces (the catch all) by default. 
- 
-View only active zones and what interfaces are assigned to them 
-<code bash> 
-firewall-cmd --get-active-zones 
-</code> 
- 
-Change default zone that is used when no zone is specified 
-<code bash> 
-firewall-cmd --set-default-zone=home 
-</code> 
- 
----- 
- 
-==== Interfaces ==== 
- 
-**An interface can only be bound to 1 zone at a time.** 
- 
-List interfaces that are bound to the default zone 
-<code bash> 
-firewall-cmd --list-interfaces 
-</code> 
- 
-Bind an interface to the specified zone 
-<code bash> 
-firewall-cmd --add-interface=eth0 --zone=home 
-</code> 
-  * There will be zone conflict error if the interface is already bound to a different zone. In this case, you will want to change interfaces instead. 
- 
-Change the zone that an interface is bound to the specified zone 
-<code bash> 
-firewall-cmd --change-interface=eth0 --zone=home 
-</code> 
-  * If you are changing an interfaces zone, chances are, you might also want to change the default zone displayed. See the Zones section above to do this. 
- 
----- 
- 
-==== List Rules ==== 
- 
-List all rules of the default zone (since no zone is specified) 
-<code bash> 
-firewall-cmd --list-all 
-</code> 
- 
-List rules, specify zone 
-<code bash> 
-firewall-cmd --zone=home --list-all 
-</code> 
- 
-List all zone's rules 
-<code bash> 
-firewall-cmd --list-all-zones 
-</code> 
-  * By default: Only the public zone will show as active and have an interface assigned to it. 
- 
----- 
- 
-==== Add Rules ==== 
- 
-=== Types of Rule Changes === 
- 
-  * Runtime changes: Firewall-cmd commands in which "--permanent" is omitted. These changes take effect immediately, but don't survive a 'firewall-cmd --reload' command or system reboot. 
-  * Permanent changes: Firewall-cmd commands in which "--permanent" is included. 
-    * These changes do not take effect until a 'firewall-cmd --reload' command is issued. 
-    * Runtime changes are lost 
-    * Upon '--reload', active connections will not be interrupted, unless they are being allowed via a runtime rule. 
- 
-=== Source IPs/Networks === 
- 
-Allow source IP network for home zone (Runtime change) 
-<code bash> 
-firewall-cmd --zone=home --add-source=192.168.1.0/24 
-</code> 
- 
-Allow source IP network for home zone (Permanent change) 
-<code bash> 
-firewall-cmd --zone=home --permanent --add-source=192.168.1.0/24 
-firewall-cmd --reload 
-</code> 
- 
-=== Ports === 
- 
-Allow port on default zone 
-<code bash> 
-firewall-cmd --permanent --add-port=80/tcp 
-firewall-cmd --reload 
-</code> 
- 
-=== Services === 
- 
-List predefined services 
-<code bash> 
-firewall-cmd --get-services 
-</code> 
- 
-Add HTTPS service to default zone 
-<code bash> 
-firewall-cmd --add-service=https --permanent 
-firewall-cmd --reload 
-</code> 
- 
----- 
- 
-==== Remove Rules ==== 
- 
-=== Source IPs/Networks === 
-Remove source IP network on "home" zone 
-<code bash> 
-firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/24 
-firewall-cmd --reload 
-</code> 
- 
-=== Ports === 
- 
-Remove port on default zone 
-<code bash> 
-firewall-cmd --permanent --remove-port=80/tcp 
-firewall-cmd --reload 
-</code> 
- 
-=== Services === 
- 
-Remove a service on default zone 
-<code bash> 
-firewall-cmd --permanent --remove-service=https 
-firewall-cmd --reload 
-</code> 
- 
----- 
- 
-==== GUI: firewall-config ==== 
- 
-Launch GUI, firewall-config 
-<code bash> 
-firewall-config 
-</code> 
- 
----- 
- 
-====== iptables notes ====== 
- 
-You can use iptables, but it is recommended to use firewall-cmd instead. Using iptables instead of firewall-cmd requires disabling firewalld, installing iptables-services, and then enabling the iptables service. 
- 
----- 
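Review bot: the "Interfaces" subsection (`firewall-cmd --add-interface=eth0 --zone=home` and `--change-interface=eth0 --zone=home`) omits `--permanent`, so by the page's own "Types of Rule Changes" rule these bindings are runtime-only and are lost on `firewall-cmd --reload` or a reboot, which contradicts the expectation set by the "Add Rules" section where every example is shown in a permanent form with a following `--reload`. Suggest documenting a permanent variant alongside each interface command, e.g. `firewall-cmd --permanent --zone=home --change-interface=eth0` followed by `firewall-cmd --reload`, and noting in "Types of Rule Changes" that `--set-default-zone` is the exception: it is written to the permanent configuration immediately and needs neither `--permanent` nor `--reload`. A second small point for the same section: the "Zones" bullet says the "public" zone applies to all interfaces by default; it would be more precise to say the default zone applies to any interface (or source) that has not been explicitly bound to another zone, since an interface bound elsewhere is no longer covered by it, which is exactly the "zone conflict" case the Interfaces bullet describes.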
  • linux_wiki/firewall_firewall-cmd.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)