Differences
This shows you the differences between two versions of the page.
linux_wiki:firewall_firewall-cmd [2016/03/18 23:16] billdozor [Firewall: Firewall-Cmd]
linux_wiki:firewall_firewall-cmd [2019/05/25 23:50]
Line 1: | Line 1: | ||
- | ====== Firewall: Firewall-Cmd ====== | ||
- | **General Information** | ||
- | |||
- | firewall-cmd is the command line client for the firewalld daemon. It is default on Enterprise Linux 7.x. This is a zone based firewall. | ||
- | |||
- | **Checklist** | ||
- | * Distro(s): Enterprise Linux 7 | ||
- | |||
- | ---- | ||
- | |||
- | ====== Firewalld Components ====== | ||
- | |||
- | * firewall-config => GUI Frontend for firewalld | ||
- | * firewall-cmd => Cmd line frontend for firewalld | ||
- | * firewalld => Daemon that interacts with the Linux kernel' | ||
- | * cannot be used at the same time as iptables | ||
- | * iptables => Interacts with the Linux kernel' | ||
- | * cannot be used at the same time as firewalld | ||
- | |||
- | ---- | ||
- | |||
- | ===== Install Firewalld ===== | ||
- | |||
- | Install and start firewall packages (included by default on base, not minimum install) | ||
- | <code bash> | ||
- | yum install firewalld firewall-config | ||
- | systemctl start firewalld | ||
- | systemctl enable firewalld | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Firewall-Cmd Commands ===== | ||
- | |||
- | ==== Status ==== | ||
- | |||
- | * firewall-cmd method< | ||
- | * systemctl methods | ||
- | * check status< | ||
- | * is active?< | ||
- | * is enabled?< | ||
- | |||
- | ---- | ||
- | |||
- | ==== Zones ==== | ||
- | |||
- | View zone names | ||
- | <code bash> | ||
- | firewall-cmd --get-zones | ||
- | </ | ||
- | |||
- | View default zone | ||
- | <code bash> | ||
- | firewall-cmd --get-default-zone | ||
- | </ | ||
- | * Zone " | ||
- | |||
- | View only active zones and what interfaces are assigned to them | ||
- | <code bash> | ||
- | firewall-cmd --get-active-zones | ||
- | </ | ||
- | |||
- | Change default zone that is used when no zone is specified | ||
- | <code bash> | ||
- | firewall-cmd --set-default-zone=home | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ==== Interfaces ==== | ||
- | |||
- | **An interface can only be bound to 1 zone at a time.** | ||
- | |||
- | List interfaces that are bound to the default zone | ||
- | <code bash> | ||
- | firewall-cmd --list-interfaces | ||
- | </ | ||
- | |||
- | Bind an interface to the specified zone | ||
- | <code bash> | ||
- | firewall-cmd --add-interface=eth0 --zone=home | ||
- | </ | ||
- | * There will be zone conflict error if the interface is already bound to a different zone. In this case, you will want to change interfaces instead. | ||
- | |||
- | Change the zone that an interface is bound to the specified zone | ||
- | <code bash> | ||
- | firewall-cmd --change-interface=eth0 --zone=home | ||
- | </ | ||
- | * If you are changing an interfaces zone, chances are, you might also want to change the default zone displayed. See the Zones section above to do this. | ||
- | |||
- | ---- | ||
- | |||
- | ==== List Rules ==== | ||
- | |||
- | List all rules of the default zone (since no zone is specified) | ||
- | <code bash> | ||
- | firewall-cmd --list-all | ||
- | </ | ||
- | |||
- | List rules, specify zone | ||
- | <code bash> | ||
- | firewall-cmd --zone=home --list-all | ||
- | </ | ||
- | |||
- | List all zone's rules | ||
- | <code bash> | ||
- | firewall-cmd --list-all-zones | ||
- | </ | ||
- | * By default: Only the public zone will show as active and have an interface assigned to it. | ||
- | |||
- | ---- | ||
- | |||
- | ==== Add Rules ==== | ||
- | |||
- | === Types of Rule Changes === | ||
- | |||
- | * Runtime changes: Firewall-cmd commands in which " | ||
- | * Permanent changes: Firewall-cmd commands in which " | ||
- | * These changes do not take effect until a ' | ||
- | * Runtime changes are lost | ||
- | * Upon ' | ||
- | |||
- | === Source IPs/ | ||
- | |||
- | Allow source IP network for home zone (Runtime change) | ||
- | <code bash> | ||
- | firewall-cmd --zone=home --add-source=192.168.1.0/ | ||
- | </ | ||
- | |||
- | Allow source IP network for home zone (Permanent change) | ||
- | <code bash> | ||
- | firewall-cmd --zone=home --permanent --add-source=192.168.1.0/ | ||
- | firewall-cmd --reload | ||
- | </ | ||
- | |||
- | === Ports === | ||
- | |||
- | Allow port on default zone | ||
- | <code bash> | ||
- | firewall-cmd --permanent --add-port=80/ | ||
- | firewall-cmd --reload | ||
- | </ | ||
- | |||
- | === Services === | ||
- | |||
- | List predefined services | ||
- | <code bash> | ||
- | firewall-cmd --get-services | ||
- | </ | ||
- | |||
- | Add HTTPS service to default zone | ||
- | <code bash> | ||
- | firewall-cmd --add-service=https --permanent | ||
- | firewall-cmd --reload | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ==== Remove Rules ==== | ||
- | |||
- | === Source IPs/ | ||
- | Remove source IP network on " | ||
- | <code bash> | ||
- | firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/ | ||
- | firewall-cmd --reload | ||
- | </ | ||
- | |||
- | === Ports === | ||
- | |||
- | Remove port on default zone | ||
- | <code bash> | ||
- | firewall-cmd --permanent --remove-port=80/ | ||
- | firewall-cmd --reload | ||
- | </ | ||
- | |||
- | === Services === | ||
- | |||
- | Remove a service on default zone | ||
- | <code bash> | ||
- | firewall-cmd --permanent --remove-service=https | ||
- | firewall-cmd --reload | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ==== GUI: firewall-config ==== | ||
- | |||
- | Launch GUI, firewall-config | ||
- | <code bash> | ||
- | firewall-config | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== iptables notes ====== | ||
- | |||
- | You can use iptables, but it is recommended to use firewall-cmd instead. Using iptables instead of firewall-cmd requires disabling firewalld, installing iptables-services, | ||
- | |||
- | ---- |
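Review bot: the removal leaves no stub or link telling readers where this material went; every line from the `====== Firewall: Firewall-Cmd ======` heading through the `iptables notes` section is deleted and the 2019/05/25 side of the diff is empty, so either restore the page or leave a one-line pointer to the new location. If it is restored, two things are worth fixing at the same time: the `firewall-cmd --add-interface=eth0 --zone=home` and `firewall-cmd --change-interface=eth0 --zone=home` examples are shown only as runtime commands with no `--permanent` variant, which the page's own "Types of Rule Changes" bullets say are lost, and several lines are cut off in this rendering (`</`, `--add-source=192.168.1.0/`, `--add-port=80/`), so the closing code tags and the CIDR and port/protocol suffixes should be checked against the stored revision rather than recovered from this diff.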