This is an old revision of the document!
Firewall: Firewall-Cmd
General Information
firewall-cmd is the command line client for the firewalld daemon. It is default on Enterprise Linux 7.x. This is a zone based firewall.
Checklist
- Distro: Enterprise Linux 7.x
Firewalld Components
- firewall-config ⇒ GUI Frontend for firewalld
- firewall-cmd ⇒ Cmd line frontend for firewalld
- firewalld ⇒ Daemon that interacts with the Linux kernel's packet filter, Netfilter
- cannot be used at the same time as iptables
- iptables ⇒ Interacts with the Linux kernel's packet filter, Netfilter
- cannot be used at the same time as firewalld
Install Firewalld
Install and start firewall packages (included by default on base, not minimum install)
yum install firewalld firewall-config systemctl start firewalld systemctl enable firewalld
Firewall-Cmd Commands
Status
- firewall-cmd method
firewall-cmd --state
- systemctl methods
- check status
systemctl status firewalld
- is active?
systemctl is-active firewalld
- is enabled?
systemctl is-enabled firewalld
Zones
View zone names
firewall-cmd --get-zones
View default zone
firewall-cmd --get-default-zone
- Zone “public” applies to all interfaces (the catch all) by default.
View only active zones and what interfaces are assigned to them
firewall-cmd --get-active-zones
Change default zone that is used when no zone is specified
firewall-cmd --set-default-zone=home
Interfaces
An interface can only be bound to 1 zone at a time.
List interfaces that are bound to the default zone
firewall-cmd --list-interfaces
Bind an interface to the specified zone
firewall-cmd --add-interface=eth0 --zone=home
- There will be zone conflict error if the interface is already bound to a different zone. In this case, you will want to change interfaces instead.
Change the zone that an interface is bound to the specified zone
firewall-cmd --change-interface=eth0 --zone=home
List Rules
List all rules of the default zone (since no zone is specified)
firewall-cmd --list-all
List rules, specify zone
firewall-cmd --zone=home --list-all
List all zone's rules
firewall-cmd --list-all-zones
- By default: Only the public zone will show as active and have an interface assigned to it.
Add Rules
Types of Rule Changes
- Runtime changes: Firewall-cmd commands in which “–permanent” is omitted. These changes take effect immediately, but don't survive a 'firewall-cmd –reload' command or system reboot.
- Permanent changes: Firewall-cmd commands in which “–permanent” is included.
- These changes do not take effect until a 'firewall-cmd –reload' command is issued.
- Runtime changes are lost
- Upon '–reload', active connections will not be interrupted, unless they are being allowed via a runtime rule.
Source IPs/Networks
Allow source IP network for home zone (Runtime change)
firewall-cmd --zone=home --add-source=192.168.1.0/24
Allow source IP network for home zone (Permanent change)
firewall-cmd --zone=home --permanent --add-source=192.168.1.0/24 firewall-cmd --reload
Ports
Allow port on default zone
firewall-cmd --permanent --add-port=80/tcp firewall-cmd --reload
Services
List predefined services
firewall-cmd --get-services
Add HTTPS service to default zone
firewall-cmd --add-service=https --permanent firewall-cmd --reload
Remove Rules
Source IPs/Networks
Remove source IP network on “home” zone
firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/24 firewall-cmd --reload
Ports
Remove port on default zone
firewall-cmd --permanent --remove-port=80/tcp firewall-cmd --reload
Services
Remove a service on default zone
firewall-cmd --permanent --remove-service=https firewall-cmd --reload
GUI: firewall-config
Launch GUI, firewall-config
firewall-config
iptables notes
You can use iptables, but it is recommended to use firewall-cmd instead. Using iptables instead of firewall-cmd requires disabling firewalld, installing iptables-services, and then enabling the iptables service.