

Firewall: Firewall-Cmd

General Information

firewall-cmd is the command line client for the firewalld daemon, the default firewall management tool on Enterprise Linux 7.x. firewalld is a zone-based firewall: every network interface or source address is assigned to a zone, and the rules of that zone decide which traffic is accepted.

Checklist

  • Distro: Enterprise Linux 7.x

Firewalld Components

  • firewall-config ⇒ GUI frontend for firewalld
  • firewall-cmd ⇒ Command line frontend for firewalld
  • firewalld ⇒ Daemon that manages the Linux kernel's packet filter, Netfilter (on EL7 it programs Netfilter through the iptables tool)
    • the firewalld service and the iptables service must not be enabled at the same time; each would overwrite the other's rule set
  • iptables ⇒ Manages Netfilter rules directly; the iptables service (package iptables-services) loads a static rule set at boot
    • cannot be run as a service at the same time as firewalld

Install, start and enable the firewall packages (firewalld is installed by default with a base install, but not with a minimal install)

yum install firewalld firewall-config
systemctl start firewalld
systemctl enable firewalld

Check that firewalld is running

  • firewall-cmd method
    firewall-cmd --state
  • systemctl methods
    • check status
      systemctl status firewalld
    • is active?
      systemctl is-active firewalld
    • is enabled?
      systemctl is-enabled firewalld

View zone names

firewall-cmd --get-zones

View default zone

firewall-cmd --get-default-zone
  • Interfaces that are not explicitly bound to a zone fall into the default zone, which is “public” after installation (the catch-all).

View only active zones and what interfaces are assigned to them

firewall-cmd --get-active-zones

Change default zone that is used when no zone is specified

firewall-cmd --set-default-zone=home

An interface can only be bound to 1 zone at a time.

List interfaces that are bound to the default zone

firewall-cmd --list-interfaces

Bind an interface to the specified zone

firewall-cmd --add-interface=eth0 --zone=home
  • firewalld returns a zone-conflict error if the interface is already bound to a different zone. In that case use --change-interface instead.

Move an interface to the specified zone (unbinding it from the zone it is currently in)

firewall-cmd --change-interface=eth0 --zone=home

List all rules of the default zone (since no zone is specified)

firewall-cmd --list-all

List rules, specify zone

firewall-cmd --zone=home --list-all

List the rules of all zones

firewall-cmd --list-all-zones
  • After installation only the public zone shows as active, because it is the only zone with an interface assigned to it.
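Which zone actually handles a packet is decided by firewalld in a fixed order: a zone that the packet's source address is bound to wins, then the zone of the interface the packet arrived on, then the default zone. The commands above do not show this precedence, so here is an added example (not part of the original page) that reproduces the lookup in POSIX sh over the text of `firewall-cmd --get-active-zones`. The listing is a constructed sample; `zone_for_packet` and `live_zone_for_packet` are names chosen here, and only IPv4 sources in CIDR form are evaluated (ipset, MAC and IPv6 sources are skipped).

```shell
#!/bin/sh
# Added example (not from the original page): reproduce firewalld's zone
# selection order for an incoming packet: source-bound zone first, then the
# interface's zone, then the default zone.
# Limitation: only IPv4 sources written as a.b.c.d or a.b.c.d/len are
# matched; ipset:, MAC and IPv6 sources are ignored here.

# Constructed sample in the shape of `firewall-cmd --get-active-zones`:
# eth0 is in public (the default zone), eth1 is in work, and the LAN
# 192.168.1.0/24 is bound to home regardless of interface.
ACTIVE_ZONES_SAMPLE=$(cat <<'EOF'
public
  interfaces: eth0
home
  sources: 192.168.1.0/24
work
  interfaces: eth1
EOF
)

# zone_for_packet SRC_IP IFACE ACTIVE_ZONES_TEXT DEFAULT_ZONE
# Prints the zone whose rules firewalld applies to that packet.
zone_for_packet() {
    printf '%s\n' "$3" | awk -v ip="$1" -v iface="$2" -v dflt="$4" '
        function ip2int(a,  o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        # True when address a lies in cidr. Both addresses are divided by
        # the block size 2^(32-len); equal quotients mean the same network.
        function in_cidr(a, cidr,  p, len, blk) {
            if (cidr !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) return 0
            split(cidr, p, "/")
            len = (p[2] == "") ? 32 : p[2] + 0
            blk = 2 ^ (32 - len)
            return int(ip2int(a) / blk) == int(ip2int(p[1]) / blk)
        }
        /^[^[:space:]]/ { zone = $1; next }        # zone header line
        /^[[:space:]]+sources:/ {
            for (i = 2; i <= NF; i++)
                if (src_zone == "" && in_cidr(ip, $i)) src_zone = zone
            next
        }
        /^[[:space:]]+interfaces:/ {
            for (i = 2; i <= NF; i++)
                if (if_zone == "" && $i == iface) if_zone = zone
            next
        }
        END {
            if (src_zone != "")      print src_zone   # source binding wins
            else if (if_zone != "")  print if_zone    # then interface binding
            else                     print dflt       # then the default zone
        }'
}

# Same lookup against the live firewalld on this host.
live_zone_for_packet() {
    zone_for_packet "$1" "$2" "$(firewall-cmd --get-active-zones)" \
                    "$(firewall-cmd --get-default-zone)"
}

# Demo on the constructed sample: the LAN host is handled by the home zone
# even though it arrives on eth1, which is bound to work.
zone_for_packet 192.168.1.10 eth1 "$ACTIVE_ZONES_SAMPLE" public   # home
zone_for_packet 10.0.0.5     eth1 "$ACTIVE_ZONES_SAMPLE" public   # work
zone_for_packet 10.0.0.5     eth9 "$ACTIVE_ZONES_SAMPLE" public   # public
```

The practical consequence: binding a source to a permissive zone (home, or worse, trusted) overrides whatever zone the interface is in, so a `--add-source` deserves the same review as opening a port.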

Types of Rule Changes

  • Runtime changes: firewall-cmd commands in which “--permanent” is omitted. They take effect immediately but are discarded by a 'firewall-cmd --reload' and by a system reboot.
  • Permanent changes: firewall-cmd commands in which “--permanent” is included.
    • They are written to the configuration files under /etc/firewalld/ and do not take effect until a 'firewall-cmd --reload' is issued (or firewalld is restarted).
    • A '--reload' replaces the runtime configuration with the permanent one, so runtime-only changes are lost.
    • '--reload' keeps connection-tracking state, so established connections continue unless they were only permitted by a runtime rule; 'firewall-cmd --complete-reload' also drops that state and will interrupt active connections.
    • To keep a runtime change once it has been tested, later firewalld releases provide 'firewall-cmd --runtime-to-permanent', which saves the current runtime configuration as the permanent one.
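Because a runtime rule disappears on reload and a permanent rule is not live until one, a host can look open in one listing and closed in the other. The following added example (not from the original page) checks a zone for exactly that drift in POSIX sh by normalising the runtime and permanent `--list-all` output and diffing the rule-bearing fields. The two listings are constructed samples in the shape of EL7 output; `normalize_listing`, `compare_listings` and `zone_drift` are names chosen here. Interfaces are left out of the comparison because on EL7 an interface is commonly placed in its zone by the ZONE= setting of its ifcfg file rather than by the zone file, so that field differs between the two listings routinely.

```shell
#!/bin/sh
# Added example (not from the original page): report drift between a zone's
# runtime and permanent configuration, i.e. rules present in only one of
# `firewall-cmd --list-all` and `firewall-cmd --permanent --list-all`.
LC_ALL=C; export LC_ALL   # stable sort order for comm

# Constructed sample: runtime state after `--zone=home --add-port=8080/tcp`
# (no --permanent), in the shape of EL7 `firewall-cmd --zone=home --list-all`.
RUNTIME_SAMPLE=$(cat <<'EOF'
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.0/24
  services: ssh mdns samba-client dhcpv6-client
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

# Constructed sample: permanent state after `--permanent --add-service=https`
# without a following --reload.
PERMANENT_SAMPLE=$(cat <<'EOF'
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.0/24
  services: ssh mdns samba-client dhcpv6-client https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

# normalize_listing LISTING_TEXT
# Emits one sorted "field value" line per rule so two listings compare as
# sets. Rich rules (indented lines starting with "rule ") are kept whole.
# "interfaces:" is skipped on purpose: an interface placed in a zone via its
# ifcfg ZONE= setting shows in the runtime listing only, which is not drift.
normalize_listing() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]+(sources|services|ports|protocols|masquerade|forward-ports|source-ports|icmp-blocks):/ {
            key = $1; sub(/:$/, "", key)
            for (i = 2; i <= NF; i++) print key, $i
            next
        }
        /^[[:space:]]+rule / { sub(/^[[:space:]]+/, ""); print "rich-rule", $0 }
    ' | sort
}

# compare_listings RUNTIME_TEXT PERMANENT_TEXT
# Prints every rule present on only one side; returns 1 if any were found.
compare_listings() {
    rt=$(mktemp) && pm=$(mktemp) || return 2
    normalize_listing "$1" > "$rt"
    normalize_listing "$2" > "$pm"
    drift=0
    if [ -n "$(comm -23 "$rt" "$pm")" ]; then
        comm -23 "$rt" "$pm" | sed 's/^/runtime-only (lost on reload): /'
        drift=1
    fi
    if [ -n "$(comm -13 "$rt" "$pm")" ]; then
        comm -13 "$rt" "$pm" | sed 's/^/permanent-only (not live until --reload): /'
        drift=1
    fi
    rm -f "$rt" "$pm"
    return $drift
}

# zone_drift [ZONE]: run the check against the live firewalld on this host.
zone_drift() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    compare_listings "$(firewall-cmd --zone="$zone" --list-all)" \
                     "$(firewall-cmd --permanent --zone="$zone" --list-all)"
}

# Demo on the constructed samples: 8080/tcp is live but vanishes on reload,
# https is saved but not yet live.
compare_listings "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" || echo "drift found (exit status $?)"
```

Running `zone_drift` for each zone listed by `firewall-cmd --get-active-zones` before a planned `--reload` tells you which rules are about to disappear and which are about to go live.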

Add Rules

Source IPs/Networks

Bind a source network to the home zone, so that traffic from it is evaluated by the home zone's rules (runtime change)

firewall-cmd --zone=home --add-source=192.168.1.0/24

Bind a source network to the home zone (permanent change)

firewall-cmd --zone=home --permanent --add-source=192.168.1.0/24
firewall-cmd --reload

Ports

Open a port in the default zone (permanent change); this exposes the port on every interface and source handled by that zone

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --reload

Services

List predefined services

firewall-cmd --get-services

Add the predefined HTTPS service (443/tcp) to the default zone

firewall-cmd --add-service=https --permanent
firewall-cmd --reload

Remove Rules

Source IPs/Networks

Remove a source network from the “home” zone

firewall-cmd --zone=home --permanent --remove-source=192.168.1.0/24
firewall-cmd --reload

Ports

Remove port on default zone

firewall-cmd --permanent --remove-port=80/tcp
firewall-cmd --reload

Services

Remove a service on default zone

firewall-cmd --permanent --remove-service=https
firewall-cmd --reload

Launch GUI, firewall-config

firewall-config

iptables notes

You can use iptables directly, but firewall-cmd is the recommended tool on EL7. To use the iptables service instead of firewalld: stop and mask the firewalld unit (masking, not just disabling, so that no other unit can start it and wipe the iptables rules), install the iptables-services package, then enable and start the iptables service. Do not run both services; whichever starts last replaces the other's rules.


  • Last modified: 2019/05/25 23:50