This page contains a summary of the commands presented in the firewall tutorial videos.
Installing firewall package
yum install firewalld
systemctl enable firewalld
Note that enable only arranges for firewalld to start at boot; on a fresh install start it now as well (systemctl start firewalld, or systemctl enable --now firewalld in one step). If the older iptables service is also installed and enabled, disable it first: running both at once leaves each one rewriting the other's rules.
Checking current status and settings
Checking whether firewalld is running
systemctl status firewalld
firewall-cmd --state
Zones
Displaying all available zones
firewall-cmd --get-zones
By default, firewalld comes with the following zones:
- public: This is the default zone, and it should be used for public environments where you do not trust other computers on the network. Only predefined connections (i.e. ports / services) are accepted.
- work: For work environments. Usually, other computers on the same network are trusted. Only predefined connections are accepted.
- home: For home use. The same applies as in the 'work' zone: other computers are mostly trusted and only predefined connections are accepted. Pick a zone by how much you actually trust the network, not by its name; depending on your situation the office network may be safer than the one at home.
- internal: For use with private networks. Computers on this network are usually trusted. Only predefined connections are accepted.
- trusted: All connections are accepted.
- drop: All incoming packets are silently dropped with no reply. Only outgoing connections (and the replies to them) are possible.
- block: Like drop, except that incoming connections are rejected with an ICMP error message. The message varies by the type of incoming connection: for IPv4 it is icmp-host-prohibited and for IPv6 it is icmp6-adm-prohibited. Outgoing connections are possible.
- external: For use on external networks with NAT masquerading enabled, typically a router or gateway sitting in front of a DMZ or internal network. Other computers on the external network are not trusted and only preconfigured connections are accepted.
- dmz: The computer is in the demilitarized zone. It should be isolated from the internal network, so only specific connections should be accepted.
Displaying the default zone (probably public)
Default zone versus active zone. The default zone is the zone firewalld assigns to any interface that has not been given a zone explicitly, so on a freshly installed host it is also the active zone. An active zone is any zone that currently has an interface or source address bound to it; there can be several active zones at once (one per NIC), and they stay active until you explicitly move the interface elsewhere.
firewall-cmd --get-default-zone
Displaying active zone (probably public)
This displays which zones currently have an interface or NIC assigned, together with the interface names. There may be more than one NIC, and therefore more than one active zone. The documented option is --get-active-zones; the singular --get-active-zone used in the videos works only because firewall-cmd accepts unambiguous abbreviations of its options, so use the plural form in scripts.
firewall-cmd --get-active-zones
Services
Displaying all available services
firewall-cmd --get-services
Listing services currently allowed on default zone
firewall-cmd --list-services
To check a different zone use:
firewall-cmd --zone=zoneName --list-services
Displaying All firewall settings
Displaying everything currently configured on default zone
firewall-cmd --list-all
To check a different zone use:
firewall-cmd --zone=zoneName --list-all
Listing everything currently configured on all zones
firewall-cmd --list-all-zones
This will produce a very long listing, so you probably want to pipe it to more or less.
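The listing above is the place to check which zones actually filter traffic: a zone only matters once an interface or source is bound to it, and a zone with target ACCEPT (such as trusted) lets everything in no matter what its service list says. The following script is an added example, not one of the commands from the videos: it parses --list-all-zones output and prints one line per bound zone, flagging ACCEPT targets. The sample output embedded in it is constructed by hand to match the listing format, not captured from a real host; when firewalld is running the script reads the live listing instead (which needs root).

```sh
#!/bin/sh
# Added example: summarise which firewalld zones are actually filtering traffic.
# Reads `firewall-cmd --list-all-zones` output and prints one line per zone
# that has an interface or source bound to it:
#   <zone> target=<target> interfaces=<ifaces> sources=<srcs> services=<svcs>
# Zones whose target is ACCEPT (e.g. `trusted`) get a warning, because every
# connection reaching them is allowed regardless of the service list.

audit_zones() {
    awk '
        # A zone header is a non-indented line, e.g. "public (active)" or "work".
        /^[A-Za-z0-9_-]+/ {
            flush()
            zone = $1; target = ""; ifaces = ""; srcs = ""; svcs = ""
            next
        }
        /^  target:/     { target = $2; next }
        /^  interfaces:/ { $1 = ""; ifaces = trim($0); next }
        /^  sources:/    { $1 = ""; srcs = trim($0); next }
        /^  services:/   { $1 = ""; svcs = trim($0); next }
        END { flush() }

        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function flush() {
            if (zone == "") return
            if (ifaces == "" && srcs == "") return   # nothing bound: zone is inactive
            flag = (target == "ACCEPT") ? " WARNING: target ACCEPT allows everything" : ""
            printf "%s target=%s interfaces=%s sources=%s services=%s%s\n",
                   zone, target, ifaces, srcs, svcs, flag
        }
    '
}

# Constructed sample of `firewall-cmd --list-all-zones` output (not captured
# from a real system), trimmed to three zones.
sample_list_all_zones() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports: 8000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.0.2.10" reject

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Use the live firewall when it is running (needs root); otherwise the sample.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    firewall-cmd --list-all-zones | audit_zones
else
    sample_list_all_zones | audit_zones
fi
```

On the sample, only public and trusted are reported (work has nothing bound and is skipped), and trusted carries the warning. On a real host, any unexpected line here, such as a second NIC silently sitting in trusted, is worth a look before adding more services.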
Changing Default and Active zones
Changing default zone
firewall-cmd --set-default-zone=newZone
Changing active zone
The active zone is the one that currently has an interface or NIC bound to it. There is no --set-active-zone option; instead you move the interface into the zone you want:
firewall-cmd --zone=zoneName --change-interface=eth1
or on the VM used in the videos
firewall-cmd --zone=zoneName --change-interface=enp0s3
Without --permanent the binding lasts only until the next reload. With --permanent, if NetworkManager manages the interface, firewall-cmd asks NetworkManager to record the zone in the connection profile (the connection.zone property) rather than writing it to the zone file, so that is where to look if the binding does not show up under /etc/firewalld/zones.
Changing Configuration – Current Configuration or Permanent Change
With firewalld you can change the rules currently in use (the runtime configuration) or change the configuration files firewalld reads at start time, which makes the change permanent. You cannot do both in the same command. Instructions for making changes to the current runtime configuration and for making changes to the configuration files used at startup are provided below.
Adding and Removing a service
If the zone isn't specified, the service will be added to the default zone.
Adding a service – simplest form,
firewall-cmd --add-service=serviceName
This opens the port(s) listed in the service's XML definition to incoming connections. Reply traffic is matched by connection tracking, and a few services (ftp, for example) also load a conntrack helper so that their separate data connections are allowed. This doesn't make the change permanent, so it's good for testing.
To verify that the zone now allows the service use:
firewall-cmd --list-services
(--get-services is not the right check: it lists every service definition firewalld knows about, whether or not it is allowed anywhere.)
Runtime changes vs. permanent changes
By default, adding (or removing) a service affects only firewalld's runtime configuration, that is, the settings in memory of the currently running firewalld process. The change remains in effect only until firewalld is reloaded or restarted or the system is rebooted. To change the configuration file that firewalld reads when it starts or reloads, and so make the change permanent, you must add the --permanent option.
firewall-cmd --add-service=serviceName --permanent
But while --permanent changes firewalld's configuration file, it doesn't change the runtime configuration, and there is no single option that applies a change to both at once. If you want to change the runtime configuration and make the change permanent, use the following two commands. The first changes firewalld's configuration file, and the second tells firewalld to reload its configuration from the files, which replaces the runtime configuration.
firewall-cmd --permanent --add-service=serviceName
firewall-cmd --reload
Note – you could reboot the system or restart firewalld with systemctl, but rebooting is obviously overkill and will impact all services, and a restart (like firewall-cmd --complete-reload) tears down the rules and discards connection-tracking state, so sessions established through the firewall are likely to be cut off. --reload reads the new settings while keeping state information, so current connections and sessions carry on. Two caveats: a reload makes the permanent configuration the new runtime configuration, so any runtime-only changes made for testing are lost at that moment; and the reverse direction exists too, since firewall-cmd --runtime-to-permanent saves the whole current runtime configuration as the permanent one once you are happy with it.
Removing a service – simplest form,
firewall-cmd --remove-service=serviceName
This closes the service's port(s) to new incoming connections; connections that are already established are not cut off by this alone, because connection tracking still matches them. This doesn't make the change permanent, so it's good for testing.
To verify that the zone no longer allows the service use:
firewall-cmd --list-services
Just like adding a service, the --permanent option must be used to make the change permanent, followed by --reload to get firewalld to reread its configuration files.
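The safe order for the runtime/permanent dance described above is: change the runtime first, confirm the change took, then persist exactly what is running. Doing it the other way round (--permanent then --reload) also wipes any other runtime-only rules at the moment of the reload. The script below is an added example, not part of the videos; it wraps firewall-cmd in a small fw function so that DRY_RUN=1 prints the commands instead of running them, and it assumes root privileges and a firewalld new enough to have --runtime-to-permanent (on older releases replace that step with --permanent plus --reload). The add/query/remove options are passed in by the caller, so the same function serves services (--add-service / --query-service / --remove-service) and ports (--add-port / --query-port / --remove-port).

```sh
#!/bin/sh
# Added example: apply a firewalld change to the runtime configuration, verify
# it by exit status, and only then save it as the permanent configuration.
# On failure the runtime change is rolled back, so a typo never gets persisted.
# Assumes root and firewalld with --runtime-to-permanent.

# fw ARGS... : run firewall-cmd, or just print the command when DRY_RUN is set
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "would run: firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# apply_and_persist ZONE ADD_OPTION QUERY_OPTION REMOVE_OPTION
#   e.g. apply_and_persist public --add-service=http --query-service=http --remove-service=http
#        apply_and_persist public --add-port=8000/tcp --query-port=8000/tcp --remove-port=8000/tcp
apply_and_persist() {
    zone="$1"; add="$2"; query="$3"; remove="$4"

    # 1. runtime change: in effect immediately, lost on reload or restart
    fw --zone="$zone" "$add" || return 1

    # 2. verify with the matching --query-* option (exit 0 = present) instead
    #    of eyeballing --list-all; roll back if it is not there
    if ! fw --zone="$zone" "$query"; then
        echo "$query failed in zone $zone, rolling back $add" >&2
        fw --zone="$zone" "$remove"
        return 1
    fi

    # 3. save the current runtime state (this change plus anything else that
    #    is live) as the permanent configuration in /etc/firewalld
    fw --runtime-to-permanent || return 1
}

# Run as a script with four arguments, e.g.
#   DRY_RUN=1 sh apply.sh public --add-port=8000/tcp --query-port=8000/tcp --remove-port=8000/tcp
[ $# -eq 4 ] && apply_and_persist "$@"
```

Step 3 saves everything currently in the runtime configuration, not just this one change, so run the audit of --list-all first if other people may have left test rules behind.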
Adding or removing a service in another zone
firewall-cmd --zone=zoneName --add-service=serviceName
Behind the scenes – what files are involved
The service XML files shipped with firewalld are in the directory – /usr/lib/firewalld/services; custom service definitions belong in /etc/firewalld/services.
The default zone XML files are in the directory – /usr/lib/firewalld/zones
The zone configuration files that are read when firewalld starts or reloads are in the directory – /etc/firewalld/zones. A file appears there for a zone once the zone has been changed with --permanent (firewalld writes out the full zone), and it overrides the file of the same name under /usr/lib/firewalld, which is replaced on package updates and should not be edited.
You can make changes to the firewall configuration by editing the file in /etc/firewalld/zones directly and then using --reload to apply it. Going through firewall-cmd --permanent is safer, because firewalld validates the change before writing the file.
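The same directories are where a custom service lives, which is the cleaner alternative to opening a bare port number for an application firewalld has no definition for. The following script is an added example, not from the videos: it generates a service XML file in the same format as the ones under /usr/lib/firewalld/services and installs it under /etc/firewalld/services, after which a --reload makes firewalld pick the definition up and it can be allowed like any built-in service. It assumes root, a service name that is not already taken, and uses FIREWALLD_ETC (a variable of this script, not a firewalld setting) so the target directory can be redirected for testing.

```sh
#!/bin/sh
# Added example: define a custom firewalld service instead of using --add-port.
# service_xml prints the definition; install_service writes it under
# $FIREWALLD_ETC/services (default /etc/firewalld) and reloads firewalld so the
# new name is known. Afterwards allow it exactly like a built-in service:
#   firewall-cmd --permanent --add-service=NAME && firewall-cmd --reload

# service_xml NAME DESCRIPTION PORT/PROTO [PORT/PROTO...]  -> XML on stdout
service_xml() {
    name="$1"
    # escape the XML metacharacters so a description cannot break the file
    desc=$(printf '%s' "$2" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for spec; do
        port="${spec%/*}"; proto="${spec#*/}"
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "bad port spec: $spec (want PORT/tcp or PORT/udp)" >&2; return 1;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# install_service NAME DESCRIPTION PORT/PROTO...  -> prints the path written
# Refuses to overwrite an existing definition. DRY_RUN=1 skips the reload.
install_service() {
    dir="${FIREWALLD_ETC:-/etc/firewalld}/services"
    file="$dir/$1.xml"
    if [ -e "$file" ]; then
        echo "$file already exists, refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    service_xml "$@" > "$file" || { rm -f "$file"; return 1; }
    chmod 0644 "$file"
    if [ -z "$DRY_RUN" ]; then
        firewall-cmd --reload >/dev/null   # make firewalld read the new definition
    fi
    echo "$file"
}

# Run as a script, e.g.  sh mkservice.sh myapp "My application" 8000/tcp 8001/udp
[ $# -ge 3 ] && install_service "$@"
```

Once installed, firewall-cmd --get-services lists the new name and --add-service=NAME works in any zone, which keeps the zone's service list readable instead of a pile of anonymous port numbers.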
Advanced Operations
Opening a port.
This can be done when a service doesn’t have an XML file, or for testing with different ports.
firewall-cmd --add-port=portNumber/tcp
For example, to open port 8000
firewall-cmd --add-port=8000/tcp
And to make this permanent, as well as changing the runtime settings use:
firewall-cmd --add-port=portNumber/tcp --permanent
firewall-cmd --reload
To open a range of ports
firewall-cmd --add-port=startPortNumber-endPortNumber/tcp
For example, to open ports 8000 – 8100
firewall-cmd --add-port=8000-8100/tcp
Checking open ports.
firewall-cmd --list-ports
Closing ports
firewall-cmd --remove-port=portNumber/tcp
firewall-cmd --remove-port=startPortNumber-endPortNumber/tcp
Allowing a specific IP address
firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" accept'
Where xxx.xxx.xxx.xxx is the IP address that will be allowed in. Because this rule names no port or service, it accepts all traffic from that address into the zone, not just one port; to limit it to a port see 'Opening ports for a specific IP address' further down. Note that this should be entered on a single line. It's wrapped here for readability only. Also note the use of nested quotes: single quotes around the outside of the entire rich rule, so the shell passes it to firewall-cmd as one argument, and double quotes around the values being set inside the rich rule.
To verify that the rule is set use:
firewall-cmd --list-all
Allowing An Entire Network
Entire networks can be allowed with rich rules. To do this, give the network address together with its prefix length (CIDR notation). The following example matches a /24, i.e. 256 addresses, the size of an old class C network.
firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.0/24" accept'
Blocking specific IP addresses
firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" reject'
reject answers each packet with an ICMP error, which tells the sender that a firewall is there; use drop instead of reject to discard the packets silently. Either way firewalld evaluates reject and drop rich rules before the zone's accept rules, services and ports, so the address is blocked even for services the zone otherwise allows.
You can also block an entire network using
firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.0/24" reject'
Removing Rich Rules for IP addresses
Repeat the rule text exactly as firewall-cmd --list-rich-rules shows it, with --remove-rich-rule in place of --add-rich-rule:
firewall-cmd --remove-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" accept'
Opening ports for a specific IP address
firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" port protocol="tcp" port="portNumber" accept'
Where xxx.xxx.xxx.xxx is the IP address that will be allowed to reach that port (from the outside); portNumber may also be a range written as start-end. The quoting is the same as above: single quotes around the whole rich rule and double quotes around the values inside it.
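The rich rules in the last few sections differ only in the source, the optional port clause and the final action, and most mistakes with them are quoting or a mistyped address that firewall-cmd then rejects with an unhelpful error. The script below is an added example, not one of the commands from the videos: it validates an IPv4 address or CIDR network, builds the rule string with the quoting exactly as shown above, and hands it to firewall-cmd as a single argument. The addresses in the usage demo are documentation ranges chosen for the example; DRY_RUN is a variable of this script, and applying rules for real needs root.

```sh
#!/bin/sh
# Added example: build firewalld rich rules from validated input instead of
# retyping the nested quotes. rich_rule prints exactly the text that goes
# inside the single quotes of  firewall-cmd --add-rich-rule='...'

# valid_ipv4 ADDR[/PREFIX]  -> 0 if well-formed (four octets 0-255, prefix 0-32)
valid_ipv4() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# rich_rule ACTION SOURCE [PROTO PORT]
#   ACTION: accept | reject | drop   (reject sends an ICMP error, drop is silent)
#   SOURCE: IPv4 address or network in CIDR form
#   PROTO/PORT: optional tcp|udp and a port or start-end range
# Prints the rule; returns 1 (with a message on stderr) on bad input.
rich_rule() {
    action="$1"; src="$2"; proto="$3"; port="$4"
    case "$action" in
        accept|reject|drop) ;;
        *) echo "bad action: $action" >&2; return 1;;
    esac
    valid_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
    rule="rule family=\"ipv4\" source address=\"$src\""
    if [ -n "$proto" ]; then
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1;; esac
        case "$port" in ''|*[!0-9-]*) echo "bad port: $port" >&2; return 1;; esac
        rule="$rule port protocol=\"$proto\" port=\"$port\""
    fi
    printf '%s\n' "$rule $action"
}

# apply_rich_rule add|remove RULE
# The rule is passed to firewall-cmd as ONE argument, so the inner double
# quotes survive and nothing inside is expanded by the shell.
apply_rich_rule() {
    op="$1"; rule="$2"
    if [ -n "$DRY_RUN" ]; then
        printf "would run: firewall-cmd --%s-rich-rule='%s'\n" "$op" "$rule"
    else
        firewall-cmd "--$op-rich-rule=$rule"
    fi
}

# Usage demo, runs only in dry-run mode:  DRY_RUN=1 sh rich-rules.sh
# Lets one management host reach ssh and silently drops a whole /24.
if [ -n "$DRY_RUN" ]; then
    apply_rich_rule add "$(rich_rule accept 192.0.2.10 tcp 22)"
    apply_rich_rule add "$(rich_rule drop 198.51.100.0/24)"
fi
```

Because reject and drop rich rules are evaluated before accept rules, a drop for a network and an accept for one host inside it will not let that host through; keep allow-listed hosts out of the networks you block.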