firewall-cmd

Managing firewalld with firewall-cmd

What is firewall-cmd


In addition to the graphical tool firewall-config, rules can also be managed with the command line utility "firewall-cmd". Below is a quick overview of some of the basic commands. For a full list of all functionality, please refer to the firewall-cmd(1) and firewalld(1) man pages or the documentation listed below.



"firewall-cmd" comes as part of the firewalld package and is installed by default. Most of the commands below change the firewall and therefore have to be run as root (the prompts on this page show a root shell). You can verify your installation by issuing the following command from the command line:



[root@centos07b ~]# firewall-cmd --version
0.3.9

From the above output, taken from a CentOS 7 server, we can see that the version is "0.3.9".

If you need help at any time, issue the command: firewall-cmd --help
An overview of the commands and options is printed to your console/terminal session.


Permanent and Temporary Changes to rules and settings


Before we look at some of the options available to the firewall-cmd tool, we need to understand the difference between runtime and permanent changes:

To make a change permanent (persistent across reloads and reboots), add the --permanent option to the command.

It is important to note that --permanent only writes the change to the permanent configuration (the zone files under /etc/firewalld); it does not touch the running firewall, so the change only takes effect after the firewall has been reloaded (firewall-cmd --reload) or the system has been restarted.

Commands issued without --permanent change the running firewall immediately, but only until the next firewall reload or system reboot: reloading the firewall discards every runtime-only change you have made. To have a change apply now and also survive a reboot, run the same command twice, once without and once with --permanent; that way no reload is needed.
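As an added example (not from the original page), the following shell helpers apply the same change to the running firewall and to the permanent configuration in one step, and compare the two afterwards to spot drift, i.e. entries that exist only at runtime and would vanish at the next reload. They assume firewall-cmd is on the PATH and that fw_apply and fw_zone_drift are run as root; list_diff is a pure helper and runs anywhere. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes firewall-cmd (0.3.x)
# on the PATH; fw_apply and fw_zone_drift need root, list_diff does not.

# fw_apply ARGS...: run one firewall-cmd change twice, against the running
# firewall (effective now) and with --permanent (survives reload and reboot),
# so the two configurations cannot drift apart and no reload is needed.
#   e.g. fw_apply --zone=public --add-service=http
fw_apply() {
    firewall-cmd "$@" && firewall-cmd --permanent "$@"
}

# list_diff "A" "B": print each whitespace-separated item of A that does not
# occur in B, one per line. Pure shell, no firewall access.
list_diff() {
    for item in $1; do
        found=0
        for other in $2; do
            [ "$item" = "$other" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$item"
    done
    return 0
}

# fw_zone_drift ZONE: compare the services and ports enabled in the running
# firewall with those in the permanent configuration of ZONE and report
# every difference. "runtime-only" entries disappear at the next reload,
# "permanent-only" entries appear at the next reload.
fw_zone_drift() {
    zone=$1
    for what in services ports; do
        run=$(firewall-cmd --zone="$zone" --list-"$what")
        perm=$(firewall-cmd --permanent --zone="$zone" --list-"$what")
        list_diff "$run" "$perm" | sed "s/^/runtime-only $what: /"
        list_diff "$perm" "$run" | sed "s/^/permanent-only $what: /"
    done
}

# Offline demonstration of list_diff on constructed lists (prints "http"):
list_diff 'dhcpv6-client ssh http' 'dhcpv6-client ssh'
```

Run fw_zone_drift public before a planned reload: anything reported as runtime-only is a rule somebody added by hand and forgot to persist, and it is about to disappear.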


View the current state of the firewall


To view the current state of the firewall, issue the following command: firewall-cmd --state. It prints "running" when firewalld is active and "not running" otherwise (with a non-zero exit status, which makes it usable in scripts).



[root@centos07b ~]# firewall-cmd --state
running

View Active Zones and interfaces


To view a list of active zones along with a list of interfaces that are currently assigned to that zone, issue the following command: firewall-cmd --get-active-zones



[root@centos07b ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3

Zone lookup for an interface


If you need to find out which zone a particular interface is currently assigned to, then issue the following command:

firewall-cmd --get-zone-of-interface=interface_name



[root@centos07b ~]# firewall-cmd --get-zone-of-interface=enp0s3
public

If you are unsure of your interface name, you may issue the following command to identify the name: nmcli d



[root@centos07b ~]# nmcli d
DEVICE  TYPE      STATE      CONNECTION 
enp0s3  ethernet  connected  enp0s3     
lo      loopback  unmanaged  --  

Find out all the interfaces assigned to a zone


To display all the interfaces that are assigned to a zone, for example the public zone, issue the following command:

firewall-cmd --zone=public --list-interfaces

The information comes from NetworkManager and lists only interfaces, not connections.



[root@centos07b ~]# firewall-cmd --zone=public --list-interfaces
enp0s3

View all settings of a zone


To view all the settings for a specified zone, issue the following command: firewall-cmd --zone=public --list-all



[root@centos07b ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
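Added example, not part of the original page: a small audit that reads the output of --list-all, extracts one field, and flags services in the zone whose protocols send logins or files in clear text. The dump embedded below is constructed from the public zone listing above with telnet and an open port added for illustration, and the set of flagged services (telnet, ftp, tftp, tftp-client) is this example's own choice, not a firewalld setting.

```shell
#!/bin/sh
# Added example, not from the original page: audit a zone from the output
# of "firewall-cmd --zone=ZONE --list-all". Which services count as
# "clear-text" is this example's own choice, not a firewalld setting.

# Constructed sample: the page's public-zone listing with telnet and an
# open port added so that the audit has something to report.
SAMPLE_DUMP='public (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh telnet
  ports: 3181/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# fw_zone_field FIELD: read a --list-all dump on stdin and print the value of
# FIELD (services, ports, interfaces, ...); prints an empty line if unset.
fw_zone_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# fw_flag_cleartext SERVICE...: echo, space separated, those services whose
# protocols carry logins or files unencrypted (list chosen for this example).
fw_flag_cleartext() {
    out=""
    for svc in "$@"; do
        case $svc in
            telnet|ftp|tftp|tftp-client) out="$out${out:+ }$svc" ;;
        esac
    done
    echo "$out"
}

# fw_audit_zone: read a dump on stdin, report clear-text services and ports
# opened by number; exit status 1 when something was flagged.
fw_audit_zone() {
    dump=$(cat)
    services=$(printf '%s\n' "$dump" | fw_zone_field services)
    ports=$(printf '%s\n' "$dump" | fw_zone_field ports)
    flagged=$(fw_flag_cleartext $services)
    status=0
    if [ -n "$flagged" ]; then
        echo "clear-text services enabled: $flagged"
        status=1
    fi
    if [ -n "$ports" ]; then
        echo "ports opened by number, confirm each is still needed: $ports"
    fi
    return $status
}

# Offline run on the constructed dump; on a live system use
#   firewall-cmd --zone=public --list-all | fw_audit_zone
printf '%s\n' "$SAMPLE_DUMP" | fw_audit_zone || echo "public: review the items above"
```

Because fw_audit_zone returns 1 when it flags something, it can gate a configuration check in a cron job or a deployment script without any output parsing.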

View Available Service Definitions


The --get-services option prints the name of every service definition that firewalld knows about, whether or not it is enabled in any zone; these are the names that --add-service accepts. It does not show what is currently allowed through the firewall. To see the services that are enabled in a zone, use firewall-cmd --zone=public --list-services, which prints the same list as the "services:" line of --list-all above.



[root@centos07b ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

The shorter spelling --get-service also works, because firewall-cmd accepts unambiguous abbreviations of its long options, but use the full option name in scripts.

View Service Definitions in the Permanent Configuration


Adding --permanent lists the service definitions in the permanent configuration, i.e. the service files shipped in /usr/lib/firewalld/services plus any you have added under /etc/firewalld/services, including definitions that have not yet been loaded into the running firewall. It does not show which services will be allowed after a reload; for that, list the permanent settings of the zone with firewall-cmd --permanent --zone=public --list-services.



[root@centos07b ~]# firewall-cmd --get-services --permanent
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https


Activate Panic Mode - Drop All Packets


To start dropping all incoming and outgoing packets, issue the following command: firewall-cmd --panic-on



[root@centos07b ~]# firewall-cmd --panic-on
success

Note: Be careful if you issue this command from a remote terminal. Panic mode drops every packet, including those of your own SSH session, so the session hangs immediately and you lose the ability to enter further commands; the client side eventually gives up once its keepalive or idle timeout expires, and that length of time depends on the individual session timeout values that are set. Panic mode is a runtime setting and has no --permanent form.


Deactivate Panic Mode - Allow traffic again


To allow traffic to pass again, issue the following command to disable panic mode: firewall-cmd --panic-off



[root@centos07b ~]# firewall-cmd --panic-off
success

After switching panic mode off, traffic flows again. TCP connections that were merely stalled during the panic window resume, while connections whose client already timed out have to be re-established; which of the two happens depends on how long panic mode was enabled.
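Added example, not from the original page: a guard against locking yourself out. It schedules firewall-cmd --panic-off in the background before turning panic mode on, so that even if the remote session freezes the block is lifted after the chosen window. It assumes firewall-cmd on the PATH and root privileges; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: turn panic mode on for a
# bounded window only. Assumes firewall-cmd on the PATH and root privileges.

# is_positive_int VALUE: succeed only for a plain decimal integer >= 1.
is_positive_int() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ]
}

# panic_for SECONDS: schedule "firewall-cmd --panic-off" to run after
# SECONDS, then switch panic mode on. The timer is started first and
# detached with nohup, so it keeps running even if this SSH session hangs
# (panic mode drops its packets too) and is later torn down. Bad input is
# rejected before the firewall is touched.
panic_for() {
    seconds=$1
    if ! is_positive_int "$seconds"; then
        echo "panic_for: SECONDS must be a positive integer" >&2
        return 1
    fi
    nohup sh -c "sleep $seconds && firewall-cmd --panic-off" >/dev/null 2>&1 &
    echo "panic mode will be lifted automatically in $seconds seconds (timer pid $!)"
    firewall-cmd --panic-on
}

# Usage (as root): panic_for 120
# If you lift panic mode by hand earlier, kill the printed timer pid so the
# delayed --panic-off does not fire unexpectedly later.
```

The order matters: the timer is started before --panic-on, because once panic mode is active a frozen session can no longer start anything.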


Display current status of Panic Mode


To check if you have panic mode set to "on" or "off", issue the following command: firewall-cmd --query-panic



[root@centos07b ~]# firewall-cmd --query-panic
no

The answer "yes" or "no" is returned; the exit status is 0 for yes and non-zero for no, which is handy in scripts.


Reload the Firewall without Disruption


You can reload the firewall without interrupting the connections of users by issuing the following command: firewall-cmd --reload. This re-reads the permanent configuration, so every change made with --permanent becomes active, and discards any runtime-only changes; connection tracking state is kept, so established connections keep working.



[root@centos07b ~]# firewall-cmd --reload
success

Reload the Firewall and discard state


The following command reloads the firewall completely, including the netfilter kernel modules, and will most likely terminate active connections. It should only be run when you are encountering severe problems with your firewall:

firewall-cmd --complete-reload



[root@centos07b ~]# firewall-cmd --complete-reload
success

Adding an Interface to a Zone


To add an interface to a specified zone using the firewall-cmd command, issue the following command:

firewall-cmd --zone=public --add-interface=interface_name

The following adds the interface "enp0s3" to the public zone.



[root@centos07b ~]# firewall-cmd --zone=public --add-interface=enp0s3

To make this setting permanent, add the --permanent option and reload the firewall. If the interface is managed by NetworkManager (see the nmcli d output above), also consider setting the zone on its connection profile (nmcli con mod enp0s3 connection.zone public), since NetworkManager tells firewalld which zone to use whenever it brings the interface up.


Setting the Default Zone


To set the default zone to "public", issue the following command: firewall-cmd --set-default-zone=public. Unlike most commands, this changes both the runtime and the permanent configuration in one go, so no --permanent option or reload is needed. The default zone is the one applied to interfaces that are not explicitly assigned to another zone, so choose a restrictive zone for it.



[root@centos07b ~]# firewall-cmd --set-default-zone=public

Displaying Open Ports


To list all open ports on a specified zone, issue the following command: firewall-cmd --zone=zone --list-ports

The example below is issued against the public zone. The empty output means no ports have been opened by number in this zone; ports opened through a service definition are listed separately with --list-services.



[root@centos07b ~]# firewall-cmd --zone=public --list-ports

Add a port to a Zone


To add a port to a specified zone, issue the following command: firewall-cmd --zone=zone --add-port=port/protocol

Example: Allow TCP traffic through port 3181 in the public zone:



[root@centos07b ~]# firewall-cmd --zone=public --add-port=3181/tcp
success

[root@centos07b ~]# firewall-cmd --zone=public --list-ports
3181/tcp

By using the list port command, we can verify our change was successful.

To make this change permanent, add the "--permanent" option and reload the firewall.


Adding a range of ports


To add a range of ports to a specified zone from the command line, you can issue the following command:

Example: Allow TCP traffic through ports 3182-3185 in the public zone:



[root@centos07b ~]# firewall-cmd --zone=public --add-port=3182-3185/tcp
success
[root@centos07b ~]# firewall-cmd --zone=public --list-ports
3181/tcp 3182-3185/tcp

By using the list port command, we can verify our change was successful.

To make this change permanent, add the "--permanent" option and reload the firewall.


Add a Service to a Zone


To add a service to a zone, issue the following command: firewall-cmd --zone=zone --add-service=service

Example: Adding the service smtp into the work zone:



[root@centos07b ~]# firewall-cmd --zone=work --add-service=smtp
success

For this to be a permanent change, you need to specify the option --permanent and then reload the firewall.


Remove a Service from a Zone


To remove a specified service from a specified zone, issue the following command:

firewall-cmd --zone=zone --remove-service=service

Example: Remove the service smtp from the zone work:



[root@centos07b ~]# firewall-cmd --zone=work --remove-service=smtp
success

For this to be a permanent change, you need to specify the option --permanent and then reload the firewall.


Configure IP Address Masquerading


To check as to whether IP masquerading has been enabled, the following command can be issued:

firewall-cmd --zone=external --query-masquerade



[root@centos07b ~]# firewall-cmd --zone=external --query-masquerade
yes

If IP Masquerading is enabled, the reply "yes" will be displayed, otherwise the reply "no" will be displayed. If no zone is specified, then the default zone is used. The external zone has masquerading enabled in its default definition, which is why the query above answers "yes". Masquerading turns the host into a NAT router for the zone's interfaces, so enable it only on the zone bound to the outward-facing interface.



[root@centos07b ~]# firewall-cmd --query-masquerade
no

Enabling IP Masquerading for a Specified Zone


To enable IP Masquerading for a zone, issue the following command: firewall-cmd --zone=zone --add-masquerade



[root@centos07b ~]# firewall-cmd --zone=external --add-masquerade
success

To make the above setting permanent, add the --permanent option and reload the firewall.


Disable IP Masquerading for a Specified Zone


To disable IP Masquerading for a zone, issue the following command: firewall-cmd --zone=zone --remove-masquerade



[root@centos07b ~]# firewall-cmd --zone=external --remove-masquerade
success

To make the above setting permanent, add the --permanent option and reload the firewall.


Configuring Port Forwarding from the command line


To forward inbound network traffic packets from one port to an alternative port or address, first enable IP address masquerading for the zone. Masquerading is what makes forwarding to another host work, since the target's replies have to come back through this machine; forwarding to another host also requires the kernel to route packets (net.ipv4.ip_forward=1), which firewalld turns on when masquerading is enabled, but it is worth confirming with sysctl net.ipv4.ip_forward.



# firewall-cmd --zone=zone --add-masquerade

To forward locally (to a port on the same system), issue the following command:



[root@centos07b ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2468
success

In the above example, packets arriving on port 22 are now forwarded to port 2468 on the same system. The original destination port is specified with the port option; it can be a single port or a range of ports, together with a protocol.

The protocol is required and must be either "tcp" or "udp". The new local port, or range of ports, that the traffic is forwarded to is specified with the toport option. Note that such a rule rewrites every packet arriving on that port from the zone's interfaces: with this exact rule, SSH clients connecting to port 22 end up at port 2468 and no longer reach an sshd listening on 22, so pick the original port with that in mind. Verify the result with firewall-cmd --zone=external --list-forward-ports. To make these settings permanent, add the --permanent option and reload the firewall.

To forward packets to an internal address, without changing the destination port, issue the following command:



# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.0.88

In the above example, the packets that are intended for port 22 are now forwarded to the same port at the IP address (192.168.0.88) passed to the toaddr parameter. The original destination port is specified with the port parameter; it can be a single port or a range of ports, together with a protocol. The protocol is required and must be either "tcp" or "udp".

To make the above setting permanent, add the --permanent option and reload the firewall.

To forward packets to another port at another IPv4 address, usually an internal address, issue the following command:



# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3579:toaddr=192.168.0.88

In the above example, the packets that were intended for port 22 are now being sent to port 3579 at IP address 192.168.0.88.

To make the above setting permanent, add the --permanent option and reload the firewall.
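Added example, not from the original page, covering the three forwarding forms above: fw_forward_spec assembles and checks the port=...:proto=...[:toport=...][:toaddr=...] argument, and fw_forward applies it together with masquerading, both to the running firewall and permanently, then lists the zone's forward ports. It assumes firewall-cmd on the PATH and root privileges when fw_forward runs; the function names are this example's own and 192.168.0.88 is the page's illustrative target.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes firewall-cmd on the
# PATH and root privileges when fw_forward runs; fw_forward_spec is pure.

# fw_forward_spec PORT PROTO TOPORT TOADDR: print the argument for
# --add-forward-port, i.e. port=PORT:proto=PROTO[:toport=TOPORT][:toaddr=TOADDR].
# PROTO must be tcp or udp and at least one of TOPORT/TOADDR must be given
# (pass "" for the one you do not need). Returns 1 and prints nothing on bad
# input so the caller never hands firewall-cmd a half-built rule.
fw_forward_spec() {
    port=$1 proto=$2 toport=$3 toaddr=$4
    case $proto in
        tcp|udp) ;;
        *) echo "fw_forward_spec: proto must be tcp or udp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9-]*) echo "fw_forward_spec: port must be a number or range" >&2; return 1 ;;
    esac
    if [ -z "$toport" ] && [ -z "$toaddr" ]; then
        echo "fw_forward_spec: need toport and/or toaddr" >&2; return 1
    fi
    spec="port=$port:proto=$proto"
    [ -n "$toport" ] && spec="$spec:toport=$toport"
    [ -n "$toaddr" ] && spec="$spec:toaddr=$toaddr"
    echo "$spec"
}

# fw_forward ZONE PORT PROTO TOPORT TOADDR: make sure masquerading is on
# for ZONE (needed when the target is another host, so that its replies
# come back through this machine), add the forward-port rule to the
# running firewall and to the permanent configuration, and list the result.
fw_forward() {
    zone=$1; shift
    spec=$(fw_forward_spec "$@") || return 1
    for opt in "" --permanent; do
        firewall-cmd $opt --zone="$zone" --query-masquerade >/dev/null ||
            firewall-cmd $opt --zone="$zone" --add-masquerade
        firewall-cmd $opt --zone="$zone" --add-forward-port="$spec"
    done
    firewall-cmd --zone="$zone" --list-forward-ports
}

# Example invocations (need root and firewalld), matching the three forms above:
#   fw_forward external 22 tcp 2468 ""              # local port redirect
#   fw_forward external 22 tcp "" 192.168.0.88      # same port, other host
#   fw_forward external 22 tcp 3579 192.168.0.88    # other port, other host
```

Querying masquerade before adding it avoids re-adding a setting that is already present, and building the spec in a separate function means a typo in the protocol or port is caught before any rule reaches the kernel.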


Sources


For a full list of all options and parameters that are available for "Firewalld", please consult the relevant official documentation sites.

FirewallD

Red Hat Enterprise Linux 7.0 Security Guide