Managing firewalld with firewall-cmd

What is firewall-cmd?

In addition to the graphical tool firewall-config, rules can also be managed with the command line utility "firewall-cmd". Below is a quick overview of some of the basic commands. For a full list of all functionality, please refer to the relevant man pages or the documentation listed below.

"firewall-cmd" comes as part of firewalld and is installed by default. You can verify your installation by issuing the following command from the command line:


# firewall-cmd --version
0.8.2

Permanent and Temporary Changes to rules and settings

Before we look at some of the options available to the firewall-cmd tool, we need to understand the following:

To make a change permanent (persistent), the option --permanent needs to be added to the command.

It is important to note that a permanent change is written to the saved configuration only; it takes effect after the firewall has been reloaded or after a system restart.

Commands issued without the --permanent option take effect immediately, but these changes are only valid until the next firewall reload or system reboot. When you reload the firewall you discard any temporary changes you have made.

View the current state of the firewall

To view the current state of the firewall, issue the following command: firewall-cmd --state


# firewall-cmd --state
running

View Active Zones and interfaces

To view a list of active zones along with a list of interfaces that are currently assigned to that zone, issue the following command: firewall-cmd --get-active-zones


# firewall-cmd --get-active-zones
public
  interfaces: enp1s0

Zone lookup for an interface

If you need to find out which zone a particular interface is currently assigned to, then issue the following command:

firewall-cmd --get-zone-of-interface=interface_name


# firewall-cmd --get-zone-of-interface=enp1s0
public

If you are unsure of your interface name, you may issue the following command to identify the name: nmcli d


# nmcli d
DEVICE      TYPE      STATE                   CONNECTION 
enp1s0      ethernet  connected               enp1s0     
virbr0      bridge    connected (externally)  virbr0     
lo          loopback  unmanaged               --         
virbr0-nic  tun       unmanaged               --   

Find out all the interfaces assigned to a zone

To display all the interfaces that are assigned to a zone, for example the public zone, issue the following command:

firewall-cmd --zone=public --list-interfaces

The information is retrieved from NetworkManager and only shows interfaces, not connections.


# firewall-cmd --zone=public --list-interfaces
enp1s0

View all settings of a zone

To view all the settings for a specified zone, issue the following command: firewall-cmd --zone=public --list-all


# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
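Because changes made without --permanent are discarded at the next reload, it is worth checking a zone for entries that exist in only one of its two configurations. The following added example (not part of the original page) parses the "firewall-cmd --list-all" output format shown above for both the runtime and the permanent view of a zone and reports the differences; the two sample outputs are constructed, and zone_drift_live is the only function that calls the real firewall-cmd.

```shell
#!/bin/sh
# Added example: report entries of a firewalld zone that exist only in the
# runtime configuration (lost at "firewall-cmd --reload") or only in the
# permanent configuration (applied at the next reload).
set -eu

# Print the entries of one field ("services", "ports", ...) of --list-all
# output, space separated. A field line looks like
# "  services: cockpit dhcpv6-client ssh"; an empty field yields nothing.
zone_field() {            # $1 = field name, stdin = --list-all output
  awk -v f="$1" '$1 == (f ":") { for (i = 2; i <= NF; i++) printf "%s ", $i }'
}

# Report, one per line, entries present in only one of the two configurations.
zone_drift() {            # $1 = field, $2 = runtime output, $3 = permanent output
  zd_rt=$(printf '%s\n' "$2" | zone_field "$1")
  zd_pm=$(printf '%s\n' "$3" | zone_field "$1")
  for e in $zd_rt; do
    case " $zd_pm " in *" $e "*) ;; *) echo "runtime-only $1: $e" ;; esac
  done
  for e in $zd_pm; do
    case " $zd_rt " in *" $e "*) ;; *) echo "permanent-only $1: $e" ;; esac
  done
}

# Live use (needs root and a running firewalld): compare a real zone.
zone_drift_live() {       # $1 = zone name
  zl_rt=$(firewall-cmd --zone="$1" --list-all)
  zl_pm=$(firewall-cmd --permanent --zone="$1" --list-all)
  for f in services ports forward-ports; do zone_drift "$f" "$zl_rt" "$zl_pm"; done
}

# Constructed sample: smtp and 3181/tcp were added without --permanent.
RUNTIME='public (active)
  target: default
  interfaces: enp1s0
  services: cockpit dhcpv6-client smtp ssh
  ports: 3181/tcp 3182-3185/tcp
  masquerade: no'
PERMANENT='public
  target: default
  interfaces: enp1s0
  services: cockpit dhcpv6-client ssh
  ports: 3182-3185/tcp
  masquerade: no'

zone_drift services "$RUNTIME" "$PERMANENT"   # runtime-only services: smtp
zone_drift ports    "$RUNTIME" "$PERMANENT"   # runtime-only ports: 3181/tcp
```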

View currently Active Services

To view the currently active services, issue the following command: firewall-cmd --get-services


# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Activate Panic Mode - Drop All Packets

To start dropping all incoming and outgoing packets, issue the following command: firewall-cmd --panic-on


# firewall-cmd --panic-on
success

Note: Be careful if you issue this command from a remote terminal, as you will lose the ability to enter further commands! Active connections will be terminated after a period of inactivity; the length of time depends on the individual session timeout values that are set.

Deactivate Panic Mode - Allow traffic again

To allow traffic again to pass, issue the following command to disable panic mode: firewall-cmd --panic-off


# firewall-cmd --panic-off
success

After switching panic mode off, connections may be restored depending on the length of time that panic mode was enabled for.

Display current status of Panic Mode

To check if you have panic mode set to "on" or "off", issue the following command: firewall-cmd --query-panic


# firewall-cmd --query-panic
no

The answer "yes" or "no" will be returned.

Reload the Firewall without Disruption

You can reload the firewall without interrupting the connections of users by issuing the following command: firewall-cmd --reload


# firewall-cmd --reload
success

Reload the Firewall and discard state

The following command should only be run when you are encountering severe problems with your firewall:

firewall-cmd --complete-reload


# firewall-cmd --complete-reload
success

Adding an Interface to a Zone

To add an interface to a specified zone using the firewall-cmd command, issue the following command:

firewall-cmd --zone=public --add-interface=interface_name

The following adds the interface "enp1s0" to the public zone. Amend the interface name to match your system. If you are unsure, issue the "nmcli d" command to display the available connected interfaces.


# firewall-cmd --zone=public --add-interface=enp1s0
success

If you see a warning like the one below, the interface is already bound to the specified zone.

Warning: ZONE_ALREADY_SET: 'enp1s0' already bound to 'public'

To make this setting permanent, add the --permanent option and reload the firewall.

Setting the Default Zone

To set the default zone to "public", issue the following command: firewall-cmd --set-default-zone=public


# firewall-cmd --set-default-zone=public
success

Displaying Open Ports

To list all open ports on a specified zone, issue the following command: firewall-cmd --zone=zone --list-ports

The example below is issued against the public zone.


# firewall-cmd --zone=public --list-ports

Add a port to a Zone

To add a port to a specified zone, issue the following command: firewall-cmd --zone=zone --add-port=port/protocol

Example: Allow TCP traffic through port 3181 in the public zone:


# firewall-cmd --zone=public --add-port=3181/tcp
success

# firewall-cmd --zone=public --list-ports
3181/tcp

By using the list port command, we can verify our change was successful.

To make this change Permanent, add the "--permanent" option and reload the firewall.

Adding a range of ports

To add a range of ports to a specified zone, issue the following command:

Example: Allow TCP traffic through ports 3182-3185 in the public zone:


# firewall-cmd --zone=public --add-port=3182-3185/tcp
success

# firewall-cmd --zone=public --list-ports
3181/tcp 3182-3185/tcp

By using the list port command, we can verify our change was successful.

To make this change Permanent, add the "--permanent" option and reload the firewall.

Add a Service to a Zone

To add a service to a zone, issue the following command: firewall-cmd --zone=zone --add-service=service

Example: Adding the service smtp into the work zone:


# firewall-cmd --zone=work --add-service=smtp
success

For this to be a permanent change, you need to specify the option --permanent and then reload the firewall.

Remove a Service from a Zone

To remove a specified service from a specified zone, issue the following command:

firewall-cmd --zone=zone --remove-service=service

Example: Remove the service smtp from the zone work:


# firewall-cmd --zone=work --remove-service=smtp
success

For this to be a permanent change, you need to specify the option --permanent and then reload the firewall.

Configure IP Address Masquerading

To check as to whether IP masquerading has been enabled, the following command can be issued:

firewall-cmd --zone=external --query-masquerade


# firewall-cmd --zone=external --query-masquerade
yes

If IP Masquerading is enabled, the reply "yes" will be displayed, otherwise the reply "no" will be displayed. If no zone is specified, then the default zone is used.


# firewall-cmd --query-masquerade
no

Enabling IP Masquerading for a Specified Zone

To enable IP Masquerading for a zone, issue the following command: firewall-cmd --zone=zone --add-masquerade


# firewall-cmd --zone=external --add-masquerade
success

To make the above setting permanent, add the --permanent option and reload the firewall.

Disable IP Masquerading for a Specified Zone

To disable IP Masquerading for a zone, issue the following command: firewall-cmd --zone=zone --remove-masquerade


# firewall-cmd --zone=external --remove-masquerade
success

To make the above setting permanent, add the --permanent option and reload the firewall.

Configuring Port Forwarding

To forward inbound network traffic packets from one port to an alternative port or address, first enable IP address masquerading for the zone:


# firewall-cmd --zone=zone --add-masquerade

To forward locally (to a port on the same system), issue the following command:


# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2468
success

In the above example, packets that are intended for port 22 are now forwarded to port 2468. The original destination port is specified with the port option; this can be a single port or a range of ports, together with a specified protocol.

The protocol, if specified, must be either "tcp" or "udp". The new local port or range of ports to which the traffic is forwarded is specified with the toport option. To make these settings permanent, add the --permanent option and reload the firewall.

To forward packets to an internal address, without changing the destination port, issue the following command:


# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.0.88

In the above example, the packets that are intended for port 22 are now forwarded to the same port at the specified IP address (192.168.0.88) that is passed to the toaddr parameter. The original destination port is specified with the port parameter. This option can be a port, or a range of ports, together with a protocol. The protocol, if specified, must be either "tcp" or "udp".

To make the above setting permanent, add the --permanent option and reload the firewall.

To forward packets to another port at another IPv4 address, usually an internal address, issue the following command:


# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3579:toaddr=192.168.0.88

In the above example, the packets that were intended for port 22 are now being sent to port 3579 at IP address 192.168.0.88.

To make the above setting permanent, add the --permanent option and reload the firewall.

Sources

For a full list of all options and parameters that are available for firewalld, please consult the official documentation:

Firewalld Site