Firewalld Notes

From Bitbull Wiki

1 General

Firewalld is the default firewall management tool in Red Hat Enterprise Linux 7 and all of its rebuilds (CentOS 7, Scientific Linux 7, Unbreakable Linux 7). It manages zones and services on top of the kernel packet filter, and firewall-cmd is its command-line front end.

1.1 Overview

Firewall state
    firewall-cmd --state
Reload permanent rules
    firewall-cmd --reload
Currently enabled features (all zones)
    firewall-cmd --list-all-zones
List supported zones
    firewall-cmd --get-zones
List preconfigured services
    firewall-cmd --get-services
Enabled features in the current (default) zone
    firewall-cmd --list-all
Enabled features in a zone
    firewall-cmd [--permanent] [--zone=ZONE] --list-all
Enable a service in a zone
    firewall-cmd [--permanent] [--zone=ZONE] --add-service=http
Remove a service from a zone
    firewall-cmd [--permanent] [--zone=ZONE] --remove-service=http
Enable a port in a zone
    firewall-cmd [--permanent] [--zone=ZONE] --add-port=80/tcp
Remove a port from a zone
    firewall-cmd [--permanent] [--zone=ZONE] --remove-port=80/tcp
Forward a port to a remote IP (masquerade must be enabled in the zone)
    firewall-cmd [--permanent] [--zone=external] --add-masquerade
    firewall-cmd [--permanent] [--zone=external] --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
Forward a port on the local machine
    firewall-cmd [--permanent] [--zone=external] --add-masquerade
    firewall-cmd [--permanent] [--zone=external] --add-forward-port=port=514:proto=udp:toport=1514
Enable a TCP port for a single source IP (rich rule)
    firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.88.101/32" port port="8100" protocol="tcp" accept'
Add a direct rule (raw iptables syntax in a firewalld-managed chain)
    firewall-cmd --direct --add-rule ipv4 filter OUTPUT_direct 0 -m tcp -p tcp -d 112.2.2.8/32 --dport 443 -j REJECT
Query direct rules
    firewall-cmd --direct --get-rules ipv4 filter OUTPUT_direct
Save the runtime configuration as permanent
    firewall-cmd --runtime-to-permanent
Turn panic mode on (drops all incoming and outgoing packets)
    firewall-cmd --panic-on
Turn panic mode off
    firewall-cmd --panic-off
Restart firewalld
    systemctl restart firewalld


  • Configuration is stored in /etc/firewalld (local overrides) and /usr/lib/firewalld (defaults shipped with the package); a file in /etc/firewalld takes precedence over the file of the same name in /usr/lib/firewalld
  • The default zone is public; commands without --zone=ZONE act on it
  • Adding permanent rules: with --permanent a rule is written to the configuration files only and does not affect the running firewall until firewall-cmd --reload; without --permanent it takes effect immediately but is lost on the next reload or restart unless saved with --runtime-to-permanent
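The listing commands in the table (--list-all, --list-all-zones) are the natural input for a quick exposure check. The script below is an added example, not part of the wiki page: it parses a constructed sample of that listing format and reports every service and port that an active zone opens to any source, which is the case whenever a zone's "sources:" line is empty. Zones bound to a source list (like the rdp zone on this page) and inactive zones are skipped.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the text printed by
# "firewall-cmd --list-all-zones" (or --zone=ZONE --list-all) and report
# services/ports that an *active* zone exposes to any source address.
# The listing below is constructed for this example.

sample_listing() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.88.101/32" port port="8100" protocol="tcp" accept

rdp (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 10.113.128.81
  services:
  ports: 3389/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Reads a listing on stdin; prints "ZONE ITEM" for each service or port that
# is reachable from any source (active zone, empty "sources:" line).
fw_exposed_from_listing() {
    awk '
        function flush(n, i, s, p) {
            if (zone != "" && active && sources == "") {
                n = split(services, s, " ")
                for (i = 1; i <= n; i++) print zone, s[i]
                n = split(ports, p, " ")
                for (i = 1; i <= n; i++) print zone, p[i]
            }
            zone = ""; active = 0; sources = ""; services = ""; ports = ""
        }
        # A zone block starts with an unindented line: "<name>" or "<name> (active)".
        /^[^ \t]/          { flush(); zone = $1; active = ($0 ~ /\(active\)/) }
        /^[ \t]+sources:/  { sources = substr($0, index($0, ":") + 1); gsub(/[ \t]/, "", sources) }
        /^[ \t]+services:/ { services = substr($0, index($0, ":") + 1) }
        /^[ \t]+ports:/    { ports = substr($0, index($0, ":") + 1) }
        END                { flush() }
    '
}

# Usage: sample_listing | fw_exposed_from_listing
# or, on a live host: firewall-cmd --list-all-zones | fw_exposed_from_listing
```

On the sample this prints the three services and the one port of the public zone; rdp is skipped because it is bound to a source, and trusted because it is not active. The check is deliberately narrow: it does not evaluate rich rules, forward-ports or direct rules, so treat its output as a first pass, not a complete policy review.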

1.2 Firewalld Zone Example

# --new-zone exists only in the permanent configuration, so the zone is
# created with --permanent and a reload makes it visible at runtime
firewall-cmd --new-zone=rdp --permanent
firewall-cmd --reload
# runtime changes: bind the single allowed source to the zone and open RDP in it
firewall-cmd --zone=rdp --add-source=10.113.128.81
firewall-cmd --zone=rdp --add-port=3389/tcp
# copy the runtime state into the permanent configuration
firewall-cmd --runtime-to-permanent
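The five-step recipe above is easy to mistype, and a bad zone name or source address only shows up once firewall-cmd rejects it half way through. The function below is an added example, not from the wiki page: it wraps the same sequence, validates every argument before touching the firewall, and with DRY_RUN=1 prints the commands instead of running them so the change can be reviewed first. The FIREWALL_CMD and DRY_RUN variables are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the wiki page): the "restricted zone" recipe as a
# function with input validation and a dry-run mode.

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}   # example convention, overridable

# Print the command in dry-run mode, otherwise execute it.
fw_run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# fw_zone_allow_from_source ZONE SOURCE PORT PROTO
# Creates ZONE (permanent, then reload, because --new-zone only exists in the
# permanent configuration), binds SOURCE to it, opens PORT/PROTO in it at
# runtime, then saves the runtime state with --runtime-to-permanent.
fw_zone_allow_from_source() {
    zone=$1; src=$2; port=$3; proto=$4

    # Validate every argument before any firewall-cmd call is made.
    case $zone in
        *[!A-Za-z0-9_-]*|'') echo "bad zone name: $zone" >&2; return 2 ;;
    esac
    printf '%s\n' "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
        || { echo "bad IPv4 source: $src" >&2; return 2; }
    case $port in
        *[!0-9]*|'') echo "bad port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi
    case $proto in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 2 ;;
    esac

    # Same order as the recipe on this page; stop at the first failure.
    fw_run "$FIREWALL_CMD" --permanent --new-zone="$zone" || return 1
    fw_run "$FIREWALL_CMD" --reload || return 1
    fw_run "$FIREWALL_CMD" --zone="$zone" --add-source="$src" || return 1
    fw_run "$FIREWALL_CMD" --zone="$zone" --add-port="$port/$proto" || return 1
    fw_run "$FIREWALL_CMD" --runtime-to-permanent
}

# Usage (review first, then apply):
#   DRY_RUN=1 fw_zone_allow_from_source rdp 10.113.128.81 3389 tcp
#   fw_zone_allow_from_source rdp 10.113.128.81 3389 tcp
```

The IPv4 check is a shape test only (four dotted octets plus an optional prefix length); firewall-cmd still validates the address itself when the command runs. Note that --add-source at runtime followed by --runtime-to-permanent is what persists the binding; the zone creation is the only step that has to be done with --permanent up front.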

1.3 Resources