Firewalld Notes
1 General
Firewalld is the recommended firewall in CentOS 7, Red Hat Enterprise Linux 7, Scientific Linux 7 and Unbreakable Linux 7, i.e. in RHEL 7 and all of its clones.
1.1 Overview
| Action | Command |
|---|---|
| Firewall state | firewall-cmd --state |
| Reload permanent rules | firewall-cmd --reload |
| Currently enabled features (all zones) | firewall-cmd --list-all-zones |
| List supported zones | firewall-cmd --get-zones |
| List preconfigured services | firewall-cmd --get-services |
| Enabled features in the current zone | firewall-cmd --list-all |
| Enabled features in a zone | firewall-cmd [--permanent] [--zone=ZONE] --list-all |
| Enable a service in a zone | firewall-cmd [--permanent] [--zone=ZONE] --add-service=http |
| Remove a service from a zone | firewall-cmd [--permanent] [--zone=ZONE] --remove-service=http |
| Enable a port in a zone | firewall-cmd [--permanent] [--zone=ZONE] --add-port=80/tcp |
| Remove a port from a zone | firewall-cmd [--permanent] [--zone=ZONE] --remove-port=80/tcp |
| Forward a port to a remote IP | firewall-cmd [--permanent] [--zone=external] --add-masquerade && firewall-cmd [--permanent] [--zone=external] --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55 |
| Forward a port on the local machine | firewall-cmd [--permanent] [--zone=external] --add-masquerade && firewall-cmd [--permanent] [--zone=external] --add-forward-port=port=514:proto=udp:toport=1514 |
| Enable a TCP port for a source IP | firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.88.101/32" port port="8100" protocol="tcp" accept' |
| Add a direct rule (example) | firewall-cmd --direct --add-rule ipv4 filter OUTPUT_direct 0 -m tcp -p tcp -d 112.2.2.8/32 --dport 443 -j REJECT |
| Query direct rules (example) | firewall-cmd --direct --get-rules ipv4 filter OUTPUT_direct |
| Save runtime config as permanent | firewall-cmd --runtime-to-permanent |
| Turn panic mode on | firewall-cmd --panic-on |
| Turn panic mode off | firewall-cmd --panic-off |
| Restart firewalld | systemctl restart firewalld |
- Configuration is stored in /etc/firewalld (local changes, which take precedence) and /usr/lib/firewalld (shipped defaults)
- The default zone is public, so you don't have to specify a zone on the command line when adding or removing rules
- Adding permanent rules
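The --list-all output in the table is also what you audit to confirm a zone exposes only what it should. The script below is an added example, not from the original page: it parses a constructed --list-all listing (embedded as SAMPLE_LIST_ALL so it runs without firewalld present) and reports every service or port that is not on an allowlist. The helper names field_values and audit_zone are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a zone's active
# configuration against an allowlist of services and ports.
# The listing below is a CONSTRUCTED sample in the format printed by
# `firewall-cmd --zone=public --list-all`; on a live host, pass the real
# command output instead (see the usage line at the bottom).

SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http telnet
  ports: 8100/tcp 3389/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# field_values KEY: read a --list-all listing on stdin and print the
# space-separated values of the "KEY: ..." line (empty if the key has none).
# The anchored pattern keeps "ports:" from matching "forward-ports:".
field_values() {
    awk -v key="$1" '
        BEGIN { pat = "^[ \t]*" key ":[ \t]*" }
        $0 ~ pat { sub(pat, ""); print; exit }'
}

# audit_zone LISTING ALLOWED_SERVICES ALLOWED_PORTS: print each service or
# port in LISTING that is not in the (space-separated) allowlists.
# Returns 0 when nothing unexpected is open, 1 otherwise.
audit_zone() {
    listing=$1; ok_services=$2; ok_ports=$3
    rc=0
    for svc in $(printf '%s\n' "$listing" | field_values services); do
        case " $ok_services " in
            *" $svc "*) ;;
            *) echo "unexpected service: $svc"; rc=1 ;;
        esac
    done
    for port in $(printf '%s\n' "$listing" | field_values ports); do
        case " $ok_ports " in
            *" $port "*) ;;
            *) echo "unexpected port: $port"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on the constructed sample: only ssh/http/dhcpv6-client and
# 8100/tcp are expected, so telnet and 3389/tcp are reported.
audit_zone "$SAMPLE_LIST_ALL" "dhcpv6-client ssh http" "8100/tcp" \
    || echo "zone public: unexpected entries found"
```

On a real host the call becomes `audit_zone "$(firewall-cmd --zone=public --list-all)" "ssh http" "8100/tcp"`; a non-zero exit makes it usable from cron or a configuration check, and pairing it with --list-all-zones in a loop covers every zone.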
1.2 Firewalld Zone Example
firewall-cmd --new-zone=rdp --permanent
firewall-cmd --reload
firewall-cmd --zone=rdp --add-source=10.113.128.81
firewall-cmd --zone=rdp --add-port=3389/tcp
firewall-cmd --runtime-to-permanent
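The sequence above works as typed, but when it is scripted the source address and port usually come from variables, and a bad value ends up as a firewall-cmd argument. The script below is an added example, not from the original page: it wraps the same five steps, validates the zone name, IPv4 source and port/protocol before building the commands, and prints the plan in dry-run mode. The zone name, source and port are the page's values; the helper names (valid_ipv4_cidr, valid_port, zone_commands, apply_zone) and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): create a source-restricted
# zone like the page's "rdp" zone, validating inputs before they reach
# firewall-cmd. Helper names and DRY_RUN are assumptions of this example.

# valid_ipv4_cidr ADDR[/PREFIX]: 0 if ADDR is a dotted quad and PREFIX is 0-32
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}                      # equals $1 when there is no slash
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|.*|*.) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr                        # split on dots only
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port NUMBER/PROTO: 0 if NUMBER is 1-65535 and PROTO is tcp or udp
valid_port() {
    num=${1%/*}; proto=${1#*/}
    [ "$proto" = tcp ] || [ "$proto" = udp ] || return 1
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" -ge 1 ] && [ "$num" -le 65535 ]
}

# zone_commands ZONE SOURCE PORT: print, one per line, the firewall-cmd calls
# of the page's example (permanent zone, reload, runtime rules, save).
zone_commands() {
    zone=$1; src=$2; port=$3
    case "$zone" in ''|*[!a-zA-Z0-9_-]*) echo "bad zone name: $zone" >&2; return 1 ;; esac
    valid_ipv4_cidr "$src" || { echo "bad source address: $src" >&2; return 1; }
    valid_port "$port"     || { echo "bad port: $port" >&2; return 1; }
    printf '%s\n' \
        "firewall-cmd --permanent --new-zone=$zone" \
        "firewall-cmd --reload" \
        "firewall-cmd --zone=$zone --add-source=$src" \
        "firewall-cmd --zone=$zone --add-port=$port" \
        "firewall-cmd --runtime-to-permanent"
}

# apply_zone ZONE SOURCE PORT: run the commands (stopping at the first
# failure) and show the resulting zone; with DRY_RUN set, only print them.
apply_zone() {
    cmds=$(zone_commands "$@") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    printf '%s\n' "$cmds" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1                  # inputs are validated, so plain splitting is safe
    done || return 1
    firewall-cmd --zone="$1" --list-all # verify what is actually active
}

# Demonstration: print the plan for the page's rdp zone without touching firewalld.
( DRY_RUN=1; apply_zone rdp 10.113.128.81 3389/tcp )
```

Run with DRY_RUN unset (as root) to execute the plan; the final --list-all call confirms that the zone carries exactly the one source and one port, which is the check worth keeping in any automation around firewalld.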