Firewalld is the firewall management tool introduced in RHEL 7, and you will be happy to know that it covers IPv4, IPv6 and ebtables settings. Firewalld interacts with netfilter to inspect, analyze or modify incoming, outgoing or forwarded network packets.
In this tutorial we will learn about some very useful firewalld commands which will make your life easier as a Linux system administrator. This is also very important from the RHCE certification point of view and is one of its objectives.
"firewalld" can mainly be configured in two ways: through the graphical interface, which is invoked with the "firewall-config" command, or from the command line with the "firewall-cmd" command.
In this tutorial I will discuss the "firewall-cmd" command and cover some of the important, daily-use commands with examples.
Useful directories: /usr/lib/firewalld/ and /etc/firewalld/
firewalld config file: /etc/firewalld/firewalld.conf
Important and useful firewalld Commands for Administrators
1. firewall-cmd --state
This is a very basic firewalld command and is used to check the state of the service. You can also check the state with the systemctl command.
[root@client10 ~]# firewall-cmd --state
running
[root@client10 ~]#
2. firewall-cmd --reload
This command reloads the firewall and keeps the state information. Use it when you want the server to re-read its configuration files after making any changes. The best example would be after adding a service permanently.
[root@client10 ~]# firewall-cmd --reload
success
[root@client10 ~]#
Note: You can also use the option "--complete-reload" to reload the firewall and lose the state information. So do note the difference between a simple reload and a complete reload.
3. firewall-cmd --permanent
This option sets a firewall rule for a service permanently; the change is written to the configuration files and only takes effect once the firewall is reloaded, the firewalld service is restarted or the server is rebooted.
[root@client10 ~]# firewall-cmd --permanent --add-service=nfs
success
[root@client10 ~]# firewall-cmd --reload
success
The above example shows the NFS service being added to the firewall rules permanently. Without it NFS sharing won't work. I am not joking, TRY IT!
4. firewall-cmd --get-zones
This command lists the predefined zones. See the example below.
[root@client10 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@client10 ~]#
5. firewall-cmd --get-default-zone
If you want to see what the default zone for connections and interfaces will be, this is the command you should use.
[root@client10 ~]# firewall-cmd --get-default-zone
public
[root@client10 ~]#
The above command prints the default zone, which is "public".
6. firewall-cmd --get-active-zones
This command lists the zones that are currently active on your system, along with the interfaces bound to each of them.
[root@client10 ~]# firewall-cmd --get-active-zones
public
  interfaces: eno16777736 eno33554960 team0
[root@client10 ~]#
If other interfaces are active in some other zone, they will also be displayed in the above output.
7. firewall-cmd --set-default-zone=zone
If you want to change the default zone, use this command. When connections and interfaces are added to the firewall, this will be their default zone.
[root@client10 ~]# firewall-cmd --set-default-zone=work
success
[root@client10 ~]# firewall-cmd --get-default-zone
work
[root@client10 ~]#
In the above example I have set "work" as the default zone. This can also be done by editing the firewalld configuration file (the DefaultZone setting in /etc/firewalld/firewalld.conf).
8. firewall-cmd --list-all-zones
This command prints a detailed report about all the zones that are available or enabled. Check the output below for a clearer picture.
[root@client10 ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

internal
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public
  interfaces:
  sources:
  services: dhcpv6-client http mysql nfs ssh
  ports: 3306/tcp 3260/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

trusted
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work (default, active)
  interfaces: eno16777736 eno33554960 team0
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@client10 ~]#
If you take a good look at the above output you can see that the "nfs" service is listed in the public zone, where we added it earlier.
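The report above is exactly what an administrator reads through when checking which zones expose a service or a port. The script below is an added example (not part of this article or of the firewalld project) that does that check automatically: it parses the text format of "firewall-cmd --list-all-zones" and prints every zone whose services, ports, masquerade or interfaces line contains a given value. The embedded SAMPLE_ZONES text is a trimmed copy of the output shown above, so the script also runs on a machine without firewalld; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article): find which zones expose a given
# service, port or setting by parsing "firewall-cmd --list-all-zones" output.

# Trimmed copy of the --list-all-zones output shown earlier in this article,
# embedded so the audit also runs on a machine without firewalld.
SAMPLE_ZONES=$(cat <<'EOF'
dmz
  interfaces:
  services: ssh
  ports:
  masquerade: no

external
  interfaces:
  services: ssh
  ports:
  masquerade: yes

home
  interfaces:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no

public
  interfaces:
  services: dhcpv6-client http mysql nfs ssh
  ports: 3306/tcp 3260/tcp
  masquerade: no

work (default, active)
  interfaces: eno16777736 eno33554960 team0
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
EOF
)

# zones_exposing ATTRIBUTE VALUE
#   Reads --list-all-zones text on stdin and prints every zone whose
#   ATTRIBUTE line (services, ports, masquerade, interfaces, ...) lists VALUE.
zones_exposing() {
  awk -v attr="$1:" -v want="$2" '
    # a zone header has no colon and sits at column 0, e.g. "work (default, active)"
    NF > 0 && $0 !~ /:/ { zone = $1; next }
    # attribute lines are "name: value value ..."; match any value exactly
    $1 == attr { for (i = 2; i <= NF; i++) if ($i == want) print zone }
  '
}

# list_zones: live output when firewalld is installed, the sample otherwise
list_zones() {
  if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --list-all-zones
  else
    printf '%s\n' "$SAMPLE_ZONES"
  fi
}

# Usage: which zones allow nfs, which ones masquerade, which ones open 3306/tcp
echo "zones with nfs:";      list_zones | zones_exposing services nfs
echo "zones masquerading:";  list_zones | zones_exposing masquerade yes
echo "zones with 3306/tcp:"; list_zones | zones_exposing ports 3306/tcp
```

On the sample, "zones_exposing services nfs" prints only public, matching what the article points out, and "zones_exposing masquerade yes" prints external. Because only the zone that is bound to an interface or source actually filters traffic, combine this with "firewall-cmd --get-active-zones" to decide whether an exposed service matters.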
9. firewall-cmd --add-service
This command adds a service to a zone. If no zone is mentioned, the service is added to the default zone.
[root@client10 ~]# firewall-cmd --permanent --add-service=nfs
success
The above command adds the "nfs" service to the default zone.
[root@client10 ~]# firewall-cmd --zone=home --add-service=nfs
success
The above command adds the "nfs" service to the "home" zone.
Do not forget to reload the firewalld service after you make any changes so that the configuration files are re-read. To make this setting permanent, use "--permanent" with the above command.
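A rule added without "--permanent" exists only in the running firewall and disappears on the next reload, while a rule added only with "--permanent" is not active until a reload happens. The script below is an added example (not from this article or the firewalld project) that compares the runtime and permanent service lists of a zone, as returned by "firewall-cmd --zone=ZONE --list-services" and "firewall-cmd --zone=ZONE --permanent --list-services", and reports both kinds of drift. The function names and the sample service lists are my own construction.

```shell
#!/bin/sh
# Added example (not from the article): spot drift between the runtime and the
# permanent service list of a zone. Runtime-only entries disappear on the next
# reload; permanent-only entries are not active until one.

# only_in_first "LIST_A" "LIST_B": items of space-separated LIST_A that are
# not in LIST_B, printed space-separated (word splitting is intentional)
only_in_first() {
  out=""
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;          # present in both lists, ignore
      *) out="$out $item" ;;
    esac
  done
  printf '%s' "${out# }"
}

# report_drift ZONE "RUNTIME_SERVICES" "PERMANENT_SERVICES"
#   prints one line per kind of drift; returns 0 only when both lists agree
report_drift() {
  zone=$1
  runtime_only=$(only_in_first "$2" "$3")
  permanent_only=$(only_in_first "$3" "$2")
  if [ -n "$runtime_only" ]; then
    echo "zone $zone: runtime-only (lost on reload): $runtime_only"
  fi
  if [ -n "$permanent_only" ]; then
    echo "zone $zone: permanent-only (inactive until reload): $permanent_only"
  fi
  [ -z "$runtime_only" ] && [ -z "$permanent_only" ]
}

# check_zone_live ZONE: query both views with firewall-cmd and compare them
check_zone_live() {
  report_drift "$1" \
    "$(firewall-cmd --zone="$1" --list-services)" \
    "$(firewall-cmd --zone="$1" --permanent --list-services)"
}

if command -v firewall-cmd >/dev/null 2>&1; then
  # zone names sit at column 0 in --get-active-zones output, interfaces are indented
  for z in $(firewall-cmd --get-active-zones | grep -v '^ '); do
    check_zone_live "$z" || echo "zone $z needs --permanent and/or --reload"
  done
else
  # Constructed sample: nfs was added at runtime only, mysql only permanently
  report_drift public "dhcpv6-client ssh nfs" "dhcpv6-client ssh mysql" \
    || echo "zone public needs --permanent and/or --reload"
fi
```

Run it before a planned reload or reboot: any "runtime-only" line is a rule that will silently vanish, and any "permanent-only" line is a rule that will silently appear.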
10. firewall-cmd --remove-service
This command removes a service from a zone. If no zone name is given, the default zone is used.
[root@client10 ~]# firewall-cmd --remove-service=nfs
success
The above command removes the "nfs" service from the default zone.
[root@client10 ~]# firewall-cmd --zone=home --remove-service=nfs
success
The above command removes the "nfs" service from the "home" zone.
11. firewall-cmd --add-port
This command adds a port to a particular zone. If no zone is given, the default zone is selected automatically.
The command below adds a port to the default zone.
[root@client10 ~]# firewall-cmd --add-port=443/tcp
success
The command below adds a port to the work zone.
[root@client10 ~]# firewall-cmd --add-port=443/tcp --zone=work
success
12. firewall-cmd --remove-port
This is just the opposite of "add-port" and is used to remove an already added port from a particular zone. If no zone is given, the default zone is taken.
The command below removes a port from the default zone.
[root@client10 ~]# firewall-cmd --remove-port=443/tcp
success
The command below removes a port from the work zone.
[root@client10 ~]# firewall-cmd --remove-port=443/tcp --zone=work
success
Note: Don't forget to check the man pages of firewalld:
man firewalld
man firewall-cmd
man firewalld.richlanguage
man firewalld.direct
These were some of the very basic and useful "firewalld commands" which can be very helpful in daily system administration tasks.
There are many other variants of this command which are more complex and will be discussed in later tutorials. I hope you liked the article; if you have any issue, let us know through your comments. Do not forget to share this article on your social network and subscribe to our newsletter for more tutorials.