Modify firewalld using the FIREWALL-CMD command in Linux


Install firewalld with the distribution's package manager if it is not already present (it is the default firewall on RHEL, CentOS and Fedora).

~]# apt-get install firewalld
~]# yum install firewalld

 

Enable firewalld so it starts at boot, start it now, and confirm it is active and running. firewalld and the legacy iptables service conflict with each other; stop and mask the iptables service first if it is installed.

~]# systemctl enable firewalld
~]# systemctl start firewalld
~]# systemctl status firewalld

 


Zones

firewalld groups rules into zones, such as public, internal and dmz, each representing a level of trust with its own set of allowed services, ports and rules. Incoming traffic is assigned to a zone by the interface it arrives on or by its source address, and each interface belongs to exactly one zone. For example, the public zone can be bound to eth0 and allow only HTTP, while the internal zone is bound to eth1 and allows both HTTP and SSH.

 

One of the most useful commands is firewall-cmd --list-all, which shows the running configuration of a zone. If no zone is specified, the default zone is shown; in this example, public is the default zone. Add --permanent to see the saved configuration instead of the running one.

~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

 

The --zone=zone_name option can be used to display the settings for a specific zone.

~]# firewall-cmd --list-all --zone=internal
. . .

 

Zones are defined in XML files in /usr/lib/firewalld/zones/ (the defaults shipped with the package) and /etc/firewalld/zones/ (local configuration, which takes precedence). Do not edit the files under /usr/lib/firewalld/zones/; they are replaced on upgrade. The first time a zone is changed with --permanent, firewalld copies its file to /etc/firewalld/zones/ and edits it there; these copies may also be edited by hand, followed by firewall-cmd --reload. A zone with no file in /etc/firewalld/zones/ is still at its shipped defaults. Changes made without --permanent are runtime only and are not written to either directory.

The default zone can be changed using the --set-default-zone=zone_name option; the change applies immediately and is also saved. In this example, the default zone is set to dmz.

~]# firewall-cmd --set-default-zone=dmz

 

Or, set DefaultZone=zone_name in /etc/firewalld/firewalld.conf and reload firewalld.

DefaultZone=dmz

 

For interfaces configured through the legacy network scripts, ZONE=zone_name in the /etc/sysconfig/network-scripts/ifcfg-xxxxxxx file binds that interface to the zone. Note that this does not change the default zone; it assigns one interface. The NetworkManager equivalent is the connection.zone property of the connection profile.

ZONE=public

 

Instead of --list-all, you can query a single item:

  • --list-ports
  • --list-protocols
  • --info-service=service_name
  • --query-masquerade

 


Interface

The --add-interface=interface_name option binds an interface to a zone. An interface can belong to only one zone, so use --change-interface to move an interface that is already bound elsewhere. In this example, eth0 is bound to the public zone. Add --permanent to keep the binding across reloads; for interfaces managed by NetworkManager the zone is stored in the connection profile, which can also be set with nmcli connection modify <connection> connection.zone public.

~]# firewall-cmd --zone=public --add-interface=eth0

 


Service

The --add-service=service_name option allows connections to a predefined service, such as SMTP. With --permanent the change is written to the zone file and takes effect at the next reload; without it the running firewall changes immediately, but the change is lost on reload or restart.

~]# firewall-cmd --zone=work --add-service=smtp --permanent

 

Each predefined service has an XML file in /usr/lib/firewalld/services/ listing the ports and protocols it uses; firewall-cmd --info-service=service_name shows the same information. Custom services belong in /etc/firewalld/services/ and can be created with --permanent --new-service=service_name. For example, ssh.xml opens TCP port 22 (the description element of the real file is omitted here).

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>

 


Ports

The --add-port=port_number/protocol option allows connections on a port, or a range such as 5000-5010/tcp, for which no predefined service fits. This is typically used when a service does not listen on its default port, such as HTTP on 8080. In this example, TCP port 12345 is opened in the dmz zone.

~]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
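The two-zone layout sketched in the Zones section (public on eth0, internal on eth1), built with the interface, service and port options above as one set of permanent changes followed by a single reload. This is an added example and not code from the original page: the interface names, the service lists (HTTPS is added to public here) and the 8080/tcp port are illustrative assumptions, and the script prints the commands it would run unless APPLY=1 is set, so the plan can be reviewed before it touches the firewall.

```shell
#!/bin/sh
# Added example, not part of the original page: build the two-zone layout from
# the Zones section with permanent rules, then activate them with one reload.
# Interface names (eth0, eth1), the service lists and port 8080/tcp are
# illustrative assumptions.

# Every firewall-cmd call goes through fw(); with DRY_RUN=1 it prints the
# command (unquoted) instead of running it.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# configure_zone ZONE IFACE "SERVICES" "PORTS"
# --change-interface moves the interface even if it is already bound to another
# zone (--add-interface fails with ZONE_CONFLICT in that case). --permanent edits
# only the saved zone file under /etc/firewalld/zones/, so nothing takes effect
# until --reload.
configure_zone() {
    zone=$1 iface=$2 services=$3 ports=$4
    fw --permanent --zone="$zone" --change-interface="$iface"
    for s in $services; do
        fw --permanent --zone="$zone" --add-service="$s"
    done
    for p in $ports; do
        fw --permanent --zone="$zone" --add-port="$p"
    done
}

main() {
    configure_zone public   eth0 "http https" ""          # internet-facing: web only
    configure_zone internal eth1 "http ssh"   "8080/tcp"  # trusted LAN: web, ssh, an app on 8080
    fw --set-default-zone=public   # interfaces bound nowhere else land in public
    fw --reload                    # load the permanent config without dropping connections
}

# Safe by default: print the plan. Run with APPLY=1 to execute against firewalld.
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1
main
```

Run it once without APPLY to read the generated firewall-cmd lines, then with APPLY=1 as root. Because every change is made with --permanent and applied by one --reload at the end, a half-applied state is never active on the running firewall.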

 


Protocol

The --add-protocol=protocol_name option allows all traffic of a given IP protocol, regardless of port. The name must be one listed in /etc/protocols (for example esp, ah, gre or igmp); application protocols such as SMB or HTTP are not valid here and are opened with --add-service or --add-port instead. In this example, GRE is allowed in the dmz zone.

~]# firewall-cmd --zone=dmz --add-protocol=gre --permanent

 


Masquerade

The --add-masquerade option enables IPv4 masquerading (source NAT) for a zone: traffic forwarded out through the zone's interfaces leaves with this server's address, hiding the hosts behind it. It is typically used on the Internet-facing zone; the predefined external zone already has it enabled.

~]# firewall-cmd --zone=external --add-masquerade --permanent

 


Port Forwarding

Use --add-forward-port=port=xx:proto=xxx:toport=xx[:toaddr=a.b.c.d] to redirect traffic arriving on one port. Redirecting to another port on the same host needs no masquerading. In this example, connections to TCP port 22 are redirected to port 12345 on the same server, where an SSH daemon is expected to be listening.

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=12345 --permanent

 

To forward to another host, add toaddr= with the target address. Masquerading must be enabled in the zone for this case, so that the return traffic passes back through this server.

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=12345:toaddr=10.1.2.3 --permanent
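Both forwarding cases as an added example (not code from the original page), using the page's illustrative values external, 22, 12345 and 10.1.2.3: forwarding to another host first enables masquerading if the permanent zone configuration lacks it, while the local redirect skips that step. Commands are printed rather than executed unless APPLY=1 is set; that dry-run behaviour is an assumption of this script.

```shell
#!/bin/sh
# Added example, not part of the original page: forward TCP 22 arriving in the
# external zone to port 12345 on another host (10.1.2.3, the page's example
# address). Forwarding to a different host needs masquerading in that zone so
# the replies come back through this server; a local redirect (toport without
# toaddr) does not.

# fw(): run firewall-cmd, or with DRY_RUN=1 print the command instead. In dry-run
# mode any --query-* call reports "not set" so the printed plan is the full one.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
        case "$*" in *--query-*) return 1 ;; esac
    else
        firewall-cmd "$@"
    fi
}

# forward_to_host ZONE PORT PROTO TOPORT TOADDR
# Enables masquerading only if the permanent zone config does not have it yet,
# then adds the forward rule with toport=...:toaddr=... and reloads.
forward_to_host() {
    zone=$1 port=$2 proto=$3 toport=$4 toaddr=$5
    if ! fw --permanent --zone="$zone" --query-masquerade >/dev/null 2>&1; then
        fw --permanent --zone="$zone" --add-masquerade
    fi
    fw --permanent --zone="$zone" \
        --add-forward-port="port=$port:proto=$proto:toport=$toport:toaddr=$toaddr"
    fw --reload
}

# redirect_local ZONE PORT PROTO TOPORT: same host, so no toaddr and no masquerade.
redirect_local() {
    zone=$1 port=$2 proto=$3 toport=$4
    fw --permanent --zone="$zone" --add-forward-port="port=$port:proto=$proto:toport=$toport"
    fw --reload
}

# Safe by default: print the plan. Run with APPLY=1 to execute against firewalld.
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1
forward_to_host external 22 tcp 12345 10.1.2.3
```

The --query-masquerade check is what keeps the function idempotent on a zone such as external, where masquerading is already on; the dry run deliberately assumes it is off so the printed plan shows every command that could be needed.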

 


Lock down

Lockdown restricts changes to the firewall over D-Bus to the programs on a whitelist, so that local services running as root cannot silently open ports. Turn it on with --lockdown-on; the setting is persisted as Lockdown=yes in /etc/firewalld/firewalld.conf, and --lockdown-off and --query-lockdown are the counterparts.

~]# firewall-cmd --lockdown-on

 

Once lockdown is on, any program not on the whitelist is refused, firewall-cmd itself included:

~]# firewall-cmd --add-service=dhcp --permanent
Error: ACCESS_DENIED: lockdown is enabled

 

Whitelist firewall-cmd before enabling lockdown; once locked out, the only way back is to set Lockdown=no in /etc/firewalld/firewalld.conf (or add the entry to /etc/firewalld/lockdown-whitelist.xml by hand) and restart firewalld. The entry must match the command line firewalld sees for the D-Bus caller: the interpreter from the first line of /usr/bin/firewall-cmd followed by the script path, which varies between distributions. The example below is for a system whose firewall-cmd runs under /usr/bin/python -Es; the trailing * admits any arguments. Run firewall-cmd --reload afterwards so the whitelist takes effect. Entries can also name users, UIDs and SELinux contexts (--add-lockdown-whitelist-user, -uid, -context).

~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*' --permanent
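The lockout-safe ordering as an added example that is not from the original page: derive the whitelist entry from the interpreter named on the first line of firewall-cmd, activate it with a reload, and only then enable lockdown. The fallback interpreter /usr/bin/python3 -Es and the dry-run behaviour (commands are printed unless APPLY=1 is set) are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the original page: enable lockdown without locking
# yourself out. The whitelist entry is added and made live BEFORE lockdown is
# switched on. The interpreter is read from firewall-cmd's own shebang because
# the whitelist must match the command line firewalld sees for the D-Bus caller,
# which differs between distributions (python, python3, platform-python).

# fw(): run firewall-cmd, or with DRY_RUN=1 print the command (unquoted) instead.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# whitelist_pattern [SCRIPT]
# "#!/usr/bin/python3 -Es" in SCRIPT -> "/usr/bin/python3 -Es /usr/bin/firewall-cmd*"
# Falls back to an assumed "/usr/bin/python3 -Es" when SCRIPT has no readable
# shebang. If firewall-cmd uses "#!/usr/bin/env ...", check the real command
# line with `ps -o args= -p <pid>` while it runs and adjust the pattern by hand.
whitelist_pattern() {
    script=${1:-/usr/bin/firewall-cmd}
    shebang=$(head -n 1 "$script" 2>/dev/null || true)
    case $shebang in
        '#!'*) set -- ${shebang#'#!'} ;;   # split interpreter and flags, normalising whitespace
        *)     set -- ;;
    esac
    interp=$*
    [ -n "$interp" ] || interp='/usr/bin/python3 -Es'
    printf '%s %s*\n' "$interp" "$script"
}

# enable_lockdown [SCRIPT]: whitelist firewall-cmd, reload so the whitelist is
# live, then lock. --lockdown-on is persisted as Lockdown=yes in firewalld.conf.
enable_lockdown() {
    fw --permanent --add-lockdown-whitelist-command="$(whitelist_pattern "$1")"
    fw --reload
    fw --lockdown-on
}

# Safe by default: print the plan. Run with APPLY=1 to execute against firewalld.
[ "${APPLY:-0}" = 1 ] || DRY_RUN=1
enable_lockdown
```

After APPLY=1, firewall-cmd --query-lockdown should print yes and firewall-cmd --list-lockdown-whitelist-commands should show the generated pattern; if firewall-cmd is refused at that point, the pattern did not match and the recovery is the Lockdown=no edit described above.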

 


Reloading

Changes made with --permanent are written to the files under /etc/firewalld/ but do not touch the running firewall until it is reloaded; changes made without --permanent take effect immediately but are discarded on reload or restart. A safe workflow is to apply a rule at runtime first, verify it, and then copy the running configuration to disk with firewall-cmd --runtime-to-permanent. To activate permanent changes there are two options: --reload re-reads the configuration while keeping established connections and their state; --complete-reload also resets the netfilter state, which drops active connections, and is only needed when the firewall has got into an inconsistent state.

~]# firewall-cmd --reload
~]# firewall-cmd --complete-reload

 


