FreeKB - Modify firewalld using the FIREWALL-CMD command in Linux

Use apt-get (Debian and Ubuntu) or yum (RHEL, CentOS and Fedora) to install firewalld. On recent Red Hat-family releases it is installed and enabled by default.

~]# apt-get install firewalld
~]# yum install firewalld


Start and enable firewalld, and ensure firewalld is active and running. On a host you administer over SSH, make sure the zone the interface will land in permits your session before starting the service (the packaged public zone allows ssh by default), otherwise you lock yourself out.

~]# systemctl enable firewalld
~]# systemctl start firewalld
~]# systemctl status firewalld



Firewalld uses zones, such as public, internal, and dmz. Each zone has its own unique set of rules. For example, public zone can be bound to eth0 and only allow HTTP, and internal zone can be bound to eth1 and allow both HTTP and SSH.


One of the most useful commands is firewall-cmd --list-all. If a zone is not specified, the default zone is displayed. In this example, public is the default zone. The output below is abbreviated: the real listing starts with a line naming the zone, followed by (active) when an interface or source is bound to it.

~]# firewall-cmd --list-all
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: https
  masquerade: no
  rich rules:


The --zone=zone_name option can be used to display the settings for a specific zone.

~]# firewall-cmd --list-all --zone=internal
. . .


Each zone is defined in an .xml file under /usr/lib/firewalld/zones/ (the copies shipped by the package) or /etc/firewalld/zones/ (local changes). Do not edit the files in /usr/lib/firewalld/zones/: a package update overwrites them, and a file of the same name in /etc/firewalld/zones/ shadows them anyway. When a permanent change is made to a zone, firewalld writes the zone's .xml file to /etc/firewalld/zones/, copying the packaged definition first if needed; runtime-only changes are not written to any file. If /etc/firewalld/zones/ contains no file for a zone, no permanent change has been made to that zone. The files in /etc/firewalld/zones/ can be edited by hand, followed by firewall-cmd --reload.

The default zone can be changed using the --set-default-zone=zone_name option. The change is applied immediately and also written to the permanent configuration, and interfaces that are not explicitly assigned to a zone follow the default zone. In this example, the default zone is set to dmz.

~]# firewall-cmd --set-default-zone=dmz


Or, set DefaultZone=zone_name (for example DefaultZone=dmz) in /etc/firewalld/firewalld.conf and reload firewalld.



Or, on older Red Hat-family systems that use network scripts, add ZONE=zone_name to the interface's /etc/sysconfig/network-scripts/ifcfg-xxxxxxx file. On systems managed by NetworkManager, set the zone on the connection instead with nmcli connection modify connection_name connection.zone zone_name.



Instead of using --list-all, you can list a single item of a zone, or query one setting.

  • --list-services
  • --list-ports
  • --list-protocols
  • --query-masquerade

Note that --info-service=service_name shows the definition of a service (its ports and protocols), not whether a zone allows it.



The --add-interface=interface_name option binds an interface to a zone. An interface can belong to only one zone, so use --change-interface to move an interface that is already bound elsewhere. Without --permanent the binding lasts only until the next reload or restart (on NetworkManager hosts, the connection's zone setting is what persists). In this example, eth0 is bound to the public zone.

~]# firewall-cmd --zone=public --add-interface=eth0



The --add-service=service_name option allows connections to a certain service, such as SMTP. With --permanent the change is written to the zone's .xml file but is not applied until firewall-cmd --reload; without --permanent it is applied immediately but lost at the next reload. To get both, run the command twice, once with and once without --permanent, or make the runtime change and then run firewall-cmd --runtime-to-permanent.

~]# firewall-cmd --zone=work --add-service=smtp --permanent


Each service has an XML file under /usr/lib/firewalld/services/ that lists the ports and protocols the service uses; a file of the same name in /etc/firewalld/services/ overrides it, and that is also where custom service definitions go. For example, ssh.xml opens port 22 over TCP (the description element is omitted here).

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>
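The two lookup rules above (a file under /etc/firewalld shadows the packaged copy under /usr/lib/firewalld, and a zone's services resolve to the ports in the service XML) are easy to get wrong when auditing a host by eye. The following Python script is an added example, not code from the original page or from the firewalld project: it resolves a zone to the set of ports and IP protocols it actually admits, applying that precedence for both zones and services. The sample zone and service files are constructed in a temporary directory so the script runs without firewalld installed; the local ssh.xml that moves SSH to port 2222 is an assumed customization, not a packaged default.

```python
"""Resolve what a firewalld zone actually opens, from its XML definitions.

Added example, not part of the original page or of firewalld itself. It
applies the lookup order firewalld uses: a file under
/etc/firewalld/{zones,services} shadows the packaged copy under
/usr/lib/firewalld/{zones,services}. The sample files below are
constructed; point the functions at the real directories on a host.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

ETC_DIR = "/etc/firewalld"
LIB_DIR = "/usr/lib/firewalld"

# Constructed sample tree. The etc/ copies stand in for local edits: public.xml
# adds https, 8080/tcp and a local port forward, and the assumed local ssh.xml
# moves the ssh service to port 2222 for every zone that uses it.
SAMPLE_FILES = {
    "lib/zones/public.xml": '<zone><short>Public</short><service name="ssh"/></zone>',
    "lib/zones/dmz.xml": '<zone><short>DMZ</short><service name="ssh"/></zone>',
    "etc/zones/public.xml": (
        '<zone><short>Public</short><service name="ssh"/><service name="https"/>'
        '<port protocol="tcp" port="8080"/>'
        '<forward-port port="22" protocol="tcp" to-port="12345"/></zone>'
    ),
    "lib/services/ssh.xml": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "lib/services/https.xml": '<service><short>HTTPS</short><port protocol="tcp" port="443"/></service>',
    "etc/services/ssh.xml": '<service><short>SSH</short><port protocol="tcp" port="2222"/></service>',
}


def find_xml(kind, name, etc_dir=ETC_DIR, lib_dir=LIB_DIR):
    """Path firewalld would load for a zone or service: /etc wins over /usr/lib."""
    for base in (etc_dir, lib_dir):
        path = os.path.join(base, kind, name + ".xml")
        if os.path.isfile(path):
            return path
    raise FileNotFoundError(f"no {kind} definition named {name!r}")


def service_openings(name, etc_dir=ETC_DIR, lib_dir=LIB_DIR):
    """Set of (protocol, port) a service opens; IP protocols use port '*'."""
    root = ET.parse(find_xml("services", name, etc_dir, lib_dir)).getroot()
    opened = {(p.get("protocol"), p.get("port")) for p in root.iter("port")}
    opened |= {(p.get("value"), "*") for p in root.iter("protocol")}
    return opened


def zone_openings(zone, etc_dir=ETC_DIR, lib_dir=LIB_DIR):
    """Everything a zone admits once its services are resolved to ports."""
    path = find_xml("zones", zone, etc_dir, lib_dir)
    root = ET.parse(path).getroot()
    info = {
        "source": path,
        "target": root.get("target", "default"),
        "masquerade": root.find("masquerade") is not None,
        "open": set(),
        "forward_ports": [],
    }
    for svc in root.findall("service"):
        info["open"] |= service_openings(svc.get("name"), etc_dir, lib_dir)
    info["open"] |= {(p.get("protocol"), p.get("port")) for p in root.findall("port")}
    info["open"] |= {(p.get("value"), "*") for p in root.findall("protocol")}
    for fwd in root.findall("forward-port"):
        info["forward_ports"].append(
            {k: fwd.get(k, "") for k in ("port", "protocol", "to-port", "to-addr")})
    return info


def build_sample_tree(base):
    """Write SAMPLE_FILES under base; returns (etc_dir, lib_dir)."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return os.path.join(base, "etc"), os.path.join(base, "lib")


def audit_sample():
    """Resolve the constructed public and dmz zones (used by the demo and tests)."""
    with tempfile.TemporaryDirectory() as tmp:
        etc_dir, lib_dir = build_sample_tree(tmp)
        return {z: zone_openings(z, etc_dir, lib_dir) for z in ("public", "dmz")}


if __name__ == "__main__":
    for zone, info in audit_sample().items():
        print(f"{zone}: from {info['source']}")
        for proto, port in sorted(info["open"]):
            print(f"  {proto}/{port}")
        for fwd in info["forward_ports"]:
            print(f"  forward {fwd['port']}/{fwd['protocol']} -> {fwd['to-addr'] or 'local'}:{fwd['to-port']}")
```

Running the script shows the point the text makes: public resolves from the copy in etc/, while dmz, which was never changed, still comes from lib/; and because the local ssh.xml shadows the packaged one, both zones now admit 2222/tcp rather than 22/tcp. Overriding a service definition therefore changes every zone that references it, which is worth checking before dropping a custom file into /etc/firewalld/services/.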



The --add-port=port_number/protocol option opens a port number directly. This is typically used when a service is not listening on its default port, such as a web server on 8080 instead of 80, or when no service definition exists for it. A range can be given as first-last, for example 8000-8010/tcp. In this example, TCP port 12345 is opened in the dmz zone.

~]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent



The --add-protocol=protocol_name option allows an IP protocol that does not use ports, such as GRE or ESP; the name must be one listed in /etc/protocols. It is not for application protocols such as SMB, which run over TCP and are opened with --add-service (for example --add-service=samba) or --add-port. In this example, GRE is allowed in the dmz zone.

~]# firewall-cmd --zone=dmz --add-protocol=gre --permanent



The --add-masquerade option enables IPv4 masquerading (source NAT) for traffic leaving through the zone's interfaces, which is what a host routing for a private network needs. The packaged external zone already has masquerade enabled.

~]# firewall-cmd --zone=external --add-masquerade --permanent


Port Forwarding

Use --add-forward-port=port=xx:proto=xxx:toport=xx to redirect traffic arriving on one port to another port on the same host; masquerade is not needed for this case. In this example, traffic arriving on TCP port 22 in the external zone is redirected to port 12345, where an SSH service on the same server is listening.

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=12345 --permanent


To forward to another server, add the destination with toaddr=. Masquerade must be enabled on the zone for this, so that the reply traffic returns through this host. toport may be omitted to keep the same port.

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=xx:toaddr=x.x.x.x --permanent


Check the result with --list-forward-ports, and keep in mind that every forward-port publishes its destination to whatever can reach the zone.
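The page inspects one zone at a time with --list-all; firewall-cmd --list-all-zones prints every zone in the same format, which is the natural input for an audit. The Python script below is an added example, not code from the original page or from firewalld: it parses that output and flags the settings discussed in the sections above that deserve a second look, namely an active zone whose target is ACCEPT, a forward-port to another host on a zone with masquerade off, and a rich rule that accepts from any source. SAMPLE_OUTPUT is constructed and abbreviated to match the command's format (a zone header, two-space-indented key: value lines, and tab-indented continuation items as newer releases print for forward-ports and rich rules); on a real host replace it with the captured command output.

```python
"""Audit `firewall-cmd --list-all-zones` output for settings worth a second look.

Added example, not part of the original page or of firewalld. SAMPLE_OUTPUT is
constructed (and abbreviated) to match the command's format; on a real host use
subprocess.run(["firewall-cmd", "--list-all-zones"], capture_output=True,
text=True, check=True).stdout instead.
"""
import re

SAMPLE_OUTPUT = (
    "public (active)\n"
    "  target: default\n"
    "  interfaces: eth0\n"
    "  sources:\n"
    "  services: https ssh\n"
    "  ports: 8080/tcp\n"
    "  masquerade: no\n"
    "  forward-ports: port=22:proto=tcp:toport=12345:toaddr=\n"
    "  rich rules:\n"
    '\trule family="ipv4" source address="0.0.0.0/0" service name="ssh" accept\n'
    "\n"
    "external (active)\n"
    "  target: default\n"
    "  interfaces: eth1\n"
    "  sources:\n"
    "  services: ssh\n"
    "  ports:\n"
    "  masquerade: no\n"
    "  forward-ports:\n"
    "\tport=3389:proto=tcp:toport=3389:toaddr=10.0.0.5\n"
    "  rich rules:\n"
    "\n"
    "trusted\n"
    "  target: ACCEPT\n"
    "  interfaces:\n"
    "  sources:\n"
    "  services:\n"
    "  masquerade: no\n"
    "  forward-ports:\n"
    "  rich rules:\n"
)

# forward-port entries as firewall-cmd prints them; toaddr is empty for a local redirect
FORWARD_RE = re.compile(
    r"port=(?P<port>[^:]+):proto=(?P<proto>[^:]+):toport=(?P<toport>[^:]*):toaddr=(?P<toaddr>.*)"
)


def parse_zones(text):
    """Map zone name -> {'active': bool, '<field>': [items...]}."""
    zones, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                     # zone header: "name" or "name (active)"
            name, _, flag = line.partition(" ")
            current = zones.setdefault(name, {"active": flag.strip() == "(active)"})
            continue
        if current is None:
            raise ValueError(f"field before any zone header: {line!r}")
        if line.startswith("\t"):                     # continuation item, one entry per line
            current[last_key].append(line.strip())
            continue
        key, _, value = line.strip().partition(":")   # split on the first colon only
        value = value.strip()
        # rich rules contain spaces; every other field is a space-separated list
        current[key] = ([value] if value else []) if key == "rich rules" else value.split()
        last_key = key
    return zones


def audit(zones):
    """Return (zone, finding) pairs; inactive zones have nothing bound, so they are skipped."""
    findings = []
    for name, z in zones.items():
        if not z["active"]:
            continue
        if z.get("target") == ["ACCEPT"]:
            findings.append((name, "target ACCEPT admits everything not matched by another rule"))
        masquerade = z.get("masquerade") == ["yes"]
        for entry in z.get("forward-ports", []):
            m = FORWARD_RE.fullmatch(entry)
            if m is None:
                findings.append((name, f"unrecognised forward-port entry {entry!r}"))
            elif m["toaddr"]:
                dest = f"{m['toaddr']}:{m['toport'] or m['port']}"
                findings.append((name, f"forwards {m['port']}/{m['proto']} to another host, {dest}"))
                if not masquerade:
                    findings.append((name, "forward to another host but masquerade is off"))
        for rule in z.get("rich rules", []):
            if rule.endswith("accept") and re.search(r'address="(0\.0\.0\.0/0|::/0)"', rule):
                findings.append((name, "rich rule accepts from any source address"))
    return findings


if __name__ == "__main__":
    for zone, finding in audit(parse_zones(SAMPLE_OUTPUT)):
        print(f"{zone}: {finding}")
```

On the constructed input the script reports the rich rule in public that accepts SSH from 0.0.0.0/0, and the forward in external to 10.0.0.5 on a zone where masquerade is off; the trusted zone's ACCEPT target is not reported because nothing is bound to it, which is exactly the kind of dormant setting to re-check before binding an interface there.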


Lock down

Lockdown restricts which local applications and users may change firewalld through its D-Bus interface. Without it, any process running as root (libvirt, NetworkManager, a container runtime, or malware) can modify the firewall. Enable it with --lockdown-on, which is written to firewalld.conf and therefore survives a restart; --query-lockdown shows the current state.

~]# firewall-cmd --lockdown-on


Once lockdown is on, anything not on the whitelist, including firewall-cmd itself, is refused.

~]# firewall-cmd --add-service=dhcp --permanent
Error: ACCESS_DENIED: lockdown is enabled


Because of that, populate the whitelist before turning lockdown on. The whitelist can contain commands, user ids (--add-lockdown-whitelist-uid=uid), user names and SELinux contexts. The command below whitelists the firewall-cmd program for any caller, which does not restrict who may run it; use a uid or user entry for that. The string must match the command line exactly as the interpreter runs it, so check the shebang of /usr/bin/firewall-cmd first (on current systems it is python3 rather than python). If lockdown is already on and your whitelist command is itself refused, edit /etc/firewalld/lockdown-whitelist.xml directly, then reload the firewall and you will again be able to modify it.

~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*' --permanent



After changing the permanent configuration, there are two ways to reload it. --reload re-reads the permanent configuration and applies it: runtime-only changes are discarded, but connection tracking state is kept, so established connections are not interrupted. --complete-reload also reloads the netfilter kernel modules and drops that state, which interrupts established connections, so use it only when the firewall is in a broken state.

~]# firewall-cmd --reload
~]# firewall-cmd --complete-reload

