CentOS 7: Firewalld Command Line Cheat Sheet

I was working on my CentOS 7 box to get familiar with some new functionalities, as you know RHEL 7 and CentOS 7 come with many changes in many aspect.

To have a quick reference for many of this changes, I will try to document some basic command on managing my system, so let start with firewalld.

Firewalld is a new system service on Linux to manage the firewall rules, you should not use it simultaneously  with iptables on the same system.

Firewalld use zones to decide what to do with the incoming packet, these zone are collection of rules you specify that match a specific source address or network interface.

CentOS come with many pre-configured zones like : block, dmz, drop, external, home, internal, trusted, work, public.

To list all the available zones

# firewall-cmd --list-all-zones

Here is an example of the default active zone on my system.

On these zones you can allow services, which is basically an xml file describing the service, tcp or udp, port number…

To list all the services

# firewall-cmd --get-services

Here is an example of the ssh service xml file, this file can be found on /usr/lib/firewalld/services

[root@localhost ~]# cat /usr/lib/firewalld/services/ssh.xml


  SSH
  Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
  

To list the active configuration

[root@localhost ~]# firewall-cmd --list-all

To list the configuration for a specific zone, for example the work zone

[root@localhost ~]# firewall-cmd --list-all --zone=work

You should also note two thing with firewalld, first, you should make sure any configuration change are persistent across reboot with the use of the word –permanent when you make chnage, the second thing is that you should reload your configuration after making change, this will make sure that the current running configuration is synchronized with the configuration on the disk.

let’s take an example for adding the smtp service to our current zone configuration.

To add a service to the current active zone

[root@localhost ~]# firewall-cmd --add-service smtp --permanent
success

List the current zone configuration, as you can see the service isn’t visible

[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Reload and list the configuration

[root@localhost ~]# firewall-cmd --reload
success

To show the current configured default zone

[root@localhost ~]# firewall-cmd --get-default-zone
public

To remove a service from the current active zone, for example  the smtp service

[root@localhost ~]# firewall-cmd --remove-service=smtp
success

To add a custom port/protocol to a zone, for example, to add the tcp port 8081 on the public zone

[root@localhost ~]# firewall-cmd --add-port=8081/tcp --zone=public --permanent

To set a default zone, for example the work zone

[root@localhost ~]# firewall-cmd --set-default-zone=work

To remove a specific port from the configuration, just replace the add with remove keywork like in the previous command

[root@localhost ~]# firewall-cmd --remove-port=8081/tcp --zone=public --permanent

To add a specific ip address to the zone public

[root@localhost ~]# firewall-cmd --add-source=192.168.244.13/24 --zone=public --permanent

[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  sources: 192.168.244.13/24
  services: dhcpv6-client smtp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Hope this can help, I will try to publish another post with more examples.

Be Sociable, Share!

(5 votes, average: 4.80 out of 5)

Loading...