CentOS 7: Firewalld Command Line Cheat Sheet
Linux Redhat 0 CommentsI was working on my CentOS 7 box to get familiar with some new functionalities, as you know RHEL 7 and CentOS 7 come with many changes in many aspect.
To have a quick reference for many of this changes, I will try to document some basic command on managing my system, so let start with firewalld.
Firewalld is a new system service on Linux to manage the firewall rules, you should not use it simultaneously with iptables on the same system.
Firewalld use zones to decide what to do with the incoming packet, these zone are collection of rules you specify that match a specific source address or network interface.
CentOS come with many pre-configured zones like : block, dmz, drop, external, home, internal, trusted, work, public.
To list all the available zones
# firewall-cmd --list-all-zones
Here is an example of the default active zone on my system.
On these zones you can allow services, which is basically an xml file describing the service, tcp or udp, port number…
To list all the services
# firewall-cmd --get-services
Here is an example of the ssh service xml file, this file can be found on /usr/lib/firewalld/services
[root@localhost ~]# cat /usr/lib/firewalld/services/ssh.xml SSH Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.
To list the active configuration
[root@localhost ~]# firewall-cmd --list-all
To list the configuration for a specific zone, for example the work zone
[root@localhost ~]# firewall-cmd --list-all --zone=work
You should also note two thing with firewalld, first, you should make sure any configuration change are persistent across reboot with the use of the word –permanent when you make chnage, the second thing is that you should reload your configuration after making change, this will make sure that the current running configuration is synchronized with the configuration on the disk.
let’s take an example for adding the smtp service to our current zone configuration.
To add a service to the current active zone
[root@localhost ~]# firewall-cmd --add-service smtp --permanent success
List the current zone configuration, as you can see the service isn’t visible
[root@localhost ~]# firewall-cmd --list-all public (default, active) interfaces: eno16777728 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:
Reload and list the configuration
[root@localhost ~]# firewall-cmd --reload success
To show the current configured default zone
[root@localhost ~]# firewall-cmd --get-default-zone public
To remove a service from the current active zone, for example the smtp service
[root@localhost ~]# firewall-cmd --remove-service=smtp success
To add a custom port/protocol to a zone, for example, to add the tcp port 8081 on the public zone
[root@localhost ~]# firewall-cmd --add-port=8081/tcp --zone=public --permanent
To set a default zone, for example the work zone
[root@localhost ~]# firewall-cmd --set-default-zone=work
To remove a specific port from the configuration, just replace the add with remove keywork like in the previous command
[root@localhost ~]# firewall-cmd --remove-port=8081/tcp --zone=public --permanent
To add a specific ip address to the zone public
[root@localhost ~]# firewall-cmd --add-source=192.168.244.13/24 --zone=public --permanent
[root@localhost ~]# firewall-cmd --list-all public (default, active) interfaces: eno16777728 sources: 192.168.244.13/24 services: dhcpv6-client smtp ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:
Hope this can help, I will try to publish another post with more examples.
Be Sociable, Share!
(5 votes, average: 4.80 out of 5)
Loading...