The command-line tool firewall-cmd is part of the firewalld application, which is installed by default. It can be used to make permanent and non-permanent runtime changes. Enter the following command to view the help output.

 

Installing firewalld

 

By default, firewalld is included in the “core” rpm group, but if in case it is not installed, you can always install it using yum.

# yum install -y firewalld

 

Enable the firewalld to start at boot:

# systemctl enable firewalld

 

Restart the firewalld service now.

# systemctl restart firewalld

 

Available options with firewall-cmd command

 

# firewall-cmd --help

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state                  Return and print firewalld state
  --reload                 Reload firewall and keep state information
  --complete-reload        Reload firewall and lose state information
  --runtime-to-permanent   Create permanent from runtime configuration

 

The firewall-cmd command offers categories of options such as General, Status, Permanent, Zone, IcmpType, Service, Adapt and Query Zones, Direct, Lockdown, Lockdown Whitelist, and Panic. Refer to the firewall-cmd man page for more information.

 

Useful firewall-cmd Examples

 

1. List all zones

# firewall-cmd --list-all-zones
work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
.....

 

Use the following command to list information for all zones. Only partial output is displayed.

 

Public is the default zone set, if you do not change it. To check the currently set default zone use the below command:

# firewall-cmd --get-default-zone
public

 

2. List allowed service and ports on the system

 

To show currently allowed service on your system use the below command.

# firewall-cmd --list-services
dhcpv6-client ssh

 

To list the ports that are open on your system:

# firewall-cmd --list-ports

 

You would normally see no ports listed here when you have just enabled the firewalld.

 

3. To Enable all the incoming ports for a service

 

You can also open the required ports for a service by using the –add-service option. To permit access by HTTP clients for the public zone:

# firewall-cmd --zone=public --add-service=http
success

 

To list services that are allowed for the public zone:

# firewall-cmd --zone=work --list-services
dhcpv6-client http ssh

 

Using this command only changes the Runtime configuration and does not update the configuration files. The following sequence of commands shows that configuration changes made in Runtime configuration mode are lost when the firewalld service is restarted:

# systemctl restart firewalld

 

# firewall-cmd --permanent --zone=public --add-service=http
success

 

To make changes permanent, use the –permanent option. Example:

# firewall-cmd --permanent --zone=public --add-service=http
success

 

Changes made in Permanent configuration mode are not implemented immediately. Example:

# firewall-cmd --zone=work --list-services
dhcpv6-client ssh

 

However, changes made in a Permanent configuration are written to configuration files. Restarting the firewalld service reads the configuration files and implements the changes.

Example:

 

# systemctl restart firewalld

 

# firewall-cmd --zone=work --list-services
dhcpv6-client http ssh

 

4. Allow traffic on an incoming port

 

The command below will open the port 2222 effective immediately, but will not persist across reboots:

# firewall-cmd --add-port=[YOUR PORT]/tcp

 

For example, to open TCP port 2222 :

# firewall-cmd --add-port=2222/tcp

 

The following command will create a persistent rule, but will not be put into effect immediately:

# firewall-cmd --permanent --add-port=[YOUR PORT]/tcp

 

For Example, to open TCP port 2222 :

# firewall-cmd --permanent --add-port=2222/tcp

 

To list the open ports, use the command :

# firewall-cmd –-list-ports
2222/tcp

 

5. Start and stop firewalld service

 

To start/stop/status firewalld service use the below commands:

# systemctl start firewalld.service
# systemctl stop firewalld.service

 

To check the status of the firewalld service:

# systemctl status firewalld.service

 

آیا این پاسخ به شما کمک کرد؟ 0 کاربر این را مفید یافتند (0 نظرات)