Firewalld Command-line Reference (Cheat Sheet)

firewalld is the default method in Red Hat Enterprise Linux 7 for managing host-level firewalls. Started from the firewalld.service systemd unit, firewalld manages the Linux kernel netfilter subsystem using the low-level iptables, ip6tables, and ebtables commands.

Default Configuration of firewalld Zones

Zone name   Default configuration
trusted     Allow all incoming traffic.
home        Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services.
internal    Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services (same as the home zone to start with).
work        Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client, or dhcpv6-client predefined services.
public      Reject incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6-client predefined services. The default zone for newly added network interfaces.
external    Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded to look like it originated from the IPv4 address of the outgoing network interface.
dmz         Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service.
block       Reject all incoming traffic unless related to outgoing traffic.
drop        Drop all incoming traffic unless related to outgoing traffic (do not even respond with ICMP errors).

Firewalld Command-line Reference

firewall-cmd commands and what they do

--get-default-zone
    Query the current default zone.
--set-default-zone=[ZONE]
    Set the default zone. This changes both the runtime and the permanent configuration.
--get-zones
    List all available zones.
--get-services
    List all predefined services.
--get-active-zones
    List all zones currently in use (those with an interface or source tied to them), along with their interface and source information.
--add-source=[CIDR] [--zone=[ZONE]]
    Route all traffic coming from the IP address or network/netmask [CIDR] to the specified zone. If no --zone= option is provided, the default zone will be used.
--remove-source=[CIDR] [--zone=[ZONE]]
    Remove the rule routing all traffic coming from the IP address or network/netmask [CIDR] from the specified zone. If no --zone= option is provided, the default zone will be used.
--add-interface=[INTERFACE] [--zone=[ZONE]]
    Route all traffic coming from [INTERFACE] to the specified zone. If no --zone= option is provided, the default zone will be used.
--change-interface=[INTERFACE] [--zone=[ZONE]]
    Associate the interface with [ZONE] instead of its current zone. If no --zone= option is provided, the default zone will be used.
--list-all [--zone=[ZONE]]
    List all configured interfaces, sources, services, and ports for [ZONE]. If no --zone= option is provided, the default zone will be used.
--list-all-zones
    Retrieve all information for all zones (interfaces, sources, ports, services, etc.).
--add-service=[SERVICE] [--zone=[ZONE]]
    Allow traffic to [SERVICE]. If no --zone= option is provided, the default zone will be used.
--add-port=[PORT/PROTOCOL] [--zone=[ZONE]]
    Allow traffic to the [PORT/PROTOCOL] port(s). If no --zone= option is provided, the default zone will be used.
--remove-service=[SERVICE] [--zone=[ZONE]]
    Remove [SERVICE] from the allowed list for the zone. If no --zone= option is provided, the default zone will be used.
--remove-port=[PORT/PROTOCOL] [--zone=[ZONE]]
    Remove the [PORT/PROTOCOL] port(s) from the allowed list for the zone. If no --zone= option is provided, the default zone will be used.
--reload
    Drop the runtime configuration and apply the persistent configuration.
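The commands above are most useful strung together into a repeatable baseline, and the --reload entry hides a trap: --add-service and --add-port change only the runtime configuration unless firewall-cmd is also given --permanent (a real flag the table does not list, which writes to the persistent configuration), so a rule added without it disappears at the next --reload or reboot. The script below is an added example, not part of the original cheat sheet or of the firewalld project: it wraps firewall-cmd in a small sh function, validates a PORT/PROTOCOL argument before handing it to the tool, applies a default-deny baseline (default zone drop, one interface moved into a chosen zone, ssh allowed persistently, reload, then --list-all to confirm the live state). It assumes firewall-cmd is installed and the script runs as root; the DRY_RUN variable, the interface name eth0 and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): a wrapper around
# firewall-cmd that applies a default-deny host baseline persistently.
# Assumptions: firewall-cmd from firewalld is installed and we run as root.
# Set DRY_RUN=1 to print the commands instead of executing them, which is
# handy for review before a change window.

# Run one firewall-cmd invocation, or echo it under DRY_RUN.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Validate a PORT/PROTOCOL argument such as 8080/tcp before it reaches
# firewall-cmd. Returns 1 for anything that is not <1-65535>/<tcp|udp>.
valid_port_spec() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    port=${1%/*}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Persistently allow one port in a zone (default: public). Without
# --permanent the rule would live only in the runtime configuration and
# vanish on --reload or reboot.
allow_port() {
    spec=$1
    zone=${2:-public}
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    fw --permanent --zone="$zone" --add-port="$spec"
}

# Persistently allow a predefined service (see --get-services) in a zone.
allow_service() {
    fw --permanent --zone="${2:-public}" --add-service="$1"
}

# Apply the baseline: unsolicited inbound traffic is dropped unless it
# matches an explicitly allowed service or port on the chosen interface.
apply_baseline() {
    iface=$1
    zone=${2:-public}
    fw --set-default-zone=drop
    fw --permanent --zone="$zone" --change-interface="$iface"
    allow_service ssh "$zone"
    fw --reload
    # Show the effective runtime state so the operator can confirm it.
    fw --zone="$zone" --list-all
}

# Usage (hypothetical file name harden.sh):
#   DRY_RUN=1 sh harden.sh eth0 public    # review the plan
#   sh harden.sh eth0 public              # apply it
if [ $# -gt 0 ]; then
    apply_baseline "$1" "${2:-public}"
fi
```

Run it once with DRY_RUN=1 and keep that output with the change record; afterwards, --list-all on the zone (and --list-all-zones across the host) is the check that the persistent rules actually survived the --reload.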