CentOS 8.x firewalld commands

From Notes_Wiki

Home > CentOS > CentOS 8.x > System Administration > firewalld > Commands

Zones

  • To get a list of the available zones
    firewall-cmd --get-zones


  • To view the default zone
    firewall-cmd --get-default-zone


  • To change the default zone
    firewall-cmd --set-default-zone=internal


  • To view the list of active zones with a list of the interfaces
    firewall-cmd --get-active-zones


  • To find out which zone an interface (for example, eth0) is currently assigned to
    firewall-cmd --get-zone-of-interface=eth0


  • To find out all the interfaces assigned to a zone
    firewall-cmd --zone=public --list-interfaces


  • To find out all the settings of a zone
    firewall-cmd --zone=public --list-all


  • To view the zone information, use the --info-zone option.
    firewall-cmd --info-zone=public


  • To view the list of services currently loaded
    firewall-cmd --get-services


  • To list the services in the permanent configuration, including custom services that have been created but are not loaded into the running firewall yet
    firewall-cmd --permanent --get-services


  • To show the settings of the particular service like ssh
    firewall-cmd --info-service=ssh


  • To change the zone of an interface for the current session only (the binding is lost on reload or restart unless --permanent is added)
    firewall-cmd --zone=work --change-interface=eth0


  • To add an interface to a zone (for example, to add ens9 to the public zone)
    firewall-cmd --zone=public --add-interface=ens9
    On CentOS 8 interfaces are normally managed by NetworkManager, which tells firewalld the zone of each connection. For a binding that survives reboots and connection restarts, set the zone on the connection itself (nmcli connection modify <connection-name> connection.zone public) rather than relying on a runtime --add-interface.


  • Enable forwarding of packets between interfaces of the same zone
    By default firewalld does not forward packets that arrive on one interface of a zone and leave through another interface of that zone. One way to allow this is to set the zone target to ACCEPT:
    firewall-cmd --zone=internal --set-target=ACCEPT --permanent
    firewall-cmd --reload
    firewall-cmd --zone=internal --list-all
    This is required for the predefined zones such as internal, external, etc. as well.
    Note that a target of ACCEPT does more than enable forwarding: every packet arriving on an interface of that zone is accepted, whatever services or ports the zone lists, so the zone is effectively unfiltered. Use it only for zones whose interfaces face networks you trust completely.

Thus, if you want to use a Linux machine as an L3 switch / router (refer Using_Linux_machine_for_BGP.2C_DHCP_and_inter-VLAN_routing), you can put most interfaces in internal with the zone target set to ACCEPT and use one interface in external for NAT to the outside/internet.

  • With firewalld 0.9.0 or later there is a narrower option that enables intra-zone forwarding without changing the target (add --permanent to keep it across reloads):
    firewall-cmd --zone=internal --add-forward

Refer: https://firewalld.org/2020/04/intra-zone-forwarding
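As an added example (not part of the wiki page or of firewalld itself), the following shell script parses the output of firewall-cmd --list-all-zones and prints one summary line per zone, flagging zones that bind interfaces or sources while their target is ACCEPT, since such zones pass all inbound traffic regardless of their service and port lists. The sample output embedded in it is constructed; on a CentOS 8 host, pipe the live command into zone_summary instead.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit firewalld zones from the
# text printed by "firewall-cmd --list-all-zones" and flag zones that bind
# interfaces or sources while their target is ACCEPT, i.e. zones whose
# inbound traffic is not filtered at all.

# zone_summary: read --list-all-zones text on stdin, print one line per zone:
#   <zone> <active|inactive> <target> [interfaces] [sources] <ok|UNFILTERED>
zone_summary() {
  awk '
    function flush() {
      if (zone == "") return
      flag = "ok"
      # ACCEPT target plus a binding means every inbound packet on those
      # interfaces/sources is accepted regardless of services/ports.
      if (target == "ACCEPT" && (ifaces != "" || sources != "")) flag = "UNFILTERED"
      printf "%s %s %s [%s] [%s] %s\n", zone, active, target, ifaces, sources, flag
    }
    /^[^ \t]/ {                       # zone header, e.g. "public (active)"
      flush()
      zone = $1
      active = ($0 ~ /\(active\)/) ? "active" : "inactive"
      target = ""; ifaces = ""; sources = ""
      next
    }
    /^[ \t]+target:/     { target = $2 }
    /^[ \t]+interfaces:/ { $1 = ""; sub(/^ +/, ""); ifaces = $0 }
    /^[ \t]+sources:/    { $1 = ""; sub(/^ +/, ""); sources = $0 }
    END { flush() }
  '
}

# unfiltered_zones: only the names of zones flagged UNFILTERED.
unfiltered_zones() {
  zone_summary | awk '$NF == "UNFILTERED" { print $1 }'
}

# Constructed sample in the --list-all-zones layout (only the fields this
# script reads matter). "internal" has been given target ACCEPT as in the
# forwarding recipe above, so it is reported as unfiltered.
SAMPLE_ZONES='block
  target: %%REJECT%%
  interfaces:
  sources:
  services:

internal (active)
  target: ACCEPT
  interfaces: ens9 ens10
  sources: 192.0.2.0/24
  services: ssh mdns samba-client dhcpv6-client

external (active)
  target: default
  interfaces: ens8
  sources:
  services: ssh
  masquerade: yes

trusted
  target: ACCEPT
  interfaces:
  sources:
  services:'

sample_report()     { printf '%s\n' "$SAMPLE_ZONES" | zone_summary; }
sample_unfiltered() { printf '%s\n' "$SAMPLE_ZONES" | unfiltered_zones; }

# On a host with firewalld, audit the live firewall the same way:
#   firewall-cmd --list-all-zones | zone_summary
sample_report
```

The predefined trusted zone also has target ACCEPT, but it is only reported when something is actually bound to it; an ACCEPT zone with no interfaces or sources accepts nothing.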


Creating Your Own Zones

  • When adding a zone, you must add it to the permanent firewall configuration. You can then reload to bring the configuration into your running session
    firewall-cmd --permanent --new-zone=testzone


  • You can verify that these are present in your permanent configuration
    firewall-cmd --permanent --get-zones


  • As stated before, these won't be available in the current instance of the firewall yet
    firewall-cmd --get-zones


  • Reload the firewall to bring these new zones into the active configuration
    firewall-cmd --reload


  • Delete zone
    firewall-cmd --permanent --delete-zone=testzone
    firewall-cmd --reload



Changing the Firewall Settings

Dropping all packets

  • To start dropping all incoming and outgoing packets (panic mode). On a remote host this also cuts your own SSH session, so use it only when you have console access
    firewall-cmd --panic-on

Active connections will be terminated after a period of inactivity


  • To start passing incoming and outgoing packets again
    firewall-cmd --panic-off


  • To find out if panic mode is enabled or disabled
    firewall-cmd --query-panic



Reloading the firewall

  • To reload the firewall without interrupting user connections (state information is kept). The permanent configuration becomes the new runtime configuration, so runtime-only changes that were not also made permanent are lost
    firewall-cmd --reload
  • To reload the firewall completely, interrupting user connections and discarding state information; this should only be used in case of severe firewall problems
    firewall-cmd --complete-reload



Opening / Closing ports in the firewall

Note: the commands in this and the following sections change the running firewall only unless --permanent is added, and runtime-only changes are lost at the next reload or restart. Either repeat a command with --permanent and then reload, or save the current runtime configuration into the permanent one with the --runtime-to-permanent option.

  • To list all open ports for a zone
    firewall-cmd --zone=public --list-ports


  • To add a port to a zone
    firewall-cmd --zone=public --add-port=80/tcp


  • To add a range of ports to a zone
    firewall-cmd --zone=public --add-port=5060-5061/udp


  • To remove a port from a zone
    firewall-cmd --zone=public --remove-port=80/tcp


  • To remove a range of ports from a zone
    firewall-cmd --zone=public --remove-port=5060-5061/udp


  • Verify the port is open
    firewall-cmd --zone=public --query-port=80/tcp



Opening protocols

  • To list all open protocols for a zone
    firewall-cmd --zone=dmz --list-protocols


  • To add a protocol to a zone
    firewall-cmd --zone=dmz --add-protocol=esp




Opening source ports

  • To list all open source ports for a zone
    firewall-cmd --zone=public --list-source-ports


  • To add a source port to a zone
    firewall-cmd --zone=public --add-source-port=8080/tcp


  • To add a range of source ports to a zone
    firewall-cmd --zone=public --add-source-port=5060-5061/udp
    A source-port rule matches on the port the remote side chose to send from. The client controls that value, so it does not identify or authenticate the peer; use source-port rules only for protocols that need them, and restrict the peer by source address (for example with a rich rule) where that matters.



Adding / Removing service (mapped to TCP/UDP ports) to a zone

  • To add a service to a zone
    firewall-cmd --zone=public --add-service=smtp


  • To remove a service from a zone
    firewall-cmd --zone=public --remove-service=smtp


  • Verify the service is enabled in the zone (the ports a service opens are shown by --info-service)
    firewall-cmd --zone=public --query-service=smtp
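The port and service commands above take effect immediately but, without --permanent, silently disappear at the next reload. As an added example (not part of the wiki page or of firewalld), the following shell script compares the runtime and permanent configuration of a zone, as printed by firewall-cmd --zone=Z --list-all and firewall-cmd --permanent --zone=Z --list-all, and reports every attribute that differs. The two texts embedded in it are constructed samples; the live invocation is shown in a comment.

```shell
#!/bin/sh
# Added example (not from the wiki page): detect drift between the runtime
# and the permanent configuration of a zone, i.e. ports/services/etc. that
# were added without --permanent and will vanish on the next reload.
# Both inputs are the text printed by "firewall-cmd --zone=Z --list-all"
# and "firewall-cmd --permanent --zone=Z --list-all".

# config_drift RUNTIME_TEXT PERMANENT_TEXT
# Prints "<attribute>: runtime=[...] permanent=[...]" for every attribute
# whose value differs; prints nothing when the two configurations match.
config_drift() {
  {
    printf '%s\n' "$1" | sed 's/^/R /'   # tag runtime lines
    printf '%s\n' "$2" | sed 's/^/P /'   # tag permanent lines
  } | awk '
    {
      tag  = substr($0, 1, 1)
      line = substr($0, 3)
      i = index(line, ":")
      if (i == 0) next                       # zone header or blank line
      key = substr(line, 1, i - 1); gsub(/^[ \t]+/, "", key)
      val = substr(line, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tag == "R") r[key] = val; else p[key] = val
      keys[key] = 1
    }
    END {
      for (k in keys)
        if (r[k] != p[k])
          printf "%s: runtime=[%s] permanent=[%s]\n", k, r[k], p[k]
    }
  ' | sort
}

# Constructed samples: http and 8080/tcp were added at runtime only.
RUNTIME='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 80/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

PERMANENT='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

sample_drift() { config_drift "$RUNTIME" "$PERMANENT"; }

# On a real host (needs firewalld):
#   config_drift "$(firewall-cmd --zone=public --list-all)" \
#                "$(firewall-cmd --permanent --zone=public --list-all)"
# Non-empty output means a reload would silently close ports or services;
# fix it with "firewall-cmd --runtime-to-permanent" or re-add with --permanent.
sample_drift
```

Run it for every zone that has interfaces or sources bound before a planned reload or reboot; an empty result means the running firewall and the saved configuration agree.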




Configure IP address masquerading

  • To check if IP masquerading is enabled
    firewall-cmd --zone=public --query-masquerade


  • To enable IP masquerading (source NAT of packets leaving through the zone's interfaces; firewalld masquerading is IPv4 only)
    firewall-cmd --zone=public --add-masquerade


  • To disable IP masquerading
    firewall-cmd --zone=public --remove-masquerade




Configuring port forwarding

  • Port forwarding rewrites the destination of inbound packets to another port and/or another address. When the target is another host, also enable IP address masquerading for the zone, so that the target's replies are source-NATed back through this machine; forwarding to a local port alone does not need it
    firewall-cmd --zone=external --add-masquerade


  • To forward packets to a local port
    firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=3753


  • To forward packets to another IPv4 address, without changing the destination port
    firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55


  • To forward packets to another port at another IPv4 address. Note that forwarding port 22 hides this host's own sshd from clients in that zone, so keep a management path that does not go through the forwarded port
    firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55


  • To list forward ports
    firewall-cmd --zone=external --list-forward-ports


  • To check a forwarding rule (the specification must match the one that was added exactly)
    firewall-cmd --zone=external --query-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
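The forward-port specification is a colon-separated list of port=, proto=, toport= and toaddr= fields, and firewall-cmd only rejects it once you try to apply it. As an added example (not part of the wiki page or of firewalld), the following shell script validates such a specification up front, reports whether masquerading is needed (it is when toaddr points at another host), and prints the permanent firewall-cmd commands to apply it. The specs used at the bottom are the page's own examples; the validator checks toaddr as an IPv4 dotted quad only, which is a deliberate limitation matching the examples on this page.

```shell
#!/bin/sh
# Added example (not from the wiki page): validate a forward-port
# specification of the form port=P:proto=PROTO[:toport=P2][:toaddr=A]
# before handing it to firewall-cmd, and emit the commands needed for it.
# Limitation: toaddr is only accepted as an IPv4 dotted quad.

# valid_port PORT: a single port 1-65535 or a range lo-hi
valid_port() {
  case "$1" in
    ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
  esac
  lo=${1%%-*}; hi=${1##*-}
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# valid_ipv4 ADDR: four dotted decimal octets, each 0-255
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  n=0
  old_ifs=$IFS; IFS=.
  for o in $1; do
    n=$((n + 1))
    if [ "$o" -gt 255 ]; then IFS=$old_ifs; return 1; fi
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# forward_spec_check SPEC: prints the parsed fields and whether masquerading
# is required; returns 1 (message on stderr) when the spec is invalid.
forward_spec_check() {
  fp_port=''; fp_proto=''; fp_toport=''; fp_toaddr=''
  old_ifs=$IFS; IFS=:
  for kv in $1; do
    k=${kv%%=*}; v=${kv#*=}
    case "$k" in
      port)   fp_port=$v ;;
      proto)  fp_proto=$v ;;
      toport) fp_toport=$v ;;
      toaddr) fp_toaddr=$v ;;
      *) IFS=$old_ifs; echo "unknown key '$k' in '$1'" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
  valid_port "$fp_port" || { echo "bad port '$fp_port'" >&2; return 1; }
  case "$fp_proto" in
    tcp|udp|sctp|dccp) ;;
    *) echo "bad proto '$fp_proto'" >&2; return 1 ;;
  esac
  [ -n "$fp_toport$fp_toaddr" ] || { echo "need toport and/or toaddr" >&2; return 1; }
  [ -z "$fp_toport" ] || valid_port "$fp_toport" || { echo "bad toport '$fp_toport'" >&2; return 1; }
  [ -z "$fp_toaddr" ] || valid_ipv4 "$fp_toaddr" || { echo "bad toaddr '$fp_toaddr'" >&2; return 1; }
  masq=no
  [ -z "$fp_toaddr" ] || masq=yes    # forwarding to another host needs masquerade
  printf 'port=%s proto=%s toport=%s toaddr=%s masquerade=%s\n' \
    "$fp_port" "$fp_proto" "${fp_toport:--}" "${fp_toaddr:--}" "$masq"
}

# forward_cmds ZONE SPEC: print the permanent firewall-cmd invocations for a
# validated spec (masquerade first when the target is another host).
forward_cmds() {
  parsed=$(forward_spec_check "$2") || return 1
  case "$parsed" in
    *masquerade=yes*) printf 'firewall-cmd --permanent --zone=%s --add-masquerade\n' "$1" ;;
  esac
  printf 'firewall-cmd --permanent --zone=%s --add-forward-port=%s\n' "$1" "$2"
  printf 'firewall-cmd --reload\n'
}

# The page's own examples; on a firewalld host the command list can be
# applied with:  forward_cmds external 'port=22:proto=tcp:toaddr=192.0.2.55' | sh
forward_spec_check 'port=22:proto=tcp:toport=3753'
forward_cmds external 'port=22:proto=tcp:toport=2055:toaddr=192.0.2.55'
```

Because the generated commands use --permanent followed by --reload, the rule is persisted and active in one step; an invalid spec produces no commands at all, so nothing half-applied reaches the firewall.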



Block and Enable ICMP

  • List the ICMP types firewalld knows about (these are the names accepted by the icmp-block options)
    firewall-cmd --get-icmptypes


  • To check whether an ICMP type is already blocked in a zone, and to add a block for it
    firewall-cmd --zone=public --query-icmp-block=echo-reply
    firewall-cmd --zone=public --add-icmp-block=echo-reply --permanent
    Note that echo-reply matches incoming echo replies; to stop the host from answering pings from other hosts, block echo-request instead. Do not block ICMP wholesale: types such as destination-unreachable (and packet-too-big for IPv6) are needed for path MTU discovery, so block only the specific types you want to suppress.


  • Reload the firewall and check
    firewall-cmd --reload
    firewall-cmd --zone=public --list-all



Firewalld Lockdown Rules

Any local application running as root (for example a virtualization or container service) can change the firewalld configuration through its D-Bus interface. Lockdown restricts such changes to a whitelist of commands, users, user IDs and SELinux contexts kept in /etc/firewalld/lockdown-whitelist.xml, so that unexpected applications cannot alter the rules. It is a light policy mechanism, not a security boundary: a root process can still edit the files under /etc/firewalld or turn lockdown off.

  • Verify whether lockdown is enabled
    firewall-cmd --query-lockdown


  • To turn lockdown on
    firewall-cmd --lockdown-on
    Caution: if firewall-cmd itself is not on the whitelist when lockdown is enabled, it can no longer be used to turn lockdown off; you would then have to set Lockdown=no in /etc/firewalld/firewalld.conf.


  • To turn lockdown off
    firewall-cmd --lockdown-off


  • Reload the firewall and check the lockdown state
    firewall-cmd --reload
    firewall-cmd --query-lockdown


Miscellaneous commands

  • To check version of firewalld
    firewall-cmd --version


  • To get the help
    firewall-cmd --help


  • To check the state of firewalld (prints running or not running and sets the exit code accordingly)
    firewall-cmd --state


Article contributed by Pavan Ponamala

