List of Important Firewalld Commands in Linux

Firewalld is system utility which is upgraded version of iptables in Linux. It is use to configure Linux machine to give access/restrict other resource/services to communicate. Below are some basic firewalld commands in Linux which every sysadmin should know.

Before run below command enusre firewalld service is installed & running in your can check it with below command

yum install firewalld #to install firewalld utility

systemctl start firewalld.service #start the service

systemctl enable firewalld.service #enable for autostart

systemctl status firewalld #check the status of service

1) To check current state of the firewall

firewall-cmd --state

2) To get zone info

firewall-cmd --get-default-zone

3)To get info about your active zone

firewall-cmd --get-active-zones

4) To get the rules implied on active zone

firewall-cmd --list-all

5) To get info about all zones

firewall-cmd --get-zones

6) To get all info about any particular zone (have to specify zone public , private..)

firewall-cmd --zone=public --list-all 

7) List info about all the zones

firewall-cmd --list-all-zones

8)Change the interface of a zone

firewall-cmd --zone=public  --change-interface=enp0s3  

(It will change interface from home to public)

9) To make zone command permanent

append the line "ZONE=public" in /etc/sysconfig/network-scripts/enp0s3

10) Reload the firewall

firewall-cmd --reload

11) To set the zone default

firewall-cmd --set-default-zone=home

12) Firewall service which are allowed

firewall-cmd --get-services

(you can see more info about particular service /usr/lib/firewalld/services)

13) Add a service to firewall

firewall-cmd --add-service=http #will add http service

firewall-cmd --permanent --add-service=http # to add permenent

and reload

14) List which services are allowed in a zone

firewall-cmd --zone=public --list-services

15) Add a port

firewall-cmd --permanent --add-port=7734/tcp

firewall-cmd --permanent --add-port=7000-7200/tcp #add a range of add ports

16) Add a custom service with assign a port to it

-just copy any template from /usr/lib/firewalld/services/ssh.xml  to   /etc/firewall/services/CustomServiceName.xml

-then open  CustomServiceName.xml file & replace the option with your requrement e.g name description port protocols & then reload the service firewalld

17) Add an ip or machine in zone if you trust

firewall-cmd --permanent --zone=public --add-source= 

then reload

18) Create a rich rule with the help of man pages

man 5 firewalld.richlanguage #man pages about rich firewall commands

firewall-cmd –-permanent –zone=public –add-rich-rule=’rule family=”ipv4” source address=”” service=ftp reject’

This will reject the ip with serivce tftp


Post a Comment