In this article, I will take you through 26 Useful Firewall CMD Examples on RedHat/CentOS 7. firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings.
There is a separation of the runtime and permanent configuration options. It also provides an interface for services or applications to add iptables, ip6tables and ebtables rules directly. This interface can also be used by advanced users. You can check more about firewalld in its Official Documentation.
There are many tools which can be used to manage the firewall rules and configuration. firewall-cmd is one such tool which we are going to cover in this section. I will go through other tools in later articles.
Firewall CMD Examples
Example 1. Check firewall-cmd version
To check the firewall-cmd version, you need to use the -V option as shown below. As you can see from the output below, the current firewalld version is 0.6.3.
[root@localhost ~]# firewall-cmd -V
0.6.3
-V : Print the version string of firewalld. More info on Firewall cmd Man Page.
Example 2. Using Firewall-cmd to check firewall current state
If you want to verify the current state of the firewall, you need to use the --state option with the firewall-cmd command. As you can see from the output below, firewalld is currently in the running state.
[root@localhost ~]# firewall-cmd --state
running
--state : Check whether the firewalld daemon is active (i.e. running). More info on Firewall cmd Man Page.
NOTE: The commands in this article are run as the root user. You can use any user with sudo access to run all these commands. Running firewall-cmd requires privileged access, so make sure the user has the required permission, or else it will show a Permission denied error.
Example 3. Using Firewall cmd list allowed services
If you want to check all the services allowed through the firewall for the default zone, you need to use the --list-services option with the firewall-cmd command. As you can see, currently the dhcpv6-client, http, https and ssh services are allowed for the public zone through the firewall.
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client http https ssh
--list-services : List services added for zone as a space separated list. If zone is omitted, default zone will be used. More info on Firewall cmd Man Page.
Example 4. Using Firewall cmd list allowed ports
To check all the ports allowed through a firewall zone, you need to use the --list-ports option as shown below. Here you can see all the ports allowed through the firewall for the default public zone.
[root@localhost ~]# firewall-cmd --list-ports
6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp
--list-ports : List ports added for zone as a space separated list. If zone is omitted, default zone will be used. More info on Firewall cmd Man Page.
Example 5. List Active Zones Using Firewall cmd
If you want to check the currently active zones and the interfaces associated with each active zone, you need to use the --get-active-zones option with firewall-cmd.
[root@localhost ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3
--get-active-zones : Print currently active zones altogether with interfaces and sources used in these zones. More info on Firewall cmd Man Page.
Example 6. Print Log denied Setting Using Firewall cmd
If you want to check the log denied setting, you need to use the --get-log-denied option with the firewall-cmd command as shown below. This setting can be enabled to log rejected packets if required.
[root@localhost ~]# firewall-cmd --get-log-denied
off
Example 7. Print Automatic Helper Setting
If you want to check the current automatic helper setting, you need to use the --get-automatic-helpers option as shown below. A firewalld helper defines the configuration that is needed to be able to use a netfilter connection tracking helper if automatic helper assignment is turned off, which is then the secure use of connection tracking helpers. As you can see from the output, automatic helpers is currently set to system.
[root@localhost ~]# firewall-cmd --get-automatic-helpers
system
--get-automatic-helpers : Print the automatic helpers setting. More info on Firewall cmd Man Page.
Example 8. List ICMP Types
If you want to list all the ICMP types, you need to use the --get-icmptypes option as shown below. You can see the different ICMP types in the output, for example address-unreachable, bad-header, communication-prohibited, destination-unreachable, echo-reply etc. These ICMP types can also be blocked through the firewall if required.
[root@localhost ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
Example 9. Enable Panic Mode
If you think there is a serious problem going on in your network and you want to expire all active connections and stop all incoming and outgoing traffic, you need to use the --panic-on option with firewall-cmd as shown below.
[root@localhost ~]# firewall-cmd --panic-on
--panic-on : Enable panic mode. More info on Firewall cmd Man Page.
Example 10. Disable Panic Mode
Now that you know how to enable panic mode with the firewall-cmd command, you can also disable it by using the --panic-off option with the firewall-cmd command as shown below.
[root@localhost ~]# firewall-cmd --panic-off
--panic-off : Disable panic mode. More info on Firewall cmd Man Page.
Example 11. Check If Panic Mode is enabled or Not
If you want to check whether panic mode is enabled or not in firewalld, you need to use the --query-panic option with the firewall-cmd command.
[root@localhost ~]# firewall-cmd --query-panic
no
--query-panic : Returns 0 if panic mode is enabled, 1 otherwise. More info on Firewall-cmd Man Page.
Example 12. Create a New Permanent Zone
If you want to create a permanent zone, you need to use --new-zone=<zone_name> with the firewall-cmd command as shown below.
[root@localhost ~]# firewall-cmd --permanent --new-zone=private
success
Now check if the zone got created or not.
[root@localhost ~]# firewall-cmd --permanent --info-zone=private
private
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Example 13. List Zone Details using firewall-cmd command
You can check zone details by specifying the zone name in the --info-zone option with firewall-cmd as shown below. From the output below, various details like the associated target, interfaces, allowed services, allowed ports etc. can be checked.
[root@localhost ~]# firewall-cmd --permanent --info-zone=public
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client http https ssh
  ports: 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp 7000/tcp 6990-7000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
--info-zone : Print information about the zone. More info on Firewall cmd Man Page.
Example 14. Delete a Zone
You can delete a zone by passing the zone name to the --delete-zone option. Here we are deleting the private zone by passing its name as shown below.
[root@localhost ~]# firewall-cmd --permanent --delete-zone=private
success
--delete-zone : Delete an existing permanent zone. More info on Firewall cmd Man Page.
Example 15. Query Lockdown
You can check if lockdown is enabled or not by using the --query-lockdown option as shown below.
[root@localhost ~]# firewall-cmd --query-lockdown
no
--query-lockdown : Query whether lockdown is enabled. Returns 0 if lockdown is enabled, 1 otherwise. More info on Firewall-cmd Man Page.
Example 16. Enable Lockdown
Applications running on your system with root access might sometimes be able to change the firewall configuration. To stop applications from doing that, you can enable lockdown by using the --lockdown-on option with the firewall-cmd command.
[root@localhost ~]# firewall-cmd --lockdown-on
success
--lockdown-on : Enable lockdown. More info on Firewall cmd Man Page.
Example 17. Disable Lockdown
To disable lockdown, you can use the --lockdown-off option with the firewall-cmd command as shown below.
[root@localhost ~]# firewall-cmd --lockdown-off
success
--lockdown-off : Disable lockdown. More info on Firewall-cmd Man Page.
Example 18. Reload Firewall cmd
To reload the firewall rules and configuration, you need to use the --reload option as shown below.
[root@localhost ~]# firewall-cmd --reload
success
--reload : Reload firewall rules and keep state information. More info on Firewall cmd Man Page.
Example 19. Complete Reload of Firewalld
To completely reload the firewall rules and configuration along with the netfilter kernel modules, you need to use the --complete-reload option as shown below.
[root@localhost ~]# firewall-cmd --complete-reload
success
--complete-reload : Reload firewall completely, even netfilter kernel modules. More info on Firewall cmd Man Page.
Example 20. Query Masquerade
To check if IPv4 masquerading is enabled or not, you can query it by using the --query-masquerade option as shown below.
[root@localhost ~]# firewall-cmd --permanent --zone=public --query-masquerade
no
--query-masquerade : Return whether IPv4 masquerading has been enabled for zone. If zone is omitted, default zone will be used. Returns 0 if true, 1 otherwise. More info on Firewall cmd Man Page.
Example 21. Check Complete Description
To get the complete description of a zone, you can use the --get-description option as shown below.
[root@localhost ~]# firewall-cmd --permanent --zone=public --get-description
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
--get-description : Print description for zone. More info on Firewall cmd Man Page.
Example 22. Check Short Description
To get the short description of a zone, you need to use the --get-short option as shown below.
[root@localhost ~]# firewall-cmd --permanent --zone=public --get-short
Public
--get-short : Print short description for zone. More info on Firewall cmd Man Page.
Example 23. Check Target for a Zone
To get the target of a zone, you need to use the --get-target option as shown below.
[root@localhost ~]# firewall-cmd --permanent --zone=public --get-target
default
--get-target : Get the target of a permanent zone. More info on Firewall cmd Man Page.
Example 24. List of Ports
To list all the ports allowed through the firewall in the permanent configuration, you need to use the --list-ports option together with --permanent as shown below.
[root@localhost ~]# firewall-cmd --permanent --list-ports
6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp 7000/tcp 6990-7000/tcp 3306/tcp 8000/tcp 400/tcp
--list-ports : List ports added for zone as a space separated list. More info on Firewall cmd Man Page.
Example 25. Add Ports
If you want to add a port to allow it through firewalld, you need to use the --add-port option and pass the port number as shown below.
[root@localhost ~]# firewall-cmd --permanent --add-port=6000/tcp
success
--add-port : Add a new port. More info on Firewall cmd Man Page.
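The runtime list in Example 4 and the permanent list in Example 24 differ, because ports added with --permanent (as in Example 25) only become live after --reload (Example 18). The audit helper below is an added example, not code from the article or from the firewalld project: it runs offline on constructed copies of those two lists plus an assumed baseline of documented ports, and reports entries that are permanent but not yet at runtime, and entries outside the baseline, treating a range such as 6990-7000/tcp as covering the single port 7000/tcp.

```shell
#!/bin/sh
# Added audit helper (not from the original article or from firewalld).
# Compares a zone's permanent port list with its runtime list and with an
# expected baseline. Permanent-only entries were added with --permanent and
# are not live until firewall-cmd --reload; entries outside the baseline are
# openings someone should be able to explain.
# On a real host, replace the constructed samples with:
#   RUNTIME=$(firewall-cmd --zone=public --list-ports)
#   PERMANENT=$(firewall-cmd --permanent --zone=public --list-ports)

# Constructed samples, modelled on the output shown in Examples 4 and 24.
RUNTIME='6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp'
PERMANENT='6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp 7000/tcp 6990-7000/tcp 3306/tcp 8000/tcp 400/tcp'
# Assumed baseline: the ports this host is documented to expose.
BASELINE='6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp 6990-7000/tcp'

# covered ENTRY LIST: returns 0 if ENTRY (a port or lo-hi range with protocol,
# e.g. 7000/tcp or 2379-2380/tcp) lies inside an entry of LIST with the same
# protocol, 1 otherwise.
covered() {
  proto=${1#*/}; spec=${1%/*}; lo=${spec%-*}; hi=${spec#*-}
  for b in $2; do
    [ "${b#*/}" = "$proto" ] || continue
    bspec=${b%/*}; blo=${bspec%-*}; bhi=${bspec#*-}
    [ "$lo" -ge "$blo" ] && [ "$hi" -le "$bhi" ] && return 0
  done
  return 1
}

# not_covered LIST_A LIST_B: prints the entries of LIST_A not covered by LIST_B.
not_covered() {
  out=""
  for e in $1; do covered "$e" "$2" || out="$out $e"; done
  echo "${out# }"
}

pending=$(not_covered "$PERMANENT" "$RUNTIME")
[ -n "$pending" ] && echo "permanent but not runtime (reload needed): $pending"
extra=$(not_covered "$PERMANENT" "$BASELINE")
[ -n "$extra" ] && echo "outside baseline: $extra"
```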
Example 26. Check Other firewall cmd options
You can check the other firewall-cmd options using --help as shown below.
[root@localhost ~]# firewall-cmd --help
Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exits
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration
  --check-config       Check permanent configuration for errors

Log Denied Options
  --get-log-denied     Print the log denied value
  --set-log-denied=<value>
                       Set log denied value
--help : Prints a short help text and exits.