Firewalld Quick Operational Commands

Maciej
2 min read · Aug 19, 2020

Below is a list of important commands that are useful during everyday work with firewalld.

Firewall operating status

[root@centos7 vagrant]# firewall-cmd --state
running

Examine the active zone

[root@centos7 vagrant]# firewall-cmd --get-active-zones
public
interfaces: eth0 eth1

Check current settings: Active Zone

[root@centos7 vagrant]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports: port=8080:proto=tcp:toport=80:toaddr=
source-ports:
icmp-blocks:
rich rules:

Check current settings: All zones

[root@centos7 vagrant]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports: port=8080:proto=tcp:toport=80:toaddr=
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
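The zone dump above is long and easy to skim past; the settings a reviewer actually cares about are a zone with target ACCEPT, masquerading, forward-ports, and whatever the active zone exposes. The following is an added example (not part of the original post) that pipes `firewall-cmd --list-all-zones` output through awk and prints only those findings. The `sample_listing` function is a constructed, abbreviated copy of the dump shown above so the script runs offline; on a real host, use `firewall-cmd --list-all-zones | audit_zones` instead.

```shell
#!/bin/sh
# Added example: summarise risky settings in `firewall-cmd --list-all-zones` output.
# Reads the listing on stdin and prints one line per finding.
audit_zones() {
    awk '
    NF == 0 { next }
    # A line without a colon is a zone header, e.g. "block" or "public (active)"
    $0 !~ /:/ {
        zone = $0; gsub(/^[ \t]+|[ \t]+$/, "", zone)
        active = ($0 ~ /\(active\)/)
        next
    }
    {
        i = index($0, ":")
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "target" && val == "ACCEPT")
            print zone ": target ACCEPT, everything not matched elsewhere is allowed"
        if (key == "masquerade" && val == "yes")
            print zone ": masquerade (NAT) enabled"
        if (key == "forward-ports" && val != "")
            print zone ": forward-ports " val
        # Only the active zone(s) are reachable on the bound interfaces
        if (active && (key == "services" || key == "ports") && val != "")
            print zone ": exposes " key " " val
    }'
}

# Constructed sample: a trimmed copy of the post's --list-all-zones output
# (real output indents attribute lines with two spaces).
sample_listing() {
    cat <<'EOF'
block
  target: %%REJECT%%
  interfaces:
  services:
  ports:
  masquerade: no
  forward-ports:
external
  target: default
  interfaces:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
public (active)
  target: default
  interfaces: eth0 eth1
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports: port=8080:proto=tcp:toport=80:toaddr=
trusted
  target: ACCEPT
  interfaces:
  services:
  ports:
  masquerade: no
  forward-ports:
EOF
}

# Run against the constructed sample when executed directly
sample_listing | audit_zones
```

The zone header is recognised by the absence of a colon, which is what distinguishes it from attribute lines in this format; rich rules, which the listing prints on continuation lines under `rich rules:`, are not parsed here.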

Service add/delete

Add Service

[root@centos7 vagrant]# firewall-cmd --permanent --add-service=ssh
Warning: ALREADY_ENABLED: ssh
success

Delete Service

[root@centos7 vagrant]# firewall-cmd --permanent --zone=public --remove-service=ssh
success

Port add/delete

Add Port

[root@centos7 vagrant]# firewall-cmd --zone=public --add-port=9001/tcp --permanent
success

Delete Port

[root@centos7 vagrant]# firewall-cmd --zone=public --remove-port=9001/tcp --permanent
success

Reload configuration

Changes made with --permanent are written to the saved configuration only; they take effect in the running firewall after a reload.

[root@centos7 vagrant]# firewall-cmd --reload
success

Example of a complex command: a rich rule

The rule below accepts TCP port 22 only from the 192.168.123.0/24 network.

[root@centos7 vagrant]# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.123.0/24" port protocol="tcp" port="22" accept"
success
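The rich rule above, the service/port commands, and the reload step make up one workflow: build the rule, add it with --permanent, reload, then confirm it is live. The following is an added example (not the post's own code) that wraps that workflow in shell functions with input validation. `is_cidr4`, `is_port`, `build_rich_rule` and `apply_rule` are names chosen here; `apply_rule` is the only function that calls `firewall-cmd`, and it runs only when the script is given four arguments (zone, network, port, protocol).

```shell
#!/bin/sh
# Added example: build a firewalld rich rule safely and apply it with
# --permanent, --reload and a --query-rich-rule verification.

# is_cidr4 NET: succeed if NET is a.b.c.d/len with octets <= 255 and len <= 32
is_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip            # positional parameters are local to this function
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_port N: succeed if N is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rich_rule NET PORT PROTO: print the rule text or fail on bad input.
# printf with a single-quoted format keeps the inner double quotes intact.
build_rich_rule() {
    is_cidr4 "$1" || { echo "bad source network: $1" >&2; return 1; }
    is_port "$2"  || { echo "bad port: $2" >&2; return 1; }
    case "$3" in
        tcp|udp|sctp|dccp) ;;
        *) echo "bad protocol: $3" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
        "$1" "$2" "$3"
}

# apply_rule ZONE NET PORT PROTO: permanent add, reload, then verify at runtime
apply_rule() {
    rule=$(build_rich_rule "$2" "$3" "$4") || return 1
    firewall-cmd --permanent --zone="$1" --add-rich-rule="$rule" || return 1
    firewall-cmd --reload || return 1
    # Exit status 0 here means the rule is present in the running configuration
    firewall-cmd --zone="$1" --query-rich-rule="$rule"
}

# Usage: sh this_script.sh public 192.168.123.0/24 22 tcp
if [ "$#" -eq 4 ]; then
    apply_rule "$@"
fi
```

Passing the rule as `"$rule"` hands firewalld the text with its quotes in place; the post's one-liner instead relies on the shell joining its adjacent quoted fragments into one argument, which firewalld accepted as the `success` output shows. The final `--query-rich-rule` is the check that the reload actually carried the permanent change into the runtime set.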


Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.