Sheet for Firewalld

Maciej
3 min read · Aug 11, 2020


Overview

Incoming traffic is filtered per zone: packet-filter rules are grouped into zones, each zone is configured in units of services, and each service is defined in an XML file that gives its name and port numbers.

firewalld is operated with the firewall-cmd command. With the --permanent option a setting is retained across reboots; without it, the setting is volatile and disappears after a reboot.

Check the operation

[root@centos7 vagrant]# firewall-cmd --state
running

Create a service definition file

The definitions live in /usr/lib/firewalld/services/*.xml. The path may vary by distribution, but CentOS 7 and openSUSE Tumbleweed use the same one.

Example: SSH

[root@centos7 services]# cat /usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SSH</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="22"/>
</service>
[root@centos7 services]#

That is what a definition looks like; a new service only needs a file written in the same form. The files appear to be owned by root:root with permissions 644.
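As an added example (not from the article), the POSIX shell functions below write a service definition in the same shape as the ssh.xml above, after checking the pieces a practitioner would want validated before a file lands in the services directory. The function names, the target directory argument and the port/protocol syntax are assumptions of this example, not part of firewalld's own tooling.

```shell
#!/bin/sh
# Added example (not from the article): write a firewalld service definition
# in the same shape as /usr/lib/firewalld/services/ssh.xml.
# Usage: make_firewalld_service DIR NAME SHORT DESCRIPTION PORT[-PORT]/PROTO...
# DIR is /usr/lib/firewalld/services (or /etc/firewalld/services for local
# definitions); pass a scratch directory to preview the result first.

# Escape the characters XML treats specially, so a description such as
# "API & UI" does not produce a file firewalld refuses to load.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# Accept "PORT/PROTO" or "LOW-HIGH/PROTO" with a protocol firewalld knows.
check_port_spec() {
    port=${1%/*} proto=${1#*/}
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    low=${port%-*} high=${port#*-}
    for p in "$low" "$high"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

make_firewalld_service() {
    dir=$1 name=$2 short=$3 desc=$4
    shift 4
    # The name becomes the file name: allow only a safe character set, which
    # also rules out path tricks such as "../".
    case $name in ''|*[!A-Za-z0-9_-]*) echo "invalid service name: $name" >&2; return 1 ;; esac
    [ $# -ge 1 ] || { echo "need at least one PORT/PROTO" >&2; return 1; }
    for spec in "$@"; do
        check_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    done
    file=$dir/$name.xml
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file" && chmod 644 "$file"   # same 644 mode as the stock files
}
```

Service files are read only at reload, and the same applies to --permanent zone changes: both reach the running firewall only after firewall-cmd --reload.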

Reload the service definition file

A new file is not recognized just by being added; reload firewalld:

[root@centos7 services]# firewall-cmd --reload
success

Add services to the zone

To add https (443/TCP) to the services allowed in the public zone:

[root@centos7 services]# firewall-cmd --zone=public --permanent --add-service=https
success

Add port number

For example, to allow TCP port 8081:

[root@centos7 services]# firewall-cmd --zone=public --permanent --add-port=8081/tcp
success

Listing the current settings

Currently set ports

[root@centos7 services]# firewall-cmd --zone=public --permanent --list-ports
8081/tcp

Currently set services

[root@centos7 services]# firewall-cmd --zone=public --permanent --list-services
dhcpv6-client https ssh

Services that can be added

[root@centos7 services]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Firewalld filter confirmation

The settings are written to iptables, so you can check the result with something like iptables -L (though the output is hard to read).

More references


Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.