Firewalld is a system utility that replaces direct use of iptables as the firewall manager on modern Linux distributions. It is used to configure which resources and services on a Linux machine other hosts may communicate with. Below are some basic firewalld commands in Linux that every sysadmin should know.
Before running the commands below, ensure the firewalld service is installed and running on your system. You can check that with the following commands:
yum install firewalld #to install firewalld utility
systemctl start firewalld.service #start the service
systemctl enable firewalld.service #enable for autostart
systemctl status firewalld #check the status of service
1) To check current state of the firewall
firewall-cmd --state
2) To get the default zone
firewall-cmd --get-default-zone
3) To get info about your active zones
firewall-cmd --get-active-zones
4) To get the rules applied to the active zone
firewall-cmd --list-all
5) To get info about all zones
firewall-cmd --get-zones
6) To get all info about a particular zone (you have to specify the zone: public, private, ...)
firewall-cmd --zone=public --list-all
7) List info about all the zones
firewall-cmd --list-all-zones
8) Change the zone of an interface
firewall-cmd --zone=public --change-interface=enp0s3
(It moves the interface enp0s3 from the home zone to the public zone)
9) To make the zone assignment permanent
append the line "ZONE=public" to /etc/sysconfig/network-scripts/ifcfg-enp0s3
10) Reload the firewall
firewall-cmd --reload
11) To set the default zone
firewall-cmd --set-default-zone=home
12) List the firewall services that can be allowed
firewall-cmd --get-services
(You can see more info about a particular service in /usr/lib/firewalld/services)
13) Add a service to firewall
firewall-cmd --add-service=http #adds the http service to the running configuration
firewall-cmd --permanent --add-service=http #adds it to the permanent configuration
then reload the firewall
14) List which services are allowed in a zone
firewall-cmd --zone=public --list-services
15) Add a port
firewall-cmd --permanent --add-port=7734/tcp
firewall-cmd --permanent --add-port=7000-7200/tcp #add a range of ports
16) Add a custom service and assign a port to it
- just copy any template, e.g. /usr/lib/firewalld/services/ssh.xml, to /etc/firewalld/services/CustomServiceName.xml
- then open CustomServiceName.xml and replace the options with your requirements (name, description, port, protocol), then reload firewalld
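As an added example (not part of the original post), this is what the copied and edited service file could look like for a hypothetical service named "myapp" listening on 7734/tcp; the service name and port are assumptions, and the file must be saved as /etc/firewalld/services/myapp.xml because the file name becomes the service name:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: /etc/firewalld/services/myapp.xml (hypothetical service).
     Files in /etc/firewalld/services override those in /usr/lib/firewalld/services. -->
<service>
  <short>myapp</short>
  <description>Hypothetical application listening on TCP port 7734. Only this port is opened, not a whole range.</description>
  <port protocol="tcp" port="7734"/>
</service>
```

After `firewall-cmd --reload`, `firewall-cmd --get-services` should list myapp, and it can then be allowed in a zone with `firewall-cmd --permanent --add-service=myapp` followed by another reload. Opening a named service rather than a bare port keeps `--list-services` output readable and makes it easier to audit what a zone actually exposes.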
17) Add an IP or machine to a zone if you trust it
firewall-cmd --permanent --zone=public --add-source=10.1.1.1
then reload
18) Create a rich rule with the help of the man pages
man 5 firewalld.richlanguage #man page about the rich rule language
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.2.23/24" service=ftp reject'
This rejects the ftp service for that source address range
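Once services, ports, sources and rich rules have been added across several zones, it is easy to lose track of what the machine actually exposes. The following script is an added example (not from the original post): it reads the output of `firewall-cmd --list-all-zones` (step 7) and prints, for each zone marked "(active)", the allowed services, open ports and number of rich rules. The sample output embedded below is constructed so the script runs on a machine without firewalld.

```sh
#!/bin/sh
# Added example: summarise what each *active* firewalld zone exposes.
# Input: the text printed by `firewall-cmd --list-all-zones`, on stdin.
active_exposure() {
    awk '
        # Zone headers start in column 1; "(active)" marks a zone that is
        # bound to an interface or a source and therefore filters traffic.
        /^[^ \t]/ {
            flush()
            zone = $1
            active = ($0 ~ /\(active\)/)
            services = ""; ports = ""; rich = 0
            next
        }
        # Indented fields belonging to the current zone.
        /^[ \t]+services:/ { sub(/^[ \t]+services:[ \t]*/, ""); services = $0 }
        /^[ \t]+ports:/    { sub(/^[ \t]+ports:[ \t]*/, "");    ports = $0 }
        /^[ \t]+rule /     { rich++ }   # one line per rich rule
        END { flush() }
        function flush() {
            if (zone != "" && active)
                printf "%s services=[%s] ports=[%s] rich_rules=%d\n", zone, services, ports, rich
        }
    '
}

# Constructed sample of `firewall-cmd --list-all-zones` output (two zones,
# only "public" active); used here instead of a live firewalld.
SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports: 7734/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.0.2.23/24" service name="ftp" reject

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Run against the constructed sample; on a real host use:
#   firewall-cmd --list-all-zones | active_exposure
printf '%s\n' "$SAMPLE" | active_exposure
```

The inactive "home" zone is skipped on purpose: its allowed services do not matter until an interface or source is bound to it (steps 8 and 17), which is exactly the moment its rules start applying and the summary changes.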