firewall-cmd Command Examples in Linux

The firewall-cmd command enables you to configure firewalld by querying, adding, modifying, and deleting zones and services as desired. Because firewalld is the default firewall service for many Linux distributions, including Red Hat Enterprise Linux and CentOS, you will be using the firewall-cmd command regularly. The command includes options to identify which zone and which interface you want to configure, as well as the ability to permit services by name or by port number.

firewall-cmd Command Examples

The following are some common examples of using the firewall-cmd command:

1. List all available firewalld zones.

# firewall-cmd --get-zones

2. List only active zones of firewalld by using the following command line:

# firewall-cmd --get-active-zones

3. List all details of the dmz zone, including the interfaces and sources it applies to and the services, ports, protocols, and other rules it allows.

# firewall-cmd --zone=dmz --list-all

4. List the current default zone by using the following command line:

# firewall-cmd --get-default-zone

5. Add the specified interface to the dmz zone.

# firewall-cmd --zone=dmz --change-interface=[device ID]

6. List the services available for configuration with firewalld by using the following command line:

# firewall-cmd --get-services

7. Add the HTTP service to the dmz zone.

# firewall-cmd --zone=dmz --add-service=http

8. Add TCP port 21 (FTP) to the dmz zone.

# firewall-cmd --zone=dmz --add-port=21/tcp

9. Remove the HTTP service from the dmz zone.

# firewall-cmd --zone=dmz --remove-service=http

10. Remove TCP port 21 (FTP) from the dmz zone.

# firewall-cmd --zone=dmz --remove-port=21/tcp

11. List the TCP/UDP ports that your firewall allows (in the default zone, since no --zone is given) using the following command:

# firewall-cmd --list-ports

12. Reload the firewalld configuration; runtime-only changes are discarded and the permanent configuration becomes the new runtime configuration.

# firewall-cmd --reload

13. Enable panic mode, which drops all incoming and outgoing packets (active connections included), to isolate the host when there is a breach in the network:

# firewall-cmd --panic-on

14. Once the preceding command has run, any ping, SSH, or web-related activity on the system is blocked. To turn panic mode off again, execute the following command:

# firewall-cmd --panic-off

15. Permanently open port 10000/tcp and view the results (the port appears in the runtime listing only after the reload):

# firewall-cmd --permanent --add-port=10000/tcp
# firewall-cmd --list-ports
# firewall-cmd --reload
# firewall-cmd --list-ports
# firewall-cmd --info-zone=dmz

16. Remove the port that you just added:

# firewall-cmd --permanent --remove-port=10000/tcp
# firewall-cmd --reload
# firewall-cmd --list-ports
# firewall-cmd --info-zone=dmz

17. Block the host-redirect and network-redirect ICMP types:

# firewall-cmd --add-icmp-block={host-redirect,network-redirect}

18. Log all denied (dropped or rejected) packets, which helps with troubleshooting and with spotting unwanted traffic:

# firewall-cmd --set-log-denied=all

19. View both the runtime and permanent configurations and note the differences between them:

# firewall-cmd --info-zone=public
# firewall-cmd --info-zone=public --permanent

20. Make the runtime configuration permanent and verify that it took effect:

# firewall-cmd --runtime-to-permanent
# firewall-cmd --info-zone=public --permanent
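Comparing the two listings by eye is error-prone, so here is an added example (not from the original page) that does it for you: it parses the text printed by firewall-cmd --info-zone with and without --permanent and reports every setting that differs. The sample outputs embedded at the bottom are constructed, and the parser assumes the one-setting-per-line format shown there.

```python
"""Report drift between firewalld runtime and permanent zone settings.

Added example, not from the original page: parses the text printed by
`firewall-cmd --info-zone=<zone>` with and without --permanent and lists
every setting that differs. Runtime-only settings vanish on --reload or
reboot; permanent-only settings are not enforced until a reload.
"""

# Settings whose value is a space-separated set, so order is irrelevant.
SET_KEYS = {"interfaces", "sources", "services", "ports", "protocols",
            "forward-ports", "source-ports", "icmp-blocks"}


def parse_zone_info(text):
    """Turn --info-zone output into {setting: value or set of values}."""
    cfg = {}
    for line in text.splitlines()[1:]:        # line 0 is "zone (active)"
        key, sep, value = line.strip().partition(":")
        if sep:                               # skip lines without "key: value"
            value = value.strip()
            cfg[key] = set(value.split()) if key in SET_KEYS else value
    return cfg


def zone_drift(runtime_text, permanent_text):
    """Return {setting: (runtime_value, permanent_value)} where they differ."""
    rt, pm = parse_zone_info(runtime_text), parse_zone_info(permanent_text)
    return {k: (rt.get(k), pm.get(k))
            for k in sorted(rt.keys() | pm.keys()) if rt.get(k) != pm.get(k)}


# Constructed sample: 10000/tcp was added with --permanent but not yet
# reloaded, and http was added at runtime only (lost on the next reload).
RUNTIME_SAMPLE = """public (active)
  target: default
  interfaces: eth0
  services: ssh http
  ports:
"""
PERMANENT_SAMPLE = """public
  target: default
  interfaces: eth0
  services: ssh
  ports: 10000/tcp
"""

if __name__ == "__main__":
    for key, (rt, pm) in zone_drift(RUNTIME_SAMPLE, PERMANENT_SAMPLE).items():
        print(f"{key}: runtime={rt or '(none)'} permanent={pm or '(none)'}")
```

On a live system, feed the function the captured stdout of firewall-cmd --info-zone=public and of the same command with --permanent; an empty result means the running firewall matches what survives a reload.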

Example of allowing incoming requests for NFS (v4)

Perform the following steps to allow NFSv4 traffic on your system:

1. First, allow the nfs service in the permanent configuration with this command:

# firewall-cmd --add-service nfs --permanent
success

2. Then, reload the configuration as follows:

# firewall-cmd --reload
success

3. Now, check the newly applied rule by executing the following command line:

# firewall-cmd --list-services
nfs

Final Words

firewalld comes with a set of predefined service definitions, such as http and https, each mapping a service name to its ports and protocols. You can find all such definitions in /lib/firewalld/services. To create your own service definitions or modify the existing ones, place the new definition files in /etc/firewalld/services rather than editing the copies under /lib/firewalld/services; files in /etc take precedence and are not overwritten by package updates.

When creating new "rules" by adding ports, services, and so on, you need to add the --permanent option, or your changes will be lost when the system reboots or the firewalld configuration is reloaded. Note the converse as well: a change made with --permanent is not applied to the running firewall until you run firewall-cmd --reload (as example 15 shows); alternatively, make the change at runtime first and then persist it with --runtime-to-permanent (example 20).