CentOS 7: Firewalld Command Line Cheat Sheet


I was working on my CentOS 7 box to get familiar with some of its new functionality; as you know, RHEL 7 and CentOS 7 bring many changes in many areas.

To have a quick reference for many of these changes, I will try to document some basic commands for managing my system, so let's start with firewalld.

Firewalld is a new system service on Linux for managing firewall rules; you should not use it simultaneously with iptables on the same system.

Firewalld uses zones to decide what to do with incoming packets; a zone is a collection of rules you specify that applies to traffic from a specific source address or network interface.

CentOS comes with many pre-configured zones: block, dmz, drop, external, home, internal, trusted, work, public.

To list all the available zones

# firewall-cmd --list-all-zones

Here is an example of the default active zone on my system.

[screenshot: firewalld active zone]

In these zones you can allow services; a service is basically an XML file describing the service: TCP or UDP, port number, and so on.

To list all the services

# firewall-cmd --get-services

[screenshot: firewall-cmd --get-services output]

Here is an example of the ssh service XML file; these files can be found in /usr/lib/firewalld/services.

[root@localhost ~]# cat /usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
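Before allowing a service by name it is worth knowing which ports that name actually opens. The following script is an added example, not part of the original post or of firewalld itself: it parses the <port .../> elements of a service definition with awk and looks the definition up the way firewalld does (a file in /etc/firewalld/services overrides the one in /usr/lib/firewalld/services). The sample XML embedded at the bottom is constructed to have the same shape as ssh.xml so the parser can be exercised on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the original post: show which ports a firewalld
# service name opens, by reading the <port .../> elements of its XML definition.

# Read a service definition on stdin; print one "port/protocol" line per
# <port .../> element.  Port ranges such as 6000-6063 are passed through as-is.
service_ports() {
    awk '
        /<port / {
            proto = ""; port = ""
            if (match($0, /protocol="[a-z]+"/)) proto = substr($0, RSTART + 10, RLENGTH - 11)
            if (match($0, /port="[0-9-]+"/))    port  = substr($0, RSTART + 6,  RLENGTH - 7)
            if (port != "") print port "/" proto
        }'
}

# Resolve a service name to its definition file, in firewalld's lookup order:
# a local override in /etc/firewalld/services wins over the packaged file.
service_file() {
    for _dir in /etc/firewalld/services /usr/lib/firewalld/services; do
        if [ -f "$_dir/$1.xml" ]; then
            printf '%s\n' "$_dir/$1.xml"
            return 0
        fi
    done
    return 1
}

# Service name -> ports, for use on a host that has firewalld installed.
describe_service() {
    _f=$(service_file "$1") || { echo "no definition for service '$1'" >&2; return 1; }
    service_ports < "$_f"
}

# Constructed sample with the same shape as the real ssh.xml, so the parser
# runs without firewalld present.
SAMPLE_SSH_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into remote machines.</description>
  <port protocol="tcp" port="22"/>
</service>'

# Prints "22/tcp" for the sample; run `describe_service smtp` on a real host.
printf '%s\n' "$SAMPLE_SSH_XML" | service_ports
```

The parser matches the protocol and port attributes independently, so it does not depend on their order inside the element, and a definition with several <port .../> lines yields one line per port.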

To list the active configuration

[root@localhost ~]# firewall-cmd --list-all

To list the configuration for a specific zone, for example the work zone

[root@localhost ~]# firewall-cmd --list-all --zone=work

[screenshot: firewall-cmd --list-all --zone=work output]

You should also note two things with firewalld. First, make sure any configuration change is persistent across reboots by adding --permanent when you make the change. Second, reload your configuration after making a change; this makes sure that the current running configuration is synchronized with the configuration on disk.

Let's take an example: adding the smtp service to our current zone configuration.

To add a service to the current active zone

[root@localhost ~]# firewall-cmd --add-service smtp --permanent

List the current zone configuration; as you can see, the service isn't visible yet.

[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  services: dhcpv6-client ssh
  masquerade: no
  rich rules:

Reload and list the configuration

[root@localhost ~]# firewall-cmd --reload

[screenshot: firewall-cmd --list-all output after the reload, now showing smtp]
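The add/list/reload sequence above is exactly where configurations drift: a rule added with --permanent but never reloaded is not enforced, and a rule added at runtime without --permanent silently disappears at the next reload or reboot. The script below is an added example, not part of the original post or of firewalld: it compares the services, ports and sources fields of `firewall-cmd --list-all` against `firewall-cmd --list-all --permanent` and reports which side has what. The two sample outputs embedded in it are constructed (the runtime one is the output shown above; the permanent one assumes smtp and 8081/tcp were added with --permanent and not yet reloaded), so the comparison logic runs without firewalld installed; `check_zone` is the live variant for a real host.

```shell
#!/bin/sh
# Added example, not from the original post: detect drift between the runtime
# and the permanent configuration of a firewalld zone.

# Print the value of one single-word field ("services", "ports", "sources", ...)
# from `firewall-cmd --list-all` output given on stdin.
zone_field() {
    awk -v f="$1" '$1 == (f ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Words of $1 that are not words of $2 (both are space-separated lists).
set_diff() {
    for _item in $1; do
        case " $2 " in
            *" $_item "*) ;;
            *) printf '%s ' "$_item" ;;
        esac
    done
}

# Compare one field between runtime output ($2) and permanent output ($3).
# Prints a verdict; returns 1 when the two sides differ.
check_field() {
    _field=$1
    _r=$(printf '%s\n' "$2" | zone_field "$_field")
    _p=$(printf '%s\n' "$3" | zone_field "$_field")
    _r_only=$(set_diff "$_r" "$_p")
    _p_only=$(set_diff "$_p" "$_r")
    if [ -z "$_r_only" ] && [ -z "$_p_only" ]; then
        echo "$_field: runtime and permanent match: $_r"
        return 0
    fi
    [ -n "$_r_only" ] && echo "$_field: runtime only (lost at --reload or reboot): $_r_only"
    [ -n "$_p_only" ] && echo "$_field: permanent only (not enforced until --reload): $_p_only"
    return 1
}

# Live check of one zone (default zone if none given); needs firewalld and root.
check_zone() {
    _zone=${1:-$(firewall-cmd --get-default-zone)}
    _runtime=$(firewall-cmd --zone="$_zone" --list-all)
    _permanent=$(firewall-cmd --zone="$_zone" --list-all --permanent)
    _rc=0
    for _f in services ports sources; do
        check_field "$_f" "$_runtime" "$_permanent" || _rc=1
    done
    return $_rc
}

# Constructed samples: the runtime output from the post, and a permanent
# configuration to which smtp and 8081/tcp were added but not yet reloaded.
SAMPLE_RUNTIME='public (default, active)
  interfaces: eno16777728
  services: dhcpv6-client ssh
  masquerade: no
  rich rules:'
SAMPLE_PERMANENT='public
  interfaces: eno16777728
  services: dhcpv6-client smtp ssh
  ports: 8081/tcp
  masquerade: no
  rich rules:'

# Offline demonstration on the samples: reports smtp and 8081/tcp as permanent only.
for f in services ports sources; do
    check_field "$f" "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || true
done

# `sh drift.sh --live [zone]` runs the comparison against the real system.
if [ "${1:-}" = "--live" ]; then
    check_zone "${2:-}"
fi
```

Running `check_zone` right after a `--permanent` change and again after `--reload` is a cheap way to confirm that what you think is enforced really is; a non-zero exit from the live check is a good signal to script into a post-change verification.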

To show the current configured default zone

[root@localhost ~]# firewall-cmd --get-default-zone

To remove a service from the current active zone, for example the smtp service

[root@localhost ~]# firewall-cmd --remove-service=smtp

To add a custom port/protocol to a zone, for example, to add the tcp port 8081 on the public zone

[root@localhost ~]# firewall-cmd --add-port=8081/tcp --zone=public --permanent

To set a default zone, for example the work zone

[root@localhost ~]# firewall-cmd --set-default-zone=work

To remove a specific port from the configuration, just replace the add keyword with remove, as in the previous command

[root@localhost ~]# firewall-cmd --remove-port=8081/tcp --zone=public --permanent

To add a specific IP address to the public zone

[root@localhost ~]# firewall-cmd --add-source= --zone=public --permanent
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777728
  services: dhcpv6-client smtp ssh
  masquerade: no
  rich rules:

Hope this helps; I will try to publish another post with more examples.
