Cheatography

firewalld command line configuration

Initial information

Get the status of firewalld
firewall-cmd --state
Reload the firewall
firewall-cmd --reload
List of all supported zones
firewall-cmd --get-zones
List of all supported services
firewall-cmd --get-services
List of all supported icmptypes
firewall-cmd --get-icmptypes
List all zones with the enabled features
firewall-cmd --list-all-zones
Print zone with the enabled features
firewall-cmd [--zone=<zone>] --list-all
Get the default zone
firewall-cmd --get-default-zone
Set the default zone
firewall-cmd --set-default-zone=<zone>
Get active zones
firewall-cmd --get-active-zones
Get zone related to an interface
firewall-cmd --get-zone-of-interface=<interface>

Interface

Add an interface to a zone
firewall-cmd [--zone=<zone>] --add-interface=<interface>
Change the zone an interface belongs to
firewall-cmd [--zone=<zone>] --change-interface=<interface>
Remove an interface from a zone
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
Query if an interface is in a zone
firewall-cmd [--zone=<zone>] --query-interface=<interface>
List the enabled services in a zone
firewall-cmd [--zone=<zone>] --list-services

Service

Enable a service in a zone
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
Disable a service in a zone
firewall-cmd [--zone=<zone>] --remove-service=<service>
Query if a service is enabled in a zone
firewall-cmd [--zone=<zone>] --query-service=<service>

Source

Enable a source in a zone
firewall-cmd [--zone=<zone>] --add-source=<address> [--timeout=<seconds>]
Disable a source in a zone
firewall-cmd [--zone=<zone>] --remove-source=<address>
Query if a source is enabled in a zone
firewall-cmd [--zone=<zone>] --query-source=<address>

ICMP

Enable ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
Disable ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
Query ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
Example:
firewall-cmd --zone=public --add-icmp-block=echo-reply

port and protocol combination

Enable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
Disable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
Query if a port and protocol combination is enabled in a zone
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

port forwarding or port mapping

Enable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Disable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Query port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Example:
firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Permanent

The permanent options do not affect the runtime configuration directly; a permanent setting only takes effect after a reload or restart. To have both the runtime and the permanent setting, you need to apply the change twice, once without and once with --permanent. The --permanent option needs to be the first option for all permanent calls.
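As an added example (not part of the cheat sheet), the following POSIX shell script applies one zone change both at runtime and permanently, with --permanent placed first as required above, and then uses the 0/1 exit status of --query-service to detect drift between the two configurations. The FIREWALL_CMD variable (which defaults to firewall-cmd and can be pointed at a stub for a dry run) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: apply a zone change to the running
# firewall and to the permanent configuration in one step, then check that the
# two agree. FIREWALL_CMD (default firewall-cmd) and the function names are
# assumptions of this example; set FIREWALL_CMD=echo for a dry run.

: "${FIREWALL_CMD:=firewall-cmd}"

# apply_both ZONE OPTION
#   Runs OPTION (e.g. --add-service=ssh) against the runtime configuration and
#   again with --permanent, which must be the first option of the permanent call.
apply_both() {
    zone=$1
    option=$2
    $FIREWALL_CMD --zone="$zone" "$option" || return 1
    $FIREWALL_CMD --permanent --zone="$zone" "$option" || return 1
}

# service_state ZONE SERVICE [--permanent]
#   Prints "enabled" or "disabled" from the exit status of --query-service
#   (0 when the service is enabled in the zone, 1 otherwise).
service_state() {
    zone=$1
    service=$2
    scope=${3:-}
    if $FIREWALL_CMD $scope --zone="$zone" --query-service="$service" >/dev/null 2>&1; then
        echo enabled
    else
        echo disabled
    fi
}

# check_drift ZONE SERVICE
#   Exit 0 when runtime and permanent agree about SERVICE in ZONE, 1 when they
#   differ (a change that will silently revert, or appear, on the next reload).
check_drift() {
    zone=$1
    service=$2
    runtime=$(service_state "$zone" "$service")
    permanent=$(service_state "$zone" "$service" --permanent)
    if [ "$runtime" = "$permanent" ]; then
        echo "$service in $zone: runtime=$runtime permanent=$permanent"
        return 0
    fi
    echo "DRIFT: $service in $zone: runtime=$runtime permanent=$permanent" >&2
    return 1
}

# Usage: sh apply_both.sh ZONE SERVICE   (file name assumed)
if [ "$#" -eq 2 ]; then
    apply_both "$1" "--add-service=$2" && check_drift "$1" "$2"
fi
```

Running check_drift across the services you care about after every change is a cheap way to catch the classic mistake this section warns about: a rule that works until the next reload because only one of the two configurations was updated.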

panic mode

Enable panic mode
firewall-cmd --enable-panic
Disable panic mode
firewall-cmd --disable-panic
Query panic mode
firewall-cmd --query-panic
Panic mode blocks all network traffic; use it in case of emergency.

Masquerading

Enable masquerading in a zone
firewall-cmd [--zone=<zone>] --add-masquerade
Disable masquerading in a zone
firewall-cmd [--zone=<zone>] --remove-masquerade
Query masquerading in a zone
firewall-cmd [--zone=<zone>] --query-masquerade

Direct options

Pass a command through to the firewall. <args> can be any iptables, ip6tables or ebtables command line arguments.
firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>
Add a new chain <chain> to a table <table>.
firewall-cmd [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>
Remove a chain with name <chain> from table <table>.
firewall-cmd [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>
Query if a chain with name <chain> exists in table <table>. Returns 0 if true, 1 otherwise.
firewall-cmd [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>
Get all chains added to table <table> as a space separated list.
firewall-cmd [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } <table>
Add a rule with the arguments <args> to chain <chain> in table <table> with priority <priority>.
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
Remove a rule with the arguments <args> from chain <chain> in table <table>.
firewall-cmd [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
Query if a rule with the arguments <args> exists in chain <chain> in table <table>. Returns 0 if true, 1 otherwise.
firewall-cmd [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
Get all rules added to chain <chain> in table <table> as a newline separated list of arguments.
firewall-cmd [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>
The direct options give more direct access to the firewall. They require the user to know basic iptables concepts.
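As an added example (not part of the cheat sheet), this POSIX shell script installs a direct rule set idempotently: it checks --query-chain and --query-rule first, relying on the "0 if true, 1 otherwise" exit status documented above, so re-running the script never duplicates chains or rules. The rules log new inbound SSH connection attempts to the kernel log for detection purposes. The FIREWALL_CMD variable, the function names and the chain name LOG_NEW_SSH are assumptions of this example; note that current firewalld also takes the priority argument on --query-rule and --remove-rule, which the table above omits, and the example passes it.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: idempotently install a direct
# rule set, using the 0/1 exit status of --query-chain and --query-rule so the
# script can be re-run without duplicating chains or rules.
# FIREWALL_CMD (default firewall-cmd), the function names and the chain name
# LOG_NEW_SSH are assumptions of this example.

: "${FIREWALL_CMD:=firewall-cmd}"

# ensure_chain FAMILY TABLE CHAIN
#   Creates CHAIN in TABLE unless --query-chain already reports it (exit 0).
ensure_chain() {
    family=$1; table=$2; chain=$3
    if $FIREWALL_CMD --permanent --direct --query-chain "$family" "$table" "$chain" >/dev/null 2>&1; then
        return 0
    fi
    $FIREWALL_CMD --permanent --direct --add-chain "$family" "$table" "$chain"
}

# ensure_rule FAMILY TABLE CHAIN PRIORITY ARGS...
#   Adds the rule unless --query-rule already reports it. Current firewalld
#   takes the priority on --query-rule as well as on --add-rule.
ensure_rule() {
    family=$1; table=$2; chain=$3; priority=$4
    shift 4
    if $FIREWALL_CMD --permanent --direct --query-rule "$family" "$table" "$chain" "$priority" "$@" >/dev/null 2>&1; then
        return 0
    fi
    $FIREWALL_CMD --permanent --direct --add-rule "$family" "$table" "$chain" "$priority" "$@"
}

# install_ssh_logging
#   Logs new inbound TCP/22 connections via a dedicated chain (so the logging
#   rule can be removed or extended in one place), then reloads so the
#   permanent direct rules take effect at runtime.
install_ssh_logging() {
    ensure_chain ipv4 filter LOG_NEW_SSH || return 1
    ensure_rule ipv4 filter LOG_NEW_SSH 0 -j LOG --log-prefix "NEW_SSH: " || return 1
    ensure_rule ipv4 filter INPUT 0 -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG_NEW_SSH || return 1
    $FIREWALL_CMD --reload
}

# Usage: sh direct_ssh_log.sh install   (file name assumed)
if [ "${1:-}" = "install" ]; then
    install_ssh_logging
fi
```

Because every add is gated on a query, the script doubles as a configuration check: with a stub FIREWALL_CMD that answers "exists" to every query, the only command it issues is the final --reload.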
