Cheatography

firewalld command line configuration

Initial information

Get the status of firewalld
firewall-cmd --state
Reload the firewall
firewall-cmd --reload
List of all supported zones
firewall-cmd --get-zones
List of all supported services
firewall-cmd --get-services
List of all supported icmptypes
firewall-cmd --get-icmptypes
List all zones with the enabled features
firewall-cmd --list-all-zones
Print zone with the enabled features
firewall-cmd [--zone=<zone>] --list-all
Get the default zone
firewall-cmd --get-default-zone
Set the default zone
firewall-cmd --set-default-zone=<zone>
Get active zones
firewall-cmd --get-active-zones
Get zone related to an interface
firewall-cmd --get-zone-of-interface=<interface>

Interface

Add an interface to a zone
firewall-cmd [--zone=<zone>] --add-interface=<interface>
Change the zone an interface belongs to
firewall-cmd [--zone=<zone>] --change-interface=<interface>
Remove an interface from a zone
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
Query if an interface is in a zone
firewall-cmd [--zone=<zone>] --query-interface=<interface>
List the enabled services in a zone
firewall-cmd [--zone=<zone>] --list-services

Service

Enable a service in a zone
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
Disable a service in a zone
firewall-cmd [--zone=<zone>] --remove-service=<service>
Query if a service is enabled in a zone
firewall-cmd [--zone=<zone>] --query-service=<service>

Source

Enable a source in a zone
firewall-cmd [--zone=<zone>] --add-source=<address> [--timeout=<seconds>]
Disable a source in a zone
firewall-cmd [--zone=<zone>] --remove-source=<address>
Query if a source is enabled in a zone
firewall-cmd [--zone=<zone>] --query-source=<address>

ICMP

Enable ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
Disable ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
Query ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
Example:
firewall-cmd --zone=public --add-icmp-block=echo-reply

port and protocol combination

Enable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
Disable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
Query if a port and protocol combination is enabled in a zone
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

port forwarding or port mapping

Enable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Disable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Query port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Example:
firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Permanent

The permanent options do not affect the runtime configuration directly; they take effect only after a reload or restart. To change both the runtime and the permanent setting, you need to supply both, i.e. run the command once with and once without --permanent. The --permanent option needs to be the first option for all permanent calls.
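The runtime/permanent split above is a common source of surprises: a rule added at runtime silently disappears on the next reload, and a rule added with --permanent is not enforced until one. The following POSIX shell script is an added example, not part of the cheat sheet or of firewalld itself. apply_both applies one zone change to the runtime configuration and then to the permanent one (with --permanent as the first option, as the note requires), and check_drift compares the runtime and permanent service lists of a zone so that unsaved or not-yet-reloaded changes become visible. The FIREWALL_CMD variable, which lets the script be pointed at a stub instead of the real firewall-cmd, is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the cheat sheet): apply a zone change to both the
# runtime and the permanent firewalld configuration, and detect drift between
# the two. FIREWALL_CMD is an assumption of this example; it defaults to the
# real firewall-cmd but can be pointed at a stub.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# apply_both <zone> <option>...
# Runs the same change twice: once against the runtime configuration and once
# with --permanent as the first option, so the change survives a reload.
apply_both() {
  zone="$1"
  shift
  "$FIREWALL_CMD" --zone="$zone" "$@" || return 1
  "$FIREWALL_CMD" --permanent --zone="$zone" "$@" || return 1
}

# check_drift <zone>
# Compares the enabled services of a zone in the runtime and permanent
# configurations. Returns 0 when they match, 1 (with a message on stderr)
# when runtime changes were never made permanent or permanent changes have
# not yet been loaded with --reload, and 2 when firewall-cmd itself failed.
check_drift() {
  zone="$1"
  runtime=$("$FIREWALL_CMD" --zone="$zone" --list-services) || return 2
  permanent=$("$FIREWALL_CMD" --permanent --zone="$zone" --list-services) || return 2
  if [ "$runtime" = "$permanent" ]; then
    return 0
  fi
  printf 'zone %s: runtime services [%s] differ from permanent [%s]\n' \
    "$zone" "$runtime" "$permanent" >&2
  return 1
}

# Usage:  ./fw-both.sh apply <zone> <option>...   e.g. apply public --add-service=https
#         ./fw-both.sh check <zone>
case "${1:-}" in
  apply) shift; apply_both "$@" ;;
  check) check_drift "$2" ;;
esac
```

Running check_drift for every zone reported by firewall-cmd --get-active-zones after a change window is a cheap way to catch the classic failure of a hardening rule that was only ever applied at runtime.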

panic mode

Block all network traffic in case of emergency
Enable panic mode
firewall-cmd --enable-panic
Disable panic mode
firewall-cmd --disable-panic
Query panic mode
firewall-cmd --query-panic

Masquerading

Enable masquerading in a zone
firewall-cmd [--zone=<zone>] --add-masquerade
Disable masquerading in a zone
firewall-cmd [--zone=<zone>] --remove-masquerade
Query masquerading in a zone
firewall-cmd [--zone=<zone>] --query-masquerade

Direct options

The direct options give more direct access to the firewall. They require the user to know basic iptables concepts.
Pass a command through to the firewall. <args> can be all iptables, ip6tables and ebtables command line arguments
firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>
Add a new chain <chain> to a table <table>.
firewall-cmd [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>
Remove a chain with name <chain> from table <table>.
firewall-cmd [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>
Query if a chain with name <chain> exists in table <table>. Returns 0 if true, 1 otherwise.
firewall-cmd [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>
Get all chains added to table <table> as a space separated list.
firewall-cmd [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } <table>
Add a rule with the arguments <args> to chain <chain> in table <table> with priority <priority>.
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
Remove a rule with the arguments <args> from chain <chain> in table <table>.
firewall-cmd [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
Query if a rule with the arguments <args> exists in chain <chain> in table <table>. Returns 0 if true, 1 otherwise.
firewall-cmd [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
Get all rules added to chain <chain> in table <table> as a newline separated list of arguments.
firewall-cmd [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>