Cheatography
https://cheatography.com
firewalld command line configuration
Initial informationGet the status of firewalld | firewall-cmd --state | Reload the firewall | firewall-cmd --reload | List of all supported zones | firewall-cmd --get-zones | List of all supported services | firewall-cmd --get-services | List of all supported icmptypes | firewall-cmd --get-icmptypes | List all zones with the enabled features | firewall-cmd --list-all-zones | Print zone with the enabled features | firewall-cmd [--zone=<zone>] --list-all | Get the default zone | firewall-cmd --get-default-zone | Set the default zone | firewall-cmd --set-default-zone=<zone> | Get active zones | firewall-cmd --get-active-zones | Get zone related to an interface | firewall-cmd --get-zone-of-interface=<interface> |
InterfaceAdd an interface to a zone | firewall-cmd [--zone=<zone>] --add-interface=<interface> | Change the zone an interface belongs to | firewall-cmd [--zone=<zone>] --change-interface=<interface> | Remove an interface from a zone | firewall-cmd [--zone=<zone>] --remove-interface=<interface> | Query if an interface is in a zone | firewall-cmd [--zone=<zone>] --query-interface=<interface> | List the enabled services in a zone | firewall-cmd [ --zone=<zone> ] --list-services |
ServiceEnable a service in a zone | firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>] | Disable a service in a zone | firewall-cmd [--zone=<zone>] --remove-service=<service> | Query if a service is enabled in a zone | firewall-cmd [--zone=<zone>] --query-service=<service> |
SourceEnable a source in a zone | firewall-cmd [--zone=<zone>] --add-source=<address> [--timeout=<seconds>] | Disable a source in a zone | firewall-cmd [--zone=<zone>] --remove-source=<address> | Query if a source is enabled in a zone | firewall-cmd [--zone=<zone>] --query-source=<address> |
ICMPEnable ICMP blocks in a zone | firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype> | Disable ICMP blocks in a zone | firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype> | Query ICMP blocks in a zone | firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype> | Example: | firewall-cmd --zone=public --add-icmp-block=echo-reply |
port and protocol combinationEnable a port and protocol combination in a zone | firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>] | Disable a port and protocol combination in a zone | firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol> | Query if a port and protocol combination in enabled in a zone | firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol> |
port forwarding or port mappingEnable port forwarding or port mapping in a zone | firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> } | Disable port forwarding or port mapping in a zone | firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> } | Query port forwarding or port mapping in a zone | firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> } | Example: | firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2 |
PermanentThe permanent options are not affecting runtime directly. These options are only available after a reload or restart. To have runtime and permanent setting, you need to supply both. The –permanent option needs to be the first option for all permanent calls. |
panic modeEnable panic | firewall-cmd --enable-panic | Disable panic mode | firewall-cmd --disable-panic | Query panic mode | firewall-cmd --query-panic |
Block all network traffic in case of emergency MasqueradingEnable masquerading in a zone | firewall-cmd [--zone=<zone>] --add-masquerade | Disable masquerading in a zone | firewall-cmd [--zone=<zone>] --remove-masquerade | Query masquerading in a zone | firewall-cmd [--zone=<zone>] --query-masquerade |
Direct optionsPass a command through to the firewall. <args> can be all iptables, ip6tables and ebtables command line arguments | firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args> | Add a new chain <chain> to a table <table>. | firewall-cmd [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain> | Remove a chain with name <chain> from table <table>. | firewall-cmd [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain> | Query if a chain with name <chain> exists in table <table>. Returns 0 if true, 1 otherwise. | firewall-cmd [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain> | Get all chains added to table <table> as a space separated list. | firewall-cmd [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } <table> | Add a rule with the arguments <args> to chain <chain> in table <table> with priority <priority>. | firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args> | Remove a rule with the arguments <args> from chain <chain> in table <table>. | firewall-cmd [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args> | Query if a rule with the arguments <args> exists in chain <chain> in table <table>. Returns 0 if true, 1 otherwise. | firewall-cmd [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args> | Get all rules added to chain <chain> in table <table> as a newline separated list of arguments. | firewall-cmd [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain> |
The direct options give a more direct access to the firewall. These options require user to know basic iptables concepts. |
Created By
Metadata
Favourited By
Comments
No comments yet. Add yours below!
Add a Comment
Related Cheat Sheets