Cheatography
https://cheatography.com
firewalld command line configuration
Initial information
Get the status of firewalld: firewall-cmd --state
Reload the firewall: firewall-cmd --reload
List all supported zones: firewall-cmd --get-zones
List all supported services: firewall-cmd --get-services
List all supported icmptypes: firewall-cmd --get-icmptypes
List all zones with their enabled features: firewall-cmd --list-all-zones
Print a zone with its enabled features: firewall-cmd [--zone=<zone>] --list-all
Get the default zone: firewall-cmd --get-default-zone
Set the default zone: firewall-cmd --set-default-zone=<zone>
Get the active zones: firewall-cmd --get-active-zones
Get the zone an interface belongs to: firewall-cmd --get-zone-of-interface=<interface>
Interface
Add an interface to a zone: firewall-cmd [--zone=<zone>] --add-interface=<interface>
Change the zone an interface belongs to: firewall-cmd [--zone=<zone>] --change-interface=<interface>
Remove an interface from a zone: firewall-cmd [--zone=<zone>] --remove-interface=<interface>
Query if an interface is in a zone: firewall-cmd [--zone=<zone>] --query-interface=<interface>
List the enabled services in a zone: firewall-cmd [--zone=<zone>] --list-services
Service
Enable a service in a zone: firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
Disable a service in a zone: firewall-cmd [--zone=<zone>] --remove-service=<service>
Query if a service is enabled in a zone: firewall-cmd [--zone=<zone>] --query-service=<service>
Source
Enable a source in a zone: firewall-cmd [--zone=<zone>] --add-source=<address> [--timeout=<seconds>]
Disable a source in a zone: firewall-cmd [--zone=<zone>] --remove-source=<address>
Query if a source is enabled in a zone: firewall-cmd [--zone=<zone>] --query-source=<address>
ICMP
Enable an ICMP block in a zone: firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
Disable an ICMP block in a zone: firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
Query an ICMP block in a zone: firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
Example: firewall-cmd --zone=public --add-icmp-block=echo-reply
Port and protocol combination
Enable a port and protocol combination in a zone: firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
Disable a port and protocol combination in a zone: firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
Query if a port and protocol combination is enabled in a zone: firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
Port forwarding or port mapping
Enable port forwarding or port mapping in a zone: firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Disable port forwarding or port mapping in a zone: firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Query port forwarding or port mapping in a zone: firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Example: firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
Permanent
The permanent options do not affect the runtime configuration directly; the settings they write only become active after a reload or restart. To change both the runtime and the permanent configuration, you need to run the command twice, once without and once with --permanent. The --permanent option must be the first option in every permanent call.
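As an added example (not part of the cheat sheet), a small POSIX shell helper that applies one change to both the runtime and the permanent configuration, with --permanent placed first, and a check that the two configurations agree. FIREWALL_CMD is an assumed override hook for testing, not a firewalld option.

```shell
#!/bin/sh
# Apply a firewall-cmd change to both runtime and permanent configuration,
# so it is effective now and also survives a reload or reboot.
# FIREWALL_CMD is an assumed hook so the functions can be exercised with a
# stub; it defaults to the real binary.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# fw_apply ZONE OPTION...
#   e.g. fw_apply public --add-service=https
# Runs the runtime change first, then the same change with --permanent
# as the FIRST option (firewall-cmd requires that ordering).
fw_apply() {
    zone=$1
    shift
    "$FIREWALL_CMD" --zone="$zone" "$@" || return 1
    "$FIREWALL_CMD" --permanent --zone="$zone" "$@" || return 1
}

# fw_in_sync ZONE QUERY-OPTION
#   e.g. fw_in_sync public --query-service=https
# firewall-cmd --query-* exits 0 when the item is enabled and 1 when it
# is not. Returns 0 when runtime and permanent agree, 1 when they differ
# (the "it worked until the reload" situation).
fw_in_sync() {
    zone=$1
    query=$2
    rt=0
    pm=0
    "$FIREWALL_CMD" --zone="$zone" "$query" >/dev/null 2>&1 || rt=$?
    "$FIREWALL_CMD" --permanent --zone="$zone" "$query" >/dev/null 2>&1 || pm=$?
    [ "$rt" -eq "$pm" ]
}

# With arguments, behave as a command: ZONE OPTION...; with none, only
# define the functions so the file can be sourced.
if [ "$#" -gt 0 ]; then
    fw_apply "$@"
fi
```

A non-zero result from fw_in_sync means a rule exists in one configuration only; after firewall-cmd --reload the permanent one wins.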
Panic mode
Enable panic mode: firewall-cmd --enable-panic
Disable panic mode: firewall-cmd --disable-panic
Query panic mode: firewall-cmd --query-panic
Panic mode blocks all network traffic in case of emergency.
Masquerading
Enable masquerading in a zone: firewall-cmd [--zone=<zone>] --add-masquerade
Disable masquerading in a zone: firewall-cmd [--zone=<zone>] --remove-masquerade
Query masquerading in a zone: firewall-cmd [--zone=<zone>] --query-masquerade
Direct options
Pass a command through to the firewall; <args> can be any iptables, ip6tables or ebtables command line arguments: firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>
Add a new chain <chain> to table <table>: firewall-cmd [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>
Remove the chain <chain> from table <table>: firewall-cmd [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>
Query if chain <chain> exists in table <table> (returns 0 if true, 1 otherwise): firewall-cmd [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>
Get all chains added to table <table> as a space separated list: firewall-cmd [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } <table>
Add a rule with the arguments <args> to chain <chain> in table <table> with priority <priority>: firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
Remove the rule with the arguments <args> from chain <chain> in table <table>: firewall-cmd [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
Query if a rule with the arguments <args> exists in chain <chain> in table <table> (returns 0 if true, 1 otherwise): firewall-cmd [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
Get all rules added to chain <chain> in table <table> as a newline separated list of arguments: firewall-cmd [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>
The direct options give more direct access to the firewall and bypass the zone model. Using them requires the user to know basic iptables concepts.