Cyberithub

26 Useful Firewall CMD Examples on RedHat/CentOS 7

by

In this article, I will take you through 26 Useful Firewall CMD Examples on RedHat/CentOS 7. firewalld provides a dynamically managed firewall with support for network/firewall “zones” to assign a level of trust to a network and its associated connections, interfaces or sources. It has support for IPv4, IPv6, Ethernet bridges and also for IPSet firewall settings.

There is a separation of the runtime and permanent configuration options. It also provides an interface for services or applications to add iptables, ip6tables and ebtables rules directly. This interface can also be used by advanced users. You can check more about firewalld in its Official Documentation.
There are many tools which can be used to manage the firewall rules and configuration. firewall-cmd is one such tool which we are going to cover in this section. I will go through other tools in later articles.

26 Useful Firewall CMD Examples on RedHat/CentOS 7 1

Firewall CMD Examples

30 Most Popular IPtables command in Linux

Example 1. Check firewall-cmd version

To check firewall cmd version, you need to use -V option as shown below. As you can see from below output current firewalld version is 0.6.3.

[root@localhost ~]# firewall-cmd -V
0.6.3

-V : Print the version string of firewalld. More info on Firewall cmd Man Page.

Example 2. Using Firewall-cmd to check firewall current state

If you want to verify the current state of firewall then you need to use --state option with firewall-cmd command to check that. As you can see from below output, firewalld is currently in running state.

[root@localhost ~]# firewall-cmd --state
running

--state : Check whether the firewalld daemon is active (i.e. running). More info on Firewall cmd Man Page

NOTE:

Please note that I am running all the commands here from root user. You can use any user with sudo access to run all these commands. Running firewall command requires privileged access to the user. Hence make sure to provide required permission to the user or else it will show Permission denied error.

Example 3. Using Firewall cmd list allowed services 

If you want to check all the allowed services for the default zone through firewall then you need to use --list-services option with firewall-cmd commad to list that. As you can see, currently hdcpv6-client , http , https and ssh services are allowed for public zone through firewall.

[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client http https ssh

--list-services : List services added for zone as a space separated list. If zone is omitted, default zone will be used. More info on Firewall cmd Man Page

Example 4. Using Firewall cmd list allowed ports

To check all the allowed ports through firewall zones you need to use --list-ports option as shown below. Here you can see all the allowed ports through firewall for deafult public zone.

[root@localhost ~]# firewall-cmd --list-ports
6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp

--list-ports : List ports added for zone as a space separated list. If zone is omitted, default zone will be used. More info on Firewall cmd Man Page

Example 5. List Active Zones Using Firewall cmd

If you want to check current active zones and interfaces associated with that active zone then you need to use --get-active-zones option with firewall-cmd to check that.

[root@localhost ~]# firewall-cmd --get-active-zones
public
interfaces: enp0s3

--get-active-zones : Print currently active zones altogether with interfaces and sources used in these zones. More info on Firewall cmd Man Page

Example 6. Print Log denied Setting Using Firewall cmd

If you want to check the log denied setting you need to use --get-log-denied option with firewall-cmd command as shown below. This setting can be enabled to log rejected packets if required to.

[root@localhost ~]# firewall-cmd --get-log-denied
off

Example 7. Print Automatic Helper Setting

If you want to check current automatic helper setting then you need to use --get-automatic-helpers option as shown below. A firewalld helper defines the configuration that are needed to be able to use a netfilter connection tracking helper if automatic helper assignment is turned off, which is then the secure use of connection tracking helpers. As you can see from output, current automatic helpers is set to System.

[root@localhost ~]# firewall-cmd --get-automatic-helpers
system

--get-automatic-helpers : Print the automatic helpers setting. More info on Firewall cmd Man Page

Example 8. List ICMP Types

If you want to list all the ICMP types then you need to use --get-icmptypes option to list those ICMP types as shown below. You can see different ICMP types in the output for example – address-unreachable, bad header , coomunication-prohibited, destination-reachable, echo-reply etc. This ICMP types can also be blocked through firewall if required.

[root@localhost ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

Example 9. Enable Panic Mode

If you think that there is some serious problem going in your network where you want to expire all active connections and stop all incoming and outgoing traffic then you need to use --panic-on firewall cmd option to achieve that as shown below.

[root@localhost ~]# firewall-cmd --panic-on

--panic-on : Enable panic mode. More info on Firewall cmd Man Page

Example 10. Disable Panic Mode

Now you know how to enable panic mode with firewall cmd command, you can disable it also by using --panic-off option with firewall-cmd command as shown below.

[root@localhost ~]# firewall-cmd --panic-off

--panic-off : Disable panic mode. More info on Firewall cmd Man Page

Example 11. Check If Panic Mode is enabled or Not

If you want to check panic mode is enabled or not in firewalld then you need to use --query-panic option with firewall-cmd command to check that.

[root@localhost ~]# firewall-cmd --query-panic
no

--query-panic : Returns 0 if panic mode is enabled, 1 otherwise. More info on Firewall-cmd Man Page

Example 12. Create a New Permanent Zone

If you want to create a permanent zone then you need to use --new-zone=<zone_name> with firewall-cmd command to create that as shown below.

[root@localhost ~]# firewall-cmd --permanent --new-zone=private
success

Now check if the zone got created or not.

[root@localhost ~]# firewall-cmd --permanent --info-zone=private
private
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Example 13. List Zone Details using firewall-cmd command

You can check zone details by specifying the zone name in --info-zone option with firewall cmd as shown below. From below output various details like associated target , interfaces , allowed services, allowed ports etc can be checked.

[root@localhost ~]# firewall-cmd --permanent --info-zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client http https ssh
ports: 6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp 7000/tcp 6990-7000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

--info-zone : Print information about the zone. More info on Firewall cmd Man Page

Example 14. Delete a Zone 

You can delete a zone by passing zone name to --delete-zone option. Here we are deleting private zone by passing zone name as specified below.

[root@localhost ~]# firewall-cmd --permanent --delete-zone=private
success

--delete-zone : Delete an existing permanent zone. More info on Firewall cmd Man Page

Example 15 : Query Lockdown

You can check if lockdown is enabled or not by using --query-lockdown option as shown below.

[root@localhost ~]# firewall-cmd --query-lockdown
no

--query-lockdown : Query whether lockdown is enabled. Returns 0 if lockdown is enabled, 1 otherwise. More info on Firewall-cmd Man Page

Example 16 : Enable Lockdown

Applications running in your system with root access sometime might be able to change the firewall configuration so to stop applications from doing that you can enable lockdown by using --lockdown-on option with firewall cmd command.

[root@localhost ~]# firewall-cmd --lockdown-on
success

--lockdown-on : Enable lockdown. More info on Firewall cmd Man Page

Example 17 : Disable Lockdown 

To disable the lockdown you can use --lockdown-off option with firewall cmd command as shown below.

[root@localhost ~]# firewall-cmd --lockdown-off
success

--lockdown-off : Disable lockdown. More info on Firewall-cmd Man Page

Example 18 : Reload Firewall cmd

To reload firewall rules and configuration you need to use --reload option as shown below.

[root@localhost ~]# firewall-cmd --reload
success

--reload : Reload firewall rules and keep state information. More info on Firewall cmd Man Page

NOTE:

Please note that reload is different from restarting a firewall service. Reloading a firewall is just reapplying the updated configuration but restarting firewall service release the acquired resources, close all active rules, end all firewall process and then starts the process again.

Example 19 : Complete Reload of Firewalld

To completely reload the firewall rules and configuration along with netfilter kernel modules, you need to use complete-reload option as shown below.

[root@localhost ~]# firewall-cmd --complete-reload
success

--complete-reload : Reload firewall completely, even netfilter kernel modules. More info on Firewall cmd Man Page

Example 20 : Query Masquerade

To check if IPV4 masquerading is enabled or not you can query it by using --query-masquerade option as shown below.

[root@localhost ~]# firewall-cmd --permanent --zone=public --query-masquerade
no

--query-masquerade : Return whether IPv4 masquerading has been enabled for zone. If zone is omitted, default zone will be used. Returns 0 if true, 1 otherwise. More info on Firewall cmd Man Page

Example 21 : Check complete description

To get the complete description about a zone you can use --get-description option as shown below.

[root@localhost ~]# firewall-cmd --permanent --zone=public --get-description
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

--get-description : Print description for zone. More info on Firewall cmd Man Page

Example 22 : Check Short Description

To get a short description about a zone you need to use --get-short option as shown below.

[root@localhost ~]# firewall-cmd --permanent --zone=public --get-short
Public

--get-short : Print short description for zone. More info on Firewall cmd Man Page

Example 23: Check Target for a Zone

To get a complete description about a zone you need to use --get-target option as shown below.

[root@localhost ~]# firewall-cmd --permanent --zone=public --get-target
default

--get-target : Get the target of a permanent zone. More info on Firewall cmd Man Page

Example 24 : List of Ports

To list all the ports currently allowed through firewall you need to use --list-ports option as shown below.

[root@localhost ~]# firewall-cmd --permanent --list-ports
6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp 7000/tcp 6990-7000/tcp 3306/tcp 8000/tcp 400/tcp

--list-ports : List ports added for zone as a space separated list. More info on Firewall cmd Man Page

Example 25 : Add Ports

If you want to add some port to allow it through firewalld then you need to use --add-port option and pass the port number as mentioned below.

[root@localhost ~]# firewall-cmd --permanent --add-port=6000/tcp
success

--add-port : Add a new port. More info on Firewall cmd Man Page

Example 26: Check Other firewall cmd options

You can check other firewall cmd options using --help as shown below.

[root@localhost ~]# firewall-cmd --help

Usage: firewall-cmd [OPTIONS...]

General Options
-h, --help Prints a short help text and exists
-V, --version Print the version string of firewalld
-q, --quiet Do not print status messages

Status Options
--state Return and print firewalld state
--reload Reload firewall and keep state information
--complete-reload Reload firewall and lose state information
--runtime-to-permanent
Create permanent from runtime configuration
--check-config Check permanent configuration for errors

Log Denied Options
--get-log-denied Print the log denied value
--set-log-denied=<value>
Set log denied value

--help : Prints a short help text and exits.

Leave a Comment