All commands need to be run as root
# su -
Or use sudo to perform the action.
$ sudo firewall-cmd {actions}
Password:
To control the firewalld service
# systemctl disable firewalld
# systemctl stop firewalld
# systemctl restart firewalld.service
# systemctl status firewalld
Note! When allowing or removing services and ports, always restart the firewall service after!
Get the active zones
# firewall-cmd --get-active-zones
List services on that zone
# firewall-cmd --zone=public --list-all
# firewall-cmd --zone=work --list-all
Note! Any rules in the public zone will always be active, regardless of what zone is actually active.
Add TCP and UDP ports
# firewall-cmd --permanent --zone=public --add-port=80/tcp
# firewall-cmd --permanent --zone=public --add-port=123/udp
Add specific IPs or IP ranges
Get info:
# firewall-cmd --permanent --zone=work --list-sources
Add a range:
# firewall-cmd --permanent --zone=work --add-source=192.168.100.0/24
Add a specific IP (no /24 mask here, otherwise the whole network is allowed):
# firewall-cmd --permanent --zone=work --add-source=192.168.100.2
Add specific ports or port-ranges
Add a port:
# firewall-cmd --permanent --zone=work --add-port=2812/tcp
Add a port range using tcp to the work zone:
# firewall-cmd --permanent --zone=work --add-port=1-64999/tcp
Add a port range using udp to the work zone:
# firewall-cmd --permanent --zone=work --add-port=1-64999/udp
Restart firewalld daemon to activate changes:
# systemctl restart firewalld.service
or
# firewall-cmd --reload
Confirm changes:
# firewall-cmd --get-active-zones
# firewall-cmd --permanent --zone=work --list-sources
# firewall-cmd --list-sources
Add and remove a service
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=nfs
# firewall-cmd --permanent --zone=public --remove-service=http
# firewall-cmd --permanent --zone=public --remove-service=nfs
Add source, then a service or port from that source
Add a specific IP source to the public zone (a single host, so no /24 mask):
# firewall-cmd --permanent --zone=public --add-source=192.168.0.9
Add service:
# firewall-cmd --permanent --zone=public --add-service=rsync
Add port to public zone:
# firewall-cmd --permanent --zone=public --add-port=5000/tcp
Add port-range to public zone:
# firewall-cmd --permanent --zone=public --add-port=10000-10005/tcp
Note! When allowing or removing services and ports, always restart the firewall service after!
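The source, service, port, reload, confirm sequence above, wrapped in one POSIX sh function that checks its arguments before calling firewall-cmd. This is an added example, not part of the original cheat sheet or of firewalld; FIREWALL_CMD, valid_source, valid_port and fw_allow are assumed names, and by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: apply the "source, then service/port" sequence as one
# permanent rule set, validating each argument first. FIREWALL_CMD is an
# assumed variable: set FIREWALL_CMD=firewall-cmd on a real host (as root);
# it defaults to "echo firewall-cmd", so this is a dry-run that prints commands.
FIREWALL_CMD="${FIREWALL_CMD:-echo firewall-cmd}"

# A source must be a host (a.b.c.d) or a CIDR range (a.b.c.d/N, N in 0..32);
# anything else is refused so a typo cannot silently widen the allow-list.
valid_source() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# firewall-cmd requires port/protocol (or range/protocol); a bare number fails.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp)$'
}

# fw_allow ZONE SOURCE SERVICE PORTSPEC
# Adds the permanent rules in the cheat sheet's order, reloads (permanent
# rules are not live until then) and lists the zone to confirm the result.
# Returns 1 without touching the firewall when an argument is malformed.
fw_allow() {
    zone="$1"; src="$2"; svc="$3"; port="$4"
    valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    valid_port "$port"  || { echo "bad port spec: $port" >&2; return 1; }
    $FIREWALL_CMD --permanent --zone="$zone" --add-source="$src" &&
    $FIREWALL_CMD --permanent --zone="$zone" --add-service="$svc" &&
    $FIREWALL_CMD --permanent --zone="$zone" --add-port="$port" &&
    $FIREWALL_CMD --reload &&
    $FIREWALL_CMD --zone="$zone" --list-all
}

# Dry-run of the public-zone example from the section above (single host, not /24)
fw_allow public 192.168.0.9 rsync 5000/tcp
```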
Remove a source, service or port
A specific IP:
# firewall-cmd --permanent --zone=public --remove-source=192.168.0.9
A range:
# firewall-cmd --permanent --zone=public --remove-source=192.168.100.0/24
A service:
# firewall-cmd --permanent --zone=public --remove-service=rsync
A port (the protocol is required, a bare port number is rejected):
# firewall-cmd --permanent --zone=public --remove-port=2812/tcp
A port range:
# firewall-cmd --permanent --zone=public --remove-port=10000-10005/tcp
Sources
https://www.liquidweb.com/kb/how-to-stop-and-disable-firewalld-on-centos-7/
https://blog.christophersmart.com/2014/01/15/add-permanent-rules-to-firewalld/
https://www.thegeekdiary.com/centos-rhel-7-firewalld-command-line-reference-cheat-sheet/
https://hoops.rocks/2015/10/28/centos-7-firewalld-cheatsheet/
https://www.certdepot.net/rhel7-get-started-firewalld/