1. All commands need to be run as root

# su -

Or use sudo to perform the action.
$ sudo firewall-cmd {actions}
Password:
 

2. To control the firewalld service

# systemctl disable firewalld

# systemctl stop firewalld

# systemctl restart firewalld.service

# systemctl status firewalld

Note! When allowing or removing services and ports, alway restart the firewall service after!

 

3. Get the default zone

# firewall-cmd --get-active-zones
 

4. List services on that zone

# firewall-cmd --zone=public --list-all
# firewall-cmd --zone=work --list-all

Note! Any rules in the public zone will always be active, regardless of what zone is actually active.

 

5. Add a TCP and UDP ports

# firewall-cmd --permanent --zone=public --add-port=80/tcp
# firewall-cmd --permanent --zone=public --add-port=123/udp

 

6. Add specific IP's or IP-ranges

Get info:
# firewall-cmd --permanent --zone=work --list-sources

Add a range: # firewall-cmd --permanent --zone=work --add-source=192.168.100.0/24

Add a specific IP:
# firewall-cmd --permanent --zone=work --add-source=192.168.100.2/24

 

7. Add specific ports or port-ranges

Add a port:
# firewall-cmd --permanent --zone=work --add-port=2812/tcp

Add a port range using tcp to the work zone:
# firewall-cmd --permanent --zone=work --add-port=1-64999/tcp

Add a port range using udp to the work zone # firewall-cmd --permanent --zone=work --add-port=1-64999/udp

Restart firewalld daemon to activate changes: # systemctl restart firewalld.service
or
# firewall-cmd --reload

Confirm changes: # firewall-cmd --get-active-zones # firewall-cmd --permanent --zone=work --list-sources

# firewall-cmd --list-sources
 

8. Add and remove a service

# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=nfs

# firewall-cmd --permanent --zone=public --remove-service=http
# firewall-cmd --permanent --zone=public --remove-service=nfs
 

9. Add source, then a service or port from that source

Add specific IP-source to public zone:
# firewall-cmd --permanent --zone=public --add-source=192.168.0.9/24

Add service:
# firewall-cmd --permanent --zone=public --add-service=rsync

Add port to public zone:
# firewall-cmd --permanent --zone=public --add-port=5000/tcp

Add port-range to public zone:
# firewall-cmd --permanent --zone=public --add-port=10000-10005/tcp
Note! When allowing or removing services and ports, alway restart the firewall service after!
 

10. Remove a source, service or port

A specific IP:
# firewall-cmd --permanent --zone=public --remove-source=192.168.0.9/24

A range:
# firewall-cmd --permanent --zone=public --remove-source=192.168.100.0/24

A source:
# firewall-cmd --permanent --zone=public --remove-service=rsync

A port:
# firewall-cmd --permanent --zone=public --remove-port=2812

A port range:
# firewall-cmd --permanent --zone=public --remove-port=10000-10005
 

11. Sources

https://www.liquidweb.com/kb/how-to-stop-and-disable-firewalld-on-centos-7/

https://blog.christophersmart.com/2014/01/15/add-permanent-rules-to-firewalld/

https://www.thegeekdiary.com/centos-rhel-7-firewalld-command-line-reference-cheat-sheet/

https://hoops.rocks/2015/10/28/centos-7-firewalld-cheatsheet/

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

https://www.certdepot.net/rhel7-get-started-firewalld/

http://www.subnetmask.info/