Introduction
Firewall-cmd is a command-line front end for the firewalld daemon to manage firewall rules. It provides a dynamic way to manage the firewall rules without the need to restart the firewall service. In this post, I will record the essential firewall-cmd commands for everyday use.
systemctl
systemctl status firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
systemctl enable firewalld
firewall-cmd
# Write the change to the permanent configuration; it takes effect after --reload. Without this flag the change applies to the running firewall only and is lost on the next reload or restart.
--permanent
# Reload the firewall from the permanent configuration (runtime-only changes are discarded).
--reload
# List all available zones.
--get-zones
# List all active zones.
--get-active-zones
# Assign an interface (here eth0) to the specified zone.
--add-interface=eth0 [--zone=public]
# List all rules for the specified zone.
--list-all [--zone=public]
# Remove the http service from the specified zone.
--remove-service=http [--zone=public]
# Add the http service to the specified zone.
--add-service=http [--zone=public]
# Add the TCP port 80 to the specified zone.
--add-port=80/tcp [--zone=public]
# Remove the TCP port 80 from the specified zone.
--remove-port=80/tcp [--zone=public]
# Add a rich rule to the specified zone.
--add-rich-rule='rule family="ipv4" source address="172.26.0.0/16" port port="80" protocol="tcp" accept' [--zone=public]
# Remove a rich rule from the specified zone.
--remove-rich-rule='rule family="ipv4" source address="172.26.0.0/16" port port="80" protocol="tcp" accept' [--zone=public]
# List all rich rules for the specified zone.
--list-rich-rules [--zone=public]
# Add a port forwarding rule to the specified zone.
--add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.0.101 [--zone=public]
# Remove a port forwarding rule from the specified zone.
--remove-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.0.101 [--zone=public]
Note: Forwarding to another address (toaddr) requires IP forwarding to be enabled in the kernel:
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf && sysctl -p
Appending with >> adds a duplicate line on every run; placing the setting in a drop-in file under /etc/sysctl.d/ keeps it idempotent.
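As an added example that is not part of the original post, the script below wraps the firewall-cmd invocations listed above so that each change is applied to both the running firewall and the permanent configuration, which avoids the common mistake of a rule disappearing at the next --reload or reboot. The helper names (run_fw, fw_change, rich_rule_allow, forward_port_spec) are this example's own, the addresses are the ones used in the list above, and the script assumes a host running firewalld with root privileges only when DRY_RUN is set to 0; by default it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post): a thin wrapper around firewall-cmd.
# Every change goes to the runtime firewall AND the permanent configuration, so a
# later --reload or a reboot does not silently undo it. Helper names are ours.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only (default), 0 = execute them
ZONE="${ZONE:-public}"

# run_fw: print (dry run) or execute one firewall-cmd invocation.
run_fw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# fw_change: apply one option (e.g. --add-service=http) to both the runtime
# and the permanent configuration of $ZONE.
fw_change() {
    run_fw --zone="$ZONE" "$@"
    run_fw --permanent --zone="$ZONE" "$@"
}

# rich_rule_allow CIDR PORT PROTO: print the rich-rule text that accepts
# traffic from CIDR to PORT/PROTO, in the shape used in the list above.
# A bare address (no prefix length) or a protocol other than tcp/udp is
# rejected before the string ever reaches firewall-cmd.
rich_rule_allow() {
    case "$1" in
        */*) ;;
        *) echo "rich_rule_allow: expected a CIDR such as 172.26.0.0/16, got '$1'" >&2; return 1 ;;
    esac
    case "$3" in
        tcp|udp) ;;
        *) echo "rich_rule_allow: protocol must be tcp or udp, got '$3'" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' "$1" "$2" "$3"
}

# forward_port_spec PORT PROTO TOPORT TOADDR: print the value expected by
# --add-forward-port / --remove-forward-port.
forward_port_spec() {
    printf 'port=%s:proto=%s:toport=%s:toaddr=%s' "$1" "$2" "$3" "$4"
}

# Constructed example sequence using the addresses from the post.
main() {
    fw_change --add-service=http
    rule="$(rich_rule_allow 172.26.0.0/16 80 tcp)" || return 1
    fw_change --add-rich-rule="$rule"
    fw_change --add-forward-port="$(forward_port_spec 80 tcp 8080 192.168.0.101)"
    # Verify what the zone now contains.
    run_fw --zone="$ZONE" --list-all
}

main
```

Run it as `DRY_RUN=0 ZONE=public sh fw.sh` to apply the changes for real. Applying each option twice is the explicit form; firewall-cmd also offers `--runtime-to-permanent`, which copies the current runtime configuration into the permanent one in a single step after you have tested the runtime rules.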