How to use the command 'firewall-cmd' (with examples)
- Linux
- December 25, 2023
The ‘firewall-cmd’ command-line client is used to manage firewalld, a dynamic firewall manager for Linux operating systems. It provides an interface to configure and manage firewall rules and zones. This article will demonstrate various use cases of the ‘firewall-cmd’ command, along with examples for each case.
Use case 1: View the available firewall zones
Code:
firewall-cmd --get-active-zones
Motivation:
Viewing the available firewall zones is useful to understand the current configuration and determine which zone a particular interface or service belongs to.
Explanation:
The ‘--get-active-zones’ option is used to display the active zones configured in firewalld. Zones represent different network environments and have specific rules associated with them.
Example output:
public
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
Use case 2: View the rules which are currently applied
Code:
firewall-cmd --list-all
Motivation:
Listing all currently applied rules allows users to analyze the existing firewall configuration and verify if the desired rules are in place.
Explanation:
The ‘--list-all’ option shows comprehensive details of the current firewall configuration, including zones, interfaces, services, ports, and rich rules.
Example output:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
...
Use case 3: Permanently move the interface into the block zone, effectively blocking all communication
Code:
firewall-cmd --permanent --zone=block --change-interface=enp1s0
Motivation:
Moving an interface into the block zone is useful when you want to completely disable network communication on that interface to prevent any incoming or outgoing traffic.
Explanation:
The ‘--permanent’ option writes the change to the permanent configuration so that it persists across reboots. The ‘--zone=block’ argument specifies the ‘block’ zone as the target. The ‘--change-interface=enp1s0’ argument names the interface that is to be moved into the block zone.
Example output:
No output (The command will run silently if successful)
Use case 4: Permanently open the port for a service in the specified zone (like port 443 when in the public zone)
Code:
firewall-cmd --permanent --zone=public --add-service=https
Motivation:
Opening a port for a service in a specified zone allows incoming connections to that service. This example opens port 443 (HTTPS) in the public zone.
Explanation:
The ‘--add-service=https’ argument adds the ‘https’ service to the specified zone, which opens port 443 for incoming connections.
Example output:
No output (The command will run silently if successful)
Use case 5: Permanently close the port for a service in the specified zone (like port 80 when in the public zone)
Code:
firewall-cmd --permanent --zone=public --remove-service=http
Motivation:
Closing a port for a service in a specified zone blocks incoming connections to that service. This example closes port 80 (HTTP) in the public zone.
Explanation:
The ‘--remove-service=http’ argument removes the ‘http’ service from the specified zone, which closes port 80 for incoming connections.
Example output:
No output (The command will run silently if successful)
Use case 6: Permanently open two arbitrary ports in the specified zone
Code:
firewall-cmd --permanent --zone=public --add-port=25565/tcp --add-port=19132/udp
Motivation:
Opening arbitrary ports in a specified zone allows incoming connections to those ports. In this example, ports 25565 (TCP) and 19132 (UDP) are opened in the public zone.
Explanation:
The ‘--add-port=25565/tcp’ argument adds port 25565 (TCP) to the specified zone. Similarly, the ‘--add-port=19132/udp’ argument adds port 19132 (UDP) to the specified zone.
Example output:
No output (The command will run silently if successful)
Use case 7: Reload firewalld to force rule changes to take effect
Code:
firewall-cmd --reload
Motivation:
Reloading firewalld is necessary to apply changes that were made to the permanent configuration, since those are written to disk but not to the running firewall. This command ensures that the updated rules take effect immediately.
Explanation:
The ‘--reload’ option triggers the reloading of firewalld, which applies the updated rules without the need to restart the firewall service.
Example output:
No output (The command will run silently if successful)
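Once the permanent changes have been reloaded, the applied rules should be checked against what was intended, as use case 2 suggests. The following POSIX shell script is an added example, not part of the original article: it parses text in the format of ‘firewall-cmd --list-all’ (a constructed sample is embedded; on a real host the text would come from the command itself) and reports any service or port that is open but not expected, or expected but missing.

```shell
#!/bin/sh
# Added example: audit a zone's applied rules against an expected allow-list.
# The sample below is constructed to look like 'firewall-cmd --zone=public --list-all'
# output; it was not captured from a real host. Note that 'http' is still open.
SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports: 25565/tcp 19132/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules: '

# zone_field TEXT FIELD: print the space-separated values of FIELD (e.g. "services",
# "ports") from --list-all style TEXT. An empty field prints an empty line.
zone_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print }'
}

# diff_items KIND HAVE WANT: print one line per item that is applied but not expected
# ("unexpected KIND: x") or expected but not applied ("missing KIND: y").
# Returns 1 if any deviation was found, 0 otherwise.
diff_items() {
  kind=$1; have=$2; want=$3; found=0
  for h in $have; do
    case " $want " in *" $h "*) ;; *) echo "unexpected $kind: $h"; found=1 ;; esac
  done
  for w in $want; do
    case " $have " in *" $w "*) ;; *) echo "missing $kind: $w"; found=1 ;; esac
  done
  return $found
}

# audit_zone TEXT EXPECTED_SERVICES EXPECTED_PORTS: compare both the services and
# the ports fields of TEXT with the expected lists; returns 1 on any deviation.
audit_zone() {
  text=$1; rc=0
  diff_items service "$(zone_field "$text" services)" "$2" || rc=1
  diff_items port "$(zone_field "$text" ports)" "$3" || rc=1
  return $rc
}

# On a real host: audit_zone "$(firewall-cmd --zone=public --list-all)" "dhcpv6-client https ssh" "25565/tcp 19132/udp"
```

Run against the sample with the allow-list from use cases 4 to 6, the script reports ‘unexpected service: http’, which is exactly the port use case 5 intended to close.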
Conclusion:
The ‘firewall-cmd’ command is a versatile tool for managing firewalld in Linux operating systems. By utilizing different options and arguments, users can view firewall zones, rules, and services, as well as add or remove ports and interfaces. Remember to use the ‘--permanent’ option to make changes persist across reboots and the ‘--reload’ option to apply the updated rules.