Difference between revisions of "CentOS 8.x firewalld commands"
m |
m |
||
Line 1: | Line 1: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 8.x]] > [[CentOS 8.x System Administration|System Administration]] > [[CentOS 8.x firewalld|firewalld]] > [[CentOS 8.x firewalld commands|Commands]] | |||
==Zones== | ==Zones== | ||
Line 425: | Line 424: | ||
Article contributed by Pavan Ponamala | Article contributed by Pavan Ponamala | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 8.x]] > [[CentOS 8.x System Administration|System Administration]] > [[CentOS 8.x firewalld|firewalld]] > [[CentOS 8.x firewalld commands|Commands]] |
Latest revision as of 03:35, 19 April 2022
Home > CentOS > CentOS 8.x > System Administration > firewalld > Commands
Zones
- To get a list of the available zones
- firewall-cmd --get-zones
- To view the default zone
- firewall-cmd --get-default-zone
- To change the default zone
- firewall-cmd --set-default-zone=internal
- To view the list of active zones with a list of the interfaces
- firewall-cmd --get-active-zones
- To find out the zone that an interface, for example, em1, is currently assigned to
- firewall-cmd --get-zone-of-interface=eth0
- To find out all the interfaces assigned to a zone
- firewall-cmd --zone=public --list-interfaces
- To find out all the settings of a zone
- firewall-cmd --zone=public --list-all
- To view the zone information, use the --info-zone option.
- firewall-cmd --info-zone=public
- To view the list of services currently loaded
- firewall-cmd --get-services
- To list the custom services that have been created but not loaded
- firewall-cmd --permanent --get-services
- To show the settings of the particular service like ssh
- firewall-cmd --info-service=ssh
- Changing the Zone of an Interface for the Current Session.
- firewall-cmd --zone=work --change-interface=eth0
- To add an interface to a zone (for example, to add ens9 to the public zone)
- firewall-cmd --zone=public --add-interface=ens9
- Enable forwarding of packets between multiple interfaces between zone
- By default packets from one interface of a zone to another interface may not get accepted / forwarded. To enable such forwarding use:
- firewall-cmd --zone=internal --set-target=ACCEPT --permanent
- firewall-cmd --reload
- firewall-cmd --zone=internal --list-all
- This is required for default zones such as internal, external, etc. also.
- By default packets from one interface of a zone to another interface may not get accepted / forwarded. To enable such forwarding use:
Thus, if you want to use Linux machine as L3 switch / router (Refer Using_Linux_machine_for_BGP.2C_DHCP_and_inter-VLAN_routing) you can set most interfaces as internal with zone target set to ACCEPT and then have one interface as external for NAT to outside/internet.
- There is also other option to enable forwarding such as:
- firewall-cmd --zone=internal --add-forward
Refer: https://firewalld.org/2020/04/intra-zone-forwarding
Creating Your Own Zones
- When adding a zone, you must add it to the permanent firewall configuration. You can then reload to bring the configuration into your running session
- firewall-cmd --permanent --new-zone=testzone
- You can verify that these are present in your permanent configuration
- firewall-cmd --permanent --get-zones
- As stated before, these won't be available in the current instance of the firewall yet
- firewall-cmd --get-zones
- Reload the firewall to bring these new zones into the active configuration
- firewall-cmd --reload
- Delete zone
- firewall-cmd --permanent --delete-zone=testzone
- firewall-cmd --reload
Changing the Firewall Settings
Dropping all packets
- To start dropping all incoming and outgoing packets.
- firewall-cmd --panic-on
Active connections will be terminated after a period of inactivity
- To start passing incoming and outgoing packets again
- firewall-cmd --panic-off
- To find out if panic mode is enabled or disabled
- firewall-cmd --query-panic
Reloading the firewall
- To reload the firewall without interrupting user connections (without losing state information)
- firewall-cmd --reload
- To reload the firewall and interrupt user connections, discarding state information
- firewall-cmd --complete-reload
Opening / Closing ports in the firewall
- To list all open ports for a zone
- firewall-cmd --zone=public --list-ports
- To add a port to a zone
- firewall-cmd --zone=public --add-port=80/tcp
- To add a range of ports to a zone
- firewall-cmd --zone=public --add-port=5060-5061/udp
- To remove a port to a zone
- firewall-cmd --zone=public --remove-port=80/tcp
- To remove a range of ports to a zone
- firewall-cmd --zone=public --remove-port=5060-5061/udp
- Verify the port is open
- firewall-cmd --zone=public --query-port=80/tcp
Opening protocols
- To list all open protocols for a zone
- firewall-cmd --zone=dmz --list-protocols
- To add a protocol to a zone
- firewall-cmd --zone=dmz --add-protocol=esp
Opening source ports
- To list all open source ports for a zone
- firewall-cmd --zone=public --list-source-ports
- To add a source port to a zone
- firewall-cmd --zone=public --add-source-port=8080/tcp
- To add a range of source ports to a zone
- firewall-cmd --zone=public --add-source-port=5060-5061/udp
Adding / Removing service (mapped to TCP/UDP ports) to a zone
- To add a service to a zone
- firewall-cmd --zone=public --add-service=smtp
- To remove a service from a zone
- firewall-cmd --zone=public --remove-service=smtp
- Verify the service port has been opened
- firewall-cmd --zone=public --query-service=smtp
Configure IP address masquerading
- To check if IP masquerading is enabled
- firewall-cmd --zone=public --query-masquerade
- To enable IP masquerading
- firewall-cmd --zone=public --add-masquerade
- To disable IP masquerading
- firewall-cmd --zone=public --remove-masquerade
Configuring port forwarding
- To forward inbound network packets from one port to an alternative port or address, first enable IP address masquerading for a zone
- firewall-cmd --zone=public --add-masquerade
- To forward packets to a local port
- firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=3753
- To forward packets to another IPv4 address, without changing the destination port
- firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
- To forward packets to another port at another IPv4 address,
- firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
- To list forward ports
- firewall-cmd --zone=public --list-forward-ports
- To check forwarding rule
- firewall-cmd --zone=public --query-forward-port=port=22:proto=tcp:toaddr=192.168.1.161
Block and Enable ICMP
- Check the type of icmp we are using
- firewall-cmd --get-icmptypes
- To add icmp block on any zone
- firewall-cmd --zone=public --query-icmp-block=echo-reply
- firewall-cmd --zone=public --add-icmp-block=echo-reply --permanent
- Reload firewall and check
- firewall-cmd --reload
- firewall-cmd --list-all
Firewalld Lockdown Rules
It’s possible to change the firewalld rules by any local applications, which have the root privileges. To avoid making changes to firewalld rules, we have to put a lock-down to yes. This mostly used to protect the firewalld from any unwanted rules changes by any applications
- Verify whether firewalld was lockdown
- firewall-cmd --query-lockdown
- To on lockdown
- firewall-cmd --lockdown-on
- To Off lockdown
- firewall-cmd --lockdown-off
- Reload firewall and check lockdown
- firewall-cmd --reload
- firewall-cmd --query-lockdown
Miscellaneous commands
- To check version of firewalld
- firewall-cmd --version
- To get the help
- firewall-cmd --help
- state of firewalld
- firewall-cmd --state
Article contributed by Pavan Ponamala
Home > CentOS > CentOS 8.x > System Administration > firewalld > Commands