Common firewall-cmd commands with scenarios. Unless --permanent is given, each change below affects only the running firewall and is lost at the next reload or reboot; repeat the command with --permanent, or run firewall-cmd --runtime-to-permanent once the change has been tested, to keep it.
- Example 1: List all active zones
firewall-cmd --get-active-zones
This command displays all active firewall zones on the system, that is, the zones that currently have an interface or a source bound to them.
- Example 2: Add a service to a zone
firewall-cmd --zone=public --add-service=http
This command adds the HTTP service to the public zone, allowing incoming HTTP traffic.
- Example 3: Remove a service from a zone
firewall-cmd --zone=public --remove-service=http
This command removes the HTTP service from the public zone, disallowing incoming HTTP traffic.
- Example 4: Add a port to a zone
firewall-cmd --zone=public --add-port=8080/tcp
This command opens port 8080/tcp in the public zone, allowing incoming TCP traffic on that port.
- Example 5: Remove a port from a zone
firewall-cmd --zone=public --remove-port=8080/tcp
This command removes the rule that allows incoming TCP traffic on port 8080 from the public zone.
- Example 6: List all services in a zone
firewall-cmd --zone=public --list-services
This command lists all services allowed in the public zone.
- Example 7: List all ports in a zone
firewall-cmd --zone=public --list-ports
This command lists all ports opened in the public zone.
- Example 8: Set the default zone
firewall-cmd --set-default-zone=public
This command makes public the default zone, the zone used for every interface or connection that is not explicitly assigned to another zone.
- Example 9: Enable masquerading
firewall-cmd --zone=public --add-masquerade
This command enables masquerading in the public zone, allowing Network Address Translation (NAT) for traffic the host forwards out of that zone (IPv4 only).
- Example 10: Reload the firewall configuration
firewall-cmd --reload
This command reloads the permanent configuration into the running firewall; runtime-only changes are discarded and established connections are kept.
- Example 11: List all zones
firewall-cmd --get-zones
This command lists all available firewall zones on the system.
- Example 12: Add a source IP address to a zone
firewall-cmd --zone=public --add-source=192.168.0.10
This command binds the source address 192.168.0.10 to the public zone, so traffic from that address is evaluated by the public zone's rules.
- Example 13: Remove a source IP address from a zone
firewall-cmd --zone=public --remove-source=192.168.0.10
This command removes the source address 192.168.0.10 from the public zone.
- Example 14: Bind a network interface to a zone
firewall-cmd --zone=public --change-interface=eth0
This command moves the network interface eth0 into the public zone (removing it from whatever zone it was in before), so traffic arriving on eth0 is evaluated by the public zone's rules.
- Example 15: Add a rich rule to a zone
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command adds a rich rule to the public zone, allowing incoming traffic from the IP subnet 192.168.0.0/24.
- Example 16: Remove a rich rule from a zone
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command removes that rich rule from the public zone; the rule string must match the one that was added.
- Example 17: Allow the IPsec service in a zone
firewall-cmd --permanent --zone=public --add-service=ipsec
This command permanently allows the predefined ipsec service (IKE plus the ESP and AH protocols) in the public zone. firewall-cmd has no --enable option; services are switched on with --add-service.
- Example 18: Remove the IPsec service from a zone
firewall-cmd --permanent --zone=public --remove-service=ipsec
This command permanently removes the ipsec service from the public zone; reload (Example 10) to apply a --permanent change to the running firewall.
- Example 19: Log packets matched by a rule
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" log prefix="Firewall Log: " level="info" accept'
This command adds a rich rule that writes each packet from 192.168.0.0/24 to the kernel log with the prefix "Firewall Log: " before accepting it. There is no LOG zone target and no --log-prefix option: logging in firewalld is done with the rich-rule log element (optionally throttled with limit value="1/m") or globally with --set-log-denied (Example 35).
- Example 20: Display the runtime status of the firewall
firewall-cmd --state
This command reports whether firewalld is running (exit status 0) or not.
- Example 21: Add a custom service to a zone
firewall-cmd --permanent --zone=public --add-service=myapp
This command adds a custom service called "myapp" to the public zone, allowing incoming traffic on the ports defined for that service. The service must exist first, created with --permanent --new-service=myapp followed by --permanent --service=myapp --add-port=..., or as an XML file in /etc/firewalld/services/.
- Example 22: Remove a custom service from a zone
firewall-cmd --permanent --zone=public --remove-service=myapp
This command removes the custom service "myapp" from the public zone, disallowing incoming traffic on the ports defined for that service.
- Example 23: Reload the firewall completely
firewall-cmd --complete-reload
This command reloads firewalld completely, including the netfilter state and kernel modules, which terminates established connections. It is a separate option, not a modifier of --reload; use plain --reload (Example 10) when established connections must survive.
- Example 24: List all supported services
firewall-cmd --get-services
This command lists all the predefined and custom services that can be used with firewall-cmd.
- Example 25: Configure a zone to drop all incoming traffic
firewall-cmd --permanent --zone=public --set-target=DROP
This command sets the target of the public zone to DROP, so incoming traffic that matches none of the zone's services, ports or rich rules is silently discarded. --set-target is only accepted together with --permanent; reload to apply it.
- Example 26: Configure a zone to block all outgoing traffic
A zone target governs incoming traffic only, and firewall-cmd has no --out-interface option, so there is no zone-level command for this. Traffic leaving the host is filtered with a policy object (firewalld 0.9 and later): create it with --permanent --new-policy=NAME, then set --permanent --policy=NAME --set-ingress-zone=HOST, --permanent --policy=NAME --set-egress-zone=public and --permanent --policy=NAME --set-target=DROP, and reload.
- Example 27: Reject incoming traffic with a specific ICMP message
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" reject type="icmp-port-unreachable"'
This command rejects incoming traffic from 192.168.0.0/24 in the public zone and answers each packet with an ICMP "port unreachable" message. The reject type is chosen per rich rule; firewall-cmd has no --reject-with option.
- Example 28: Forward a port within the host
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080
This command configures the public zone to redirect incoming TCP traffic on port 80 to port 8080 on the same host.
- Example 29: List all supported protocols
firewall-cmd --get-protocols
This command lists the protocol names that can be used with --add-protocol and in rich rules.
- Example 30: Display the version of firewalld
firewall-cmd --version
This command displays the version of the firewalld firewall management tool installed on the system.
- Example 31: Add a source IP range to a zone
firewall-cmd --zone=public --add-source=192.168.0.0/24
This command binds the source range 192.168.0.0/24 to the public zone, so traffic from that range is evaluated by the public zone's rules.
- Example 32: Remove a source IP range from a zone
firewall-cmd --zone=public --remove-source=192.168.0.0/24
This command removes the source range 192.168.0.0/24 from the public zone.
- Example 33: Configure a zone to reject all incoming traffic
firewall-cmd --permanent --zone=public --set-target=%%REJECT%%
This command sets the target of the public zone to %%REJECT%% (the literal spelling firewall-cmd expects), so unmatched incoming traffic is refused with an ICMP error instead of being silently dropped. Reload to apply it.
- Example 34: Configure a zone to reject all outgoing traffic
As in Example 26, zone targets do not apply to outgoing traffic and --out-interface does not exist. Use a policy object with ingress zone HOST, egress zone public and --set-target=REJECT.
- Example 35: Log dropped and rejected packets
firewall-cmd --set-log-denied=all
This command makes firewalld log every packet it drops or rejects (all; the alternatives unicast, broadcast and multicast narrow it, off disables it) to the kernel log, readable with journalctl -k or dmesg. The setting is global rather than per zone; there is no LOG target and no --log-prefix or --log-level option.
- Example 36: Rate-limit accepted traffic in a zone
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept limit value="10/s"'
This command accepts at most 10 packets per second from 192.168.0.0/24 in the public zone. The limit element follows the action it throttles, the rule must also contain something to match (here the source), and the limit counts packets, not connections.
- Example 37: Allow incoming traffic from a specific source IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
This command accepts all incoming traffic from 192.168.0.10 in the public zone. It does not by itself exclude other sources: the zone's services, ports and target still decide what everyone else may reach.
- Example 38: Allow incoming traffic on specific ports
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="443" protocol="tcp" accept'
These commands configure the public zone to allow incoming TCP traffic on ports 80 and 443 (the same effect as --add-port=80/tcp and --add-port=443/tcp).
- Example 39: Block incoming traffic from a specific source IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
This command configures the public zone to reject all incoming traffic from 192.168.0.10, answering each packet with an ICMP error; use drop instead of reject to discard the traffic silently.
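Rich rules are easy to get wrong by hand: the quoting is nested, the port and source-port elements need a protocol, a rule needs something to match, and a limit belongs after the action it throttles (Examples 15, 36, 38 and 39 above). The POSIX shell helper below is an added example, not part of firewalld and not code from the original page; it builds an IPv4 rich rule from plain arguments and refuses the shapes firewall-cmd would reject. The names is_cidr4, rich_rule and apply_rule are hypothetical, and apply_rule is the only function that calls firewall-cmd.

```shell
#!/bin/sh
# Hypothetical helpers (not part of firewalld) that assemble an IPv4 rich rule
# from plain arguments and validate it before it ever reaches firewall-cmd.

# is_cidr4 ADDR[/PREFIX]: succeed only for a dotted quad with an optional /0-32 prefix.
is_cidr4() {
  addr=${1%/*}
  pfx=${1#*/}
  [ "$pfx" = "$1" ] && pfx=32          # no "/" present: a single host address
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# rich_rule SOURCE ACTION [PORT/PROTO] [LIMIT]
#   SOURCE   IPv4 address or CIDR, or "any" for no source restriction
#   ACTION   accept | drop | reject
#   PORT     destination port or range with protocol, e.g. 22/tcp or 30000-40000/udp
#   LIMIT    packet rate such as 10/s or 3/m, attached to the action
# Prints the finished rule on stdout; returns 1 and explains on stderr if invalid.
rich_rule() {
  src=$1; action=$2; port=${3:-}; limit=${4:-}
  rule='rule family="ipv4"'
  if [ "$src" != any ]; then
    is_cidr4 "$src" || { echo "rich_rule: bad source $src" >&2; return 1; }
    rule="$rule source address=\"$src\""
  fi
  if [ -n "$port" ]; then
    p=${port%/*}; proto=${port#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "rich_rule: bad protocol in $port" >&2; return 1 ;; esac
    case "$p" in ''|*[!0-9-]*) echo "rich_rule: bad port $p" >&2; return 1 ;; esac
    rule="$rule port port=\"$p\" protocol=\"$proto\""
  elif [ "$src" = any ]; then
    echo "rich_rule: a rule needs a source or a port to match" >&2; return 1
  fi
  case "$action" in accept|drop|reject) ;; *) echo "rich_rule: bad action $action" >&2; return 1 ;; esac
  rule="$rule $action"
  if [ -n "$limit" ]; then
    # limit value= is a packet rate and must follow the action it throttles
    n=${limit%/*}; unit=${limit#*/}
    case "$n" in ''|*[!0-9]*) echo "rich_rule: bad limit $limit" >&2; return 1 ;; esac
    case "$unit" in s|m|h|d) ;; *) echo "rich_rule: bad limit unit in $limit" >&2; return 1 ;; esac
    rule="$rule limit value=\"$limit\""
  fi
  printf '%s\n' "$rule"
}

# apply_rule ZONE RULE: add the rule to the running firewall (skipping it when
# already present) and to the permanent configuration. Needs firewalld; it is
# not exercised offline.
apply_rule() {
  zone=$1; rule=$2
  firewall-cmd --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1 ||
    firewall-cmd --zone="$zone" --add-rich-rule="$rule" || return 1
  firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
}

# Example: rule=$(rich_rule 192.168.0.0/24 accept 22/tcp 10/s) && apply_rule public "$rule"
rich_rule 192.168.0.0/24 accept 22/tcp 10/s
```

Because rich_rule only prints, the generated string can be reviewed (or diffed against `firewall-cmd --zone=public --list-rich-rules`) before apply_rule commits it; the query-before-add in apply_rule keeps the script idempotent when it is rerun from configuration management.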
- Example 41: Reject incoming traffic addressed to a specific destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="203.0.113.100" reject'
This command rejects incoming traffic in the public zone whose destination address is 203.0.113.100. Zone rich rules match traffic entering the zone, not traffic the host sends; blocking outgoing traffic needs a policy object (Example 26).
- Example 42: Apply a zone to a specific interface
firewall-cmd --zone=public --add-interface=eth0
This command binds the network interface eth0 to the public zone, so everything arriving on eth0 is filtered by the public zone's rules. The rich language has no interface= element; interfaces are assigned to zones with --add-interface or --change-interface.
- Example 43: Block all IPv6 traffic in a zone
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" source address="::/0" reject'
This command rejects all incoming IPv6 traffic in the public zone; a rule needs something to match, so the source ::/0 (every IPv6 address) is given. Outgoing traffic is not affected.
- Example 44: List the runtime configuration of a zone
firewall-cmd --zone=public --list-all
This command displays the runtime configuration of the public zone: its target, interfaces, sources, services, ports, protocols, masquerade and forward-port settings, ICMP blocks and rich rules. Add --permanent to see the saved configuration instead.
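The --list-all output is the natural input for a review: a defender wants to know whether the zone's target is ACCEPT, whether masquerading is on, and which services, ports and rich rules are reachable from every source. The function below is an added example, not part of firewalld and not code from the original page; it parses that output from stdin and prints one finding per line followed by a count. SAMPLE_LIST_ALL is a constructed sample in the layout that firewall-cmd --zone=public --list-all prints, and audit_zone is a hypothetical name.

```shell
#!/bin/sh
# Hypothetical audit helper (not part of firewalld): reads the output of
# "firewall-cmd --zone=ZONE --list-all" on stdin and prints one finding per
# line, ending with a "findings: N" summary line.

# Constructed sample in the layout firewall-cmd prints (key: value lines,
# rich rules one per line after the "rich rules:" header).
SAMPLE_LIST_ALL='public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" accept
    rule family="ipv4" port port="3306" protocol="tcp" accept'

audit_zone() {
  findings=0; sources=''; services=''; ports=''; in_rich=0
  while IFS= read -r line; do
    case "$line" in
      *'rich rules:'*) in_rich=1; continue ;;
    esac
    if [ "$in_rich" -eq 1 ]; then
      # After the header every remaining line is a rich rule; an accept
      # without a source restriction is open to the whole zone.
      case "$line" in
        *' accept'*)
          case "$line" in
            *'source '*) ;;
            *) set -- $line
               echo "rich rule accepts without a source restriction: $*"
               findings=$((findings + 1)) ;;
          esac ;;
      esac
      continue
    fi
    key=${line%%:*}; lead=${key%%[! ]*}; key=${key#"$lead"}   # drop the indent
    val=${line#*:};  val=${val# }
    case "$key" in
      target)
        if [ "$val" = ACCEPT ]; then
          echo "target ACCEPT: traffic matching no rule is allowed, the zone is effectively open"
          findings=$((findings + 1))
        fi ;;
      masquerade)
        if [ "$val" = yes ]; then
          echo "masquerade enabled: this host NATs traffic it forwards out of the zone"
          findings=$((findings + 1))
        fi ;;
      sources)  sources=$val ;;
      services) services=$val ;;
      ports)    ports=$val ;;
    esac
  done
  # A zone without sources is bound to whole interfaces, so its services and
  # ports are reachable from every address arriving on them.
  if [ -z "$sources" ]; then
    case " $services " in
      *' ssh '*) echo "ssh allowed from every source; restrict it with a source-limited rich rule"
                 findings=$((findings + 1)) ;;
    esac
    for p in $ports; do
      echo "port $p open to every source"
      findings=$((findings + 1))
    done
  fi
  echo "findings: $findings"
}

# Usage on a live system: firewall-cmd --zone=public --list-all | audit_zone
# Offline run on the constructed sample:
printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone
```

On the sample this reports five findings (the ACCEPT target, masquerading, the unrestricted 3306/tcp rich rule, ssh reachable from everywhere and the open 8080/tcp port). Feeding it the output of --list-all-zones one zone at a time turns it into a quick review of the whole host.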
- Example 45: Set the default action for a zone to drop incoming traffic
firewall-cmd --permanent --zone=public --set-target=DROP
This command sets the default action (target) of the public zone to DROP for incoming traffic that matches no rule; it is the same command as Example 25 and needs --permanent and a reload.
- Example 46: Set the default action for a zone to reject incoming traffic
firewall-cmd --permanent --zone=public --set-target=%%REJECT%%
This command sets the default action (target) of the public zone to reject unmatched incoming traffic with an ICMP error; see Example 33.
- Example 47: Forward a port to a different host
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.10:toport=8080
This command configures the public zone to forward incoming TCP traffic on port 80 to port 8080 on the host 192.168.0.10. Forwarding to another host requires masquerading to be enabled in the zone (Example 9) so that replies return through this host.
- Example 48: Block specific ICMP packets
firewall-cmd --zone=public --add-icmp-block=echo-request
This command makes the public zone block incoming ICMP echo requests (ping). ICMP blocking is done with --add-icmp-block (list the type names with --get-icmptypes); protocol value="icmp" with an icmp-type= attribute is not valid rich-rule syntax.
- Example 49: Allow incoming traffic from a specific source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic whose source port is 12345. The element is source-port and it requires a protocol; source port="..." is not accepted.
- Example 50: Block incoming traffic on a specific destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
This command configures the public zone to reject incoming traffic to TCP port 22 (SSH). Destination ports are matched with the port element; destination port="..." is not accepted, since destination takes only address= or ipset=.
- Example 51: Allow incoming traffic from a specific source IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 (the same rule as Example 15).
- Example 52: Block incoming traffic to a specific destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="192.168.0.0/24" reject'
This command configures the public zone to reject incoming traffic whose destination lies in 192.168.0.0/24.
- Example 53: Allow incoming traffic from a specific source MAC address
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" accept'
This command configures the public zone to allow incoming traffic from the MAC address 00:11:22:33:44:55. A MAC source only identifies hosts on the directly attached link and is easily forged, so it should not be relied on as a strong control.
- Example 54: Block incoming traffic to a specific destination MAC address
The rich language has no destination mac= option: destination accepts only address= or ipset=, so rule family="ipv4" destination mac="00:11:22:33:44:55" reject is refused. The destination MAC of incoming traffic is the host's own interface, so match the interface instead by binding it to a zone with a DROP or %%REJECT%% target (Examples 14 and 25).
- Examples 55 and 56: Allow or block traffic from a specific VLAN
firewall-cmd --zone=public --add-interface=eth0.100
The rich language has no source vlan= or destination vlan= option. VLANs are handled at the interface level: the command above binds the VLAN sub-interface eth0.100 (VLAN ID 100 on eth0, the conventional Linux name) to the public zone, so that zone's rules and target decide what is accepted or blocked from that VLAN.
- Examples 57 and 58: Allow or block incoming traffic from a specific user
firewall-cmd cannot match incoming traffic by user: the rich language has no user name= option, and the kernel only knows the local owner of traffic the host itself sends. Per-user access control belongs in the service (for example sshd's AllowUsers and DenyUsers settings), not in the zone.
- Examples 59 and 60: Match incoming traffic on specific TCP flags
The rich language has no tcp-flags= option, so rules such as rule family="ipv4" protocol="tcp" tcp-flags="FIN,SYN" accept and rule family="ipv4" protocol="tcp" tcp-flags="RST" reject are refused. firewalld already tracks connection state, and packets that belong to no known connection fall through to the zone target, so a rule on individual flags is rarely needed; where it is, it has to be written outside firewalld's zone model.
- Example 61: Allow incoming traffic of a specific ICMP type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" icmp-type name="echo-reply" accept'
This command configures the public zone to allow incoming ICMP echo-reply packets. The element is icmp-type name="..." (list the names with --get-icmptypes); protocol="icmp" icmp-type="..." is not accepted.
- Example 62: Block incoming traffic of a specific ICMP type
firewall-cmd --zone=public --add-icmp-block=destination-unreachable
This command configures the public zone to block incoming ICMP destination-unreachable packets. These messages are how peers report unreachable hosts and ports, so blocking them delays connection failures rather than improving security.
- Example 63: Allow a specific ICMPv6 type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" icmp-type name="parameter-problem" accept'
This command configures the public zone to allow incoming ICMPv6 parameter-problem messages. ICMPv6 types are matched with icmp-type under family="ipv6"; they are not IPv6 extension headers.
- Example 64: Block a specific ICMPv6 type
firewall-cmd --zone=public --add-icmp-block=packet-too-big
This command configures the public zone to block incoming ICMPv6 packet-too-big messages. Do not deploy it casually: packet-too-big is required for IPv6 path MTU discovery, and dropping it breaks connections that need a smaller MTU.
- Example 65: Allow incoming traffic from a specific source port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="30000-40000" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic whose source port is between 30000 and 40000. source-port needs a protocol; tcp is assumed here, use udp if the scenario requires it.
- Example 66: Block incoming traffic on a specific destination port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="2000-3000" protocol="tcp" reject'
This command configures the public zone to reject incoming TCP traffic to destination ports 2000-3000.
- Example 67: Allow incoming traffic of a specific IP protocol number
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="112" accept'
This command configures the public zone to allow incoming IP protocol 112 (VRRP). The protocol value may also be a name from /etc/protocols, such as protocol value="vrrp", and the zone option --add-protocol=vrrp does the same without a rich rule.
- Example 68: Block incoming traffic of a specific IP protocol number
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="58" reject'
This command configures the public zone to reject incoming traffic carrying IP protocol 58. Protocol 58 is ICMPv6 (ipv6-icmp), which is not carried in IPv4 packets, so this particular rule matches nothing under family="ipv4"; for ICMPv6 use family="ipv6" with icmp-type or --add-icmp-block (Examples 63 and 64).
- Examples 69 to 76: TCP options, UDP options, IP fragment flags and IP header options
The rich language has no tcp-option=, udp-option=, ip-option= or fragment-flag match, and tcp-flags= does not exist either (MF and DF are IP header flags rather than TCP flags, and UDP has no options at all), so every rule of the form rule family="ipv4" protocol="tcp" tcp-option="2" accept, protocol="udp" udp-option="7" accept, protocol="tcp" tcp-flags="MF" accept or protocol="tcp" ip-option="4" reject is refused by firewall-cmd. A rich rule can only combine family, priority, source, destination, one element (service, port, protocol, icmp-block, icmp-type, masquerade, forward-port or source-port), log, audit and an action with an optional limit. Header matching at this granularity is outside firewalld's zone model.
- Example 77: Allow incoming traffic from a specific IP range on a port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the IP range 192.168.0.0/24 to port 8080. The port element always needs a protocol.
- Example 78: Block incoming traffic from a specific IP range on a port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command configures the public zone to reject incoming TCP traffic from the IP range 192.168.0.0/24 to port 22 (SSH).
- Example 79: Allow incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" accept'
These commands configure the public zone to allow incoming traffic from each listed address; one rich rule is needed per address, or the addresses can be collected in an ipset and matched with source ipset="...".
- Example 80: Block incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" reject'
These commands configure the public zone to reject incoming traffic from each listed address.
- Example 81: Allow incoming traffic on a specific network interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-port=8080/tcp
These commands bind eth0 to the public zone and open port 8080/tcp in it, so TCP port 8080 is reachable on eth0 (and on any other interface in the public zone). The rich language has no in-interface= option; per-interface policy is expressed by placing interfaces in zones.
- Example 82: Block incoming traffic on a specific network interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
These commands bind eth0 to the public zone and reject incoming SSH (port 22/tcp) traffic in that zone. To treat eth0 differently from other interfaces, give it a zone of its own.
- Example 83: Allow incoming traffic from a specific source IP to a destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="80" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from 192.168.0.10 to port 80. Destination ports are matched with port port="..." protocol="..."; destination port="..." is not accepted.
- Example 84: Block incoming traffic from a specific source IP to a destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="443" protocol="tcp" reject'
This command configures the public zone to reject incoming TCP traffic from 192.168.0.10 to port 443.
- Example 85: Allow incoming traffic from a specific source IP range to a destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the IP range 192.168.0.0/24 to port 8080 (the same rule as Example 77).
- Example 86: Block incoming traffic from a specific source IP range to a destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command configures the public zone to reject incoming SSH (port 22/tcp) traffic from the IP range 192.168.0.0/24 (the same rule as Example 78).
- Example 87: Configure a zone to allow incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 88: Configure a zone to block incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 89: Configure a zone to allow incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
- Example 90: Configure a zone to block incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
- Example 91: Configure a zone to allow incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
- Example 92: Configure a zone to block incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
- Example 93: Configure a zone to allow incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
- Example 94: Configure a zone to block incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
- Example 95: Allow incoming traffic from a specific source MAC to a destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
- Example 96: Block incoming traffic from a specific source MAC to a destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" reject'
This command configures the public zone to reject incoming traffic from the MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
- Examples 97 and 98: Allow or block incoming traffic from a MAC address range to a destination IP
source mac= takes one complete MAC address; a mask such as 00:11:22:00:00:00/FF:FF:FF:00:00:00 is not accepted, and "00:11:22:00:00:00 to FF:FF:FF:00:00:00" is not a range but an address with a mask that keeps its first three bytes (the vendor prefix). To allow or reject a set of MAC addresses, put them in an ipset of type hash:mac (--permanent --new-ipset=NAME --type=hash:mac, then --permanent --ipset=NAME --add-entry=... per address) and match it with source ipset="NAME" accept or source ipset="NAME" reject.
- Example 99: Allow incoming traffic of a specific protocol from a source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic whose source port is 12345 (the same rule as Example 49); the protocol is part of the source-port element.
- Example 100: Block incoming traffic of a specific protocol from a source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="udp
Examples of examples of common firewall-cmd commands with scenarios. Feel free to ask for more examples if needed.
- List all active zones.
firewall-cmd –get-active-zones
This command displays all active firewall zones on the system.
- Add a service to a zone
firewall-cmd –zone=public –add-service=http
This command adds the HTTP service to the public zone, allowing incoming HTTP traffic.
- Example 3: Remove a service from a zone
firewall-cmd –zone=public –remove-service=http
This command removes the HTTP service from the public zone, disallowing incoming HTTP traffic.
- Example 4: Add a port to a zone
firewall-cmd –zone=public –add-port=8080/tcp
This command opens port 8080/tcp in the public zone, allowing incoming TCP traffic on that port.
- Example 5: Remove a port from a zone
firewall-cmd –zone=public –remove-port=8080/tcp
This command removes the rule that allows incoming TCP traffic on port 8080 from the public zone.
- Example 6: List all services in a zone
firewall-cmd –zone=public –list-services
This command lists all services allowed in the public zone.
- Example 7: List all ports in a zone
firewall-cmd –zone=public –list-ports
This command lists all ports opened in the public zone.
- Example 8: Set a default zone
firewall-cmd –set-default-zone=public
This command sets the public zone as the default zone for incoming network connections.
- Example 9: Enable masquerading
firewall-cmd –zone=public –add-masquerade
This command enables masquerading in the public zone, allowing Network Address Translation (NAT) for outgoing traffic.
- Example 10: Reload the firewall configuration
firewall-cmd –reload
.
- Example 11: List all zones
firewall-cmd –get-zones
This command lists all available firewall zones on the system.
- Example 12: Add a source IP address to a zone
firewall-cmd –zone=public –add-source=192.168.0.10
This command adds the IP address 192.168.0.10 to the allowed sources in the public zone.
- Example 13: Remove a source IP address from a zone
firewall-cmd –zone=public –remove-source=192.168.0.10
This command removes the IP address 192.168.0.10 from the allowed sources in the public zone.
- Example 14: Set a zone as the default for network interfaces
firewall-cmd –zone=public –change-interface=eth0
This command sets the public zone as the default zone for the network interface eth0.
- Example 15: Add a rich rule to a zone
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command adds a rich rule to the public zone, allowing incoming traffic from the IP subnet 192.168.0.0/24.
- Example 16: Remove a rich rule from a zone
firewall-cmd –zone=public –remove-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command removes a specific rich rule from the public zone.
- Example 17: Enable a specific firewall feature
firewall-cmd –permanent –enable=ipsec
This command enables the IPsec firewall feature.
- Example 18: Disable a specific firewall feature
firewall-cmd –permanent –disable=ipsec
This command disables the IPsec firewall feature.
- Example 19: Configure a zone to log packets
firewall-cmd –zone=public –set-target=LOG –log-prefix=”Firewall Log: “
This command configures the public zone to log packets with a custom log prefix.
- Example 20: Display the runtime status of the firewall
firewall-cmd –state
- Example 21: Add a custom service to a zone
firewall-cmd –permanent –zone=public –add-service=myapp
This command adds a custom service called “myapp” to the public zone, allowing incoming traffic on the defined ports for that service.
- Example 22: Remove a custom service from a zone
firewall-cmd –permanent –zone=public –remove-service=myapp
This command removes the custom service “myapp” from the public zone, disallowing incoming traffic on the defined ports for that service.
- Example 23: Reload the firewall configuration without losing established connections
firewall-cmd –reload –complete-reload
This command reloads the firewall configuration, ensuring that established connections are maintained during the reload process.
- Example 24: List all supported services
firewall-cmd –get-services
This command lists all the supported services that can be used with firewall-cmd.
- Example 25: Configure a zone to block all incoming traffic
firewall-cmd –zone=public –set-target=DROP
This command configures the public zone to drop all incoming traffic.
- Example 26: Configure a zone to block all outgoing traffic
firewall-cmd –zone=public –set-target=DROP –out-interface=eth0
This command configures the public zone to drop all outgoing traffic on the specified network interface.
- Example 27: Configure a zone to reject incoming traffic with a specific ICMP message
firewall-cmd –zone=public –set-target=REJECT –reject-with=icmp-port-unreachable
This command configures the public zone to reject incoming traffic with an ICMP “port unreachable” message.
- Example 28: Configure a zone to forward packets
firewall-cmd –zone=public –add-forward-port=port=80:proto=tcp:toport=8080
This command configures the public zone to forward incoming TCP traffic from port 80 to port 8080.
- Example 29: List all supported protocols
firewall-cmd –get-protocols
This command lists all the supported protocols that can be used with firewall-cmd.
- Example 30: Display the version of firewalld
firewall-cmd –version
This command displays the version of the firewalld firewall management tool installed on the system.
- Example 31: Add a source IP range to a zone
firewall-cmd --zone=public --add-source=192.168.0.0/24
This command binds the IP range 192.168.0.0/24 to the public zone, so traffic from that range is handled by the zone's rules.
- Example 32: Remove a source IP range from a zone
firewall-cmd --zone=public --remove-source=192.168.0.0/24
This command removes the IP range 192.168.0.0/24 from the sources bound to the public zone.
- Example 33: Configure a zone to reject all incoming traffic
firewall-cmd --permanent --zone=public --set-target=REJECT
firewall-cmd --reload
This command configures the public zone to reject all incoming traffic that no service, port or rich rule in the zone explicitly allows. As in Example 25, the target is a permanent-only setting, so a reload is required.
- Example 34: Configure a zone to reject all outgoing traffic
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o eth0 -j REJECT
This command rejects all outgoing IPv4 traffic on the specified network interface, again as a direct rule in the OUTPUT chain because zone targets apply to incoming traffic only.
- Example 35: Configure a zone to log dropped packets
firewall-cmd --set-log-denied=all
This command makes firewalld log every packet that is dropped or rejected by its final deny rules, for all zones. The messages go to the kernel log (for example journalctl -k) with a prefix chosen by firewalld; the prefix and level are not configurable here, and the setting is global rather than per zone.
- Example 36: Configure a zone to limit the maximum number of connections
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" accept limit value="10/s"'
This command configures the public zone to accept at most 10 matching incoming packets per second from any IPv4 source. In the rich rule language, limit is attached to the action (accept, reject, drop or log) and so must follow it, and a rule needs at least a source, destination or element to match on.
- Example 37: Configure a zone to allow incoming traffic only from a specific source IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
This command configures the public zone to allow incoming traffic from the specific source IP address 192.168.0.10; traffic from other sources is still subject to the zone's other rules and its target.
- Example 38: Configure a zone to allow incoming traffic only on specific ports
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="443" protocol="tcp" accept'
These commands configure the public zone to allow incoming TCP traffic on ports 80 and 443.
- Example 39: Configure a zone to block incoming traffic from a specific source IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
This command configures the public zone
- Example 41: Configure a zone to block outgoing traffic to a specific destination IP
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 203.0.113.100 -j REJECT
This command blocks outgoing traffic to the specific destination IP address 203.0.113.100. A rich rule with destination address= in a zone only matches incoming traffic addressed to that IP, so an outbound block is written as a direct rule in the OUTPUT chain.
- Example 42: Configure a zone to allow incoming traffic on a specific interface
firewall-cmd --zone=public --add-interface=eth0
This command binds the network interface eth0 to the public zone, so incoming traffic on eth0 is evaluated against the services, ports and rich rules allowed in that zone. The rich rule language has no interface attribute; interfaces are matched by binding them to a zone.
- Example 43: Configure a zone to block all IPv6 traffic
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" source address="::/0" reject'
This command configures the public zone to reject all incoming IPv6 traffic. A rich rule must name a source, destination or element to match on, so ::/0 is used to match every IPv6 source; zone rules do not affect outgoing traffic.
- Example 44: List all runtime configurations of a zone
firewall-cmd --zone=public --list-all
This command displays the runtime configuration of the public zone, including its interfaces, sources, services, ports, and rich rules.
- Example 45: Set the default action for a zone to drop incoming traffic
firewall-cmd --permanent --zone=public --set-target=DROP
This command sets the default action (target) of the public zone to drop incoming traffic that nothing else in the zone allows; run firewall-cmd --reload afterwards to apply it.
- Example 46: Set the default action for a zone to reject incoming traffic
firewall-cmd --permanent --zone=public --set-target=REJECT
This command sets the default action (target) of the public zone to reject such traffic, answering with an ICMP error instead of silently dropping it; a reload is needed here as well.
- Example 47: Configure a zone to forward specific ports to a different destination
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.10:toport=8080
firewall-cmd --zone=public --add-masquerade
These commands configure the public zone to forward incoming TCP traffic on port 80 to port 8080 on the host 192.168.0.10. Forwarding to a non-local address only works when masquerading is enabled on the zone, hence the second command.
- Example 48: Configure a zone to block specific ICMP packets
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" icmp-block name="echo-request"'
This command configures the public zone to block incoming ICMP echo requests. icmp-block is an element that carries its own action, so no action is given in the rule.
- Example 49: Configure a zone to allow incoming traffic on a specific source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic with the specific source port 12345. Source ports are matched with the source-port element, which requires a protocol.
- Example 50: Configure a zone to block incoming traffic on a specific destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
This command configures the public zone to reject incoming TCP traffic to the specific destination port 22 (SSH); the port element always refers to the destination port.
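The rich rules in Examples 36 to 50 are only installed by firewalld if they follow its rich-rule grammar (one element per rule, source and destination before it, limit after the action). The validator below is an added example, not code from this page or from the firewalld project: it parses a rule string against that grammar and reports why a rule is invalid, rejecting attributes the language does not define (such as `vlan` or `user`), so a rule can be checked before it is passed to firewall-cmd.

```python
"""Validator for firewalld rich rules (added example; not code from this page
or from the firewalld project).  It encodes the subset of firewalld.richlanguage(5)
the commands above rely on:  rule [family=] [priority=] [source [NOT] address=|mac=|ipset=]
[destination [NOT] address=|ipset=] [one element] [log ...] [action] [limit value=]."""
import re
import shlex
# element keyword -> (required attributes, optional attributes)
ELEMENTS = {
    "service": ({"name"}, set()), "port": ({"port", "protocol"}, set()),
    "protocol": ({"value"}, set()), "icmp-block": ({"name"}, set()),
    "icmp-type": ({"name"}, set()), "masquerade": (set(), set()),
    "source-port": ({"port", "protocol"}, set()),
    "forward-port": ({"port", "protocol"}, {"to-port", "to-addr"}),
}
ACTIONS = {"accept": (set(), set()), "drop": (set(), set()),
           "reject": (set(), {"type"}), "mark": ({"set"}, set())}
SELF_ACTING = {"icmp-block", "masquerade", "forward-port"}  # imply their own action
LIMIT_RE = re.compile(r"^\d+/[smhd]$")  # rate/duration, e.g. 10/s or 3/m


def _attrs(tokens, i, required, optional, what):
    """Consume key=value tokens from tokens[i:], validating them for `what`."""
    seen = {}
    while i < len(tokens) and "=" in tokens[i]:
        key, value = tokens[i].split("=", 1)
        if key in seen or (key not in required and key not in optional):
            raise ValueError(f"{what}: bad or duplicate attribute {key!r}")
        seen[key] = value
        i += 1
    if required - seen.keys():
        raise ValueError(f"{what}: missing {sorted(required - seen.keys())}")
    return seen, i


def _limit(tokens, i):
    """Consume an optional `limit value=N/unit` after log or after the action."""
    if i < len(tokens) and tokens[i] == "limit":
        attrs, i = _attrs(tokens, i + 1, {"value"}, set(), "limit")
        if not LIMIT_RE.match(attrs["value"]):
            raise ValueError(f"limit: bad rate {attrs['value']!r}, want N/s|m|h|d")
        return attrs["value"], i
    return None, i


def parse_rich_rule(rule):
    """Parse `rule` into a dict, or raise ValueError saying why it is invalid."""
    tokens = shlex.split(rule)  # also strips the "..." around attribute values
    if not tokens or tokens[0] != "rule":
        raise ValueError("rule must start with the keyword 'rule'")
    head, i = _attrs(tokens, 1, set(), {"family", "priority"}, "rule")
    out = {"family": head.get("family"), "source": None, "destination": None,
           "element": None, "log": None, "action": None, "limit": None}
    while i < len(tokens):
        word, i = tokens[i], i + 1
        if word in ("source", "destination"):
            negate = i < len(tokens) and tokens[i] == "NOT"  # bool: skips one token
            keys = {"address", "mac", "ipset"} if word == "source" else {"address", "ipset"}
            attrs, i = _attrs(tokens, i + negate, set(), keys, word)
            if not attrs:
                raise ValueError(f"{word}: needs one of {sorted(keys)}")
            out[word] = {"not": negate, **attrs}
        elif word in ELEMENTS:
            if out["element"] is not None:
                raise ValueError("only one element (service/port/protocol/...) per rule")
            attrs, i = _attrs(tokens, i, *ELEMENTS[word], word)
            out["element"] = {"kind": word, **attrs}
        elif word == "log":
            attrs, i = _attrs(tokens, i, set(), {"prefix", "level"}, "log")
            attrs["limit"], i = _limit(tokens, i)
            out["log"] = attrs
        elif word in ACTIONS:
            attrs, i = _attrs(tokens, i, *ACTIONS[word], word)
            out["action"] = {"kind": word, **attrs}
            out["limit"], i = _limit(tokens, i)
        elif word == "limit":
            raise ValueError('limit must follow the action, e.g. accept limit value="10/s"')
        else:
            raise ValueError(f"unknown keyword {word!r}")
    # structural checks, mirroring what firewalld enforces before installing a rule
    elem = out["element"]["kind"] if out["element"] else None
    if elem is None:
        if out["action"] is None:
            raise ValueError("a rule without an element needs an action")
        if out["source"] is None and out["destination"] is None:
            raise ValueError("rule needs an element, a source or a destination")
    elif elem in SELF_ACTING:
        if out["action"] is not None:
            raise ValueError(f"{elem} implies its own action; remove the explicit one")
    elif out["action"] is None and out["log"] is None:
        raise ValueError("rule needs an action or a log statement")
    return out


def check(rule):
    """Return (True, parsed_rule) or (False, reason) instead of raising."""
    try:
        return True, parse_rich_rule(rule)
    except ValueError as err:
        return False, str(err)
```

Feed it the string you would pass to --add-rich-rule (including the word rule); a False result comes with the grammar violation firewall-cmd would also object to.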
Here are more examples of common firewall-cmd commands with scenarios:
- Example 51: Configure a zone to allow incoming traffic on a specific source IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command configures the public zone to allow incoming traffic from the specific IP range 192.168.0.0/24.
- Example 52: Configure a zone to block incoming traffic on a specific destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="192.168.0.0/24" reject'
This command configures the public zone to block incoming traffic to the specific IP range 192.168.0.0/24.
- Example 53: Configure a zone to allow incoming traffic on a specific source MAC address
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" accept'
This command configures the public zone to allow incoming traffic from the specific MAC address 00:11:22:33:44:55.
- Example 54: Configure a zone to block incoming traffic on a specific destination MAC address
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination mac="00:11:22:33:44:55" reject'
This command configures the public zone to block incoming traffic to the specific MAC address 00:11:22:33:44:55.
- Example 55: Configure a zone to allow incoming traffic on a specific source VLAN
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source vlan="100" accept'
This command configures the public zone to allow incoming traffic from the specific VLAN ID 100.
- Example 56: Configure a zone to block incoming traffic on a specific destination VLAN
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination vlan="100" reject'
This command configures the public zone to block incoming traffic to the specific VLAN ID 100.
- Example 57: Configure a zone to allow incoming traffic from a specific user
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" user name="alice" accept'
This command configures the public zone to allow incoming traffic from the specific user "alice".
- Example 58: Configure a zone to block incoming traffic from a specific user
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" user name="bob" reject'
This command configures the public zone to block incoming traffic from the specific user "bob".
- Example 59: Configure a zone to allow incoming traffic on a specific TCP flag
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-flags FIN,SYN FIN,SYN -j ACCEPT
This command allows incoming TCP traffic with both the FIN and SYN flags set. The rich rule language cannot match TCP flags, so this is written as a direct (iptables-syntax) rule in the INPUT chain; --tcp-flags takes the flags to examine followed by the flags that must be set.
- Example 60: Configure a zone to block incoming traffic on a specific TCP flag
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-flags RST RST -j REJECT
This command rejects incoming TCP traffic with the RST flag set, again as a direct rule.
- Example 61: Configure a zone to allow incoming traffic on a specific ICMP type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" icmp-type name="echo-reply" accept'
This command configures the public zone to allow incoming ICMP echo-reply packets. The icmp-type element takes the name of one of the types listed by firewall-cmd --get-icmptypes.
- Example 62: Configure a zone to block incoming traffic on a specific ICMP type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" icmp-type name="destination-unreachable" reject'
This command configures the public zone to reject incoming ICMP destination-unreachable packets.
- Example 63: Configure a zone to allow incoming traffic of a specific ICMPv6 type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" icmp-type name="parameter-problem" accept'
This command configures the public zone to allow incoming ICMPv6 parameter-problem packets.
- Example 64: Configure a zone to block incoming traffic of a specific ICMPv6 type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" icmp-type name="packet-too-big" reject'
This command configures the public zone to reject incoming ICMPv6 packet-too-big packets. Blocking packet-too-big breaks IPv6 path MTU discovery, so it is rarely what you want.
- Example 65: Configure a zone to allow incoming traffic on a specific source port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="30000-40000" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the specified source port range (30000-40000).
- Example 66: Configure a zone to block incoming traffic on a specific destination port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="2000-3000" protocol="tcp" reject'
This command configures the public zone to reject incoming TCP traffic to the specified destination port range (2000-3000).
- Example 67: Configure a zone to allow incoming traffic on a specific IP protocol number
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="112" accept'
This command configures the public zone to allow incoming traffic with the specific IP protocol number (112).
- Example 68: Configure a zone to block incoming traffic on a specific IP protocol number
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="58" reject'
This command configures the public zone to block incoming traffic with the specific IP protocol number (58).
- Example 69: Configure a zone to allow incoming traffic on a specific TCP option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-option="2" accept'
This command configures the public zone to allow incoming TCP traffic with the specific TCP option number (2).
- Example 70: Configure a zone to block incoming traffic on a specific TCP option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-option="4" reject'
This command configures the public zone to block incoming TCP traffic with the specific TCP option number (4).
- Example 71: Configure a zone to allow incoming traffic on a specific UDP option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="udp" udp-option="7" accept'
This command configures the public zone to allow incoming UDP traffic with the specific UDP option number (7).
- Example 72: Configure a zone to block incoming traffic on a specific UDP option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="udp" udp-option="9" reject'
This command configures the public zone to block incoming UDP traffic with the specific UDP option number (9).
- Example 73: Configure a zone to allow incoming traffic on a specific IP fragment flag
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-flags="MF" accept'
This command configures the public zone to allow incoming TCP traffic with the IP fragment flag "MF" set.
- Example 74: Configure a zone to block incoming traffic on a specific IP fragment flag
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-flags="DF" reject'
This command configures the public zone to block incoming TCP traffic with the IP fragment flag "DF" set.
- Example 75: Configure a zone to allow incoming traffic on a specific IP header option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" ip-option="4" accept'
This command configures the public zone to allow incoming TCP traffic with the specific IP header option number (4).
- Example 76: Configure a zone to block incoming traffic on a specific IP header option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" ip-option="7" reject'
This command configures the public zone to block incoming TCP traffic with the specific IP header option number (7).
- Example 77: Configure a zone to allow incoming traffic with a specific IP address range and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the IP range 192.168.0.0/24 to port 8080; the port element requires both a port and a protocol.
- Example 78: Configure a zone to block incoming traffic with a specific IP address range and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command configures the public zone to reject incoming TCP traffic from the IP range 192.168.0.0/24 to port 22 (SSH).
- Example 79: Configure a zone to allow incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" accept'
These commands configure the public zone to allow incoming traffic from multiple specific IP addresses, one rich rule per address.
- Example 80: Configure a zone to block incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" reject'
These commands configure the public zone to block incoming traffic from multiple specific IP addresses, one rich rule per address.
- Example 81: Configure a zone to allow incoming traffic on a specific network interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-port=8080/tcp
These commands bind the network interface eth0 to the public zone and open TCP port 8080 in that zone, so port 8080 is reachable on eth0 (and on any other interface bound to the public zone). Rich rules cannot match on an interface; the zone binding does that.
- Example 82: Configure a zone to block incoming traffic on a specific network interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
These commands bind eth0 to the public zone and reject incoming SSH (TCP port 22) traffic in that zone.
- Example 83: Configure a zone to allow incoming traffic on a specific source IP and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="80" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the IP address 192.168.0.10 to port 80.
- Example 84: Configure a zone to block incoming traffic on a specific source IP and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="443" protocol="tcp" reject'
This command configures the public zone to reject incoming TCP traffic from the IP address 192.168.0.10 to port 443.
- Example 85: Configure a zone to allow incoming traffic on a specific source IP range and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the IP range 192.168.0.0/24 to port 8080.
- Example 86: Configure a zone to block incoming traffic on a specific source IP range and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command configures the public zone to reject incoming SSH (TCP port 22) traffic from the IP range 192.168.0.0/24.
- Example 87: Configure a zone to allow incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 88: Configure a zone to block incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 89: Configure a zone to allow incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
- Example 90: Configure a zone to block incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
- Example 91: Configure a zone to allow incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
- Example 92: Configure a zone to block incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
- Example 93: Configure a zone to allow incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
- Example 94: Configure a zone to block incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
- Example 95: Configure a zone to allow incoming traffic on a specific source MAC and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the specific MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
- Example 96: Configure a zone to block incoming traffic on a specific source MAC and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the specific MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
- Example 97: Configure a zone to allow incoming traffic on a specific source MAC range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:00:00:00/FF:FF:FF:00:00:00" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the MAC range 00:11:22:00:00:00 with mask FF:FF:FF:00:00:00 to the IP address 203.0.113.100.
- Example 98: Configure a zone to block incoming traffic on a specific source MAC range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:00:00:00/FF:FF:FF:00:00:00" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the MAC range 00:11:22:00:00:00 with mask FF:FF:FF:00:00:00 to the IP address 203.0.113.100.
- Example 99: Configure a zone to allow incoming traffic on a specific protocol and source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic with the specific source port 12345, using the same source-port element as in Example 49.
- Example 100: Configure a zone to block incoming traffic on a specific protocol and source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="udp
. Feel free to ask for more examples if needed.
List all active zones.
firewall-cmd –get-active-zones
This command displays all active firewall zones on the system.
Add a service to a zone
firewall-cmd –zone=public –add-service=http
This command adds the HTTP service to the public zone, allowing incoming HTTP traffic.
3: Remove a service from a zone
firewall-cmd –zone=public –remove-service=http
This command removes the HTTP service from the public zone, disallowing incoming HTTP traffic.
Example 4: Add a port to a zone
firewall-cmd –zone=public –add-port=8080/tcp
This command opens port 8080/tcp in the public zone, allowing incoming TCP traffic on that port.
Example 5: Remove a port from a zone
firewall-cmd –zone=public –remove-port=8080/tcp
This command removes the rule that allows incoming TCP traffic on port 8080 from the public zone.
Example 6: List all services in a zone
firewall-cmd –zone=public –list-services
This command lists all services allowed in the public zone.
- Example 7: List all ports in a zone
firewall-cmd –zone=public –list-ports
This command lists all ports opened in the public zone.
- Example 8: Set a default zone
firewall-cmd –set-default-zone=public
This command sets the public zone as the default zone for incoming network connections.
- Example 9: Enable masquerading
firewall-cmd –zone=public –add-masquerade
This command enables masquerading in the public zone, allowing Network Address Translation (NAT) for outgoing traffic.
- Example 10: Reload the firewall configuration
firewall-cmd –reload
.
- Example 11: List all zones
firewall-cmd –get-zones
This command lists all available firewall zones on the system.
- Example 12: Add a source IP address to a zone
firewall-cmd –zone=public –add-source=192.168.0.10
This command adds the IP address 192.168.0.10 to the allowed sources in the public zone.
- Example 13: Remove a source IP address from a zone
firewall-cmd –zone=public –remove-source=192.168.0.10
This command removes the IP address 192.168.0.10 from the allowed sources in the public zone.
- Example 14: Set a zone as the default for network interfaces
firewall-cmd –zone=public –change-interface=eth0
This command sets the public zone as the default zone for the network interface eth0.
- Example 15: Add a rich rule to a zone
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command adds a rich rule to the public zone, allowing incoming traffic from the IP subnet 192.168.0.0/24.
- Example 16: Remove a rich rule from a zone
firewall-cmd –zone=public –remove-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command removes a specific rich rule from the public zone.
- Example 17: Enable a specific firewall feature
firewall-cmd –permanent –enable=ipsec
This command enables the IPsec firewall feature.
- Example 18: Disable a specific firewall feature
firewall-cmd –permanent –disable=ipsec
This command disables the IPsec firewall feature.
- Example 19: Configure a zone to log packets
firewall-cmd –zone=public –set-target=LOG –log-prefix=”Firewall Log: “
This command configures the public zone to log packets with a custom log prefix.
- Example 20: Display the runtime status of the firewall
firewall-cmd –state
- Example 21: Add a custom service to a zone
firewall-cmd –permanent –zone=public –add-service=myapp
This command adds a custom service called “myapp” to the public zone, allowing incoming traffic on the defined ports for that service.
- Example 22: Remove a custom service from a zone
firewall-cmd –permanent –zone=public –remove-service=myapp
This command removes the custom service “myapp” from the public zone, disallowing incoming traffic on the defined ports for that service.
- Example 23: Reload the firewall configuration without losing established connections
firewall-cmd –reload –complete-reload
This command reloads the firewall configuration, ensuring that established connections are maintained during the reload process.
- Example 24: List all supported services
firewall-cmd –get-services
This command lists all the supported services that can be used with firewall-cmd.
- Example 25: Configure a zone to block all incoming traffic
firewall-cmd –zone=public –set-target=DROP
This command configures the public zone to drop all incoming traffic.
- Example 26: Configure a zone to block all outgoing traffic
firewall-cmd –zone=public –set-target=DROP –out-interface=eth0
This command configures the public zone to drop all outgoing traffic on the specified network interface.
- Example 27: Configure a zone to reject incoming traffic with a specific ICMP message
firewall-cmd –zone=public –set-target=REJECT –reject-with=icmp-port-unreachable
This command configures the public zone to reject incoming traffic with an ICMP “port unreachable” message.
- Example 28: Configure a zone to forward packets
firewall-cmd –zone=public –add-forward-port=port=80:proto=tcp:toport=8080
This command configures the public zone to forward incoming TCP traffic from port 80 to port 8080.
- Example 29: List all supported protocols
firewall-cmd –get-protocols
This command lists all the supported protocols that can be used with firewall-cmd.
- Example 30: Display the version of firewalld
firewall-cmd –version
This command displays the version of the firewalld firewall management tool installed on the system.
- Example 31: Add a source IP range to a zone
firewall-cmd –zone=public –add-source=192.168.0.0/24
This command adds the IP range 192.168.0.0/24 to the allowed sources in the public zone.
- Example 32: Remove a source IP range from a zone
firewall-cmd –zone=public –remove-source=192.168.0.0/24
This command removes the IP range 192.168.0.0/24 from the allowed sources in the public zone.
- Example 33: Configure a zone to reject all incoming traffic
firewall-cmd –zone=public –set-target=REJECT
This command configures the public zone to reject all incoming traffic.
- Example 34: Configure a zone to reject all outgoing traffic
firewall-cmd –zone=public –set-target=REJECT –out-interface=eth0
This command configures the public zone to reject all outgoing traffic on the specified network interface.
- Example 35: Configure a zone to log dropped packets
firewall-cmd –zone=public –set-target=LOG –log-prefix=”Dropped Packet: ” –log-level=notice
This command configures the public zone to log packets that are dropped with a custom log prefix and log level set to “notice”.
- Example 36: Configure a zone to limit the maximum number of connections
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ limit value=”10/s” accept’
This command configures the public zone to limit the maximum number of incoming connections to 10 per second.
- Example 37: Configure a zone to allow incoming traffic only from a specific source IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ accept’
This command configures the public zone to allow incoming traffic only from the specific source IP address 192.168.0.10.
- Example 38: Configure a zone to allow incoming traffic only on specific ports
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ port port=”80″ protocol=”tcp” accept’
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ port port=”443″ protocol=”tcp” accept’
This command configures the public zone to allow incoming TCP traffic on ports 80 and 443.
- Example 39: Configure a zone to block incoming traffic from a specific source IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ reject’
This command configures the public zone
- Example 41: Configure a zone to block outgoing traffic to a specific destination IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination address=”203.0.113.100″ reject’
This command configures the public zone to block outgoing traffic to the specific destination IP address 203.0.113.100.
- Example 42: Configure a zone to allow incoming traffic on a specific interface
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ interface=”eth0″ accept’
This command configures the public zone to allow incoming traffic on the network interface eth0.
- Example 43: Configure a zone to block all IPv6 traffic
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv6″ reject’
This command configures the public zone to block all incoming and outgoing IPv6 traffic.
- Example 44: List all runtime configurations of a zone
firewall-cmd –zone=public –list-all
This command displays all the runtime configurations of the public zone, including sources, services, ports, and rich rules.
- Example 45: Set the default action for a zone to drop incoming traffic
firewall-cmd –zone=public –set-target=DROP
This command sets the default action for the public zone to drop incoming traffic.
- Example 46: Set the default action for a zone to reject incoming traffic
firewall-cmd –zone=public –set-target=REJECT
This command sets the default action for the public zone to reject incoming traffic.
- Example 47: Configure a zone to forward specific ports to a different destination
firewall-cmd –zone=public –add-forward-port=port=80:proto=tcp:toaddr=192.168.0.10:toport=8080
This command configures the public zone to forward incoming TCP traffic from port 80 to port 8080 on the IP address 192.168.0.10.
- Example 48: Configure a zone to block specific ICMP packets
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol value=”icmp” icmp-type=echo-request reject’
This command configures the public zone to block incoming ICMP echo requests.
- Example 49: Configure a zone to allow incoming traffic on a specific source port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source port=”12345″ accept’
This command configures the public zone to allow incoming traffic on the specific source port 12345.
- Example 50: Configure a zone to block incoming traffic on a specific destination port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination port=”22″ reject’
This command configures the public zone to block incoming traffic on the specific destination port 22 (SSH).
Certainly! Here are 10 more examples of common firewall-cmd commands with scenarios:
- Example 51: Configure a zone to allow incoming traffic on a specific source IP range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command configures the public zone to allow incoming traffic from the specific IP range 192.168.0.0/24.
- Example 52: Configure a zone to block incoming traffic on a specific destination IP range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination address=”192.168.0.0/24″ reject’
This command configures the public zone to block incoming traffic to the specific IP range 192.168.0.0/24.
- Example 53: Configure a zone to allow incoming traffic on a specific source MAC address
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source mac=”00:11:22:33:44:55″ accept’
This command configures the public zone to allow incoming traffic from the specific MAC address 00:11:22:33:44:55.
- Example 54: Configure a zone to block incoming traffic on a specific destination MAC address
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination mac="00:11:22:33:44:55" reject'
This command is meant to make the public zone block incoming traffic to the specific MAC address 00:11:22:33:44:55, but the destination clause of a rich rule accepts only an address (or ipset), so firewall-cmd rejects the rule. MAC matching is available for the source only (Example 53).
- Example 55: Configure a zone to allow incoming traffic on a specific source VLAN
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source vlan="100" accept'
This command is meant to allow incoming traffic from VLAN ID 100, but the rich-rule language has no vlan attribute and firewall-cmd rejects the rule. VLAN traffic is scoped in firewalld by binding the VLAN interface (for example eth0.100) to a zone with --change-interface (Example 14).
- Example 56: Configure a zone to block incoming traffic on a specific destination VLAN
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination vlan="100" reject'
This command is meant to block incoming traffic to VLAN ID 100 and fails for the same reason as Example 55: there is no vlan attribute in the rich language.
- Example 57: Configure a zone to allow incoming traffic from a specific user
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" user name="alice" accept'
This command is meant to allow incoming traffic from the user "alice", but rich rules match on addresses, MACs, ipsets, ports, protocols and ICMP types, not on local users, so firewall-cmd rejects the rule (user is not a rich-rule keyword).
- Example 58: Configure a zone to block incoming traffic from a specific user
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" user name="bob" reject'
Same limitation as Example 57: there is no user match in the rich language, so this rule is rejected as well.
- Example 59: Configure a zone to allow incoming traffic on a specific TCP flag
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-flags="FIN,SYN" accept'
This command is meant to allow incoming TCP traffic with the FIN and SYN flags set, but tcp-flags is not a rich-rule attribute (and the protocol element is written protocol value="tcp"), so firewall-cmd rejects the rule. Flag-level matching is outside the rich language and needs firewalld's direct interface or a native nftables rule.
- Example 60: Configure a zone to block incoming traffic on a specific TCP flag
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-flags="RST" reject'
Same limitation as Example 59: the rich language cannot match the RST flag, so this rule is rejected.
- Example 61: Configure a zone to allow incoming traffic on a specific ICMP type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" icmp-type name="echo-reply" accept'
This command configures the public zone to allow incoming ICMP echo-reply packets.
- Example 62: Configure a zone to block incoming traffic on a specific ICMP type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" icmp-type name="destination-unreachable" reject'
This command configures the public zone to block incoming ICMP destination-unreachable packets.
- Example 63: Configure a zone to allow incoming traffic of a specific ICMPv6 type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" icmp-type name="parameter-problem" accept'
This command configures the public zone to allow incoming IPv6 packets with the parameter-problem ICMPv6 type. With family="ipv6" the icmp-type element refers to ICMPv6 types; there is no separate ipv6-icmp-type attribute.
- Example 64: Configure a zone to block incoming traffic of a specific ICMPv6 type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" icmp-type name="packet-too-big" reject'
This command configures the public zone to block incoming IPv6 packets with the packet-too-big ICMPv6 type. Note that packet-too-big messages drive IPv6 path MTU discovery, so blocking them makes connections to hosts behind a smaller MTU stall.
- Example 65: Configure a zone to allow incoming traffic on a specific source port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="30000-40000" protocol="tcp" accept'
This command configures the public zone to allow incoming traffic from the specified source port range (30000-40000). The source-port element requires a protocol; TCP is assumed here.
- Example 66: Configure a zone to block incoming traffic on a specific destination port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="2000-3000" protocol="tcp" reject'
This command configures the public zone to block incoming traffic to the specified destination port range (2000-3000). The port element requires a protocol; TCP is assumed here.
- Example 67: Configure a zone to allow incoming traffic on a specific IP protocol number
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="112" accept'
This command configures the public zone to allow incoming traffic with the specific IP protocol number (112, which is VRRP).
- Example 68: Configure a zone to block incoming traffic on a specific IP protocol number
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="58" reject'
This command configures the public zone to block incoming traffic with the specific IP protocol number (58). Protocol 58 is IPv6-ICMP, which is carried only in IPv6 packets, so this family="ipv4" rule never matches anything; ICMPv6 is filtered with family="ipv6" and the icmp-type element as in Example 64.
- Example 69: Configure a zone to allow incoming traffic on a specific TCP option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-option="2" accept'
This command is meant to allow incoming TCP traffic carrying TCP option number 2, but tcp-option is not a rich-rule attribute, so firewall-cmd rejects the rule; option-level matching needs firewalld's direct interface or a native nftables rule.
- Example 70: Configure a zone to block incoming traffic on a specific TCP option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-option="4" reject'
Same limitation as Example 69: the rich language cannot match TCP option number 4, so this rule is rejected.
- Example 71: Configure a zone to allow incoming traffic on a specific UDP option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="udp" udp-option="7" accept'
This command is meant to allow incoming UDP traffic with "UDP option number 7", but the UDP header has no options field and udp-option is not a rich-rule attribute, so firewall-cmd rejects the rule.
- Example 72: Configure a zone to block incoming traffic on a specific UDP option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="udp" udp-option="9" reject'
Same limitation as Example 71: this rule is rejected.
- Example 73: Configure a zone to allow incoming traffic on a specific IP fragment flag
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-flags="MF" accept'
This command is meant to allow incoming traffic with the IP "more fragments" (MF) flag set, but MF is a flag of the IP header rather than a TCP flag, and tcp-flags is not a rich-rule attribute, so firewall-cmd rejects the rule; fragment handling needs the direct interface or a native nftables rule.
- Example 74: Configure a zone to block incoming traffic on a specific IP fragment flag
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" tcp-flags="DF" reject'
Same limitation as Example 73: the "don't fragment" (DF) flag cannot be matched by a rich rule, so this rule is rejected.
- Example 75: Configure a zone to allow incoming traffic on a specific IP header option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" ip-option="4" accept'
This command is meant to allow incoming TCP traffic carrying IP header option number 4, but ip-option is not a rich-rule attribute, so firewall-cmd rejects the rule.
- Example 76: Configure a zone to block incoming traffic on a specific IP header option
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="tcp" ip-option="7" reject'
Same limitation as Example 75: this rule is rejected.
- Example 77: Configure a zone to allow incoming traffic with a specific IP address range and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 on port 8080. The port element requires a protocol; TCP is assumed here.
- Example 78: Configure a zone to block incoming traffic with a specific IP address range and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 on port 22 (SSH).
- Example 79: Configure a zone to allow incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" accept'
These commands configure the public zone to allow incoming traffic from multiple specific IP addresses, one rich rule per address. For longer lists, a single rule with source ipset="name" over a firewalld ipset is easier to maintain than a rule per address.
- Example 80: Configure a zone to block incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" reject'
These commands configure the public zone to block incoming traffic from multiple specific IP addresses, one rich rule per address.
- Example 81: Configure a zone to allow incoming traffic on a specific network interface and port
firewall-cmd --zone=public --change-interface=eth0
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="8080" protocol="tcp" accept'
Rich rules have no in-interface attribute; in firewalld an interface is bound to a zone and the zone's rules apply to it. These commands bind eth0 to the public zone and then allow incoming TCP traffic on port 8080 in that zone, which is how "port 8080 on eth0" is expressed (the rule also covers any other interface bound to the same zone).
- Example 82: Configure a zone to block incoming traffic on a specific network interface and port
firewall-cmd --zone=public --change-interface=eth0
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
These commands bind eth0 to the public zone and block incoming SSH (port 22) traffic in that zone, replacing the unsupported in-interface="eth0" attribute of the original rule.
- Example 83: Configure a zone to allow incoming traffic on a specific source IP and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="80" protocol="tcp" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 on port 80. Destination ports are matched with the port element, which needs a protocol.
- Example 84: Configure a zone to block incoming traffic on a specific source IP and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="443" protocol="tcp" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 on port 443.
- Example 85: Configure a zone to allow incoming traffic on a specific source IP range and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 on port 8080 (TCP is assumed here).
- Example 86: Configure a zone to block incoming traffic on a specific source IP range and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command configures the public zone to block incoming SSH (port 22) traffic from the IP range 192.168.0.0/24.
- Example 87: Configure a zone to allow incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 88: Configure a zone to block incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 89: Configure a zone to allow incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
- Example 90: Configure a zone to block incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
- Example 91: Configure a zone to allow incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
- Example 92: Configure a zone to block incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
- Example 93: Configure a zone to allow incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
- Example 94: Configure a zone to block incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
- Example 95: Configure a zone to allow incoming traffic on a specific source MAC and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the specific MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
- Example 96: Configure a zone to block incoming traffic on a specific source MAC and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the specific MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
- Example 97: Configure a zone to allow incoming traffic on a specific source MAC range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22
Common firewall-cmd commands with scenarios. Feel free to ask for more examples if needed.
- List all active zones.
firewall-cmd –get-active-zones
This command displays all active firewall zones on the system.
- Add a service to a zone
firewall-cmd –zone=public –add-service=http
This command adds the HTTP service to the public zone, allowing incoming HTTP traffic.
- Example 3: Remove a service from a zone
firewall-cmd –zone=public –remove-service=http
This command removes the HTTP service from the public zone, disallowing incoming HTTP traffic.
- Example 4: Add a port to a zone
firewall-cmd –zone=public –add-port=8080/tcp
This command opens port 8080/tcp in the public zone, allowing incoming TCP traffic on that port.
- Example 5: Remove a port from a zone
firewall-cmd –zone=public –remove-port=8080/tcp
This command removes the rule that allows incoming TCP traffic on port 8080 from the public zone.
- Example 6: List all services in a zone
firewall-cmd –zone=public –list-services
This command lists all services allowed in the public zone.
- Example 7: List all ports in a zone
firewall-cmd –zone=public –list-ports
This command lists all ports opened in the public zone.
- Example 8: Set a default zone
firewall-cmd –set-default-zone=public
This command sets the public zone as the default zone for incoming network connections.
- Example 9: Enable masquerading
firewall-cmd –zone=public –add-masquerade
This command enables masquerading in the public zone, allowing Network Address Translation (NAT) for outgoing traffic.
- Example 10: Reload the firewall configuration
firewall-cmd –reload
.
- Example 11: List all zones
firewall-cmd –get-zones
This command lists all available firewall zones on the system.
- Example 12: Add a source IP address to a zone
firewall-cmd –zone=public –add-source=192.168.0.10
This command adds the IP address 192.168.0.10 to the allowed sources in the public zone.
- Example 13: Remove a source IP address from a zone
firewall-cmd –zone=public –remove-source=192.168.0.10
This command removes the IP address 192.168.0.10 from the allowed sources in the public zone.
- Example 14: Set a zone as the default for network interfaces
firewall-cmd –zone=public –change-interface=eth0
This command sets the public zone as the default zone for the network interface eth0.
- Example 15: Add a rich rule to a zone
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command adds a rich rule to the public zone, allowing incoming traffic from the IP subnet 192.168.0.0/24.
- Example 16: Remove a rich rule from a zone
firewall-cmd –zone=public –remove-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command removes a specific rich rule from the public zone.
- Example 17: Enable a specific firewall feature
firewall-cmd –permanent –enable=ipsec
This command enables the IPsec firewall feature.
- Example 18: Disable a specific firewall feature
firewall-cmd –permanent –disable=ipsec
This command disables the IPsec firewall feature.
- Example 19: Configure a zone to log packets
firewall-cmd –zone=public –set-target=LOG –log-prefix=”Firewall Log: “
This command configures the public zone to log packets with a custom log prefix.
- Example 20: Display the runtime status of the firewall
firewall-cmd –state
- Example 21: Add a custom service to a zone
firewall-cmd –permanent –zone=public –add-service=myapp
This command adds a custom service called “myapp” to the public zone, allowing incoming traffic on the defined ports for that service.
- Example 22: Remove a custom service from a zone
firewall-cmd –permanent –zone=public –remove-service=myapp
This command removes the custom service “myapp” from the public zone, disallowing incoming traffic on the defined ports for that service.
- Example 23: Reload the firewall configuration without losing established connections
firewall-cmd –reload –complete-reload
This command reloads the firewall configuration, ensuring that established connections are maintained during the reload process.
- Example 24: List all supported services
firewall-cmd –get-services
This command lists all the supported services that can be used with firewall-cmd.
- Example 25: Configure a zone to block all incoming traffic
firewall-cmd –zone=public –set-target=DROP
This command configures the public zone to drop all incoming traffic.
- Example 26: Configure a zone to block all outgoing traffic
firewall-cmd –zone=public –set-target=DROP –out-interface=eth0
This command configures the public zone to drop all outgoing traffic on the specified network interface.
- Example 27: Configure a zone to reject incoming traffic with a specific ICMP message
firewall-cmd –zone=public –set-target=REJECT –reject-with=icmp-port-unreachable
This command configures the public zone to reject incoming traffic with an ICMP “port unreachable” message.
- Example 28: Configure a zone to forward packets
firewall-cmd –zone=public –add-forward-port=port=80:proto=tcp:toport=8080
This command configures the public zone to forward incoming TCP traffic from port 80 to port 8080.
- Example 29: List all supported protocols
firewall-cmd –get-protocols
This command lists all the supported protocols that can be used with firewall-cmd.
- Example 30: Display the version of firewalld
firewall-cmd –version
This command displays the version of the firewalld firewall management tool installed on the system.
- Example 31: Add a source IP range to a zone
firewall-cmd –zone=public –add-source=192.168.0.0/24
This command adds the IP range 192.168.0.0/24 to the allowed sources in the public zone.
- Example 32: Remove a source IP range from a zone
firewall-cmd –zone=public –remove-source=192.168.0.0/24
This command removes the IP range 192.168.0.0/24 from the allowed sources in the public zone.
- Example 33: Configure a zone to reject all incoming traffic
firewall-cmd –zone=public –set-target=REJECT
This command configures the public zone to reject all incoming traffic.
- Example 34: Configure a zone to reject all outgoing traffic
firewall-cmd –zone=public –set-target=REJECT –out-interface=eth0
This command configures the public zone to reject all outgoing traffic on the specified network interface.
- Example 35: Configure a zone to log dropped packets
firewall-cmd –zone=public –set-target=LOG –log-prefix=”Dropped Packet: ” –log-level=notice
This command configures the public zone to log packets that are dropped with a custom log prefix and log level set to “notice”.
- Example 36: Configure a zone to limit the maximum number of connections
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ limit value=”10/s” accept’
This command configures the public zone to limit the maximum number of incoming connections to 10 per second.
- Example 37: Configure a zone to allow incoming traffic only from a specific source IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ accept’
This command configures the public zone to allow incoming traffic only from the specific source IP address 192.168.0.10.
- Example 38: Configure a zone to allow incoming traffic only on specific ports
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ port port=”80″ protocol=”tcp” accept’
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ port port=”443″ protocol=”tcp” accept’
This command configures the public zone to allow incoming TCP traffic on ports 80 and 443.
- Example 39: Configure a zone to block incoming traffic from a specific source IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ reject’
This command configures the public zone
- Example 41: Configure a zone to block outgoing traffic to a specific destination IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination address=”203.0.113.100″ reject’
This command configures the public zone to block outgoing traffic to the specific destination IP address 203.0.113.100.
- Example 42: Configure a zone to allow incoming traffic on a specific interface
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ interface=”eth0″ accept’
This command configures the public zone to allow incoming traffic on the network interface eth0.
- Example 43: Configure a zone to block all IPv6 traffic
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv6″ reject’
This command configures the public zone to block all incoming and outgoing IPv6 traffic.
- Example 44: List all runtime configurations of a zone
firewall-cmd –zone=public –list-all
This command displays all the runtime configurations of the public zone, including sources, services, ports, and rich rules.
- Example 45: Set the default action for a zone to drop incoming traffic
firewall-cmd –zone=public –set-target=DROP
This command sets the default action for the public zone to drop incoming traffic.
- Example 46: Set the default action for a zone to reject incoming traffic
firewall-cmd –zone=public –set-target=REJECT
This command sets the default action for the public zone to reject incoming traffic.
- Example 47: Configure a zone to forward specific ports to a different destination
firewall-cmd –zone=public –add-forward-port=port=80:proto=tcp:toaddr=192.168.0.10:toport=8080
This command configures the public zone to forward incoming TCP traffic from port 80 to port 8080 on the IP address 192.168.0.10.
- Example 48: Configure a zone to block specific ICMP packets
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol value=”icmp” icmp-type=echo-request reject’
This command configures the public zone to block incoming ICMP echo requests.
- Example 49: Configure a zone to allow incoming traffic on a specific source port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source port=”12345″ accept’
This command configures the public zone to allow incoming traffic on the specific source port 12345.
- Example 50: Configure a zone to block incoming traffic on a specific destination port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination port=”22″ reject’
This command configures the public zone to block incoming traffic on the specific destination port 22 (SSH).
Certainly! Here are 10 more examples of common firewall-cmd commands with scenarios:
- Example 51: Configure a zone to allow incoming traffic on a specific source IP range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command configures the public zone to allow incoming traffic from the specific IP range 192.168.0.0/24.
- Example 52: Configure a zone to block incoming traffic on a specific destination IP range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination address=”192.168.0.0/24″ reject’
This command configures the public zone to block incoming traffic to the specific IP range 192.168.0.0/24.
- Example 53: Configure a zone to allow incoming traffic on a specific source MAC address
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source mac=”00:11:22:33:44:55″ accept’
This command configures the public zone to allow incoming traffic from the specific MAC address 00:11:22:33:44:55.
- Example 54: Configure a zone to block incoming traffic on a specific destination MAC address
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination mac=”00:11:22:33:44:55″ reject’
This command configures the public zone to block incoming traffic to the specific MAC address 00:11:22:33:44:55.
- Example 55: Configure a zone to allow incoming traffic on a specific source VLAN
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source vlan=”100″ accept’
This command configures the public zone to allow incoming traffic from the specific VLAN ID 100.
- Example 56: Configure a zone to block incoming traffic on a specific destination VLAN
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination vlan=”100″ reject’
This command configures the public zone to block incoming traffic to the specific VLAN ID 100.
- Example 57: Configure a zone to allow incoming traffic from a specific user
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ user name=”alice” accept’
This command configures the public zone to allow incoming traffic from the specific user “alice”.
- Example 58: Configure a zone to block incoming traffic from a specific user
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ user name=”bob” reject’
This command configures the public zone to block incoming traffic from the specific user “bob”.
- Example 59: Configure a zone to allow incoming traffic on a specific TCP flag
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-flags=”FIN,SYN” accept’
This command configures the public zone to allow incoming TCP traffic with the “FIN” and “SYN” flags set.
- Example 60: Configure a zone to block incoming traffic on a specific TCP flag
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-flags=”RST” reject’
This command configures the public zone to block incoming TCP traffic with the “RST” flag set.
- Example 61: Configure a zone to allow incoming traffic on a specific ICMP type
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”icmp” icmp-type=”echo-reply” accept’
This command configures the public zone to allow incoming ICMP echo-reply packets.
- Example 62: Configure a zone to block incoming traffic on a specific ICMP type
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”icmp” icmp-type=”destination-unreachable” reject’
This command configures the public zone to block incoming ICMP destination-unreachable packets.
- Example 63: Configure a zone to allow incoming traffic on a specific IPv6 extension header
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv6″ protocol=”ipv6-icmp” ipv6-icmp-type=”parameter-problem” accept’
This command configures the public zone to allow incoming IPv6 packets with the parameter-problem ICMPv6 type.
- Example 64: Configure a zone to block incoming traffic on a specific IPv6 extension header
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv6″ protocol=”ipv6-icmp” ipv6-icmp-type=”packet-too-big” reject’
This command configures the public zone to block incoming IPv6 packets with the packet-too-big ICMPv6 type.
- Example 65: Configure a zone to allow incoming traffic on a specific source port range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source port=”30000-40000″ accept’
This command configures the public zone to allow incoming traffic from the specified source port range (30000-40000).
- Example 66: Configure a zone to block incoming traffic on a specific destination port range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination port=”2000-3000″ reject’
This command configures the public zone to block incoming traffic to the specified destination port range (2000-3000).
- Example 67: Configure a zone to allow incoming traffic on a specific IP protocol number
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol value=”112″ accept’
This command configures the public zone to allow incoming traffic with the specific IP protocol number (112).
- Example 68: Configure a zone to block incoming traffic on a specific IP protocol number
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol value=”58″ reject’
This command configures the public zone to block incoming traffic with the specific IP protocol number (58).
- Example 69: Configure a zone to allow incoming traffic on a specific TCP option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-option=”2″ accept’
This command configures the public zone to allow incoming TCP traffic with the specific TCP option number (2).
- Example 70: Configure a zone to block incoming traffic on a specific TCP option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-option=”4″ reject’
This command configures the public zone to block incoming TCP traffic with the specific TCP option number (4).
- Example 71: Configure a zone to allow incoming traffic on a specific UDP option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”udp” udp-option=”7″ accept’
This command configures the public zone to allow incoming UDP traffic with the specific UDP option number (7).
- Example 72: Configure a zone to block incoming traffic on a specific UDP option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”udp” udp-option=”9″ reject’
This command configures the public zone to block incoming UDP traffic with the specific UDP option number (9).
- Example 73: Configure a zone to allow incoming traffic on a specific IP fragment flag
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-flags=”MF” accept’
This command configures the public zone to allow incoming TCP traffic with the IP fragment flag “MF” set.
- Example 74: Configure a zone to block incoming traffic on a specific IP fragment flag
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-flags=”DF” reject’
This command configures the public zone to block incoming TCP traffic with the IP fragment flag “DF” set.
- Example 75: Configure a zone to allow incoming traffic on a specific IP header option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” ip-option=”4″ accept’
This command configures the public zone to allow incoming TCP traffic with the specific IP header option number (4).
- Example 76: Configure a zone to block incoming traffic on a specific IP header option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” ip-option=”7″ reject’
This command configures the public zone to block incoming TCP traffic with the specific IP header option number (7).
- Example 77: Configure a zone to allow incoming traffic with a specific IP address range and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the IP range 192.168.0.0/24 on port 8080 (the port element of a rich rule always needs a protocol).
- Example 78: Configure a zone to block incoming traffic with a specific IP address range and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command configures the public zone to block incoming TCP traffic from the IP range 192.168.0.0/24 on port 22 (SSH).
- Example 79: Configure a zone to allow incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" accept'
These commands configure the public zone to allow incoming traffic from multiple specific IP addresses, one rich rule per address.
- Example 80: Configure a zone to block incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" reject'
These commands configure the public zone to block incoming traffic from multiple specific IP addresses, one rich rule per address.
- Example 81: Configure a zone to allow incoming traffic on a specific network interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="8080" protocol="tcp" accept'
These commands bind the network interface eth0 to the public zone and allow incoming TCP traffic on port 8080 there; the rich rule language has no interface match, so traffic is scoped to an interface by the zone it belongs to.
- Example 82: Configure a zone to block incoming traffic on a specific network interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
These commands bind the network interface eth0 to the public zone and block incoming SSH (port 22) traffic arriving on it.
- Example 83: Configure a zone to allow incoming traffic on a specific source IP and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="80" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the IP address 192.168.0.10 on port 80 (the destination port is expressed with the port element, not with destination).
- Example 84: Configure a zone to block incoming traffic on a specific source IP and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="443" protocol="tcp" reject'
This command configures the public zone to block incoming TCP traffic from the IP address 192.168.0.10 on port 443.
- Example 85: Configure a zone to allow incoming traffic on a specific source IP range and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic from the IP range 192.168.0.0/24 on port 8080.
- Example 86: Configure a zone to block incoming traffic on a specific source IP range and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command configures the public zone to block incoming SSH (port 22) traffic from the IP range 192.168.0.0/24.
- Example 87: Configure a zone to allow incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 88: Configure a zone to block incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 89: Configure a zone to allow incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
- Example 90: Configure a zone to block incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
- Example 91: Configure a zone to allow incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
- Example 92: Configure a zone to block incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
- Example 93: Configure a zone to allow incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
- Example 94: Configure a zone to block incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
- Example 95: Configure a zone to allow incoming traffic on a specific source MAC and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the specific MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
- Example 96: Configure a zone to block incoming traffic on a specific source MAC and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the specific MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
- Example 97: Configure a zone to allow incoming traffic on a specific source MAC range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:00:00:00/FF:FF:FF:00:00:00" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from MAC addresses matching 00:11:22:00:00:00 under the mask FF:FF:FF:00:00:00 to the IP address 203.0.113.100.
- Example 98: Configure a zone to block incoming traffic on a specific source MAC range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:00:00:00/FF:FF:FF:00:00:00" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from MAC addresses matching 00:11:22:00:00:00 under the mask FF:FF:FF:00:00:00 to the IP address 203.0.113.100.
- Example 99: Configure a zone to allow incoming traffic on a specific protocol and source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
This command configures the public zone to allow incoming TCP traffic with the specific source port 12345 (the source-port element carries both the port and the protocol).
- Example 100: Configure a zone to block incoming traffic on a specific protocol and source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="udp
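Most of the examples in this list are rich rules, and several of them use element names that firewalld does not recognise. The following is an added example, not code from the original page or from the firewalld project: a small offline linter for rich-rule strings, with the element and attribute table transcribed from firewalld.richlanguage(5). It never calls firewall-cmd, so it can be run anywhere to check a rule before it reaches --add-rich-rule. It reports, for instance, that the port element needs protocol=, that protocol must be written protocol value="...", that an explicit action is not allowed beside forward-port, and that tcp-option, udp-option, ip-option, in-interface and masked MAC addresses are not part of the language. The function names lint_rich_rule and to_firewall_cmd are my own choice; the sample rules at the bottom are taken from the examples above.

```python
"""Offline linter for firewalld rich-rule strings.

Added example; not firewalld's own code.  The element/attribute table is
transcribed from firewalld.richlanguage(5).  Nothing here calls firewall-cmd,
so it can run anywhere to check a rule before it reaches --add-rich-rule.
"""
import re
import shlex

# Element -> attributes it accepts.  A trailing "*" marks a required attribute.
ELEMENTS = {
    "source":       {"address", "mac", "ipset", "not"},
    "destination":  {"address", "ipset", "not"},
    "service":      {"name*"},
    "port":         {"port*", "protocol*"},
    "protocol":     {"value*"},
    "icmp-block":   {"name*"},
    "icmp-type":    {"name*"},
    "masquerade":   set(),
    "forward-port": {"port*", "protocol*", "to-port", "to-addr"},
    "source-port":  {"port*", "protocol*"},
    "log":          {"prefix", "level"},
    "audit":        set(),
    "limit":        {"value*"},
    "accept":       set(),
    "reject":       {"type"},
    "drop":         set(),
    "mark":         {"set*"},
}
ACTIONS = {"accept", "reject", "drop", "mark"}
# At most one match element per rule; the last three carry an implicit action.
MATCH_ELEMENTS = {"service", "port", "protocol", "icmp-type", "source-port",
                  "icmp-block", "masquerade", "forward-port"}
IMPLICIT_ACTION = {"icmp-block", "masquerade", "forward-port"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _allowed(element):
    return {a.rstrip("*") for a in ELEMENTS[element]}


def _required(element):
    return sorted(a[:-1] for a in ELEMENTS[element] if a.endswith("*"))


def lint_rich_rule(rule):
    """Return a list of problems in `rule`; an empty list means it parses.

    Pass the rule text itself, e.g. 'rule family="ipv4" source address="10.0.0.1" accept'.
    """
    tokens = shlex.split(rule)          # strips the "..." around attribute values
    if not tokens or tokens[0] != "rule":
        return ["rule text must start with the keyword 'rule'"]
    problems, header, elements, current = [], {}, [], None
    for tok in tokens[1:]:
        if "=" in tok:                                       # key=value attribute
            key, value = tok.split("=", 1)
            if current is None and key in ("family", "priority"):
                header[key] = value
            elif current is not None and key in _allowed(current[0]):
                current[1][key] = value
            elif key in ELEMENTS:                            # e.g. protocol="tcp", port="80"
                spelled = " ".join(f'{a}="..."' for a in _required(key)) or "(no attributes)"
                problems.append(f"'{key}={value}' is not valid: '{key}' is an element, "
                                f"written '{key} {spelled}'")
            elif current is not None:
                problems.append(f"'{current[0]}' does not take '{key}' "
                                f"(allowed: {', '.join(sorted(_allowed(current[0]))) or 'none'})")
            else:
                problems.append(f"'{key}' is not part of the rich language")
        elif tok.upper() == "NOT" and current is not None and current[0] in ("source", "destination"):
            current[1]["not"] = "true"                       # source NOT address=... inverts the match
        elif tok in ELEMENTS:                                # start collecting a new element
            current = (tok, {})
            elements.append(current)
        else:
            problems.append(f"'{tok}' is not a rich-language element")
            current = None

    if header.get("family", "ipv4") not in ("ipv4", "ipv6"):
        problems.append(f"family must be ipv4 or ipv6, not '{header['family']}'")
    for name, attrs in elements:
        missing = [a for a in _required(name) if a not in attrs]
        if missing:
            problems.append(f"'{name}' is missing required attribute(s): {', '.join(missing)}")
        if name in ("source", "destination") and not (attrs.keys() & {"address", "mac", "ipset"}):
            problems.append(f"'{name}' needs an address=, mac= or ipset= selector")
        if name == "source" and "mac" in attrs and not MAC_RE.match(attrs["mac"]):
            problems.append("source mac= must be one full MAC address; masks or ranges are not supported")
    names = [n for n, _ in elements]
    matches = [n for n in names if n in MATCH_ELEMENTS]
    actions = [n for n in names if n in ACTIONS]
    if len(matches) > 1:
        problems.append(f"only one match element is allowed, found: {', '.join(matches)}")
    if len(actions) > 1:
        problems.append(f"only one action is allowed, found: {', '.join(actions)}")
    implicit = any(m in IMPLICIT_ACTION for m in matches)
    if implicit and actions:
        problems.append(f"'{matches[0]}' carries its own action; drop the explicit '{actions[0]}'")
    if not implicit and not actions:
        problems.append("rule has no action (accept, reject, drop or mark)")
    return problems


def to_firewall_cmd(zone, rule, permanent=False):
    """Build the firewall-cmd line for a rule that passed the linter (shell-quoted)."""
    problems = lint_rich_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    flags = ["--permanent"] if permanent else []
    return " ".join(["firewall-cmd", *flags, f"--zone={zone}",
                     f"--add-rich-rule={shlex.quote(rule)}"])


if __name__ == "__main__":
    # Rules taken from the examples above; the first two are invalid as written there.
    for sample in [
        'rule family="ipv4" protocol="tcp" tcp-option="4" reject',                                     # Example 70
        'rule family="ipv4" source address="192.168.0.0/24" port port="8080" accept',                  # Example 77
        'rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" accept',  # Example 87
    ]:
        print(sample, "->", lint_rich_rule(sample) or "OK")
```

The linter is deliberately stricter than lenient: anything it cannot place in the grammar is reported rather than silently dropped, which is the behaviour you want from a pre-commit check on firewall changes. A rule that passes here can still be rejected by firewalld for semantic reasons (an unknown service name, an ipset that does not exist), so the real `--add-rich-rule` exit status remains the final word.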
Examples of examples of common firewall-cmd commands with scenarios. Feel free to ask for more examples if needed.
- List all active zones.
firewall-cmd –get-active-zones
This command displays all active firewall zones on the system.
- Add a service to a zone
firewall-cmd –zone=public –add-service=http
This command adds the HTTP service to the public zone, allowing incoming HTTP traffic.
- Example 3: Remove a service from a zone
firewall-cmd –zone=public –remove-service=http
This command removes the HTTP service from the public zone, disallowing incoming HTTP traffic.
- Example 4: Add a port to a zone
firewall-cmd –zone=public –add-port=8080/tcp
This command opens port 8080/tcp in the public zone, allowing incoming TCP traffic on that port.
- Example 5: Remove a port from a zone
firewall-cmd –zone=public –remove-port=8080/tcp
This command removes the rule that allows incoming TCP traffic on port 8080 from the public zone.
- Example 6: List all services in a zone
firewall-cmd –zone=public –list-services
This command lists all services allowed in the public zone.
- Example 7: List all ports in a zone
firewall-cmd –zone=public –list-ports
This command lists all ports opened in the public zone.
- Example 8: Set a default zone
firewall-cmd –set-default-zone=public
This command sets the public zone as the default zone for incoming network connections.
- Example 9: Enable masquerading
firewall-cmd –zone=public –add-masquerade
This command enables masquerading in the public zone, allowing Network Address Translation (NAT) for outgoing traffic.
- Example 10: Reload the firewall configuration
firewall-cmd –reload
.
- Example 11: List all zones
firewall-cmd –get-zones
This command lists all available firewall zones on the system.
- Example 12: Add a source IP address to a zone
firewall-cmd –zone=public –add-source=192.168.0.10
This command adds the IP address 192.168.0.10 to the allowed sources in the public zone.
- Example 13: Remove a source IP address from a zone
firewall-cmd –zone=public –remove-source=192.168.0.10
This command removes the IP address 192.168.0.10 from the allowed sources in the public zone.
- Example 14: Set a zone as the default for network interfaces
firewall-cmd –zone=public –change-interface=eth0
This command sets the public zone as the default zone for the network interface eth0.
- Example 15: Add a rich rule to a zone
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command adds a rich rule to the public zone, allowing incoming traffic from the IP subnet 192.168.0.0/24.
- Example 16: Remove a rich rule from a zone
firewall-cmd –zone=public –remove-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command removes a specific rich rule from the public zone.
- Example 17: Enable a specific firewall feature
firewall-cmd –permanent –enable=ipsec
This command enables the IPsec firewall feature.
- Example 18: Disable a specific firewall feature
firewall-cmd –permanent –disable=ipsec
This command disables the IPsec firewall feature.
- Example 19: Configure a zone to log packets
firewall-cmd –zone=public –set-target=LOG –log-prefix=”Firewall Log: “
This command configures the public zone to log packets with a custom log prefix.
- Example 20: Display the runtime status of the firewall
firewall-cmd –state
- Example 21: Add a custom service to a zone
firewall-cmd –permanent –zone=public –add-service=myapp
This command adds a custom service called “myapp” to the public zone, allowing incoming traffic on the defined ports for that service.
- Example 22: Remove a custom service from a zone
firewall-cmd –permanent –zone=public –remove-service=myapp
This command removes the custom service “myapp” from the public zone, disallowing incoming traffic on the defined ports for that service.
- Example 23: Reload the firewall configuration without losing established connections
firewall-cmd –reload –complete-reload
This command reloads the firewall configuration, ensuring that established connections are maintained during the reload process.
- Example 24: List all supported services
firewall-cmd –get-services
This command lists all the supported services that can be used with firewall-cmd.
- Example 25: Configure a zone to block all incoming traffic
firewall-cmd –zone=public –set-target=DROP
This command configures the public zone to drop all incoming traffic.
- Example 26: Configure a zone to block all outgoing traffic
firewall-cmd –zone=public –set-target=DROP –out-interface=eth0
This command configures the public zone to drop all outgoing traffic on the specified network interface.
- Example 27: Configure a zone to reject incoming traffic with a specific ICMP message
firewall-cmd –zone=public –set-target=REJECT –reject-with=icmp-port-unreachable
This command configures the public zone to reject incoming traffic with an ICMP “port unreachable” message.
- Example 28: Configure a zone to forward packets
firewall-cmd –zone=public –add-forward-port=port=80:proto=tcp:toport=8080
This command configures the public zone to forward incoming TCP traffic from port 80 to port 8080.
- Example 29: List all supported protocols
firewall-cmd –get-protocols
This command lists all the supported protocols that can be used with firewall-cmd.
- Example 30: Display the version of firewalld
firewall-cmd –version
This command displays the version of the firewalld firewall management tool installed on the system.
- Example 31: Add a source IP range to a zone
firewall-cmd –zone=public –add-source=192.168.0.0/24
This command adds the IP range 192.168.0.0/24 to the allowed sources in the public zone.
- Example 32: Remove a source IP range from a zone
firewall-cmd –zone=public –remove-source=192.168.0.0/24
This command removes the IP range 192.168.0.0/24 from the allowed sources in the public zone.
- Example 33: Configure a zone to reject all incoming traffic
firewall-cmd –zone=public –set-target=REJECT
This command configures the public zone to reject all incoming traffic.
- Example 34: Configure a zone to reject all outgoing traffic
firewall-cmd –zone=public –set-target=REJECT –out-interface=eth0
This command configures the public zone to reject all outgoing traffic on the specified network interface.
- Example 35: Configure a zone to log dropped packets
firewall-cmd –zone=public –set-target=LOG –log-prefix=”Dropped Packet: ” –log-level=notice
This command configures the public zone to log packets that are dropped with a custom log prefix and log level set to “notice”.
- Example 36: Configure a zone to limit the maximum number of connections
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ limit value=”10/s” accept’
This command configures the public zone to limit the maximum number of incoming connections to 10 per second.
- Example 37: Configure a zone to allow incoming traffic only from a specific source IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ accept’
This command configures the public zone to allow incoming traffic only from the specific source IP address 192.168.0.10.
- Example 38: Configure a zone to allow incoming traffic only on specific ports
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ port port=”80″ protocol=”tcp” accept’
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ port port=”443″ protocol=”tcp” accept’
This command configures the public zone to allow incoming TCP traffic on ports 80 and 443.
- Example 39: Configure a zone to block incoming traffic from a specific source IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ reject’
This command configures the public zone
- Example 41: Configure a zone to block outgoing traffic to a specific destination IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination address=”203.0.113.100″ reject’
This command configures the public zone to block outgoing traffic to the specific destination IP address 203.0.113.100.
- Example 42: Configure a zone to allow incoming traffic on a specific interface
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ interface=”eth0″ accept’
This command configures the public zone to allow incoming traffic on the network interface eth0.
- Example 43: Configure a zone to block all IPv6 traffic
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv6″ reject’
This command configures the public zone to block all incoming and outgoing IPv6 traffic.
- Example 44: List all runtime configurations of a zone
firewall-cmd –zone=public –list-all
This command displays all the runtime configurations of the public zone, including sources, services, ports, and rich rules.
- Example 45: Set the default action for a zone to drop incoming traffic
firewall-cmd –zone=public –set-target=DROP
This command sets the default action for the public zone to drop incoming traffic.
- Example 46: Set the default action for a zone to reject incoming traffic
firewall-cmd –zone=public –set-target=REJECT
This command sets the default action for the public zone to reject incoming traffic.
- Example 47: Configure a zone to forward specific ports to a different destination
firewall-cmd –zone=public –add-forward-port=port=80:proto=tcp:toaddr=192.168.0.10:toport=8080
This command configures the public zone to forward incoming TCP traffic from port 80 to port 8080 on the IP address 192.168.0.10.
- Example 48: Configure a zone to block specific ICMP packets
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol value=”icmp” icmp-type=echo-request reject’
This command configures the public zone to block incoming ICMP echo requests.
- Example 49: Configure a zone to allow incoming traffic on a specific source port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source port=”12345″ accept’
This command configures the public zone to allow incoming traffic on the specific source port 12345.
- Example 50: Configure a zone to block incoming traffic on a specific destination port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination port=”22″ reject’
This command configures the public zone to block incoming traffic on the specific destination port 22 (SSH).
Certainly! Here are 10 more examples of common firewall-cmd commands with scenarios:
- Example 51: Configure a zone to allow incoming traffic on a specific source IP range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ accept’
This command configures the public zone to allow incoming traffic from the specific IP range 192.168.0.0/24.
- Example 52: Configure a zone to block incoming traffic on a specific destination IP range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination address=”192.168.0.0/24″ reject’
This command configures the public zone to block incoming traffic to the specific IP range 192.168.0.0/24.
- Example 53: Configure a zone to allow incoming traffic on a specific source MAC address
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source mac=”00:11:22:33:44:55″ accept’
This command configures the public zone to allow incoming traffic from the specific MAC address 00:11:22:33:44:55.
- Example 54: Configure a zone to block incoming traffic on a specific destination MAC address
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination mac=”00:11:22:33:44:55″ reject’
This command configures the public zone to block incoming traffic to the specific MAC address 00:11:22:33:44:55.
- Example 55: Configure a zone to allow incoming traffic on a specific source VLAN
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source vlan=”100″ accept’
This command configures the public zone to allow incoming traffic from the specific VLAN ID 100.
- Example 56: Configure a zone to block incoming traffic on a specific destination VLAN
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination vlan=”100″ reject’
This command configures the public zone to block incoming traffic to the specific VLAN ID 100.
- Example 57: Configure a zone to allow incoming traffic from a specific user
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ user name=”alice” accept’
This command configures the public zone to allow incoming traffic from the specific user “alice”.
- Example 58: Configure a zone to block incoming traffic from a specific user
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ user name=”bob” reject’
This command configures the public zone to block incoming traffic from the specific user “bob”.
- Example 59: Configure a zone to allow incoming traffic on a specific TCP flag
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-flags=”FIN,SYN” accept’
This command configures the public zone to allow incoming TCP traffic with the “FIN” and “SYN” flags set.
- Example 60: Configure a zone to block incoming traffic on a specific TCP flag
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-flags=”RST” reject’
This command configures the public zone to block incoming TCP traffic with the “RST” flag set.
- Example 61: Configure a zone to allow incoming traffic on a specific ICMP type
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”icmp” icmp-type=”echo-reply” accept’
This command configures the public zone to allow incoming ICMP echo-reply packets.
- Example 62: Configure a zone to block incoming traffic on a specific ICMP type
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”icmp” icmp-type=”destination-unreachable” reject’
This command configures the public zone to block incoming ICMP destination-unreachable packets.
- Example 63: Configure a zone to allow incoming traffic on a specific IPv6 extension header
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv6″ protocol=”ipv6-icmp” ipv6-icmp-type=”parameter-problem” accept’
This command configures the public zone to allow incoming IPv6 packets with the parameter-problem ICMPv6 type.
- Example 64: Configure a zone to block incoming traffic on a specific IPv6 extension header
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv6″ protocol=”ipv6-icmp” ipv6-icmp-type=”packet-too-big” reject’
This command configures the public zone to block incoming IPv6 packets with the packet-too-big ICMPv6 type.
- Example 65: Configure a zone to allow incoming traffic on a specific source port range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source port=”30000-40000″ accept’
This command configures the public zone to allow incoming traffic from the specified source port range (30000-40000).
- Example 66: Configure a zone to block incoming traffic on a specific destination port range
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ destination port=”2000-3000″ reject’
This command configures the public zone to block incoming traffic to the specified destination port range (2000-3000).
- Example 67: Configure a zone to allow incoming traffic on a specific IP protocol number
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol value=”112″ accept’
This command configures the public zone to allow incoming traffic with the specific IP protocol number (112).
- Example 68: Configure a zone to block incoming traffic on a specific IP protocol number
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol value=”58″ reject’
This command configures the public zone to block incoming traffic with the specific IP protocol number (58).
- Example 69: Configure a zone to allow incoming traffic on a specific TCP option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-option=”2″ accept’
This command configures the public zone to allow incoming TCP traffic with the specific TCP option number (2).
- Example 70: Configure a zone to block incoming traffic on a specific TCP option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-option=”4″ reject’
This command configures the public zone to block incoming TCP traffic with the specific TCP option number (4).
- Example 71: Configure a zone to allow incoming traffic on a specific UDP option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”udp” udp-option=”7″ accept’
This command configures the public zone to allow incoming UDP traffic with the specific UDP option number (7).
- Example 72: Configure a zone to block incoming traffic on a specific UDP option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”udp” udp-option=”9″ reject’
This command configures the public zone to block incoming UDP traffic with the specific UDP option number (9).
- Example 73: Configure a zone to allow incoming traffic on a specific IP fragment flag
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-flags=”MF” accept’
This command configures the public zone to allow incoming TCP traffic with the IP fragment flag “MF” set.
- Example 74: Configure a zone to block incoming traffic on a specific IP fragment flag
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” tcp-flags=”DF” reject’
This command configures the public zone to block incoming TCP traffic with the IP fragment flag “DF” set.
- Example 75: Configure a zone to allow incoming traffic on a specific IP header option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” ip-option=”4″ accept’
This command configures the public zone to allow incoming TCP traffic with the specific IP header option number (4).
- Example 76: Configure a zone to block incoming traffic on a specific IP header option
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ protocol=”tcp” ip-option=”7″ reject’
This command configures the public zone to block incoming TCP traffic with the specific IP header option number (7).
- Example 77: Configure a zone to allow incoming traffic with a specific IP address range and port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ port port=”8080″ accept’
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 on port 8080.
- Example 78: Configure a zone to block incoming traffic with a specific IP address range and port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ port port=”22″ reject’
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 on port 22 (SSH).
- Example 79: Configure a zone to allow incoming traffic from multiple IP addresses
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ accept’
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.20″ accept’
This command configures the public zone to allow incoming traffic from multiple specific IP addresses.
- Example 80: Configure a zone to block incoming traffic from multiple IP addresses
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ reject’
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.20″ reject’
This command configures the public zone to block incoming traffic from multiple specific IP addresses.
- Example 81: Configure a zone to allow incoming traffic on a specific network interface and port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ in-interface=”eth0″ port port=”8080″ accept’
This command configures the public zone to allow incoming traffic on port 8080 only from the network interface eth0.
- Example 82: Configure a zone to block incoming traffic on a specific network interface and port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ in-interface=”eth0″ port port=”22″ reject’
This command configures the public zone to block incoming SSH (port 22) traffic from the network interface eth0.
- Example 83: Configure a zone to allow incoming traffic on a specific source IP and destination port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ destination port=”80″ accept’
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 on port 80.
- Example 84: Configure a zone to block incoming traffic on a specific source IP and destination port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ destination port=”443″ reject’
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 on port 443.
- Example 85: Configure a zone to allow incoming traffic on a specific source IP range and destination port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ destination port=”8080″ accept’
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 on port 8080.
- Example 86: Configure a zone to block incoming traffic on a specific source IP range and destination port
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.0/24″ destination port=”22″ reject’
This command configures the public zone to block incoming SSH (port 22) traffic from the IP range 192.168.0.0/24.
- Example 87: Configure a zone to allow incoming traffic on a specific source IP and destination IP
firewall-cmd –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”192.168.0.10″ destination address=”203.0.113.100″ accept’
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
- Example 14: Bind a network interface to a zone
firewall-cmd --zone=public --change-interface=eth0
This command moves the interface eth0 into the public zone (out of whatever zone it was in), so traffic arriving on eth0 is filtered by the public zone's rules. On hosts where NetworkManager manages the connection, set the zone in the connection profile instead (the connection.zone property); otherwise the binding is lost when the connection is brought up again.
- Example 15: Add a rich rule to a zone
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command adds a rich rule to the public zone that accepts every new connection from the subnet 192.168.0.0/24, regardless of which services the zone otherwise allows.
- Example 16: Remove a rich rule from a zone
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command removes that rich rule from the public zone. The rule text has to match the stored rule; firewall-cmd --zone=public --list-rich-rules shows the rules as stored.
- Example 17: Allow the predefined IPsec service in a zone
firewall-cmd --permanent --zone=public --add-service=ipsec
This command adds the ipsec service (IKE on udp/500 and udp/4500 plus the AH and ESP protocols, as shown by firewall-cmd --info-service=ipsec) to the permanent configuration of the public zone; run firewall-cmd --reload to activate it. firewall-cmd has no --enable or --disable option; features are enabled by adding services, ports, protocols or rich rules to a zone.
- Example 18: Remove the IPsec service from a zone
firewall-cmd --permanent --zone=public --remove-service=ipsec
This command removes the ipsec service from the permanent configuration of the public zone, again followed by a reload.
- Example 19: Log connections that match a rule
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" log prefix="Firewall Log: " level="info" limit value="1/m" accept'
This command accepts new connections from 192.168.0.0/24 in the public zone and writes each one to the kernel log (journalctl -k) with the prefix "Firewall Log: ", limited to one entry per minute. firewall-cmd has no --set-target=LOG or --log-prefix option: logging is configured per rich rule with log prefix=, level= and limit value=, or globally for denied packets with --set-log-denied. Always give a log rule a limit; unthrottled firewall logging lets any remote host fill the journal.
- Example 20: Display the runtime status of the firewall
firewall-cmd --state
This command prints "running" and exits with status 0 when firewalld is active, or "not running" with a non-zero status, which makes it usable as a check in scripts.
- Example 21: Add a custom service to a zone
firewall-cmd --permanent --zone=public --add-service=myapp
This command adds the custom service "myapp" to the public zone, allowing incoming traffic on the ports defined in that service. The service must exist first: create it with --permanent --new-service=myapp, give it ports with --permanent --service=myapp --add-port=..., then reload.
- Example 22: Remove a custom service from a zone
firewall-cmd --permanent --zone=public --remove-service=myapp
This command removes the custom service "myapp" from the permanent configuration of the public zone, closing the ports defined for that service after the next reload.
- Example 23: Reload the firewall configuration without losing established connections
firewall-cmd --reload
This command loads the permanent configuration into the runtime. Connection-tracking state is kept, so established connections survive; runtime-only changes (anything added without --permanent) are discarded. The separate --complete-reload option does the opposite of what this example intends: it also flushes connection tracking and netfilter kernel modules and terminates active connections, and it is only for recovering from an inconsistent firewall state. The two options are not combined.
- Example 24: List all supported services
firewall-cmd --get-services
This command lists the names of all service definitions (built-in and custom) that can be used with --add-service; firewall-cmd --info-service=NAME shows the ports behind a name.
- Example 25: Configure a zone to drop all incoming traffic that is not explicitly allowed
firewall-cmd --permanent --zone=public --set-target=DROP
This command sets the target of the public zone, the fate of packets that match none of the zone's services, ports or rich rules, to DROP; it takes effect after firewall-cmd --reload. --set-target is only available with --permanent. Allowed services keep working; everything else is silently discarded, whereas the zone's usual "default" target answers with an ICMP rejection.
- Example 26: Block all outgoing traffic
Zone targets only apply to incoming packets, and firewall-cmd has no --out-interface option, so the command originally listed here does not exist. Outgoing traffic is filtered with a policy (firewalld 0.9 and later) from the HOST pseudo-zone to any zone:
firewall-cmd --permanent --new-policy=egress-block
firewall-cmd --permanent --policy=egress-block --add-ingress-zone=HOST
firewall-cmd --permanent --policy=egress-block --add-egress-zone=ANY
firewall-cmd --permanent --policy=egress-block --set-target=DROP
firewall-cmd --reload
These commands drop every connection the host itself originates, except those matched by services, ports or rich rules added to the policy (for example --permanent --policy=egress-block --add-service=dns). Add what the host needs before the reload, or it loses name resolution and package updates along with everything else.
- Example 27: Reject traffic with a specific ICMP message
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" reject type="icmp-port-unreachable"'
This command rejects new connections from 192.168.0.0/24 in the public zone and answers each with an ICMP "port unreachable". There is no --reject-with option; the reject type is chosen per rich rule, and the IPv4 choices are icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, icmp-admin-prohibited and tcp-reset.
- Example 28: Redirect a port on the local host
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080
This command redirects incoming TCP traffic on port 80 to port 8080 on the same host, which lets a service run unprivileged on a high port while clients still use port 80. No masquerading is needed for a redirect to the local host.
- Example 29: List the protocols and ICMP types usable in rules
firewall-cmd --get-icmptypes
firewall-cmd has no --get-protocols option. ICMP type names for --add-icmp-block and icmp-block rich rules come from this command; IP protocol names for --add-protocol and protocol value= rules are the ones in /etc/protocols (getent protocols).
- Example 30: Display the version of firewalld
firewall-cmd --version
This command displays the version of the installed firewalld, which matters because policies, rich-rule priorities and some reject types are only available in newer releases.
- Example 31: Bind a source IP range to a zone
firewall-cmd --zone=public --add-source=192.168.0.0/24
This command binds the range 192.168.0.0/24 to the public zone: packets from these addresses are filtered by the public zone's rules regardless of the interface they arrive on. Binding a source does not by itself allow anything; what is allowed depends on the zone's services, ports, rich rules and target.
- Example 32: Remove a source IP range from a zone
firewall-cmd --zone=public --remove-source=192.168.0.0/24
This command removes the binding, so packets from 192.168.0.0/24 fall back to the zone of the interface they arrive on.
- Example 33: Configure a zone to reject all incoming traffic that is not explicitly allowed
firewall-cmd --permanent --zone=public --set-target=%%REJECT%%
This command sets the target of the public zone to reject (active after firewall-cmd --reload): packets that match no allow rule are answered with an ICMP error instead of being dropped silently. For the public zone this is effectively what the built-in "default" target already does, so the command mostly serves to make the choice explicit.
- Example 34: Configure a zone to reject all outgoing traffic
As in Example 26, zone targets never apply to outgoing traffic and --out-interface is not a firewall-cmd option. Use a policy with ingress zone HOST and egress zone ANY, and give it --set-target=REJECT if you want the host to get an immediate error rather than a timeout when a blocked connection is attempted.
- Example 35: Log dropped and rejected packets
firewall-cmd --set-log-denied=all
This command makes firewalld log every packet that hits a zone or policy target (drop or reject) to the kernel log, visible with journalctl -k; accepted values are all, unicast, broadcast, multicast and off, and --get-log-denied shows the current setting. The setting is both runtime and permanent. The prefix and level are fixed by firewalld; use a rich rule with log prefix= and level= when you need your own.
- Example 36: Rate-limit new connections to a service
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" service name="ssh" accept limit value="10/m"'
This command accepts at most ten new SSH connections per minute in the public zone. limit belongs to the action (accept, reject, drop, mark) and is written after it; the rate units are s, m, h and d. A rich rule with only a family and a limit, as originally listed, is invalid because a rule needs a source, destination or element. The limit is global for the rule, not per client, so one noisy source can exhaust it for everyone. Connections above the limit are not rejected by this rule; they continue to the rest of the zone, so remove the plain ssh service from the zone (--remove-service=ssh) or they will be accepted there anyway.
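Once denied-packet logging is on, the kernel log is what an analyst actually works with. The shell script below is an added example, not part of the original page or of firewalld itself: it reads journalctl -k style lines from standard input and summarises which sources were refused and which of them probed several ports. The log lines embedded in it are constructed for the example (real lines carry more fields), the FINAL_REJECT: prefix is assumed to be the one firewalld attaches to packets that hit a zone's reject target, and the Firewall Log: line stands for a rich-rule log entry and is deliberately left out of the counts.

```shell
#!/bin/sh
# Added example: summarise firewalld denied-packet log lines (journalctl -k output).
# Not part of the original page or of firewalld. The sample below is constructed;
# the "FINAL_REJECT: " prefix is assumed to be firewalld's zone-reject log prefix.

SAMPLE_LOG='Mar 10 09:12:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=53 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
Mar 10 09:12:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=53 PROTO=TCP SPT=51236 DPT=3389 SYN URGP=0
Mar 10 09:12:03 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=61 PROTO=UDP SPT=53 DPT=5353 LEN=20
Mar 10 09:12:04 host kernel: Firewall Log: IN=eth0 OUT= SRC=192.168.0.10 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Mar 10 09:12:05 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=53 PROTO=TCP SPT=51237 DPT=445 SYN URGP=0'

# Read kernel log lines on stdin; print "count source" for every source whose
# packets hit a zone's reject target, busiest source first.
denied_by_source() {
    awk '/FINAL_REJECT:/ {
             src = ""
             for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
             if (src != "") hits[src]++
         }
         END { for (s in hits) print hits[s], s }' |
    sort -rn
}

# Read kernel log lines on stdin; print "source distinct-ports" for every source
# that was refused on at least $1 distinct destination ports (a crude scan detector).
scanners() {
    awk -v threshold="$1" '/FINAL_REJECT:/ {
             src = ""; dpt = ""
             for (i = 1; i <= NF; i++) {
                 if ($i ~ /^SRC=/) src = substr($i, 5)
                 if ($i ~ /^DPT=/) dpt = substr($i, 5)
             }
             # count each (source, destination port) pair only once
             if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
         }
         END { for (s in ports) if (ports[s] >= threshold) print s, ports[s] }' |
    sort
}

# Demonstration on the constructed sample. Against a live host, replace the
# printf with: journalctl -k --since -1h | denied_by_source
printf '%s\n' "$SAMPLE_LOG" | denied_by_source
printf '%s\n' "$SAMPLE_LOG" | scanners 3
```

Both functions key on the SRC= and DPT= fields only, so they work unchanged on rich-rule log lines if you swap the FINAL_REJECT: pattern for your own prefix; feeding the scanner output into an ipset-backed drop rule is the usual next step.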
- Example 37: Allow incoming traffic from a specific source IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
This command accepts all new connections from 192.168.0.10 in the public zone. It only amounts to "only from this address" when nothing else in the zone allows other sources: the zone's services and ports still apply to everyone, so pair this rule with a zone whose target is DROP or %%REJECT%% and no broader allow rules.
- Example 38: Allow incoming traffic only on specific ports
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="443" protocol="tcp" accept'
These commands accept incoming TCP traffic on ports 80 and 443 in the public zone. Without a source restriction they are equivalent to --add-port=80/tcp and --add-port=443/tcp (or --add-service=http and --add-service=https); the rich-rule form earns its keep when combined with a source address or a log clause.
- Example 39: Block incoming traffic from a specific source IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
This command rejects new connections from 192.168.0.10 in the public zone, even for services the zone allows, because deny rules are evaluated before allow rules.
- Example 41: Block incoming traffic to a specific destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="203.0.113.100" reject'
This command rejects incoming packets whose destination is 203.0.113.100, for instance a secondary address on this host. It does not block outgoing traffic: zone rules only see packets arriving at the host.
- Example 42: Allow incoming traffic on a specific interface
firewall-cmd --zone=public --add-interface=eth0
Rich rules have no interface element; interfaces are bound to zones instead. This command binds eth0 to the public zone so that traffic arriving on it is subject to the public zone's allow rules. An interface belongs to exactly one zone; use --change-interface to move it.
- Example 43: Block all incoming IPv6 traffic
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" source address="::/0" drop'
This command drops every new incoming IPv6 connection in the public zone. A rule consisting only of a family and an action is invalid (a rule needs a source, destination or element), which is why the source ::/0 is spelled out. This affects inbound traffic only; the host can still open IPv6 connections, and their replies are accepted as established.
- Example 44: List all configurations of a zone
firewall-cmd --zone=public --list-all
This command displays the runtime configuration of the public zone: target, interfaces, sources, services, ports, protocols, masquerading, forward ports, ICMP blocks and rich rules. Add --permanent to see the saved configuration; a difference between the two is the usual reason a rule "stops working after reboot".
- Example 45: Set the default action for a zone to drop incoming traffic
firewall-cmd --permanent --zone=public --set-target=DROP
This command sets the public zone's target to DROP in the permanent configuration (--set-target requires --permanent); after firewall-cmd --reload, packets that match no allow rule are discarded silently.
- Example 46: Set the default action for a zone to reject incoming traffic
firewall-cmd --permanent --zone=public --set-target=%%REJECT%%
This command sets the public zone's target to reject; after a reload, packets that match no allow rule are answered with an ICMP error.
- Example 47: Forward a port to a different host
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.10:toport=8080
This command forwards incoming TCP traffic on port 80 to port 8080 on 192.168.0.10. Forwarding to another host needs masquerading enabled on the zone (--add-masquerade); with masquerading the backend sees the firewall's address as the source, so keep connection logs on the firewall if you need the original client address.
- Example 48: Block specific ICMP packets
firewall-cmd --zone=public --add-icmp-block=echo-request
This command blocks incoming ICMP echo requests (ping) in the public zone. ICMP types are matched with --add-icmp-block or a rich-rule icmp-block element, not with protocol value="icmp"; the type names come from --get-icmptypes. An icmp-block rich rule takes no action of its own.
- Example 49: Allow incoming traffic from a specific source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
This command accepts incoming TCP connections whose source port is 12345 (the rich-rule element is source-port, and it needs a protocol; --add-source-port=12345/tcp is the zone-level equivalent). The source port is chosen by the remote end, so a rule like this is trivially bypassed by any client that binds to the matching port; treat it as a convenience for a known peer, not as access control.
- Example 50: Block incoming traffic on a specific destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
This command rejects incoming TCP connections to port 22 (SSH) in the public zone. In a rich rule the destination port is written as port port= with a protocol; there is no destination port= element.
- Example 51: Allow incoming traffic from a specific source IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command accepts all new connections from 192.168.0.0/24 in the public zone.
- Example 52: Block incoming traffic to a specific destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="192.168.0.0/24" reject'
This command rejects incoming packets addressed to any address in 192.168.0.0/24, which only matters when this host (or a network it forwards for) holds addresses in that range.
- Example 53: Allow incoming traffic from a specific source MAC address
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" accept'
This command accepts all new connections from the MAC address 00:11:22:33:44:55 in the public zone. MAC matching only works for hosts on the same layer-2 segment, and a MAC address is trivially spoofed, so it is a convenience filter rather than an authentication control.
- Example 54: Block incoming traffic from a specific source MAC address
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" drop'
This command drops all packets from the MAC address 00:11:22:33:44:55 in the public zone. Rich rules match MAC addresses on the source side only (destination takes an address or an ipset), so the destination-MAC rule originally listed here cannot be expressed.
- Example 55: Allow incoming traffic from a specific VLAN
firewall-cmd --zone=public --add-interface=eth0.100
Rich rules have no vlan element; VLANs are handled through their interfaces. This command binds the VLAN 100 subinterface eth0.100 to the public zone so that traffic from that VLAN is subject to the public zone's allow rules.
- Example 56: Block incoming traffic from a specific VLAN
firewall-cmd --zone=drop --add-interface=eth0.100
This command binds eth0.100 to the built-in drop zone, whose target discards every incoming packet. If the interface is already in another zone, use --change-interface instead, because an interface can only belong to one zone.
- Examples 57 and 58: Allow or block incoming traffic from a specific user
firewalld has no user name element, so neither of the commands originally listed here is valid. Incoming packets carry no local user identity at all, and netfilter's owner match only applies to packets generated on the host, which zone rules do not filter. Per-user restrictions on an inbound service belong in the service itself (for example sshd's AllowUsers and DenyUsers), not in the firewall.
- Examples 59 and 60: Allow or block incoming traffic by TCP flag
Rich rules have no tcp-flags element, so the commands originally listed here are invalid. They are also rarely needed: zone rules decide the fate of new connections, replies to established connections are accepted by firewalld's base rules, and packets that connection tracking classifies as INVALID (a stray RST or FIN that belongs to no connection, for example) are dropped before the zone chains are reached. Flag-level matching is only possible through the direct interface, shown under Examples 69 to 76.
- Example 61: Allow a specific ICMP type while blocking the others
firewall-cmd --zone=public --add-icmp-block-inversion
firewall-cmd --zone=public --add-icmp-block=echo-reply
These commands invert the meaning of the zone's ICMP block list, so that only the listed types are allowed: here incoming ICMP echo replies pass and every other ICMP type is blocked. Without inversion, all ICMP types are allowed unless listed. The rich-rule syntax originally shown (protocol="icmp" icmp-type=...) does not exist; ICMP types are selected with icmp-block name="...".
- Example 62: Block a specific ICMP type
firewall-cmd --zone=public --add-icmp-block=destination-unreachable
This command blocks incoming ICMP destination-unreachable messages in the public zone. Think twice before doing this: "fragmentation needed" is a destination-unreachable subtype, and discarding it breaks path MTU discovery for every connection the host makes.
- Example 63: Allow a specific ICMPv6 type
firewall-cmd --zone=public --remove-icmp-block=parameter-problem
ICMPv6 types are not "extension headers"; they are selected by name like their IPv4 counterparts, and they are allowed by default. This command removes a block on ICMPv6 parameter-problem messages if one had been added (the rich-rule form is rule family="ipv6" icmp-block name="parameter-problem", with no action).
- Example 64: Block a specific ICMPv6 type
firewall-cmd --zone=public --add-icmp-block=packet-too-big
This command blocks incoming ICMPv6 packet-too-big messages in the public zone. Do not do this on a host that talks IPv6 to the internet: IPv6 routers never fragment, so without packet-too-big the host cannot learn a smaller path MTU and large transfers stall.
- Example 65: Allow incoming traffic from a specific source port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="30000-40000" protocol="tcp" accept'
This command accepts incoming TCP connections whose source port lies in 30000-40000. The element is source-port and requires a protocol; the remote side picks the source port, so this grants access to anyone willing to bind to that range.
- Example 66: Block incoming traffic on a specific destination port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="2000-3000" protocol="tcp" reject'
This command rejects incoming TCP connections to ports 2000 through 3000 in the public zone (port port= is the destination port).
- Example 67: Allow incoming traffic for a specific IP protocol
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="vrrp" accept'
This command accepts incoming VRRP (IP protocol 112) packets in the public zone, as needed by keepalived. protocol value= takes a name from /etc/protocols or a number; the zone-level equivalent is --add-protocol=vrrp.
- Example 68: Block incoming traffic for a specific IP protocol
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="gre" reject'
This command rejects incoming GRE (IP protocol 47) packets in the public zone. The original example rejected protocol 58 in an IPv4 rule; 58 is ICMPv6, which never appears in IPv4, and blocking it in an IPv6 rule would disable neighbour discovery and break IPv6 entirely.
- Examples 69 to 76: Match on TCP options, UDP options, IP header options or fragment flags
firewalld rich rules have no tcp-option, udp-option, ip-option or tcp-flags element, so none of the commands originally listed here are accepted. UDP has no options at all, and MF and DF are IPv4 header flags rather than TCP flags. A rich rule can match only on family, source (address, MAC address or ipset), destination (address or ipset), service, port, source-port, protocol, ICMP type, and the forward-port and masquerade elements. Two things cover most of what these examples reach for: connection tracking reassembles IPv4 fragments before the zone rules run, so firewalld never filters individual fragments, and packets that conntrack marks INVALID are dropped before the zone chains. Anything finer needs the direct interface, which takes iptables syntax and has been deprecated since firewalld 1.0:
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-flags ALL NONE -j DROP
This drops TCP packets with no flags set ("null" scan probes) before any zone rule is consulted. Direct rules bypass zones, do not appear in --list-all (use --direct --get-all-rules) and are lost on reload unless also added with --permanent.
- Example 77: Allow incoming traffic from an IP range on a specific port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command accepts TCP connections to port 8080 from 192.168.0.0/24 in the public zone. A port element always needs a protocol; without one the rule is invalid.
- Example 78: Block incoming traffic from an IP range on a specific port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command rejects SSH (TCP port 22) connections from 192.168.0.0/24 in the public zone.
- Example 79: Allow incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" accept'
These commands accept all new connections from 192.168.0.10 and 192.168.0.20. For more than a handful of addresses use an ipset (--permanent --new-ipset=NAME --type=hash:ip, then --permanent --ipset=NAME --add-entry=ADDR for each address) and a single rule with source ipset="NAME"; one rich rule per address is slow to evaluate and painful to audit.
- Example 80: Block incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" reject'
These commands reject all new connections from 192.168.0.10 and 192.168.0.20; the same ipset approach applies to block lists.
- Example 81: Allow incoming traffic on a specific interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-port=8080/tcp
Rich rules have no in-interface element. The interface is selected by binding it to a zone, and the port is then opened in that zone: these commands bind eth0 to the public zone and open TCP port 8080 there, so port 8080 is reachable through eth0 but not through interfaces in other zones.
- Example 82: Block incoming traffic on a specific interface and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
With eth0 bound to the public zone, this command rejects SSH (TCP port 22) connections arriving on eth0 while leaving SSH reachable on interfaces in other zones.
- Example 83: Allow incoming traffic from a specific source IP on a destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="80" protocol="tcp" accept'
This command accepts TCP connections to port 80 from 192.168.0.10 in the public zone. The destination port is always written as port port= with a protocol; destination port= is not valid rich-rule syntax, so Examples 83 to 86 use the correct form.
- Example 84: Block incoming traffic from a specific source IP on a destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="443" protocol="tcp" reject'
This command rejects TCP connections to port 443 from 192.168.0.10 in the public zone.
- Example 85: Allow incoming traffic from a source IP range on a destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This command accepts TCP connections to port 8080 from 192.168.0.0/24 in the public zone.
- Example 86: Block incoming traffic from a source IP range on a destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This command rejects SSH (TCP port 22) connections from 192.168.0.0/24 in the public zone.
- Example 87: Allow incoming traffic from a specific source IP to a specific destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" accept'
This command accepts new connections from 192.168.0.10 addressed to 203.0.113.100 in the public zone. In Examples 87 to 96 the destination is an address held by the receiving host (or by a network it forwards for), since zone rules only see incoming packets.
- Example 88: Block incoming traffic from a specific source IP to a specific destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" reject'
This command rejects new connections from 192.168.0.10 addressed to 203.0.113.100.
- Example 89: Allow incoming traffic from a source IP range to a specific destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" accept'
This command accepts new connections from 192.168.0.0/24 addressed to 203.0.113.100.
- Example 90: Block incoming traffic from a source IP range to a specific destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" reject'
This command rejects new connections from 192.168.0.0/24 addressed to 203.0.113.100.
- Example 91: Allow incoming traffic from a specific source IP to a destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" accept'
This command accepts new connections from 192.168.0.10 addressed to any address in 203.0.113.0/24.
- Example 92: Block incoming traffic from a specific source IP to a destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" reject'
This command rejects new connections from 192.168.0.10 addressed to any address in 203.0.113.0/24.
- Example 93: Allow incoming traffic from a source IP range to a destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" accept'
This command accepts new connections from 192.168.0.0/24 addressed to any address in 203.0.113.0/24.
- Example 94: Block incoming traffic from a source IP range to a destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" reject'
This command rejects new connections from 192.168.0.0/24 addressed to any address in 203.0.113.0/24.
- Example 95: Allow incoming traffic from a specific source MAC to a specific destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" accept'
This command accepts new connections from the MAC address 00:11:22:33:44:55 addressed to 203.0.113.100.
- Example 96: Block incoming traffic from a specific source MAC to a specific destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" reject'
This command rejects new connections from the MAC address 00:11:22:33:44:55 addressed to 203.0.113.100.
- Examples 97 and 98: Allow or block incoming traffic from a MAC address range
source mac= accepts a single MAC address; a value with a mask such as 00:11:22:00:00:00/FF:FF:FF:00:00:00 is rejected as invalid (and FF:FF:FF:00:00:00 would be a prefix mask, not the end of a range). To cover several addresses, put them in an ipset of type hash:mac (--permanent --new-ipset=NAME --type=hash:mac, then --permanent --ipset=NAME --add-entry=MAC for each address) and match them with source ipset="NAME" in a single accept or reject rule. MAC addresses are trivially spoofed, so such a rule is a convenience, not access control.
- Example 99: Allow incoming traffic for a specific protocol and source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
This command accepts incoming TCP connections with source port 12345 in the public zone. The element is source-port with its protocol attribute; a bare protocol="tcp" attribute on the rule is not valid syntax.
- Example 100: Block incoming traffic for a specific protocol and source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="udp" reject'
This command rejects incoming UDP datagrams with source port 12345 in the public zone. As with every source-port rule, the remote side controls the value, so prefer matching on destination port and source address.
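The rich rules in Examples 36 to 100 share one failure pattern in practice: a rule typed into the runtime but not the permanent configuration (or the reverse), and a typo in an address or port that only surfaces when firewalld rejects the rule. The shell script below is an added example, not code from the original page or from firewalld: it builds rich rules from checked parameters and adds each rule to both the runtime and the permanent configuration only where it is not already present. The zone name public and the addresses in the demonstration at the bottom are placeholders, and when firewall-cmd is absent or firewalld is not running, apply_rule prints the commands it would have run instead.

```shell
#!/bin/sh
# Added example (not from the original page or from firewalld): build firewalld
# rich rules from validated parameters and apply them idempotently to both the
# runtime and the permanent configuration. Zone and addresses are placeholders.

# valid_ipv4_net ADDR[/PREFIX]: succeed only for a well-formed IPv4 address or network.
valid_ipv4_net() {
    addr=${1%/*}
    prefix=${1#*/}
    if [ "$prefix" = "$1" ]; then prefix=32; fi      # no prefix given: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$prefix" -gt 32 ]; then return 1; fi
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    if [ $# -ne 4 ]; then return 1; fi
    for octet in "$@"; do
        if [ "$octet" -gt 255 ]; then return 1; fi
    done
    return 0
}

# valid_port_range PORT or LOW-HIGH: succeed only for ports in 1..65535 with LOW <= HIGH.
valid_port_range() {
    lo=${1%-*}
    hi=${1#*-}
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then return 1; fi
    done
    [ "$lo" -le "$hi" ]
}

# rich_rule FAMILY SOURCE PROTO PORT ACTION: print one rich rule, or fail with a
# message on stderr. Use "-" for SOURCE or PORT to leave that match out.
rich_rule() {
    family=$1; src=$2; proto=$3; port=$4; action=$5
    case "$family" in ipv4|ipv6) ;; *) echo "rich_rule: bad family '$family'" >&2; return 1 ;; esac
    case "$action" in accept|drop|reject) ;; *) echo "rich_rule: bad action '$action'" >&2; return 1 ;; esac
    if [ "$src" = "-" ] && [ "$port" = "-" ]; then
        echo "rich_rule: a rule needs a source or a port" >&2; return 1   # firewalld rejects it too
    fi
    rule="rule family=\"$family\""
    if [ "$src" != "-" ]; then
        # IPv6 sources are left to firewalld's own validation at apply time
        if [ "$family" = ipv4 ] && ! valid_ipv4_net "$src"; then
            echo "rich_rule: bad IPv4 source '$src'" >&2; return 1
        fi
        rule="$rule source address=\"$src\""
    fi
    if [ "$port" != "-" ]; then
        case "$proto" in tcp|udp) ;; *) echo "rich_rule: port needs protocol tcp or udp" >&2; return 1 ;; esac
        if ! valid_port_range "$port"; then
            echo "rich_rule: bad port '$port'" >&2; return 1
        fi
        rule="$rule port port=\"$port\" protocol=\"$proto\""
    fi
    printf '%s\n' "$rule $action"
}

# apply_rule ZONE RULE: add RULE to ZONE in both runtime and permanent
# configuration, skipping each where it already exists. Needs root and a running
# firewalld; otherwise it prints the commands it would run (dry run).
apply_rule() {
    zone=$1; rule=$2
    if ! command -v firewall-cmd >/dev/null 2>&1 || ! firewall-cmd --state >/dev/null 2>&1; then
        printf "dry-run: firewall-cmd --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
        printf "dry-run: firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
        return 0
    fi
    for scope in "" "--permanent"; do
        # --query-rich-rule exits 0 when the rule is already present; $scope is
        # deliberately unquoted so the empty runtime scope expands to nothing
        if ! firewall-cmd $scope --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
            firewall-cmd $scope --zone="$zone" --add-rich-rule="$rule" >/dev/null
        fi
    done
}

# Demonstration with placeholder values: the management network gets SSH, a
# known hostile range gets nothing. Keep allow and deny rules on disjoint
# sources: firewalld evaluates deny (drop/reject) rich rules before accept
# rules, so an overlapping reject would win regardless of insertion order.
ZONE=public
apply_rule "$ZONE" "$(rich_rule ipv4 192.168.0.0/24 tcp 22 accept)"
apply_rule "$ZONE" "$(rich_rule ipv4 203.0.113.0/24 - - drop)"
```

Because every rule passes through --query-rich-rule first, the script can be re-run from configuration management without piling up duplicate rules, and the permanent copy means a later --reload (which discards runtime-only changes) leaves the firewall in the intended state.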