firewall-cmd --zone=public --add-service=http
This command adds the HTTP service to the public zone, allowing incoming HTTP traffic. Without --permanent the change applies only to the running firewall and is lost at the next reload or reboot; add --permanent and then run firewall-cmd --reload to make it persistent.
-
- Remove a service from a zone
firewall-cmd --zone=public --remove-service=http
This command removes the HTTP service from the public zone, disallowing incoming HTTP traffic.
-
- Add a port to a zone
firewall-cmd --zone=public --add-port=8080/tcp
This command opens port 8080/tcp in the public zone, allowing incoming TCP traffic on that port.
-
- Remove a port from a zone
firewall-cmd --zone=public --remove-port=8080/tcp
This command removes the rule that allows incoming TCP traffic on port 8080 from the public zone.
- List all services in a zone
firewall-cmd --zone=public --list-services
This command lists all services allowed in the public zone.
-
- List all ports in a zone
firewall-cmd --zone=public --list-ports
This command lists all ports opened in the public zone.
-
- Set a default zone
firewall-cmd --set-default-zone=public
This command makes public the default zone: interfaces and source addresses that are not explicitly bound to another zone are handled by its rules.
-
- Enable masquerading
firewall-cmd --zone=public --add-masquerade
This command enables masquerading (IPv4 source NAT) in the public zone, so traffic forwarded out through interfaces in that zone leaves with this host's address; firewalld turns on IPv4 forwarding for it. This is what makes the machine act as a NAT gateway and it is required when forward ports point at another host.
-
- Reload the firewall configuration
firewall-cmd --reload
This command rebuilds the runtime configuration from the permanent configuration. Changes made without --permanent are discarded, permanent changes take effect, and established connections are kept.
-
- List all zones
firewall-cmd --get-zones
This command lists all available firewall zones on the system.
-
- Add a source IP address to a zone
firewall-cmd --zone=public --add-source=192.168.0.10
This command binds the source address 192.168.0.10 to the public zone: traffic arriving from it is evaluated against the public zone's rules, regardless of the interface it arrives on (sources are matched before interfaces). Binding a source does not by itself allow anything; what is allowed is still decided by the zone's services, ports and rich rules.
-
- Remove a source IP address from a zone
firewall-cmd --zone=public --remove-source=192.168.0.10
This command removes the source binding for 192.168.0.10 from the public zone; traffic from that address falls back to the zone of the interface it arrives on.
-
- Set a zone as the default for network interfaces
firewall-cmd --zone=public --change-interface=eth0
This command moves the interface eth0 into the public zone, removing it from whichever zone it was in before. When NetworkManager manages the interface, firewall-cmd stores the zone in the NetworkManager connection (the same as nmcli connection modify <name> connection.zone public); otherwise add --permanent so the binding survives a reload.
-
- Add a rich rule to a zone
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command adds a rich rule to the public zone that accepts incoming IPv4 traffic from the subnet 192.168.0.0/24. A rich rule with no service, port or protocol element matches all traffic from that source. Rich rules that reject or drop are evaluated before the zone's accepted services and ports, so they can override them.
-
- Remove a rich rule from a zone
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command removes a specific rich rule from the public zone.
-
- Allow IPsec through a zone
firewall-cmd --permanent --zone=public --add-service=ipsec
firewall-cmd has no --enable option. IPsec is handled as a predefined service (ipsec: IKE on UDP 500 and 4500 plus the ESP and AH protocols), so it is opened like any other service; run firewall-cmd --reload afterwards to apply the permanent change.
-
- Remove IPsec from a zone
firewall-cmd --permanent --zone=public --remove-service=ipsec
This command removes the ipsec service from the permanent configuration of the public zone; reload to apply it.
-
- Log packets that a zone drops or rejects
firewall-cmd --set-log-denied=all
Zones have no LOG target and --log-prefix is not a firewall-cmd option. This global setting makes firewalld log every packet that hits a zone's drop or reject target (use unicast, broadcast or multicast instead of all to narrow it, and off to disable it); the entries appear in the kernel log (dmesg or journalctl -k). For a custom prefix on specific traffic, use a rich rule with a log element placed before the action, for example log prefix="Firewall Log: " level="notice".
-
- Display the runtime status of the firewall
firewall-cmd --state
This command prints running when firewalld is active and exits non-zero otherwise; use it in scripts before issuing other firewall-cmd calls.
-
- Add a custom service to a zone
firewall-cmd --permanent --zone=public --add-service=myapp
This command adds the custom service myapp to the permanent configuration of the public zone. The service must already be defined (firewall-cmd --permanent --new-service=myapp, then firewall-cmd --permanent --service=myapp --add-port=<port>/tcp for each port the application listens on, then firewall-cmd --reload), otherwise firewall-cmd reports INVALID_SERVICE. Once added and reloaded, the ports in that definition are open in the zone.
-
- Remove a custom service from a zone
firewall-cmd --permanent --zone=public --remove-service=myapp
This command removes the custom service “myapp” from the public zone, disallowing incoming traffic on the defined ports for that service.
-
- Reload the firewall and reset connection tracking
firewall-cmd --complete-reload
--complete-reload is a separate command, not a modifier of --reload, and it does not preserve connections: besides reloading the configuration it flushes the netfilter state, so established connections, including the SSH session running the command, can be cut. Use --reload for normal changes, which keeps existing connections, and reserve --complete-reload for when the running rule set is suspected to be corrupt.
-
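The two reload commands above differ in what they keep, and the trap with both is that changes made without --permanent vanish on reload. The following script, an added example that is not part of the original page, wraps the safe workflow (write permanently, reload, verify) and adds a drift check that diffs the runtime view of a zone against its permanent view. FIREWALL_CMD is an assumed environment hook for substituting a stub when exercising the script off a firewalld host; otherwise it needs root and a running firewalld.

```shell
#!/bin/sh
# Added example (not from the original page). Requires root and a running
# firewalld unless FIREWALL_CMD (assumed hook) points at a stub.
fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# fw_allow_service ZONE SERVICE
# Write to the permanent config, reload so the runtime is rebuilt from it,
# then confirm the runtime really has the service. Returns non-zero on any
# failure so a provisioning script can stop early.
fw_allow_service() {
    zone=$1
    svc=$2
    fw --permanent --zone="$zone" --add-service="$svc" >/dev/null || return 1
    fw --reload >/dev/null || return 1
    fw --zone="$zone" --query-service="$svc" >/dev/null
}

# fw_drift ZONE
# Diff the runtime view of a zone against its permanent view. Output lines
# prefixed with < exist only at runtime (lost at the next reload or reboot);
# lines prefixed with > exist only in the saved config (not yet reloaded).
# Returns 0 when both views match, 1 when they differ, 2 on error.
fw_drift() {
    zone=$1
    rt=$(mktemp) || return 2
    pm=$(mktemp) || { rm -f "$rt"; return 2; }
    fw --zone="$zone" --list-all >"$rt" || { rm -f "$rt" "$pm"; return 2; }
    fw --permanent --zone="$zone" --list-all >"$pm" || { rm -f "$rt" "$pm"; return 2; }
    diff "$rt" "$pm" && rc=0 || rc=$?
    rm -f "$rt" "$pm"
    return "$rc"
}

# Usage: sh fw_drift.sh ZONE
if [ $# -gt 0 ]; then
    fw_drift "$1"
fi
```

Run as sh fw_drift.sh public: any output is configuration that a reload will discard (or a permanent change not yet reloaded), and the exit status is 1 when the views differ, which makes it usable as a check in a deployment pipeline.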
- List all supported services
firewall-cmd --get-services
This command lists every service name firewalld knows (the definitions in /usr/lib/firewalld/services and /etc/firewalld/services); these are the names accepted by --add-service.
-
- Configure a zone to drop all incoming traffic it does not explicitly allow
firewall-cmd --permanent --zone=public --set-target=DROP
This command sets the public zone's target to DROP: incoming traffic that matches none of the zone's services, ports, protocols or rich rules is silently discarded instead of being rejected with an ICMP error as the default target does. --set-target is only accepted together with --permanent, so run firewall-cmd --reload to apply it.
-
- Block all outgoing traffic from the host
firewall-cmd --permanent --new-policy=egress-deny
firewall-cmd --permanent --policy=egress-deny --add-ingress-zone=HOST
firewall-cmd --permanent --policy=egress-deny --add-egress-zone=ANY
firewall-cmd --permanent --policy=egress-deny --set-target=DROP
firewall-cmd --reload
There is no --out-interface option, and zone targets only apply to traffic arriving at the host. Outgoing traffic is filtered with a policy object (firewalld 0.9 and later): the special ingress zone HOST means traffic generated by this host, the egress zone ANY means towards any zone, and the DROP target discards everything the policy does not allow. Before reloading, add the services the host itself needs (for example firewall-cmd --permanent --policy=egress-deny --add-service=dns), or the host loses name resolution and updates.
-
- Reject incoming traffic with a specific ICMP message
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" reject type="icmp-port-unreachable"'
--reject-with is not a firewall-cmd option and the zone target cannot be given a reject type; the ICMP message is chosen per rich rule with reject type=. For IPv4 the accepted types are icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited, icmp-admin-prohibited and tcp-reset. This example answers everything arriving from 192.168.0.0/24 with a port-unreachable message.
-
- Configure a zone to forward packets
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080
This command forwards incoming TCP connections to port 80 in the public zone to port 8080 on this host (destination NAT). It is the usual way to expose a service that listens on an unprivileged port on a privileged one; to forward to another host, add toaddr= and enable masquerading in the zone.
-
- List protocols allowed in a zone
firewall-cmd --zone=public --list-protocols
firewall-cmd has no --get-protocols option. This command lists the IP protocols (added with --add-protocol, for example --add-protocol=gre) that the public zone currently accepts. The protocol names and numbers that --add-protocol and rich rules accept are the ones in /etc/protocols.
-
- Display the version of firewalld
firewall-cmd --version
This command displays the version of the installed firewalld.
-
- Add a source IP range to a zone
firewall-cmd --zone=public --add-source=192.168.0.0/24
This command binds the prefix 192.168.0.0/24 to the public zone, so traffic from any address in it is evaluated against the public zone's rules regardless of the arrival interface. The binding itself allows nothing; the zone's services, ports and rich rules decide what is accepted.
-
- Example 32: Remove a source IP range from a zone
firewall-cmd --zone=public --remove-source=192.168.0.0/24
This command removes the source binding for 192.168.0.0/24 from the public zone; traffic from that prefix falls back to the zone of the interface it arrives on.
-
- Example 33: Configure a zone to reject all incoming traffic it does not explicitly allow
firewall-cmd --permanent --zone=public --set-target=%%REJECT%%
The reject target is spelled %%REJECT%% (plain REJECT is refused as an invalid target). Traffic that matches none of the zone's rules is answered with an ICMP error, which is close to what the default target does, so this is mainly used to switch a zone back from DROP. --set-target needs --permanent followed by firewall-cmd --reload.
-
- Example 34: Reject all outgoing traffic from the host
firewall-cmd --permanent --policy=egress-deny --set-target=REJECT
There is no --out-interface option, and zones do not filter traffic the host sends. This assumes a policy object named egress-deny whose ingress zone is HOST and egress zone is ANY (created with --new-policy, --add-ingress-zone=HOST and --add-egress-zone=ANY); setting its target to REJECT makes every outgoing connection the policy does not allow fail immediately with an ICMP error instead of timing out. Reload afterwards.
-
- Example 35: Log and drop specific incoming traffic
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" log prefix="Dropped Packet: " level="notice" limit value="5/m" drop'
There is no LOG zone target and no --log-prefix or --log-level option; logging is a rich-rule element placed before the action. This rule logs packets from 192.168.0.0/24 to the kernel log with the prefix "Dropped Packet: " at level notice, at most five per minute so that a flood cannot fill the log, and then drops them. To log everything a zone's target drops or rejects, use firewall-cmd --set-log-denied=all instead.
-
- Example 36: Rate-limit new connections to a service
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" service name="ssh" accept limit value="10/s"'
The limit belongs after the action (accept limit value=...), and a rich rule needs a source, destination or element to match on, so this version matches the ssh service. Because firewalld accepts packets of established connections before zone rules are evaluated, the limit applies to new connection attempts: at most ten per second are accepted and the rest fall through to the zone's target. The rate can be given per second, minute, hour or day (s, m, h, d).
-
- Example 37: Configure a zone to allow incoming traffic only from a specific source IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
On its own this rule only adds 192.168.0.10 to what the public zone accepts; everything the zone already allows (its services and ports) stays open to everyone. To allow traffic only from that address, also remove the other services and ports from the zone or set its target to DROP (firewall-cmd --permanent --zone=public --set-target=DROP, then reload), so that the rich rule is the only accepting rule left.
-
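Example 37 on its own does not restrict SSH to one source, because the rest of the zone stays open. The way to get "only from this network" in firewalld is to route traffic from the management network into its own zone whose target is DROP and whose only accepting rule is a rate-limited, logged ssh rule, and then take ssh out of the public zone. The script below is an added example, not from the original page; the zone name mgmt, the prefix 10.0.0.0/24, the log prefix and the limits are assumptions, and FIREWALL_CMD is an assumed hook for substituting a stub when testing off a firewalld host.

```shell
#!/bin/sh
# Added example (not from the original page). Zone name, prefix, log prefix
# and rate limits are assumptions. Requires root and a running firewalld
# unless FIREWALL_CMD (assumed hook) points at a stub.
fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# fw_mgmt_zone ZONE CIDR
# Traffic from CIDR is routed into ZONE by a source binding. ZONE accepts
# nothing but ssh (target DROP), logs new ssh connections at most 3/min and
# accepts at most 10/min of them; established connections are accepted by
# firewalld before zone rules, so the limit only throttles new attempts.
# ssh is then removed from public so it is reachable from CIDR only.
# All changes are permanent and applied together by one reload at the end.
fw_mgmt_zone() {
    zone=$1
    cidr=$2
    rule='rule family="ipv4" service name="ssh" log prefix="mgmt-ssh " level="notice" limit value="3/m" accept limit value="10/m"'

    # --new-zone fails if the zone exists, so check first (idempotent reruns).
    if ! fw --permanent --get-zones | tr ' ' '\n' | grep -qx "$zone"; then
        fw --permanent --new-zone="$zone" >/dev/null || return 1
    fi
    # --set-target is permanent-only; DROP discards anything not accepted below.
    fw --permanent --zone="$zone" --set-target=DROP >/dev/null || return 1
    # A source may be bound to one zone only; adding it twice is an error.
    if ! fw --permanent --zone="$zone" --query-source="$cidr" >/dev/null 2>&1; then
        fw --permanent --zone="$zone" --add-source="$cidr" >/dev/null || return 1
    fi
    fw --permanent --zone="$zone" --add-rich-rule="$rule" >/dev/null || return 1
    # Removing a service that is not present is an error, hence the query.
    if fw --permanent --zone=public --query-service=ssh >/dev/null 2>&1; then
        fw --permanent --zone=public --remove-service=ssh >/dev/null || return 1
    fi
    fw --reload >/dev/null || return 1
    # Verify the binding took effect in the runtime configuration.
    [ "$(fw --get-zone-of-source="$cidr")" = "$zone" ]
}

# Usage: sh fw_mgmt_zone.sh mgmt 10.0.0.0/24   (run it from inside 10.0.0.0/24)
if [ $# -eq 2 ]; then
    fw_mgmt_zone "$1" "$2"
fi
```

Everything is written to the permanent configuration first and a single --reload applies it, so there is no window in which ssh has left the public zone before the mgmt rule exists. Run it from a session inside the management prefix or from the console, because the reload closes the public door behind you.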
- Example 38: Configure a zone to allow incoming traffic only on specific ports
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="80" protocol="tcp" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="443" protocol="tcp" accept'
These two commands allow incoming TCP traffic on ports 80 and 443 in the public zone. Plain --add-port=80/tcp does the same without a rich rule; rich rules are only needed when the port is combined with a source, logging or a limit. As with source-based rules, "only" holds only if the zone allows nothing else.
-
- Example 39: Configure a zone to block incoming traffic from a specific source IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
This command configures the public zone
-
- Example 41: Block traffic arriving for a specific destination address
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="203.0.113.100" reject'
Zone rich rules see traffic arriving at the host, so destination address matches the address an incoming packet is sent to (one of this host's addresses, or the target of traffic it forwards); this rule does not touch connections the host itself opens to 203.0.113.100. To block outgoing traffic to that address, put the same rich rule in a policy object whose ingress zone is HOST and egress zone is ANY, for example firewall-cmd --permanent --policy=egress-deny --add-rich-rule='rule family="ipv4" destination address="203.0.113.100" reject' (assuming such a policy named egress-deny exists).
-
- Example 42: Configure a zone to handle incoming traffic on a specific interface
firewall-cmd --zone=public --add-interface=eth0
Rich rules have no interface element; which interface traffic arrives on is decided by zone binding instead. This command binds eth0 to the public zone, so everything arriving on eth0 is evaluated against the public zone's services, ports and rich rules (--change-interface does the same but also removes the interface from its previous zone).
-
- Example 43: Configure a zone to block all IPv6 traffic
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" source address="::/0" reject'
A rich rule must contain something to match on, so a bare rule family="ipv6" reject is refused; matching source ::/0 covers every IPv6 source. This rejects all incoming IPv6 traffic in the public zone, including neighbour discovery, which effectively disables IPv6 on the interfaces bound to it. Outgoing traffic is not affected by zone rules.
-
- Example 44: List all runtime configurations of a zone
firewall-cmd --zone=public --list-all
This command displays the runtime configuration of the public zone: target, bound interfaces and sources, services, ports, protocols, masquerading, forward ports, ICMP blocks and rich rules. Add --permanent to see the saved configuration instead; differences between the two are runtime-only changes that the next reload discards.
-
- Example 47: Configure a zone to forward specific ports to a different destination
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.0.10:toport=8080
This command forwards incoming TCP connections to port 80 in the public zone to port 8080 on 192.168.0.10 (destination NAT). Forwarding to another host requires masquerading to be enabled in the zone (firewall-cmd --zone=public --add-masquerade) unless this host is already that machine's default gateway; without it the backend answers the client directly with the wrong source address and the connection never completes.
-
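Example 47 forwards to another host, and its silent failure mode is a missing masquerade. The helper below, an added example that is not from the original page, refuses to add a toaddr forward unless masquerading is enabled in the zone, then applies the rule permanently and verifies it after the reload; FIREWALL_CMD is an assumed hook for substituting a stub when testing off a firewalld host.

```shell
#!/bin/sh
# Added example (not from the original page). Requires root and a running
# firewalld unless FIREWALL_CMD (assumed hook) points at a stub.
fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# fw_dnat ZONE PORT PROTO TOADDR TOPORT
# Permanently forward PORT/PROTO arriving in ZONE to TOADDR:TOPORT, but only
# if the zone masquerades. Without source NAT the backend sees the client's
# real address and answers it directly; unless this host is the backend's
# default gateway that reply bypasses the DNAT state and the client sees a
# connection that never completes.
fw_dnat() {
    zone=$1; port=$2; proto=$3; toaddr=$4; toport=$5
    spec="port=$port:proto=$proto:toaddr=$toaddr:toport=$toport"

    if ! fw --permanent --zone="$zone" --query-masquerade >/dev/null 2>&1; then
        echo "fw_dnat: masquerade is off in zone $zone; enable it first with:" >&2
        echo "  firewall-cmd --permanent --zone=$zone --add-masquerade" >&2
        return 1
    fi
    fw --permanent --zone="$zone" --add-forward-port="$spec" >/dev/null || return 1
    fw --reload >/dev/null || return 1
    # Confirm the rule is live in the runtime configuration after the reload.
    fw --zone="$zone" --query-forward-port="$spec" >/dev/null
}

# Usage: sh fw_dnat.sh public 80 tcp 192.168.0.10 8080
if [ $# -eq 5 ]; then
    fw_dnat "$1" "$2" "$3" "$4" "$5"
fi
```

The check is deliberately against the permanent configuration, because that is what the reload will build from; a masquerade enabled only at runtime would disappear with it.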
- Example 48: Configure a zone to block specific ICMP packets
firewall-cmd --zone=public --add-icmp-block=echo-request
ICMP types are blocked with --add-icmp-block; the names it accepts are listed by firewall-cmd --get-icmptypes. This command makes the public zone block incoming ICMP echo requests, so the host stops answering ping from that zone. Block ICMP selectively: destination-unreachable, time-exceeded and parameter-problem carry error information that TCP/IP depends on.
-
- Example 49: Configure a zone to allow incoming traffic from a specific source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
The element is source-port and it needs a protocol; "source port=" is not valid rich-rule syntax. This accepts incoming TCP segments whose source port is 12345. Matching on the source port is weak as an access control because the remote side chooses it, so use it only to complement a source address or service match.
-
- Example 50: Configure a zone to block incoming traffic on a specific destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
The destination port is simply the port element; "destination port=" does not exist in the rich language. This rejects incoming TCP traffic to port 22 (SSH) in the public zone. A rejecting rich rule is evaluated before the zone's allowed services, so it overrides an ssh service that is still listed in the zone; removing the service (--remove-service=ssh) is the cleaner fix when the aim is simply not to expose it.
-
- Example 51: Configure a zone to allow incoming traffic on a specific source IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" accept'
This command configures the public zone to allow incoming traffic from the specific IP range 192.168.0.0/24.
-
- Example 52: Configure a zone to block incoming traffic on a specific destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="192.168.0.0/24" reject'
This command rejects incoming traffic whose destination address is in 192.168.0.0/24, which for a host firewall means the host's own addresses in that range or traffic it forwards there; it does not affect connections the host opens towards that range.
-
- Example 53: Configure a zone to allow incoming traffic on a specific source MAC address
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" accept'
This command accepts incoming traffic from the host whose MAC address is 00:11:22:33:44:55. The source MAC is that of the last hop, so this only identifies a machine on the same layer-2 segment; traffic that crossed a router carries the router's MAC. MAC addresses are also trivially spoofed, so treat this as a convenience rather than as authentication.
-
- Example 54: Configure a zone to block incoming traffic to a specific destination MAC address
The rich language has no destination mac match (see firewalld.richlanguage(5)), so this cannot be expressed with firewall-cmd, and for a host firewall it would be meaningless: every packet the host receives is addressed to one of its own MAC addresses. Filter by destination IP address instead (destination address=).
-
- Example 55: Configure a zone to allow incoming traffic from a specific VLAN
firewall-cmd --zone=public --add-interface=eth0.100
Rich rules cannot match VLAN tags. On Linux a VLAN is a separate interface (here eth0.100 for VLAN 100 on eth0), so bind that interface to the zone whose rules should apply to traffic from the VLAN; the public zone's services, ports and rich rules then govern it.
-
- Example 56: Configure a zone to block incoming traffic from a specific VLAN
firewall-cmd --zone=drop --add-interface=eth0.100
Binding the VLAN interface to the predefined drop zone discards all incoming traffic from VLAN 100 (use the block zone instead to reject it with an ICMP error). An interface can be in one zone only, so --add-interface fails if eth0.100 is already bound elsewhere; use --change-interface to move it.
-
- Example 57: Allow outgoing traffic from a specific user
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner alice -j ACCEPT
Incoming packets carry no user identity, so "allow incoming traffic from a user" cannot be expressed; the kernel only knows the owning user of locally generated (outgoing) traffic, via the owner match on the OUTPUT chain. Rich rules have no user element, which leaves the direct interface (iptables syntax; deprecated since firewalld 1.0 but still available). This rule accepts all outgoing traffic from processes running as alice; it only matters if other direct rules or a policy block outgoing traffic, since firewalld allows output by default. Reload to apply.
-
- Example 58: Block outgoing traffic from a specific user
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner bob -j REJECT
Same mechanism: this rejects every packet generated by processes running as bob, a convenient way to keep a service account off the network. It matches the owner of the socket, so a setuid helper or a proxy running as another user is not covered.
-
- Example 59: Drop TCP packets with an invalid flag combination
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
Rich rules cannot match TCP flags; this needs a direct rule in iptables syntax (deprecated since firewalld 1.0 but still available). The first flag list names the flags to examine and the second the ones that must be set: SYN and FIN together never occur in legitimate TCP and are a port-scan signature, so dropping them is safe.
-
- Example 60: Drop TCP packets with no flags set
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-flags ALL NONE -j DROP
Same mechanism: ALL NONE matches "null" packets with every flag cleared, another scanner signature. Do not block RST this way: RST is how peers tear down or refuse connections, and dropping it leaves stale state on both ends. Direct rules apply to all interfaces regardless of zone and are evaluated before zone rules.
-
- Example 61: Configure a zone to allow a specific ICMP type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" icmp-type name="echo-reply" accept'
ICMP types are matched with the icmp-type element (names from firewall-cmd --get-icmptypes), not with protocol="icmp"; protocol is a separate element that takes a name or number from /etc/protocols and cannot be combined with icmp-type in one rule. This accepts incoming ICMP echo replies in the public zone; with the default zone target, ICMP types that are not blocked are already accepted, so an explicit accept is mainly useful together with --add-icmp-block-inversion or a restrictive target.
-
- Example 62: Configure a zone to block a specific ICMP type
firewall-cmd --zone=public --add-icmp-block=destination-unreachable
This blocks incoming ICMP destination-unreachable messages in the public zone. Think twice before doing so: those messages carry path-MTU and reachability errors, and dropping them turns fast failures into hangs (the classic PMTU black hole). Use --remove-icmp-block to undo it.
-
- Example 63: Configure a zone to allow a specific ICMPv6 type
firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" icmp-type name="parameter-problem" accept'
parameter-problem and packet-too-big are ICMPv6 message types, not IPv6 extension headers, and firewall-cmd cannot match extension headers at all. The icmp-type element with family="ipv6" matches ICMPv6 messages; there is no ipv6-icmp-type keyword. This accepts incoming ICMPv6 parameter-problem messages in the public zone.
-
- Example 64: Configure a zone to block a specific ICMPv6 type
firewall-cmd --zone=public --add-icmp-block=packet-too-big
This blocks incoming ICMPv6 packet-too-big messages in the public zone. Do not do this on a production host: IPv6 has no in-network fragmentation, so path-MTU discovery depends entirely on packet-too-big, and blocking it breaks every connection whose path MTU is below the link MTU. It is listed here only to show the syntax.
-
- Example 65: Configure a zone to allow incoming traffic from a specific source port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="30000-40000" protocol="udp" accept'
Port ranges are written low-high; the element is source-port and it requires a protocol. This accepts incoming UDP datagrams whose source port is between 30000 and 40000, as used for example by RTP media from a known peer; combine it with a source address so the rule is not a blanket allow.
-
- Example 66: Configure a zone to block incoming traffic on a specific destination port range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="2000-3000" protocol="tcp" reject'
This rejects incoming TCP traffic to any port from 2000 to 3000 in the public zone. --remove-port=2000-3000/tcp is the better fix when the range was opened with --add-port; a rejecting rich rule is for overriding a service definition that cannot be changed.
-
- Example 67: Configure a zone to allow incoming traffic for a specific IP protocol number
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="112" accept'
This accepts incoming packets of IP protocol 112 (VRRP) in the public zone; the value is a name or number from /etc/protocols, so protocol value="vrrp" is equivalent. The simpler form without a rich rule is firewall-cmd --zone=public --add-protocol=vrrp. It is needed on routers running keepalived or another VRRP implementation.
-
- Example 68: Configure a zone to block incoming traffic for a specific IP protocol number
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol value="58" reject'
Protocol 58 is ICMPv6, which only exists inside IPv6 packets, so with family="ipv4" this rule never matches anything. Written for family="ipv6" it would block all ICMPv6, including neighbour discovery and router advertisements, and disable IPv6 on the zone's interfaces. Pick a protocol that is actually unwanted (for example value="47" for GRE) when using this form.
-
- Example 69: Accept TCP packets carrying a specific TCP option
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-option 2 -j ACCEPT
Rich rules have no tcp-option element. The iptables tcp match can test whether a TCP option number is present (--tcp-option), which is reachable through the direct interface (deprecated since firewalld 1.0 but still available). Option 2 is Maximum Segment Size and is present in every SYN, so this example is mostly illustrative; an ACCEPT in a direct rule bypasses zone filtering, so such rules should be narrow.
-
- Example 70: Drop TCP packets carrying a specific TCP option
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --tcp-option 4 -j DROP
Same mechanism with a DROP target. Option 4 is SACK-permitted; dropping packets that carry it would break connection setup with almost every modern peer, so in practice this pattern is useful only for rare or deprecated options. Direct rules apply to every interface and are evaluated before zone rules.
-
- Example 71: Filter on a UDP option
UDP has no header options (its header is source port, destination port, length and checksum only), so there is nothing to match; udp-option is not a rich-rule keyword and firewall-cmd rejects it as a syntax error. For UDP, filter on ports, source address or protocol instead.
-
- Example 73: Drop non-initial IP fragments
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -f -j DROP
MF and DF are IP header flags, not TCP flags, and rich rules cannot see them. The iptables -f option matches the second and further fragments of a datagram and is usable through the direct interface. Fragments are a frequent evasion and DoS vector because only the first fragment carries the transport header; connection tracking already reassembles them before zone rules run, so this is an extra layer, not a requirement.
-
- Example 74: Match the DF (don't fragment) flag
Neither rich rules nor the stock iptables matches available through --direct can test the DF bit; doing so needs nftables directly (ip frag-off & 0x4000 != 0) or an extension module. It is rarely useful anyway: DF is set on most modern TCP traffic for path-MTU discovery, so blocking it would block nearly everything.
-
- Example 75: Filter on IP header options
Rich rules have no ip-option element and the stock iptables matches have no IP-option test, so this cannot be done with firewall-cmd; it needs an extension module (xtables-addons ipv4options) or nftables. IP options (source routing, record route, timestamp) are almost never legitimate on today's networks and most routers drop them already.
-
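Most of examples 53 to 76 use matches the rich language does not have (vlan, user, tcp-flags, udp-option, ip-option, destination port, destination mac). firewalld has no dry-run mode for rich rules, but a runtime-only add is harmless in a scratch zone with no interfaces or sources bound and is discarded by the next reload anyway, so a syntax check can be built from add, query and remove. The script below is an added example, not part of the original page; it assumes a zone named scratch has been created for this purpose (firewall-cmd --permanent --new-zone=scratch followed by firewall-cmd --reload), and FIREWALL_CMD is an assumed hook for substituting a stub when testing off a firewalld host.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes an otherwise unused zone
# (default name scratch) with no interfaces or sources bound, so that a rule
# being live for a moment cannot affect real traffic. Requires root and a
# running firewalld unless FIREWALL_CMD (assumed hook) points at a stub.
fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# fw_try_rule ZONE RULE
# Runtime-only add (never --permanent), confirm firewalld accepted the rule,
# then remove it. Exit 0 means the syntax is valid for the installed firewalld;
# on failure firewalld's own parse error is on stderr. Runtime changes are
# discarded by a reload anyway, so nothing is left behind even if the script
# is interrupted between add and remove.
fw_try_rule() {
    zone=$1
    rule=$2
    fw --zone="$zone" --add-rich-rule="$rule" >/dev/null </dev/null || return 1
    fw --zone="$zone" --query-rich-rule="$rule" >/dev/null </dev/null || return 1
    fw --zone="$zone" --remove-rich-rule="$rule" >/dev/null </dev/null
}

# fw_check_rules ZONE < rules.txt
# One rich rule per line; blank lines and # comments are skipped. Prints a
# verdict per rule and returns non-zero if any rule was rejected.
fw_check_rules() {
    zone=$1
    bad=0
    while IFS= read -r rule; do
        case $rule in
            ''|\#*) continue ;;
        esac
        if fw_try_rule "$zone" "$rule" 2>/dev/null; then
            printf 'ok       %s\n' "$rule"
        else
            printf 'INVALID  %s\n' "$rule"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh fw_check_rules.sh scratch < rules.txt
if [ $# -ge 1 ]; then
    fw_check_rules "$1"
fi
```

Because the check runs against the installed firewalld, it also catches version differences (for example the priority= attribute or source-port, which older releases do not know), which a static grammar check would miss.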
- Example 77: Configure a zone to allow incoming traffic with a specific IP address range and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
The port element always needs a protocol. This accepts incoming TCP traffic to port 8080 from the prefix 192.168.0.0/24 in the public zone; other sources are not affected unless the zone opens the port for everyone with --add-port.
-
- Example 78: Configure a zone to block incoming traffic with a specific IP address range and port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This rejects incoming SSH (TCP port 22) traffic from 192.168.0.0/24 in the public zone, even if the ssh service is allowed in the zone, because rejecting rich rules are evaluated before allowed services.
-
- Example 79: Configure a zone to allow incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" accept'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" accept'
Each rich rule matches one address or prefix, so one command per address. For more than a handful, put the addresses in an ipset (firewall-cmd --permanent --new-ipset=allowed --type=hash:ip, then firewall-cmd --permanent --ipset=allowed --add-entry=192.168.0.10 for each) and reference it once with source ipset="allowed".
-
- Example 80: Configure a zone to block incoming traffic from multiple IP addresses
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" reject'
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.20" reject'
These reject all incoming traffic from 192.168.0.10 and 192.168.0.20 in the public zone. A block list is the typical use of an ipset: one rich rule with source ipset= and reject, and the set updated with --add-entry and --remove-entry without touching the rule.
-
- Example 81: Allow incoming traffic on a specific network interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-port=8080/tcp
Rich rules have no in-interface element; the interface is selected by zone binding. Binding eth0 to the public zone and opening 8080/tcp there allows TCP traffic to port 8080 arriving on eth0. Interfaces in other zones are unaffected unless those zones open the port too.
-
- Example 82: Block incoming traffic on a specific network interface and port
firewall-cmd --zone=public --add-interface=eth0
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" reject'
With eth0 bound to the public zone, this rejects SSH (TCP port 22) arriving on eth0 even if the ssh service is still listed in the zone, because rejecting rich rules are evaluated before allowed services. To keep SSH reachable on a management interface, bind that interface to a different zone that still allows ssh.
-
- Example 83: Configure a zone to allow incoming traffic on a specific source IP and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="80" protocol="tcp" accept'
The destination port is the port element, which needs a protocol; "destination port=" is not valid rich-rule syntax. This accepts incoming TCP traffic to port 80 from 192.168.0.10 in the public zone.
-
- Example 84: Configure a zone to block incoming traffic on a specific source IP and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" port port="443" protocol="tcp" reject'
This rejects incoming TCP traffic to port 443 from 192.168.0.10 in the public zone, overriding any service or port in the zone that would otherwise accept it.
-
- Example 85: Configure a zone to allow incoming traffic on a specific source IP range and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="8080" protocol="tcp" accept'
This accepts incoming TCP traffic to port 8080 from the prefix 192.168.0.0/24 in the public zone (the port element requires the protocol).
-
- Example 86: Configure a zone to block incoming traffic on a specific source IP range and destination port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="22" protocol="tcp" reject'
This rejects incoming SSH (TCP port 22) traffic from the prefix 192.168.0.0/24 in the public zone.
-
- Example 87: Configure a zone to allow incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
-
- Example 88: Configure a zone to block incoming traffic on a specific source IP and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP address 203.0.113.100.
-
- Example 89: Configure a zone to allow incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
-
- Example 90: Configure a zone to block incoming traffic on a specific source IP range and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP address 203.0.113.100.
-
- Example 91: Configure a zone to allow incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
-
- Example 92: Configure a zone to block incoming traffic on a specific source IP and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.10" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP address 192.168.0.10 to the IP range 203.0.113.0/24.
-
- Example 93: Configure a zone to allow incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" accept'
This command configures the public zone to allow incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
-
- Example 94: Configure a zone to block incoming traffic on a specific source IP range and destination IP range
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" destination address="203.0.113.0/24" reject'
This command configures the public zone to block incoming traffic from the IP range 192.168.0.0/24 to the IP range 203.0.113.0/24.
-
- Example 95: Configure a zone to allow incoming traffic on a specific source MAC and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" accept'
This command configures the public zone to allow incoming traffic from the specific MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
-
- Example 96: Configure a zone to block incoming traffic on a specific source MAC and destination IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source mac="00:11:22:33:44:55" destination address="203.0.113.100" reject'
This command configures the public zone to block incoming traffic from the specific MAC address 00:11:22:33:44:55 to the IP address 203.0.113.100.
-
- Example 97: Match a range of source MAC addresses
The rich language accepts only a complete MAC address in source mac= (six colon-separated bytes); a mask or range such as 00:11:22:00:00:00/FF:FF:FF:00:00:00 is rejected as invalid. To cover several machines, add one rule per MAC address, or put them in an ipset of type hash:mac (firewall-cmd --permanent --new-ipset=lab --type=hash:mac, then firewall-cmd --permanent --ipset=lab --add-entry=00:11:22:33:44:55 for each) and write a single rule with source ipset="lab", destination address="203.0.113.100" and the accept or reject action.
-
- Example 99: Configure a zone to allow incoming traffic on a specific protocol and source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source-port port="12345" protocol="tcp" accept'
The protocol is given inside the source-port element; a separate protocol element cannot be combined with it (a rich rule has exactly one element), and "source port=" is not valid. This accepts incoming TCP segments with source port 12345 in the public zone.
-
- Example 100: Configure a zone to block incoming traffic on a specific protocol and source port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" protocol="udp