Some Simple FirewallD Examples
Using firewall-cmd to check the firewall's current state
To verify the current state of the firewall, use the --state option of firewall-cmd. As the output below shows, firewalld is currently in the running state.
[root@localhost ~]# firewall-cmd --state
running
Using firewall-cmd to list allowed services
To list all services allowed through the firewall for the default zone, use the --list-services option of firewall-cmd. As the output shows, the dhcpv6-client, http, https and ssh services are currently allowed for the public zone.
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client http https ssh
--list-services :
List services added for zone as a space separated list. If zone is omitted, default zone will be used.
Using firewall-cmd to list allowed ports
To list all ports allowed through the firewall for a zone, use the --list-ports option as shown below. Here you can see all the ports allowed for the default public zone.
[root@localhost ~]# firewall-cmd --list-ports
6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 3456/tcp 4800/tcp
--list-ports :
List ports added for zone as a space separated list. If zone is omitted, default zone will be used.
Listing active zones using firewall-cmd
To list the currently active zones and the interfaces associated with each of them, use the --get-active-zones option of firewall-cmd.
[root@localhost ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3
--get-active-zones :
Print currently active zones altogether with interfaces and sources used in these zones.
Permit a block of addresses to access ssh
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept'
Remove the above rule (the rule was added with --permanent, so --permanent is needed here too; without it only the running rule set changes and the rule returns at the next reload)
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept'
Permit a block of addresses to access a non-standard service port
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port port=8443 protocol=tcp accept'
Remove the above rule (again with --permanent, matching the add)
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port port=8443 protocol=tcp accept'
Permit ssh connections from anywhere
firewall-cmd --zone=public --add-service=ssh --permanent
Remove a single service
firewall-cmd --zone=public --remove-service=ssh --permanent
Permit access to a selected port (firewall-cmd requires the protocol as part of the port; tcp is assumed here)
firewall-cmd --zone=public --add-port=2443/tcp --permanent
Permit snmp from a selected address range
firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="10.254.253.0/24" port port=161 protocol=udp accept'
All the above commands need to be followed by
firewall-cmd --reload
in order for them to take effect, because --permanent only writes the saved configuration and does not change the running rule set until a reload.
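The listing commands above (--list-services, --list-ports, --get-active-zones) and the --permanent / --reload workflow both leave two questions for whoever reviews the host: which entries are reachable from any source rather than from a restricted range, and whether the running rules still match the saved ones. The script below is an added example written for this page, not code from the article or from the firewalld project. It parses text in the shape of `firewall-cmd --zone=public --list-all` output; the sample text, the zone contents and the function names exposed_to_any and zone_drift are constructed for the example, and it assumes a POSIX sh with awk, diff and mktemp.

```shell
#!/bin/sh
# Added audit helpers for the checks on this page (not part of the original
# article). Assumes POSIX sh with awk, diff and mktemp; the function names and
# the sample zone text below are this example's own.

# Constructed sample of `firewall-cmd --zone=public --list-all` output, built to
# mirror the zone, interface, services and ports shown on this page.
SAMPLE_RUNTIME='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: dhcpv6-client http https ssh
  ports: 6443/tcp 2379-2380/tcp 10250/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed `--permanent --list-all` view of the same zone: it still carries
# the ssh rich rule, as happens when --remove-rich-rule is run without
# --permanent (only the runtime set changes, the saved rule comes back on reload).
SAMPLE_PERMANENT=$(printf '%s\n%s' "$SAMPLE_RUNTIME" \
    '  rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept')

# Read --list-all style text on stdin and print one line per entry reachable
# from any source ("any service ssh", "any port 6443/tcp"). Rich rules with a
# source address are reported as restricted; a zone bound to sources exposes
# nothing to arbitrary addresses and is reported as such.
exposed_to_any() {
    awk '
        /^  sources:/  { for (i = 2; i <= NF; i++) srcs = srcs (srcs ? " " : "") $i }
        /^  services:/ { for (i = 2; i <= NF; i++) svc[++ns] = $i }
        /^  ports:/    { for (i = 2; i <= NF; i++) prt[++np] = $i }
        /^[ \t]*rule / {
            line = $0; sub(/^[ \t]+/, "", line)
            if (match(line, /source address="[^"]*"/)) {
                # strip the 16-character prefix source address=" and the closing quote
                src = substr(line, RSTART + 16, RLENGTH - 17)
                print "restricted to " src ": " line
            } else {
                print "any rich rule: " line
            }
        }
        END {
            if (srcs != "") { print "zone bound to sources " srcs "; nothing open to any"; exit }
            for (i = 1; i <= ns; i++) print "any service " svc[i]
            for (i = 1; i <= np; i++) print "any port " prt[i]
        }'
}

# Compare the runtime and permanent views of a zone (two strings). Prints the
# differing lines and returns non-zero when they diverge, i.e. when the next
# firewall-cmd --reload will silently change the running rules.
zone_drift() {
    _a=$(mktemp) && _b=$(mktemp) || return 2
    printf '%s\n' "$1" > "$_a"
    printf '%s\n' "$2" > "$_b"
    diff "$_a" "$_b"
    _rc=$?
    rm -f "$_a" "$_b"
    return $_rc
}

# Offline demonstration on the constructed samples.
echo "== entries reachable from any source (runtime view) =="
printf '%s\n' "$SAMPLE_RUNTIME" | exposed_to_any
echo "== runtime vs permanent =="
zone_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "drift: a reload will change the running rules"

# Live use on a firewalld host (root required):
#   firewall-cmd --zone=public --list-all | exposed_to_any
#   zone_drift "$(firewall-cmd --zone=public --list-all)" \
#              "$(firewall-cmd --permanent --zone=public --list-all)"
```

On a real host the two live commands at the bottom replace the constructed samples; a non-zero return from zone_drift after any --remove-* command is the sign that --permanent was left off and the rule will reappear at the next reload.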