Manage and Configure Linux FirewallD ( firewall-cmd )

By on November 29th, 2016

FirewallD is the default method in Rhel7 for managing host-level firewalls. Started from the firewalld.service, firewalld manages the Linux kernel net filter subsystem using the low-level iptables, ip6tables, and ebtables commands. FirewallD separates all incoming traffic into zones, with each zone having its own set of rules. To check which zone to use for an incoming connection, firewalld uses the logic, where the first rule that matches wins:

1) If the source address of an incoming packet matches a source rule setup for a zone, that packet will be routed through that zone.

2) If the incoming interface for a packet matches a filter setup for a zone, that zone will be used.

3) Otherwise, the default zone is used. The default zone is not a separate zone: instead, it points to one of the other zones defined on the system.

Unless overridden by an administrator or a Network Manager configuration, the default zone for any new network interface will be set to the public zone.

A number of predefined zones are shipped with firewalld, each with other own intended usage.


Managing FirewallD

FirewallD can be managed in three ways:

1) Using the command-line tool firewall-cmd

2) Using the graphical tool firewall-config

3) Using the configuration files in /etc/firewalld/.

In most cases, editing the configuration files in not recommended, but it can be useful to copy configurations in this way when using configuration management tools.


Configure firewall settings with firewall-cmd

FirewallD using the command-line tool firewall-cmd. firewall-cmd is installed as part of the main firewalld package. firewall-cmd commands, along with an explanation. Note that unless otherwise specified, almost all commands will work on the runtime configuration, unless the permanent option is specified. Many of the commands listed take the –zone=<zone> option to determine which zone they affect. If –zone is omitted from those commands, the default zone is used. While configuring a firewall, an administrator will normally apply all changes to the –permanent configuration, and then activate those changes with firewall-cmd –reload. While testing out new, and possibly dangerous, rules, an administrator can choose to work on the run-time configuration by omitting the –permanent option. In those cases, an extra option can be used to automatically remove a rule after a certain amount of time, preventing an administrator from accidentally locking out a system: –timeout=<TIMEINSECONDS>


firewall-cmd commands  

–get-defaults-zone : Query the current default zone

–set-default-zone=<zone> : Set the default zone. This changes both the run-time and the permanent configuration.

–get-zones : List all available zones

–get-services : List all predefined zones

–get-active-zones : List all zones currently in use along with their interface and source  information.

–add-source=<CIDR> : Remove the rule routing all traffic coming from the IP address

–add-interface=<interface> : Route all traffic coming from interface to the specified zone.

–change-interface=<interface> : Associate the interface with <zone> instead of its current zone.

–list-all : List all configured interfaces, sources, services, and ports for <zone>. If no –zone=option is provided, the default zone will be used.

–list-all-zones : Retrieve all information for all zones

–add-service=<service> : Allow traffic to <service>. If no –zone= option is  provided, the default zone will be used.

–add-port=<port/protocol> : Allow traffic to the <port/protocol>

–remove-service=<service> : Remove service from allowed list for the zone.

–remove-port<port/protocol> : Remove the <port/protocol> from the allowed list for the zone.

–reload : Drop the runtime configuration and apply the persistent configuration.


firewall-cmd example

The following examples show the default zone being set to dmz, all traffic comig from the network being assigned to the internal zone, and the network ports for mysql being opened on the internal zone.

[root@pc~]# firewall-cmd  –set-default-zone=dmz

[root@pc~]# firewall-cmd –permanent –zone=internal –add-source=

[root@pc~]# firewall-cmd –permanent –zone=internal –add-service=mysql

[root@pc~]# firewall-cmd –reload


firewalld configuration files

firewalld configuration files are stored in two places: /etc/firewalld and /usr/lib/firewalld. If a configuration file with the same name is stored in both locations, the version from /etc/firewalld/ will be used. This allows administrator to override default zones and settings without fear of their changes being wiped out by a package update.


If you need any further assistance please contact our support department.



Leave a Reply