Firewalld Cheat Sheet


Last updated 1 year ago

Initial information

Description
Command

Get the status of firewalld

firewall-cmd --state

Reload the firewall

firewall-cmd --reload

List of all supported zones

firewall-cmd --get-zones

List of all supported services

firewall-cmd --get-services

List of all supported icmptypes

firewall-cmd --get-icmptypes

List all zones with the enabled features

firewall-cmd --list-all-zones

Print zone with the enabled features

firewall-cmd [--zone=<zone>] --list-all

Get the default zone

firewall-cmd --get-default-zone

Set the default zone

firewall-cmd --set-default-zone=<zone>

Get active zones

firewall-cmd --get-active-zones

Get zone related to an interface

firewall-cmd --get-zone-of-interface=<interface>

Interface

Description
Command

Add an interface to a zone

firewall-cmd [--zone=<zone>] --add-interface=<interface>

Change the zone an interface belongs to

firewall-cmd [--zone=<zone>] --change-interface=<interface>

Remove an interface from a zone

firewall-cmd [--zone=<zone>] --remove-interface=<interface>

Query if an interface is in a zone

firewall-cmd [--zone=<zone>] --query-interface=<interface>

List the enabled services in a zone

firewall-cmd [--zone=<zone>] --list-services

Service

Description
Command

Enable a service in a zone

firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]

Disable a service in a zone

firewall-cmd [--zone=<zone>] --remove-service=<service>

Query if a service is enabled in a zone

firewall-cmd [--zone=<zone>] --query-service=<service>

Source

Description
Command

Enable a source in a zone

firewall-cmd [--zone=<zone>] --add-source=<address> [--timeout=<seconds>]

Disable a source in a zone

firewall-cmd [--zone=<zone>] --remove-source=<address>

Query if a source is enabled in a zone

firewall-cmd [--zone=<zone>] --query-source=<address>

ICMP

Description
Command

Enable ICMP blocks in a zone

firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>

Disable ICMP blocks in a zone

firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>

Query ICMP blocks in a zone

firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>

Example:

firewall-cmd --zone=public --add-icmp-block=echo-reply

Port and Protocol combination

Description
Command

Enable a port and protocol combination in a zone

firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]

Disable a port and protocol combination in a zone

firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>

Query if a port and protocol combination is enabled in a zone

firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

Port forwarding or Port mapping

Description
Command

Enable port forwarding or port mapping in a zone

firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

Disable port forwarding or port mapping in a zone

firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

Query port forwarding or port mapping in a zone

firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

Example:

firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Permanent

The permanent options do not affect the runtime configuration directly; a permanent change only takes effect after a reload or restart. To change both the runtime and the permanent configuration, run the command twice, once without and once with --permanent. The --permanent option needs to be the first option for all permanent calls.
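The runtime-plus-permanent pattern above, as an added example that is not part of the cheat sheet: a small POSIX sh wrapper that issues every firewall-cmd change twice (with --permanent placed first, as the note requires) and then verifies the result with the --query-* options, which exit 0 when the setting is present and 1 otherwise. FW_DRY_RUN, fw_run, fw_both and the other function names are this script's own, not firewall-cmd options; the script assumes firewall-cmd is on PATH and runs as a user allowed to change the firewall. It also enables masquerading in the zone before forwarding a port to another address, because firewalld needs masquerading in that zone for forwarding to a different host (documented firewalld behaviour, not stated on this page).

```shell
#!/bin/sh
# Added example, not from the cheat sheet. Applies a firewalld change to both
# the runtime and the permanent configuration and verifies it afterwards.
# Assumes firewall-cmd is installed; set FW_DRY_RUN=1 (a variable of this
# script, not a firewall-cmd option) to print the commands instead of running them.

# Run one firewall-cmd invocation, or print it in dry-run mode.
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Apply the same options to the runtime and the permanent configuration.
# --permanent goes first, as the cheat sheet says it must be the first option.
fw_both() {
    fw_run "$@" && fw_run --permanent "$@"
}

# Allow a service in a zone, runtime and permanent.
# usage: fw_allow_service <zone> <service>
fw_allow_service() {
    fw_both --zone="$1" --add-service="$2"
}

# Forward a port to another address in a zone, runtime and permanent.
# Forwarding to a different host needs masquerading in the same zone, so it is
# enabled first (documented firewalld behaviour, not stated on the page).
# usage: fw_forward_port <zone> <port> <proto> <toaddr>
fw_forward_port() {
    fw_both --zone="$1" --add-masquerade &&
    fw_both --zone="$1" --add-forward-port="port=$2:proto=$3:toaddr=$4"
}

# Verify that a service is enabled in both configurations; --query-service
# exits 0 if true, 1 otherwise, so the function's status is the answer.
# usage: fw_verify_service <zone> <service>
fw_verify_service() {
    fw_run --zone="$1" --query-service="$2" >/dev/null &&
    fw_run --permanent --zone="$1" --query-service="$2" >/dev/null
}

# Example session (constructed): allow ssh in the public zone and forward
# port 22 in the home zone, as on the cheat sheet, then check the service.
#   fw_allow_service public ssh
#   fw_forward_port home 22 tcp 127.0.0.2
#   fw_verify_service public ssh && echo "ssh enabled in runtime and permanent"
```

Because fw_verify_service checks runtime and permanent separately, a host whose runtime rules were changed without --permanent fails the check and the discrepancy shows up before the next reload silently drops the rule.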

Panic mode

Description
Command

Enable panic mode

firewall-cmd --enable-panic

Disable panic mode

firewall-cmd --disable-panic

Query panic mode

firewall-cmd --query-panic

Panic mode blocks all network traffic; it is meant for emergencies.

Masquerading

Description
Command

Enable masquerading in a zone

firewall-cmd [--zone=<zone>] --add-masquerade

Disable masquerading in a zone

firewall-cmd [--zone=<zone>] --remove-masquerade

Query masquerading in a zone

firewall-cmd [--zone=<zone>] --query-masquerade

Direct options

Description
Command

Pass a command through to the firewall. <args> can be all iptables, ip6tables and ebtables command line arguments.

firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>

Add a new chain <chain> to a table <table>.

firewall-cmd [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>

Remove a chain with name <chain> from table <table>.

firewall-cmd [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>

Query if a chain with name <chain> exists in table <table>. Returns 0 if true, 1 otherwise.

firewall-cmd [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>

Get all chains added to table <table> as a space separated list.

firewall-cmd [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } <table>

Add a rule with the arguments <args> to chain <chain> in table <table> with priority <priority>.

firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>

Remove a rule with the arguments <args> from chain <chain> in table <table>.

firewall-cmd [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>

Query if a rule with the arguments <args> exists in chain <chain> in table <table>. Returns 0 if true, 1 otherwise.

firewall-cmd [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>

Get all rules added to chain <chain> in table <table> as a newline separated list of arguments.

firewall-cmd [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>

firewall-cmd Cheat Sheet, Cheatography