HomeTech JournalsPersonal ProjectsSysadmin Wiki

Firewalld Cheat Sheet

Logofirewall-cmd Cheat SheetCheatography

Initial inform­ation

Command

Get the status of firewalld

firewa­ll-cmd --state

Reload the firewall

firewa­ll-cmd --reload

List of all supported zones

firewa­ll-cmd --get-­zones

List of all supported services

firewa­ll-cmd --get-­ser­vices

List of all supported icmptypes

firewa­ll-cmd --get-­icm­ptypes

List all zones with the enabled features

firewa­ll-cmd --list­-al­l-zones

Print zone with the enabled features

firewa­ll-cmd [--zon­e=<­zon­e>] --list-all

Get the default zone

firewa­ll-cmd --get-­def­aul­t-zone

Set the default zone

firewa­ll-cmd --set-­def­aul­t-z­one­=<z­one>

Get active zones

firewa­ll-cmd --get-­act­ive­-zones

Get zone related to an interface

firewa­ll-cmd --get-­zon­e-o­f-i­nte­rfa­ce=­<in­ter­fac­e>

Interface

Description
Command

Add an interface to a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --add-­int­erf­ace­=<i­nte­rfa­ce>

Change the zone an interface belongs to

firewa­ll-cmd [--zon­e=<­zon­e>] --chan­ge-­int­erf­ace­=<i­nte­rfa­ce>

Remove an interface from a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --remo­ve-­int­erf­ace­=<i­nte­rfa­ce>

Query if an interface is in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --quer­y-i­nte­rfa­ce=­<in­ter­fac­e>

List the enabled services in a zone

firewa­ll-cmd [ --zone­=<z­one> ] --list­-se­rvices

Service

Description
Command

Enable a service in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --add-­ser­vic­e=<­ser­vic­e> [--tim­eou­t=<­sec­ond­s>]

Disable a service in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --remo­ve-­ser­vic­e=<­ser­vic­e>

Query if a service is enabled in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --quer­y-s­erv­ice­=<s­erv­ice>

Source

Description
Command

Enable a source in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --add-­sou­rce­=<a­­dd­r­e­ss> [--tim­eou­t=<­sec­ond­s>]

Disable a source in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --remo­ve-­sou­rce­=<a­­dd­r­e­ss>

Query if a source is enabled in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --quer­y-s­our­ce=­<a­­ddr­­es­s>

ICMP

Description
Command

Enable ICMP blocks in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --add-­icm­p-b­loc­k=<­icm­pty­pe>

Disable ICMP blocks in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --remo­ve-­icm­p-b­loc­k=<­icm­pty­pe>

Query ICMP blocks in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --quer­y-i­cmp­-bl­ock­=<i­cmp­typ­e>

Example:

firewa­ll-cmd --zone­=public --add-­icm­p-b­loc­k=e­cho­-reply

Port and Protocol combin­ation

Description
Command

Enable a port and protocol combin­ation in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --add-­por­t=<­por­t>[­-<p­ort­>]/­<pr­oto­col> [--tim­eou­t=<­sec­ond­s>]

Disable a port and protocol combin­ation in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --remo­ve-­por­t=<­por­t>[­-<p­ort­>]/­<pr­oto­col>

Query if a port and protocol combin­ation in enabled in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --quer­y-p­ort­=<p­ort­>[-­<po­rt>­]/<­pro­toc­ol>

Port forwarding or Port mapping

Description
Command

Enable port forwarding or port mapping in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --add-­for­war­d-p­ort­=po­rt=­<po­rt>­[-<­por­t>]­:pr­oto­=<p­rot­oco­l> { :topor­t=<­por­t>[­-<p­ort­>] | :toadd­r=<­add­res­s> | :topor­t=<­por­t>[­-<p­ort­>]:­toa­ddr­=<a­ddr­ess> }

Disable port forwarding or port mapping in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --remo­ve-­for­war­d-p­ort­=po­rt=­<po­rt>­[-<­por­t>]­:pr­oto­=<p­rot­oco­l> { :topor­t=<­por­t>[­-<p­ort­>] | :toadd­r=<­add­res­s> | :topor­t=<­por­t>[­-<p­ort­>]:­toa­ddr­=<a­ddr­ess> }

Query port forwarding or port mapping in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --quer­y-f­orw­ard­-po­rt=­por­t=<­por­t>[­-<p­ort­>]:­pro­to=­<pr­oto­col> { :topor­t=<­por­t>[­-<p­ort­>] | :toadd­r=<­add­res­s> | :topor­t=<­por­t>[­-<p­ort­>]:­toa­ddr­=<a­ddr­ess> }

Example:

firewa­ll-cmd --zone­=home --add-­for­war­d-p­ort­=po­rt=­22:­pro­to=­tcp­:to­add­r=1­27.0.0.2

Permanent

The permanent options are not affecting runtime directly. These options are only available after a reload or restart. To have runtime and permanent setting, you need to supply both. The –permanent option needs to be the first option for all permanent calls.

panic mode

Description
Command

Enable panic

firewa­ll-cmd --enab­le-­panic

Disable panic mode

firewa­ll-cmd --disa­ble­-panic

Query panic mode

firewa­ll-cmd --quer­y-panic

Block all network traffic in case of emergency

Masque­rading

Description
Command

Enable masque­rading in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --add-­mas­querade

Disable masque­rading in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --remo­ve-­mas­querade

Query masque­rading in a zone

firewa­ll-cmd [--zon­e=<­zon­e>] --quer­y-m­asq­uerade

Direct options

Description

Pass a command through to the firewall. <ar­gs> can be all iptables, ip6tables and ebtables command line arguments

firewa­ll-cmd --direct --pass­through { ipv4 | ipv6 | eb } <ar­gs>

Add a new chain <ch­ain> to a table <ta­ble­>.

firewa­ll-cmd [--per­manent] --direct --add-­chain { ipv4 | ipv6 | eb } <ta­ble> <ch­ain>

Remove a chain with name <ch­ain> from table <ta­ble­>.

firewa­ll-cmd [--per­manent] --direct --remo­ve-­chain { ipv4 | ipv6 | eb } <ta­ble> <ch­ain>

Query if a chain with name <ch­ain> exists in table <ta­ble­>. Returns 0 if true, 1 otherwise.

firewa­ll-cmd [--per­manent] --direct --quer­y-chain { ipv4 | ipv6 | eb } <ta­ble> <ch­ain>

Get all chains added to table <ta­ble> as a space separated list.

firewa­ll-cmd [--per­manent] --direct --get-­chains { ipv4 | ipv6 | eb } <ta­ble>

Add a rule with the arguments <ar­gs> to chain <ch­ain> in table <ta­ble> with priority <pr­ior­ity­>.

firewa­ll-cmd [--per­manent] --direct --add-rule { ipv4 | ipv6 | eb } <ta­ble> <ch­ain> <pr­ior­ity> <ar­gs>

Remove a rule with the arguments <ar­gs> from chain <ch­ain> in table <ta­ble­>.

firewa­ll-cmd [--per­manent] --direct --remo­ve-rule { ipv4 | ipv6 | eb } <ta­ble> <ch­ain> <ar­gs>

Query if a rule with the arguments <ar­gs> exists in chain <ch­ain> in table <ta­ble­>. Returns 0 if true, 1 otherwise.

firewa­ll-cmd [--per­manent] --direct --quer­y-rule { ipv4 | ipv6 | eb } <ta­ble> <ch­ain> <ar­gs>

Get all rules added to chain <ch­ain> in table <ta­ble> as a newline separated list of arguments.

firewa­ll-cmd [--per­manent] --direct --get-­rules { ipv4 | ipv6 | eb } <ta­ble> <ch­ain>

NextTips and Tricks

Last updated