Cheatsheet & Examples: firewall-cmd
firewall-cmd is the command-line client for firewalld, the dynamic firewall manager on many Linux distributions. It configures zones, services, ports, source bindings and other rules that decide which traffic a host accepts. Two defaults matter for every entry below: a command without --zone acts on the default zone (not necessarily the zone your interface is in), and a command without --permanent changes only the running configuration, which is lost on --reload or restart.
Check if firewalld is running
Example Usage:
firewall-cmd --state
What it does: Reports whether the firewalld daemon is running. Every other firewall-cmd command needs the daemon up, so this is the first check in any script.
Command-line Arguments Explained:
--state: Prints "running" or "not running" and exits with status 0 if running, 252 if not (firewall-cmd's NOT_RUNNING code), so it can be used directly as a shell condition.
Add a Port to the Default Zone (Runtime)
Example Usage:
firewall-cmd --add-port=80/tcp
What it does: Opens a port (80 here, HTTP) for a protocol in the default zone's running configuration. Without --permanent the change disappears at the next --reload or firewalld restart.
Command-line Arguments Explained:
--add-port=80/tcp: Port and protocol, written as port[-port]/protocol with protocol one of tcp, udp, sctp or dccp; a range such as 8000-8080/tcp is accepted. Add --zone=<zone> to target a zone other than the default.
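The port spec syntax above is the usual point where a wrapper script forwards unchecked input to firewall-cmd. As an added example (not part of the original cheatsheet and not firewalld's own code), this POSIX shell snippet validates a spec before use and wraps the runtime and permanent add in one call; the function names valid_port_spec and fw_add_port and the sample specs are this example's own. Only the validator runs below; fw_add_port is defined but not invoked, since it would modify the host's firewall.

```sh
# Validate a firewalld port spec of the form port[-port]/{tcp,udp,sctp,dccp}
# so a wrapper never passes junk on to firewall-cmd. Returns 0 if valid.
valid_port_spec() {
    spec=$1
    # Protocol must be one firewalld accepts.
    case $spec in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    ports=${spec%/*}
    # Split an optional low-high range; a single port is its own range.
    case $ports in
        *-*) low=${ports%-*}; high=${ports#*-} ;;
        *)   low=$ports;      high=$ports ;;
    esac
    for p in "$low" "$high"; do
        # Digits only, then 1..65535.
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    # Ranges must not be inverted (8080-8000/tcp is rejected).
    [ "$low" -le "$high" ]
}

# Hypothetical wrapper: validate, then open the port in a named zone both at
# runtime and in the permanent configuration. Aborts before touching firewalld
# if the spec is malformed. Defined here but not called.
fw_add_port() {
    zone=$1; spec=$2
    valid_port_spec "$spec" || { echo "rejected port spec: $spec" >&2; return 2; }
    firewall-cmd --zone="$zone" --add-port="$spec" &&
        firewall-cmd --permanent --zone="$zone" --add-port="$spec"
}

# Constructed inputs for a dry check of the validator (no firewalld needed).
for s in 80/tcp 8000-8080/udp 443 99999/tcp 80/icmp 8080-8000/tcp; do
    if valid_port_spec "$s"; then echo "ok      $s"; else echo "reject  $s"; fi
done
```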
Add a Service to the Default Zone (Runtime)
Example Usage:
firewall-cmd --add-service=http
What it does: Enables a predefined service (a named bundle of ports and protocols, such as http or https) in the default zone's running configuration.
Command-line Arguments Explained:
--add-service=http: Allows the ports defined by the http service (80/tcp) in the default zone. Service definitions live in /usr/lib/firewalld/services/ (local overrides in /etc/firewalld/services/); firewall-cmd --get-services lists the available names and --info-service=<name> shows what a given service opens, which is worth checking before trusting a name.
List Active Zones and Their Interfaces
Example Usage:
firewall-cmd --get-active-zones
What it does: Displays the active zones, meaning zones with at least one interface or source bound to them, together with those bindings. Configured zones with nothing bound are not listed.
Command-line Arguments Explained:
--get-active-zones: Prints each active zone name followed by indented "interfaces:" and/or "sources:" lines. Use it to confirm which zone an interface actually belongs to before adding rules, since rules added without --zone go to the default zone, which may not be that one.
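Scripts that audit zone bindings usually parse --get-active-zones output rather than read it by eye. As an added example (not from the original page and not firewalld's own code), the following POSIX shell functions turn that output into interface/zone pairs and pull out the sources bound to a zone; the sample output is constructed to match the command's format, and the function names are this example's own. In real use, pass "$(firewall-cmd --get-active-zones)" instead of the sample.

```sh
# Constructed sample of `firewall-cmd --get-active-zones` output (not captured
# from a real host). Zone names are flush left; bindings are indented.
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0 eth1
trusted
  interfaces: eth2
  sources: 10.0.0.0/8 192.168.1.100'

# Print one "interface zone" pair per line.
active_zone_map() {
    printf '%s\n' "$1" | awk '
        /^[^ ]/             { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i, zone }
    '
}

# Print the zone an interface is bound to; exit 1 if it is not bound anywhere.
zone_of_interface() {
    active_zone_map "$1" | awk -v ifc="$2" '
        $1 == ifc { print $2; found = 1 }
        END       { exit !found }
    '
}

# Print the source addresses/ranges bound to a zone, space separated.
zone_sources() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[^ ]/ { zone = $1; next }
        $1 == "sources:" && zone == want {
            for (i = 2; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
        }
    '
}

# Demonstration on the constructed sample.
active_zone_map "$SAMPLE_ACTIVE_ZONES"
echo "eth2 is in zone: $(zone_of_interface "$SAMPLE_ACTIVE_ZONES" eth2)"
# Anything bound to trusted bypasses filtering, so this list deserves review.
echo "sources bound to trusted: $(zone_sources "$SAMPLE_ACTIVE_ZONES" trusted)"
```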
Check if a Port is Open in the Default Zone
Example Usage:
firewall-cmd --query-port=80/tcp
What it does: Reports whether the port/protocol is currently allowed in the default zone's running configuration (add --permanent to check the saved configuration instead, or --zone=<zone> for another zone).
Command-line Arguments Explained:
--query-port=80/tcp: Prints "yes" or "no" and exits with status 0 or 1 respectively, so it works directly as a shell condition.
Set the Default Zone
Example Usage:
firewall-cmd --set-default-zone=public
What it does: Makes the named zone the default. Interfaces and sources not explicitly bound to a zone, and any firewall-cmd call without --zone, use the default zone. This option changes both the runtime and the permanent configuration at once, so no --permanent or --reload is needed.
Command-line Arguments Explained:
--set-default-zone=public: Sets the default zone to "public". Check the current value with --get-default-zone and the configured zones with --get-zones.
Add a Service Permanently
Example Usage:
firewall-cmd --add-service=http --permanent
What it does: Writes the service into the default zone's saved (permanent) configuration so it survives reboots. It does not change the running firewall: the port stays closed until firewall-cmd --reload or a firewalld restart. To open it now and keep it, run the command twice, once with and once without --permanent, or make the runtime change and then save everything with firewall-cmd --runtime-to-permanent.
Command-line Arguments Explained:
--add-service=http: Adds the HTTP service to the default zone.
--permanent: Applies the change to the saved configuration only (files under /etc/firewalld/) instead of the running one.
Reload Firewalld Configuration
Example Usage:
firewall-cmd --reload
What it does: Replaces the running configuration with the saved (permanent) one without restarting the firewalld service. Established connections are kept, but every runtime-only change made without --permanent is discarded, including any emergency block added by hand. Run firewall-cmd --runtime-to-permanent first if something added at runtime needs to survive.
Command-line Arguments Explained:
--reload: Loads the permanent configuration into the runtime. Compare firewall-cmd --list-all with firewall-cmd --permanent --list-all beforehand to see what the reload will change.
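Because --reload discards runtime-only changes, it is worth knowing what differs between the running and saved configuration before reloading. As an added example (not from the original page and not firewalld's own code), the shell functions below compare a field such as services or ports between two --list-all outputs and report entries present in one but not the other. The two configuration dumps are constructed samples in the format firewall-cmd --list-all prints, and the function names zone_field and only_in are this example's own. In real use, pass "$(firewall-cmd --list-all)" and "$(firewall-cmd --permanent --list-all)".

```sh
# Constructed stand-ins for `firewall-cmd --list-all` (runtime) and
# `firewall-cmd --permanent --list-all` (saved). Not captured from a real host.
RUNTIME_CONF='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client http ssh
  ports: 8443/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

PERMANENT_CONF='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# zone_field CONF FIELD: print the values of one --list-all field
# (e.g. services, ports) as a sorted, newline-separated list.
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        $1 == key { for (i = 2; i <= NF; i++) print $i }
    ' | sort
}

# only_in FIELD CONF_A CONF_B: entries of FIELD present in CONF_A but not CONF_B.
# only_in services "$runtime" "$permanent" lists what a --reload would drop;
# swapping the arguments lists what a --reload would newly open.
only_in() {
    field=$1; conf_a=$2; conf_b=$3
    zone_field "$conf_a" "$field" | while IFS= read -r item; do
        if ! zone_field "$conf_b" "$field" | grep -qxF -- "$item"; then
            printf '%s\n' "$item"
        fi
    done
}

# Report runtime-only entries: these vanish at the next firewall-cmd --reload.
for f in services ports; do
    only_in "$f" "$RUNTIME_CONF" "$PERMANENT_CONF" | sed "s/^/runtime-only $f: /"
done
# Report permanent-only entries: these appear once --reload runs.
for f in services ports; do
    only_in "$f" "$PERMANENT_CONF" "$RUNTIME_CONF" | sed "s/^/permanent-only $f: /"
done
```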
Remove a Port from the Default Zone
Example Usage:
firewall-cmd --remove-port=80/tcp
What it does: Closes the port/protocol in the default zone's running configuration. Like the add operations, this is runtime only unless repeated with --permanent, so a port removed without --permanent reopens at the next --reload.
Command-line Arguments Explained:
--remove-port=80/tcp: Removes the port (80) and protocol (tcp) from the default zone.
Check if a Service is Allowed
Example Usage:
firewall-cmd --query-service=http
What it does: Reports whether the named service is currently allowed in the default zone's running configuration.
Command-line Arguments Explained:
--query-service=http: Prints "yes" or "no" with exit status 0 or 1, the same convention as --query-port.
Bind Traffic from a Specific Source to a Zone
Example Usage:
firewall-cmd --zone=internal --add-source=192.168.1.100
What it does: Binds traffic arriving from the source address (a single IP or a CIDR range such as 192.168.1.0/24) to the named zone. A source binding allows nothing by itself: packets from that address are evaluated against the zone's rules and are accepted only as far as that zone permits. Source bindings are matched before interface bindings, which is how one host can be given a different policy from the rest of the network on the same interface.
Command-line Arguments Explained:
--zone=internal: The zone to bind the source to (here the predefined internal zone). Without --zone the source is added to the default zone, which changes nothing if the traffic would land there anyway.
--add-source=192.168.1.100: The address or network to bind. Runtime only unless combined with --permanent; a source can belong to only one zone at a time.
Bind an Interface to the Trusted Zone
Example Usage:
firewall-cmd --zone=trusted --change-interface=eth0
What it does: Moves the interface (eth0 here, as an example name) into the "trusted" zone, whose target is ACCEPT: all traffic arriving on that interface is allowed with no further filtering. Treat this as switching the firewall off for that interface; prefer a restrictive zone with only the needed services added.
Command-line Arguments Explained:
--zone=trusted: Selects the zone the next option acts on (without it, the default zone is used).
--change-interface=eth0: Rebinds the interface to that zone, removing it from whatever zone it was in. Runtime only unless combined with --permanent. For an interface managed by NetworkManager, set the zone on the connection profile instead (nmcli connection modify <name> connection.zone trusted) so the binding survives reconnects.