Working with Firewalld
firewall-cmd
Exercise 22.1 Managing the Firewall with Firewall-cmd
- Open a root shell. Type firewall-cmd --get-default-zone. This shows the current default zone, which by default is set to public.
- To see which zones are available, type firewall-cmd --get-zones.
- Now show the services that are available on your server by using firewall-cmd --get-services. Notice that the firewall-cmd --get options show what is available on your server.
- To see which services are currently allowed in the current zone, type firewall-cmd --list-services. You'll see a short list containing a Dynamic Host Configuration Protocol (DHCP) client as well as Secure Shell (SSH).
- Now type firewall-cmd --list-all. Look at the output and compare it to the result of firewall-cmd --list-all --zone=public. Both commands show a complete overview of the current firewall configuration, as shown in Listing 22.3. Notice that you see much more than just the zone and the services that are configured in that zone; you also see information about the interfaces and more advanced items.
- Type firewall-cmd --add-service=vnc-server to add the VNC server to the configuration of the firewall. Verify using firewall-cmd --list-all.
- Type systemctl restart firewalld and repeat firewall-cmd --list-all. Notice that the vnc-server service is no longer listed: a change made without --permanent only lives in the runtime configuration and is lost when the service restarts.
- Add the vnc-server service again, but make it permanent this time, using firewall-cmd --add-service vnc-server --permanent.
- Type firewall-cmd --list-all again to verify. You'll see that VNC server is not listed. Services that have been added to the on-disk configuration are not added automatically to the runtime configuration. Type firewall-cmd --reload to reload the on-disk configuration into the runtime configuration.
- Type firewall-cmd --add-port=2022/tcp --permanent, followed by firewall-cmd --reload. Verify using firewall-cmd --list-all. You'll see that a port has now been added to the firewalld configuration.
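The exercise shows the two ways the runtime and permanent views of a zone drift apart: a service added without --permanent vanishes on restart, and a --permanent change is not active until --reload. The script below is an added example, not code from the book, that makes both kinds of drift visible for one zone by comparing the output of firewall-cmd --list-services and --list-ports with and without --permanent. The FIREWALL_CMD variable, the helper names and the output format are assumptions of this example, not firewalld features.

```shell
#!/bin/sh
# Added example (not from the book): report drift between firewalld's runtime
# configuration and its permanent (on-disk) configuration for a zone.

# The command to call; overridable so a wrapper such as "sudo firewall-cmd" can
# be substituted. This variable is an assumption of the example, not firewalld's.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Print a zone's services and ports, one per line and tagged by kind.
# $1 = zone; $2 = "" for the runtime view or "--permanent" for the on-disk view.
list_zone_items() {
    zone=$1
    mode=$2   # left unquoted below so an empty mode adds no argument
    for s in $($FIREWALL_CMD $mode --zone="$zone" --list-services); do
        printf 'service:%s\n' "$s"
    done
    for p in $($FIREWALL_CMD $mode --zone="$zone" --list-ports); do
        printf 'port:%s\n' "$p"
    done
}

# Compare the two views of a zone (default: public). Prints
#   runtime-only <item>     active now, but lost on "systemctl restart firewalld"
#   permanent-only <item>   on disk, but not active until "firewall-cmd --reload"
# Returns 0 when the views match and 1 when any drift was found.
firewall_drift() {
    zone=${1:-public}
    runtime=$(list_zone_items "$zone" "" | sort)
    permanent=$(list_zone_items "$zone" --permanent | sort)
    drift=0
    for item in $runtime; do
        if ! printf '%s\n' "$permanent" | grep -qxF -- "$item"; then
            printf 'runtime-only %s\n' "$item"
            drift=1
        fi
    done
    for item in $permanent; do
        if ! printf '%s\n' "$runtime" | grep -qxF -- "$item"; then
            printf 'permanent-only %s\n' "$item"
            drift=1
        fi
    done
    return $drift
}

# Run directly with a zone name, e.g.: sh firewall-drift.sh public
if [ "$#" -gt 0 ]; then
    firewall_drift "$1"
fi
```

Run it right after step 6 of the exercise and it reports vnc-server as runtime-only; run it after step 7 and it reports vnc-server as permanent-only until you reload. A non-zero exit status makes it usable as a post-change check in configuration management, where silent runtime-only rules are the usual way an "open" port survives only until the next reboot.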
Common firewall-cmd Options
Firewall-cmd Options | Explanation
---|---
--get-zones | Lists all available zones
--get-default-zone | Shows the zone currently set as default zone
--set-default-zone=<ZONE> | Changes the default zone
--get-services | Shows all available services
--list-services | Shows services currently in use
--add-service=<service-name> [--zone=<ZONE>] | Adds a service to the current default zone or the zone that is specified
--remove-service=<service-name> | Removes a service from the configuration
--list-all [--zone=<ZONE>] | Lists all configurations in a zone
--add-port=<port/protocol> [--zone=<ZONE>] | Adds a port and protocol
--remove-port=<port/protocol> [--zone=<ZONE>] | Removes a port from the configuration
--add-interface=<INTERFACE> [--zone=<ZONE>] | Adds an interface to the default zone or a specific zone that is specified
--remove-interface=<INTERFACE> [--zone=<ZONE>] | Removes an interface from a specific zone
--add-source=<ipaddress/netmask> [--zone=<ZONE>] | Adds a specific IP address
--remove-source=<ipaddress/netmask> [--zone=<ZONE>] | Removes an IP address from the configuration
--permanent | Writes configuration to disk and not to run-time
--reload | Reloads the on-disk configuration