
Change the Firewall Settings Using the Command Line Interface (CLI)

In the document Red Hat Enterprise Linux 7 Security Guide (Page 79-84)


4.5.14.4. Change the Firewall Settings Using the Command Line Interface (CLI)

4.5.14.4.1. Drop All Packets (Panic Mode)

To start dropping all incoming and outgoing packets, enter the following command as root:

~]# firewall-cmd --panic-on

All incoming and outgoing packets will be dropped. Active connections will be terminated after a period of inactivity; the time taken depends on the individual session timeout values.

To start passing incoming and outgoing packets again, enter the following command as root:

~]# firewall-cmd --panic-off

After disabling panic mode, established connections might work again if panic mode was enabled for a short period of time.

To find out if panic mode is enabled or disabled, enter the following command:

~]$ firewall-cmd --query-panic

Prints yes with exit status 0 if enabled, prints no with exit status 1 otherwise.

4.5.14.4.2. Reload the Firewall Using the Command Line Interface (CLI)

To reload the firewall without interrupting user connections, that is to say, without losing state information, enter the following command as root:

~]# firewall-cmd --reload

To reload the firewall and interrupt user connections, that is to say, to discard state information, enter the following command as root:

~]# firewall-cmd --complete-reload

This command should normally only be used in case of severe firewall problems, for example, if there are state information problems and no connection can be established but the firewall rules are correct.

4.5.14.4.3. Add an Interface to a Zone Using the Command Line Interface (CLI)

To add an interface to a zone, for example to add em1 to the public zone, enter the following command as root:

~]# firewall-cmd --zone=public --add-interface=em1

To make this setting permanent, add the --permanent option and reload the firewall.

4.5.14.4.4. Add an Interface to a Zone by Editing the Interface Configuration File

To add an interface to a zone by editing the ifcfg-em1 configuration file, for example to add em1 to the work zone, as root use an editor to add the following line to ifcfg-em1:

ZONE=work

Note that if you omit the ZONE option, or use ZONE=, or ZONE='', then the default zone will be used.

NetworkManager will automatically reconnect and the zone will be set accordingly.

4.5.14.4.5. Configure the Default Zone by Editing the firewalld Configuration File

As root, open /etc/firewalld/firewalld.conf and edit the file as follows:

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home

Reload the firewall by entering the following command as root:

~]# firewall-cmd --reload

This will reload the firewall without losing state information (TCP sessions will not be interrupted).

4.5.14.4.6. Set the Default Zone by Using the Command Line Interface (CLI)

To set the default zone, for example to public, enter the following command as root:

~]# firewall-cmd --set-default-zone=public

This change will take immediate effect and in this case it is not necessary to reload the firewall.

4.5.14.4.7. Open Ports in the Firewall Using the Command Line Interface (CLI)

List all open ports for a zone, for example dmz, by entering the following command as root:

~]# firewall-cmd --zone=dmz --list-ports

Note that this will not show ports opened as a result of the --add-services command.

To add a port to a zone, for example to allow TCP traffic to port 8080 to the dmz zone, enter the following command as root:

~]# firewall-cmd --zone=dmz --add-port=8080/tcp

To make this setting permanent, add the --permanent option and reload the firewall.

To add a range of ports to a zone, for example to allow the ports from 5060 to 5061 to the public zone, enter the following command as root:

~]# firewall-cmd --zone=public --add-port=5060-5061/udp

To make this setting permanent, add the --permanent option and reload the firewall.

4.5.14.4.8. Add a Service to a Zone Using the Command Line Interface (CLI)

To add a service to a zone, for example to allow SMTP to the work zone, enter the following command as root:

~]# firewall-cmd --zone=work --add-service=smtp

To make this setting permanent, add the --permanent option and reload the firewall.

4.5.14.4.9. Remove a Service from a Zone Using the Command Line Interface (CLI)

To remove a service from a zone, for example to remove SMTP from the work zone, enter the following command as root:

~]# firewall-cmd --zone=work --remove-service=smtp

Add the --permanent option to make the change persist after system boot. If using this option and you wish to make the change immediate, reload the firewall by entering the following command as root:

~]# firewall-cmd --reload

Note, this will not break established connections. If that is your intention, you could use the --complete-reload option, but this will break all established connections, not just for the service you have removed.

4.5.14.4.10. Add a Service to a Zone by Editing XML Files

To view the default zone files, enter the following command as root:

~]# ls /usr/lib/firewalld/zones/

block.xml drop.xml home.xml public.xml work.xml dmz.xml external.xml internal.xml trusted.xml

These files must not be edited. They are used by default if no equivalent file exists in the /etc/firewalld/zones/ directory.

To view the zone files that have been changed from the default, enter the following command as root:

~]# ls /etc/firewalld/zones/

external.xml public.xml public.xml.old

In the example shown above, the work zone file does not exist. To add the work zone file, enter the following command as root:

~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/

You can now edit the file in the /etc/firewalld/zones/ directory. If you delete the file, firewalld will fall back to using the default file in /usr/lib/firewalld/zones/.

To add a service to a zone, for example to allow SMTP to the work zone, use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file to include the following line:

<service name="smtp"/>

4.5.14.4.11. Remove a Service from a Zone by Editing XML Files

An editor running with root privileges is required to edit the XML zone files. To view the files for previously configured zones, enter the following command as root:

~]# ls /etc/firewalld/zones/

external.xml public.xml work.xml

To remove a service from a zone, for example to remove SMTP from the work zone, use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file to remove the following line:

<service name="smtp"/>

If no other changes have been made to the work.xml file, it can be removed and firewalld will use the default /usr/lib/firewalld/zones/work.xml configuration file after the next reload or system boot.
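As an added example (not part of the Red Hat guide), a small POSIX shell check for the fallback behaviour described in the two sections above: it lists the overrides present in /etc/firewalld/zones/, flags those that are byte-identical to the shipped file in /usr/lib/firewalld/zones/ (so they can be deleted and firewalld falls back to the default), and tells whether a zone file carries a given <service name=.../> entry. The function names and the two directory parameters are assumptions of this example, not firewalld interfaces.

```shell
# Added example (not from the RHEL 7 Security Guide). Both directories are
# parameters so the check can be run against copies; on a host they are
# /etc/firewalld/zones and /usr/lib/firewalld/zones.

# audit_zone_overrides ETC_DIR LIB_DIR
# Prints one line per *.xml override: "<zone> modified", "<zone> redundant"
# (identical to the shipped default, safe to delete) or "<zone> no-default"
# (nothing to fall back to). Backups such as public.xml.old are skipped,
# as firewalld only reads *.xml. Returns 1 if any redundant override exists.
audit_zone_overrides() {
    etc_dir="$1"; lib_dir="$2"; redundant=0
    for override in "$etc_dir"/*.xml; do
        [ -e "$override" ] || continue          # no overrides at all
        zone="${override##*/}"; zone="${zone%.xml}"
        default="$lib_dir/$zone.xml"
        if [ ! -e "$default" ]; then
            printf '%s no-default\n' "$zone"
        elif cmp -s "$override" "$default"; then
            printf '%s redundant\n' "$zone"; redundant=1
        else
            printf '%s modified\n' "$zone"
        fi
    done
    return "$redundant"
}

# zone_has_service ZONE_FILE SERVICE
# Succeeds when the zone file contains a <service name="SERVICE"/> entry,
# e.g. the smtp line the text above adds to or removes from work.xml.
zone_has_service() {
    grep -q "<service name=\"$2\"" "$1"
}

# On a RHEL 7 host (as root):
#   audit_zone_overrides /etc/firewalld/zones /usr/lib/firewalld/zones
#   zone_has_service /etc/firewalld/zones/work.xml smtp && echo "smtp allowed"
```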

4.5.14.4.12. Configure IP Address Masquerading

To check if IP masquerading is enabled, for example for the external zone, enter the following command as root:

~]# firewall-cmd --zone=external --query-masquerade

Prints yes with exit status 0 if enabled, prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.

To enable IP masquerading, enter the following command as root:

~]# firewall-cmd --zone=external --add-masquerade

To make this setting permanent, add the --permanent option and reload the firewall.

To disable IP masquerading, enter the following command as root:

~]# firewall-cmd --zone=external --remove-masquerade

To make this setting permanent, add the --permanent option and reload the firewall.

4.5.14.4.13. Configure Port Forwarding Using the Command Line Interface (CLI)

To forward inbound network packets from one port to an alternative port or address, first enable IP address masquerading for a zone, for example external, by entering the following command as root:

~]# firewall-cmd --zone=external --add-masquerade

To forward packets to a local port, that is to say to a port on the same system, enter the following command as root:

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

In this example, the packets intended for port 22 are now forwarded to port 3753. The original destination port is specified with the port option. This option can be a port, or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new local port, the port or range of ports to which the traffic is being forwarded, is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.

To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:

~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55

In this example, the packets intended for port 22 are now forwarded to the same port at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port, or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is being forwarded, is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.

To forward packets to another port at another IPv4 address, usually an internal address, enter the following command as root:

~]# firewall-cmd --zone=external \
--add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55

In this example, the packets intended for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port, or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is being forwarded, is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.
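As an added example (not from the guide), a POSIX shell helper that assembles the --add-forward-port value from its parts and checks it against the rules stated above before anything reaches firewall-cmd, then applies it at runtime and with --permanent and reloads. The function names and the FIREWALL_CMD variable are this example's own assumptions, not firewalld options.

```shell
# Added example, not from the RHEL 7 Security Guide: build the argument for
# --add-forward-port from its parts and reject malformed input before it
# reaches firewall-cmd. Rules as stated above: port is a port or port range,
# proto is tcp or udp, and at least one of toport or toaddr (an IPv4 address)
# is required. Function names and the FIREWALL_CMD hook are this example's own.
# is_port_or_range VALUE: "22" or "5060-5061", digits only, one dash at most
is_port_or_range() {
    case "$1" in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
}
# is_ipv4 VALUE: dotted quad with every octet in 0-255
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o; do case "$o" in '') return 1 ;; esac; [ "$o" -le 255 ] || return 1; done
}
# forward_port_spec PORT PROTO TOPORT TOADDR (pass "" for an unused TOPORT/TOADDR)
# Prints "port=PORT:proto=PROTO[:toport=TOPORT][:toaddr=TOADDR]" or fails.
forward_port_spec() {
    port="$1"; proto="$2"; toport="$3"; toaddr="$4"
    is_port_or_range "$port" || { echo "bad port: $port" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    [ -n "$toport$toaddr" ] || { echo "need toport or toaddr" >&2; return 1; }
    spec="port=$port:proto=$proto"
    if [ -n "$toport" ]; then
        is_port_or_range "$toport" || { echo "bad toport: $toport" >&2; return 1; }
        spec="$spec:toport=$toport"
    fi
    if [ -n "$toaddr" ]; then
        is_ipv4 "$toaddr" || { echo "bad toaddr: $toaddr" >&2; return 1; }
        spec="$spec:toaddr=$toaddr"
    fi
    printf '%s\n' "$spec"
}
# add_forward_port ZONE PORT PROTO TOPORT TOADDR
# Enables masquerading and adds the rule at runtime and permanently, then
# reloads. FIREWALL_CMD defaults to firewall-cmd; set it to "echo" to dry-run.
add_forward_port() {
    zone="$1"; shift
    spec=$(forward_port_spec "$@") || return 1
    cmd="${FIREWALL_CMD:-firewall-cmd}"
    for mode in "" --permanent; do
        "$cmd" $mode --zone="$zone" --add-masquerade || return 1
        "$cmd" $mode --zone="$zone" --add-forward-port="$spec" || return 1
    done
    "$cmd" --reload
}
```

On a host, `add_forward_port external 22 tcp 2055 192.0.2.55` as root reproduces the last example above in both the runtime and the permanent configuration.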
