firewalld
(2016-12-06)
God help me, this is firewalld
After you make a change, reload the firewall to make it active:
# firewall-cmd --reload
To make the current running state of the firewall permanent (i.e. used again at the next boot):
# firewall-cmd --runtime-to-permanent
Status:
# systemctl status firewalld
Active zones:
# firewall-cmd --get-active-zones
Defined services:
# firewall-cmd --list-services
Add a new service by service name (beware the active zone):
# firewall-cmd --zone=FedoraWorkstation --add-service=smtp --permanent
Add a port number:
# firewall-cmd --zone=FedoraWorkstation --add-port=80/tcp --permanent
Add a range of port numbers:
# firewall-cmd --zone=FedoraWorkstation --add-port=6000-6050/udp --permanent
List open services:
# firewall-cmd --zone=FedoraWorkstation --list-services
List open ports that are not defined as services:
# firewall-cmd --zone=FedoraWorkstation --list-ports
Add masquerading:
# firewall-cmd --zone=external --add-masquerade --permanent
Port forwarding:
# firewall-cmd --zone=external --add-forward-port=port=2022:proto=tcp:toport=22:toaddr=192.168.0.2
- If toport or toaddr is not specified, it is implied to be the same as the original destination
Change interface zone membership:
# firewall-cmd --permanent --zone=home --change-interface=p2p1
# firewall-cmd --permanent --zone=public --change-interface=p1p1
# firewall-cmd --reload
...although that hasn't actually helped for me. I had to edit /etc/sysconfig/network-scripts/ifcfg-$INTERFACE and add the line
ZONE=$zone
Intra-zone traffic:
# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens256 -o ens192 -j ACCEPT
Blocking subnets:
# firewall-cmd --add-rich-rule="rule family='ipv4' source address='185.222.209.0/24' drop" --permanent
# firewall-cmd --add-rich-rule="rule family='ipv4' source address='185.222.209.0/24' drop"
To block a particular host, replace the subnet with the host's IP address (the /32 is not required in that case).
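As an added example (not part of the original notes): a small POSIX shell helper that checks the subnet is a sane IPv4 address or CIDR, builds the same drop rich rule as above, and applies it permanent-then-runtime the way the two commands do. The address 203.0.113.7 in the usage comment is a constructed sample host.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds firewalld rich rules that
# drop traffic from a list of IPv4 subnets (or single hosts) and applies each
# one to the permanent and then the runtime configuration, as the two commands
# above do. Only apply_drop_rules calls firewall-cmd; the other functions are
# pure string handling, so they can be exercised on a machine without firewalld.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|/*|*/|.*|*.|*..*) return 1 ;;
    esac
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no prefix given: single host
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                               # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rich rule for a subnet; fail without output on invalid input, so a
# typo (or stray rich-rule syntax in the argument) never becomes a rule.
drop_rule() {
    valid_ipv4_cidr "$1" || return 1
    printf "rule family='ipv4' source address='%s' drop\n" "$1"
}

# Apply the drop rule for every argument, permanent first and then runtime,
# so no reload is needed and the rule survives the next boot.
apply_drop_rules() {
    for cidr in "$@"; do
        rule=$(drop_rule "$cidr") || { echo "skipping invalid subnet: $cidr" >&2; continue; }
        firewall-cmd --permanent --add-rich-rule="$rule" &&
            firewall-cmd --add-rich-rule="$rule"
    done
}

# Example usage (needs root and a running firewalld); 203.0.113.7 is a
# constructed sample host:
# apply_drop_rules 185.222.209.0/24 203.0.113.7
```

Check the result with `firewall-cmd --list-rich-rules` (runtime) and `firewall-cmd --permanent --list-rich-rules`.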