
firewalld

Created by dave. Last edited by dave, 4 years and 293 days ago. Viewed 2,445 times. #10
(2016-12-06)

God help me, this is firewalld

After you make a change, reload the firewall to make it active:

# firewall-cmd --reload

To make the current running state of the firewall permanent (i.e. to be used at the next boot):

# firewall-cmd --runtime-to-permanent
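A rule added without --permanent vanishes at the next --reload, and one added with --permanent is not active until a reload, so the two configurations drift apart easily. The script below is an added example, not from the original page: it parses constructed sample output in the shape of firewall-cmd --zone=public --list-all (runtime) and the same command with --permanent, and lists the services and ports that exist in only one of them.

```shell
#!/bin/sh
# Added example, not from the original page: detect drift between a zone's
# runtime and permanent configuration. On a real host the two dumps come from
# "firewall-cmd --zone=public --list-all" with and without --permanent.

RUNTIME='public (active)
  interfaces: p1p1
  services: dhcpv6-client ssh smtp
  ports: 80/tcp 6000-6050/udp
  forward-ports:'

PERMANENT='public
  interfaces: p1p1
  services: dhcpv6-client ssh
  ports: 80/tcp
  forward-ports:'

# Print the space-separated items of one single-line field ("services", "ports")
# from a --list-all dump. The anchored pattern keeps "ports:" from also matching
# the "forward-ports:" line.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print each item of field $3 that is in dump $1 but not in dump $2.
missing_items() {
    _have=" $(zone_field "$2" "$3") "
    for _item in $(zone_field "$1" "$3"); do
        case "$_have" in
            *" $_item "*) ;;
            *) printf '%s\n' "$_item" ;;
        esac
    done
}

# Runtime-only entries are lost on "firewall-cmd --reload" unless saved with
# --runtime-to-permanent; permanent-only entries are inactive until a reload.
report_drift() {
    for _field in services ports; do
        for _x in $(missing_items "$RUNTIME" "$PERMANENT" "$_field"); do
            printf 'runtime only (lost on --reload): %s %s\n' "$_field" "$_x"
        done
        for _x in $(missing_items "$PERMANENT" "$RUNTIME" "$_field"); do
            printf 'permanent only (inactive until --reload): %s %s\n' "$_field" "$_x"
        done
    done
}

report_drift
```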

Status:

# systemctl status firewalld

Active zones:

# firewall-cmd --get-active-zones

Defined services:

# firewall-cmd --list-services

Add a new service by service name (beware the active zone):

# firewall-cmd --zone=FedoraWorkstation --add-service=smtp --permanent

Add a port number:

# firewall-cmd --zone=FedoraWorkstation --add-port=80/tcp --permanent

Add a range of port numbers:

# firewall-cmd --zone=FedoraWorkstation --add-port=6000-6050/udp --permanent

List open services:

# firewall-cmd --zone=FedoraWorkstation --list-services

List open ports that are not defined as services:

# firewall-cmd --zone=FedoraWorkstation --list-ports

Add masquerading:

# firewall-cmd --zone=external --add-masquerade --permanent

Port forwarding:

# firewall-cmd --zone=external --add-forward-port=port=2022:proto=tcp:toport=22:toaddr=192.168.0.2

  • The options --toport and --toaddr are implied as being the same as the original destination if not specified

Change interface zone membership:

# firewall-cmd --permanent --zone=home --change-interface=p2p1
# firewall-cmd --permanent --zone=public --change-interface=p1p1
# firewall-cmd --reload

...although that hasn't actually helped for me. I had to edit /etc/sysconfig/network-scripts/ifcfg-$INTERFACE and add a line:

ZONE=$zone

Intra-zone traffic:

# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens256 -o ens192 -j ACCEPT

Blocking subnets:

# firewall-cmd --add-rich-rule="rule family='ipv4' source address='185.222.209.0/24' drop" --permanent
# firewall-cmd --add-rich-rule="rule family='ipv4' source address='185.222.209.0/24' drop"

To block a single host instead, replace the subnet with that host's address (a /32 suffix is not required in that case).
