firewall-cmd
Manage the system firewall (firewalld)
TLDR
View all zones and their rules as currently loaded (the runtime configuration)
firewall-cmd --list-all-zones
Permanently move an interface into the block zone, rejecting every incoming connection on it (connections initiated by the host itself are still allowed)
firewall-cmd --permanent --zone=block --change-interface=<interface>
Permanently open a port in the specified zone (like port 443/tcp in the public zone)
firewall-cmd --permanent --zone=public --add-port=443/tcp
Permanently close a port in the specified zone (like port 80/tcp in the public zone)
firewall-cmd --permanent --zone=public --remove-port=80/tcp
Permanently forward a port for incoming packets in the specified zone (like port 443 to 8443 for traffic entering the public zone)
firewall-cmd --permanent --zone=public --add-forward-port=port=443:proto=tcp:toport=8443
Reload firewalld, discarding any runtime-only changes and making the permanent configuration take effect immediately (the --permanent changes above are not active until this runs)
firewall-cmd --reload
Save the current runtime configuration as the permanent configuration
firewall-cmd --runtime-to-permanent
Enable panic mode in an emergency: all traffic is dropped and every active connection is terminated, including the SSH session the command is run from
firewall-cmd --panic-on
SYNOPSIS
firewall-cmd [OPTIONS]
PARAMETERS
--state
Check if firewalld is running: exit status 0 if it is, non-zero otherwise.
--reload
Reload the permanent configuration into the running firewall, keeping connection state. All runtime-only changes are discarded.
--complete-reload
Reload firewalld completely, including the netfilter kernel modules. State information is lost, so active connections are likely to be terminated; use --reload unless the modules themselves must be reset.
--runtime-to-permanent
Save the current runtime configuration as the new permanent configuration. This supports the safe order of operations: change and test at runtime first (a mistake can be undone with --reload), then persist.
--get-default-zone
Get the default zone.
--set-default-zone=<zone>
Set the default zone. Interfaces and source addresses not bound to any zone are handled by the default zone, so changing it changes what happens to all unassigned traffic.
--get-active-zones
List active zones.
--get-zones
List all available zones.
--get-services
List all available services.
--list-ports
List the ports opened in the default zone (or the zone given with --zone=).
--list-all
List all settings for the default zone (or the zone given with --zone=). Combine with --permanent to see the saved configuration instead of the running one.
--list-all-zones
List all settings for all zones.
--zone=<zone> --list-all
List all settings for the given zone.
--zone=<zone> --add-service=<service>
Add a service to a zone.
--zone=<zone> --remove-service=<service>
Remove a service from a zone.
--zone=<zone> --add-port=<port>/<protocol>
Add a port, or a port range written as <port>-<port>, to a zone. protocol is either tcp or udp (recent versions also accept sctp and dccp).
--zone=<zone> --remove-port=<port>/<protocol>
Remove a port from a zone. protocol is either tcp or udp.
--panic-on
Enable panic mode: every packet in and out is dropped and all active connections terminate, including a remote session used to run the command. Use it from the console or with another way back in.
--panic-off
Disable panic mode.
--query-panic
Check if panic mode is enabled.
--permanent
Write the change to the permanent configuration so it survives reboots. Such a change does not affect the running firewall until firewall-cmd --reload is run; without --permanent the change takes effect immediately but is runtime only and is lost on reload or reboot.
--direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
Add a direct rule: args are passed almost verbatim to iptables, ip6tables or ebtables for the given table and chain, and rules with a lower priority value come first. Direct rules sit outside the zone model.
--direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
Remove a direct rule.
--get-log-denied
Get the log denied setting, which controls whether logging rules are added in front of the final reject and drop rules. Logged packets appear in the kernel log (journalctl -k or dmesg), which is the usual feed for spotting port scans and blocked services.
--set-log-denied={all|unicast|broadcast|multicast|off}
Set the log denied option. The value selects which link-layer packet types are logged; off (the default) disables logging. The change is both runtime and permanent and reloads the firewall.
--add-forward-port=port=<port>[-<port>]:proto=<protocol>[:toport=<port>[-<port>]][:toaddr=<address>]
Forward a port (or port range) arriving in the zone to another port and/or another address.
DESCRIPTION
firewall-cmd is the command-line client for firewalld, the dynamic firewall manager. It adds, removes and modifies zones, services, ports, port forwards, rich rules and other settings without restarting the firewall service, which suits environments where the firewall configuration has to follow changing network conditions. firewall-cmd talks to the firewalld daemon over its D-Bus interface, so making changes requires root or a polkit authorization.
The primary goal of firewalld is to separate the firewall configuration from the rules actually installed in the kernel, which makes the configuration easier to manage and maintain. Key features include network zones (e.g., public, home, trusted), services, ports and rich language rules. The command manages both the permanent configuration (loaded at boot and on --reload) and the runtime configuration (active now, lost on reload or reboot).
Using firewall-cmd simplifies complex iptables rules by providing a higher-level abstraction.
CAVEATS
Changes made without the --permanent flag are temporary and are lost on the next --reload or reboot. Conversely, changes made with --permanent do not touch the running firewall until firewall-cmd --reload runs, so a host can be enforcing rules that differ from what it will load at boot in either direction; compare firewall-cmd --list-all with firewall-cmd --permanent --list-all before and after editing. Direct rules require a good understanding of iptables and bypass the zone model, so prefer services, ports and rich rules where they suffice. Panic mode drops all traffic, including the SSH session used to enable it.
ZONES
Zones are predefined sets of rules that determine what traffic is allowed or denied. The stock zones, from least to most trusted, are drop, block, public, external, dmz, work, home, internal and trusted. Network interfaces and source addresses are bound to zones so that the zone's rules apply to that traffic; anything not bound to a zone falls into the default zone (see --get-default-zone).
SERVICES
Services are predefined sets of ports and protocols commonly used by applications. Using services simplifies firewall configuration: a service is enabled or disabled by name rather than by listing individual ports and protocols (--get-services lists the available ones).
RICH LANGUAGE
firewalld supports a rich language for more complex rules based on source/destination addresses, ports, services, logging and other criteria, added with --add-rich-rule. This is the flexible way to build customized configurations for specific security requirements without dropping down to direct rules.
EXIT CODES
firewall-cmd returns 0 on success and a non-zero, error-specific code on failure; query options such as --query-panic return 0 when the answer is yes and 1 when it is no. Check the exit status rather than parsing the "success" line printed on standard output.
HISTORY
firewall-cmd was developed as part of the firewalld project to provide a user-friendly interface for managing the Linux firewall. Before firewalld, system administrators usually wrote iptables rules directly, which is complex to configure and maintain. firewalld and firewall-cmd abstract away much of this complexity and offer a more intuitive, dynamic way to manage firewall rules; today firewalld installs its rules through nftables by default, with iptables available as an alternative backend. The development focused on a dynamic firewall that adapts to changing network conditions without requiring a full restart of the firewall service.
SEE ALSO
firewalld(1), iptables(8)