Monday, June 5, 2017

Basic commands for firewalld on RHEL 7.2

1. Check whether firewalld is installed

rpm -aq | grep firewalld

2. List the configuration files of the firewalld package

rpm -qc firewalld

3. Check the status of the firewalld service

systemctl status firewalld

4. Check the running state of the firewall
firewall-cmd --state

5. Get the list of zones available in the firewall

firewall-cmd --get-zones

6. Get the default zone of the firewall
firewall-cmd --get-default-zone

7. Set the default zone
firewall-cmd --set-default-zone=internal

NOTE: internal is the zone name; replace it with your own zone.

8. Add a port to the firewall permanently (example: 3306, the MySQL port). To see the change, reload the firewall and list the ports again.
firewall-cmd --add-port=3306/tcp --permanent
NOTE: 3306 is the MySQL port and tcp is the protocol. Without --permanent the port is opened only temporarily (in the runtime configuration) and is lost at the next reload.

9. List the firewall settings and check whether the opened port appears in the list.
firewall-cmd --list-all

[root@10 ~]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3 enp0s8
  services: dhcpv6-client ssh
  ports: 80/tcp 6250/tcp 61002/tcp 8123/tcp 62503/tcp 53/tcp 62053/tcp 8181/tcp 1050/tcp 2181/tcp 8080/tcp 61003/tcp 61420/tcp 64000/tcp 62501/tcp 62080/tcp 9990/tcp 5050/tcp 61421/tcp 15055/tcp 61001/tcp 443/tcp 7070/tcp 15101/tcp 15201/tcp 62502/tcp 61053/tcp 5051/tcp 1801/tcp
  masquerade: no
  rich rules:

10. Removing a port from the list

firewall-cmd --remove-port=3306/tcp --permanent
NOTE: the port was added with --permanent in step 8, so remove it with --permanent as well and reload; without --permanent only the runtime configuration changes and the port comes back at the next reload.

11. Open the port range 3000 to 3100 and reload the firewall to see the change

firewall-cmd --add-port=3000-3100/tcp --permanent

12. Open multiple ports and reload to see the changes. The brace expansion must not contain spaces, and each entry is port/protocol (tcp or udp).
firewall-cmd --add-port={3000/tcp,9000/tcp,9005/tcp} --permanent

13. Reload the firewall
firewall-cmd --reload
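The listing in step 9 and the add/reload steps above invite a simple drift check: the script below is an added example (not from the original post) that compares the ports a zone reports open with a hypothetical allowlist and reports both unexpected and missing ports. It uses a constructed sample in the shape of step 9's output instead of a live firewall-cmd call.

```sh
#!/bin/sh
# Drift check for a firewalld zone: compare the ports a zone actually has open
# (the "ports:" line of `firewall-cmd --list-all`) with the ports you intended
# to open. SAMPLE_LIST_ALL is constructed in the shape of step 9's listing and
# ALLOWED is a hypothetical allowlist for an HTTP/HTTPS/MySQL host.

# Print one open port per line, taken from the "ports:" line of --list-all output.
# The exact match on $1 skips the "forward-ports:" and "source-ports:" lines.
open_ports() {
    printf '%s\n' "$1" | awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }'
}

# Print each entry of $1 (whitespace-separated) that is absent from $2 (space-separated).
not_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                 # present in the second list, skip
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# Ports open but not allowlisted: candidates for --remove-port (steps 10 and 13).
unexpected_ports() { not_in "$(open_ports "$1")" "$2"; }

# Allowlisted ports not actually open: typically a --permanent change that was never reloaded.
missing_ports() { not_in "$2" "$(open_ports "$1" | tr '\n' ' ')"; }

# Constructed sample, same layout as the step 9 listing (not real output).
SAMPLE_LIST_ALL='public (default, active)
  interfaces: enp0s3 enp0s8
  services: dhcpv6-client ssh
  ports: 80/tcp 443/tcp 8080/tcp 3306/tcp
  masquerade: no
  rich rules:'

# Hypothetical allowlist for this host.
ALLOWED='80/tcp 443/tcp 3306/tcp 22/tcp'

# On a live system replace SAMPLE_LIST_ALL with "$(firewall-cmd --zone=public --list-all)".
echo "unexpected:"; unexpected_ports "$SAMPLE_LIST_ALL" "$ALLOWED"   # 8080/tcp
echo "missing:";    missing_ports    "$SAMPLE_LIST_ALL" "$ALLOWED"   # 22/tcp
```

Run the same check against "$(firewall-cmd --permanent --zone=public --list-all)" to see whether the runtime and permanent configurations have drifted apart.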

14. Add a service to the firewall; to see the change, reload and list all services
firewall-cmd --add-service=mysql --permanent
firewall-cmd --reload
firewall-cmd --list-all

15. Add multiple services to the firewall
firewall-cmd --add-service={mysql,http,https} --permanent
NOTE: firewall-cmd warns if a service is already in the enabled list; remove it from the service list first and then run the command again.

16. Remove a service, or multiple services, from the firewall
firewall-cmd --remove-service=mysql
firewall-cmd --remove-service={mysql,http,https}

17. Add a port forward from 8080 to 80 (80 is not enabled in the firewall)
This assumes 8080 is enabled; if not, enable it first.

firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80 --permanent

Forward to another machine and port (replace the placeholder with that machine's address):
firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=<IP-of-other-machine>
NOTE: forwarding to a different machine requires masquerading to be enabled in the zone (firewall-cmd --add-masquerade); forwarding to a port on the same machine does not.

18. Remove the port forwarding (use --permanent if it was added with --permanent)
firewall-cmd --remove-forward-port=port=8080:proto=tcp:toport=80

19. Adding rich rules

Use case: We have 3 machines
m1, IP:
m2, IP:
m3, IP:

Accept all traffic/requests from m2 to m1, and drop traffic/requests from m3 to m1. Run the rules on m1, filling in the source addresses of m2 and m3:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="" accept'

firewall-cmd --add-rich-rule='rule family="ipv4" source address="" drop'

Check by pinging m1 from m2 and from m3: the ping from m3 to m1 should fail.

20. Creating a new service and adding it to firewalld

Create a simple service file at /usr/lib/firewalld/services/my-app.xml with the following content (the root element must be <service>):

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>My application</short>
  <description>My application has to run on port 9000</description>
  <port protocol="tcp" port="9000"/>
</service>

Reload the firewall so it picks up the new service definition
firewall-cmd --reload
Add the service and list the firewall services
firewall-cmd --add-service=my-app
firewall-cmd --get-services
You should see the newly created service in the list.

Advanced firewall-cmd commands

1. Panic mode: if the system gets hacked, we can enable panic mode, meaning all traffic (incoming and outgoing, existing and new) is dropped and established connections are cut off. Use this only in an emergency such as a compromised system.
Panic mode can be queried and disabled with the following commands.

firewall-cmd --query-panic
firewall-cmd --panic-on
firewall-cmd --panic-off

Check whether panic mode is on
firewall-cmd --query-panic

2. Get the zone of a particular interface (a system can have multiple interfaces assigned to different zones).
NOTE: check your interface name (eth0 is used here).

firewall-cmd --get-zone-of-interface eth0

3. Get the list of interfaces in a particular zone

firewall-cmd --zone=public --list-interfaces

4. Change the zone of an interface
firewall-cmd --zone=internal --change-interface=eth0