Home / RHEL7 / How to configure the firewall using firewall-cmd ?

How to configure the firewall using firewall-cmd ?

In the last article, we have opened the port (80) for http service using firewall-config graphical utility in Redhat Enterprise Linux  7.  As a Unix/Linux admin , would you prefer to use “GUI” over “command line” ? I don’t think so. Most of the Unix/Linux system administrators will go with the command line. firewall-cmd is a command line utility which interact with netfiler to configure the firewall rules on RHEL-7. In this article ,we will be doing the same work what we have done using firewall-config in the last article by using firewall-cmd command for different ports and services.

1. Get the default firewall zone on the server.

[root@server1-UA ~]#firewall-cmd --get-default-zone
public
[root@server1-UA ~]#

2. Get the currently active zone .

[root@server1-UA ~]#firewall-cmd --get-active-zones
public
  interfaces: eth0
[root@server1-UA ~]#

3.List all configured interfaces , sources, services, and ports for specific zone. If you didn’t specify the zone , it will provide the information for the currently active zone.

[root@server1-UA ~]#firewall-cmd --list-all --zone=public
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@server1-UA ~]#

In the above command output, you can see that dhcpv6-client, http and ssh ports are curretnly opened.

You need to follow the below procedure, if there is a requirement to open a new port called 8090/tcp on the system.

1. Assume that currently active and default firewall zone is public.

2. Let me open the port 8090 using firewall-cmd.

[root@server1-UA ~]#firewall-cmd --permanent --add-port=8090/tcp --zone=public
success
[root@server1-UA ~]#

3. Re-load the firewalld.
[root@server1-UA ~]#firewall-cmd –reload
success
[root@server1-UA ~]#

4. Verify the changes using firewall-cmd.

[root@server1-UA ~]#firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 8090/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@server1-UA ~]#

In the above command output, you can see that 8090/tcp has been added.

Please follow the below procedure , if you would like to add service called ldap. ldap ports needs to defined in /etc/services file.

[root@server1-UA ~]#firewall-cmd --permanent --add-service=ldap --zone=public
success
[root@server1-UA ~]#firewall-cmd --reload
success
[root@server1-UA ~]#firewall-cmd --list-all --permanent --zone=public
public (default)
  interfaces:
  sources:
  services: dhcpv6-client http ldap ssh
  ports: 8090/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@server1-UA ~]#

How to block the currently opened ports/services ?

*    In the below example, I have blocked the port 8090/tcp .

[root@server1-UA ~]#firewall-cmd --permanent --remove-port=8090/tcp --zone=public
success
[root@server1-UA ~]#firewall-cmd --list-all --permanent --zone=public
public (default)
  interfaces:
  sources:
  services: dhcpv6-client http ldap ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@server1-UA ~]#firewall-cmd --reload
success
[root@server1-UA ~]#

*    In the below example, i have blocked the http service.

[root@server1-UA ~]#firewall-cmd --permanent --remove-service=http --zone=public
success
[root@server1-UA ~]#firewall-cmd --reload
success
[root@server1-UA ~]#firewall-cmd --list-all --permanent --zone=public
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ldap ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@server1-UA ~]#

firewall-cmd is very simple and easy to use unlike the iptables. Hope everybody loves it .

Share it ! Comment it !! Be Sociable !!!

VMTURBO-CLOUD-CAPACITY

Leave a Reply

Your email address will not be published. Required fields are marked *