How to configure the firewall using firewall-cmd?

In the last article, we opened port 80 for the http service using the firewall-config graphical utility on Red Hat Enterprise Linux 7. As a Unix/Linux admin, would you prefer the GUI over the command line? I don't think so; most Unix/Linux system administrators will go with the command line. firewall-cmd is the command line client for firewalld, the daemon that programs the kernel's netfilter rules on RHEL 7. In this article we will do the same work we did with firewall-config in the last article, but with firewall-cmd, for a few different ports and services.

1. Get the default firewall zone on the server.

[root@server1-UA ~]#firewall-cmd --get-default-zone
public
[root@server1-UA ~]#

2. Get the currently active zones and the interfaces bound to them.

[root@server1-UA ~]#firewall-cmd --get-active-zones
public
  interfaces: eth0
[root@server1-UA ~]#

3. List all configured interfaces, sources, services and ports for a specific zone. If you do not specify a zone, firewall-cmd reports the default zone.

[root@server1-UA ~]#firewall-cmd --list-all --zone=public
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@server1-UA ~]#

In the above command output, you can see that the dhcpv6-client, http and ssh services are currently allowed in the public zone.

Follow the procedure below if there is a requirement to open a new port, 8090/tcp, on the system.

1. Assume that the currently active zone and the default zone are both public.

2. Open port 8090/tcp permanently using firewall-cmd.

[root@server1-UA ~]#firewall-cmd --permanent --add-port=8090/tcp --zone=public
success
[root@server1-UA ~]#

3. Reload firewalld so that the permanent configuration becomes the running configuration.

[root@server1-UA ~]#firewall-cmd --reload
success
[root@server1-UA ~]#

4. Verify the changes using firewall-cmd.

[root@server1-UA ~]#firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 8090/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@server1-UA ~]#

In the above command output, you can see that 8090/tcp has been added. Keep in mind that --permanent only writes the change to the saved zone configuration under /etc/firewalld; it is --reload that makes it live, and a reload also discards any runtime-only rule that was added without --permanent. If you want a rule to be both active immediately and persistent across reloads, run the same command once without --permanent and once with it.

Follow the procedure below if you would like to allow a service by name, for example ldap. firewall-cmd accepts a service name only if firewalld has a definition for it; the built-in definitions (name, ports and protocols) are XML files under /usr/lib/firewalld/services/, custom ones go in /etc/firewalld/services/, and firewall-cmd --get-services lists the names that are available.

[root@server1-UA ~]#firewall-cmd --permanent --add-service=ldap --zone=public
success
[root@server1-UA ~]#firewall-cmd --reload
success
[root@server1-UA ~]#firewall-cmd --list-all --permanent --zone=public
public (default)
  interfaces:
  sources:
  services: dhcpv6-client http ldap ssh
  ports: 8090/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@server1-UA ~]#

Note that the permanent view shows the zone as "public (default)" without "active" and with no interface: the eth0 binding seen in the runtime view comes from the interface configuration, not from the saved zone file, so it does not appear here.

How to close currently opened ports/services?

*    In the example below, port 8090/tcp is removed from the public zone, which closes it again once the change is reloaded.

[root@server1-UA ~]#firewall-cmd --permanent --remove-port=8090/tcp --zone=public
success
[root@server1-UA ~]#firewall-cmd --list-all --permanent --zone=public
public (default)
  interfaces:
  sources:
  services: dhcpv6-client http ldap ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@server1-UA ~]#firewall-cmd --reload
success
[root@server1-UA ~]#

*    In the example below, the http service is removed from the public zone.

[root@server1-UA ~]#firewall-cmd --permanent --remove-service=http --zone=public
success
[root@server1-UA ~]#firewall-cmd --reload
success
[root@server1-UA ~]#firewall-cmd --list-all --permanent --zone=public
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ldap ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@server1-UA ~]#
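The add and remove procedures above all follow the same pattern: change the permanent configuration, reload, then list the zone to confirm. The script below is an added example, not code from the UnixArena article, that wraps that pattern and adds the check a practitioner wants afterwards: a comparison of the runtime and permanent views of the zone, since a rule present in only one of them is either about to be lost at the next reload or not yet in effect. The fw_* function names, the --apply convention and the script name fwcheck.sh are my own; the two --list-all outputs embedded in it are constructed samples, not captured from a real host, so the drift check can be exercised without a live firewalld.

```shell
#!/usr/bin/env bash
# Added example, not from the UnixArena article: a small wrapper around
# firewall-cmd that applies a port or service change permanently, reloads,
# and then checks that the runtime and permanent views of the zone agree.
# The parsing helpers take the text of `firewall-cmd --list-all`, so they
# can be exercised on the constructed sample output below without firewalld.

# Print the value of one field ("ports", "services", ...) from --list-all output.
# usage: printf '%s\n' "$LIST_ALL" | fw_field FIELD
fw_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Exit 0 if ITEM (e.g. 8090/tcp or a service name) is listed in FIELD.
# usage: printf '%s\n' "$LIST_ALL" | fw_has FIELD ITEM
fw_has() {
    value=$(fw_field "$1")
    for word in $value; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# Print the items of FIELD that appear in exactly one of the two views.
# Anything printed is either a runtime-only change that the next reload
# will discard, or a permanent change that has not been loaded yet.
# usage: fw_drift FIELD "$RUNTIME_LIST_ALL" "$PERMANENT_LIST_ALL"
fw_drift() {
    { printf '%s\n' "$2" | fw_field "$1"; printf '%s\n' "$3" | fw_field "$1"; } \
        | tr ' ' '\n' | grep -v '^$' | sort | uniq -u
}

# Apply ACTION (add|remove) for KIND (port|service) VALUE in ZONE, reload,
# and fail if the two views still differ. Requires root and a running firewalld.
# usage: fw_apply add port 8090/tcp public
fw_apply() {
    action=$1 kind=$2 value=$3 zone=${4:-public}
    firewall-cmd --permanent --zone="$zone" "--${action}-${kind}=${value}" >/dev/null
    firewall-cmd --reload >/dev/null
    drift=$(fw_drift "${kind}s" \
        "$(firewall-cmd --zone="$zone" --list-all)" \
        "$(firewall-cmd --permanent --zone="$zone" --list-all)")
    if [ -n "$drift" ]; then
        echo "warning: runtime and permanent ${kind}s differ in zone $zone: $drift" >&2
        return 1
    fi
}

# Constructed sample output (not captured from a real host): 8090/tcp was
# opened without --permanent, and ldap was added with --permanent but not
# yet reloaded, so the two views disagree on both fields.
SAMPLE_RUNTIME='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 8090/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

SAMPLE_PERMANENT='public (default)
  interfaces:
  sources:
  services: dhcpv6-client http ldap ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

if [ "${1:-}" = "--apply" ]; then
    # e.g. ./fwcheck.sh --apply add port 8090/tcp public
    fw_apply "$2" "$3" "$4" "${5:-public}"
else
    # Offline demonstration on the constructed samples.
    echo "ports only in one view:    $(fw_drift ports "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT")"
    echo "services only in one view: $(fw_drift services "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT")"
fi
```

Run without arguments the script only reports on the embedded samples (8090/tcp and ldap are each present in one view); with --apply it performs the permanent change, reloads, and exits non-zero if the runtime and permanent lists still disagree, which is the condition that the manual list-all checks in the article are meant to catch.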

firewall-cmd is simple and easy to use compared with raw iptables rules, and the zone model keeps the configuration readable. Just remember the two-step nature of --permanent and --reload when you verify a change.