15 powerful firewall CMD commands in Linux, Niu Niu!

Enterprises usually attach great importance to network security because of the importance of business, so a good firewall system is a powerful weapon!

In this article, we will learn about the basic principle of the new firewall service firewalld of CentOS 7. It has a very powerful filtering system called Netfilter, which is built into the kernel module to check each packet passing through the system.

This means that it can programmatically check, modify, reject or discard any network data packets, such as incoming, outgoing or forwarding, before reaching the destination. Starting from Centos-7, firewalld has become the default tool for managing host based firewall services. Firewalld's daemon is installed from firewalld package, which will be available on all basic installations of the operating system, But not available on a minimal installation.

Advantages of using FirewallD over iptables:
  • Any configuration changes made at runtime do not require reloading or restarting the firewalld service
  • Simplify firewall management by scheduling the entire network traffic into the area
  • Each system can set up multiple firewall configurations to change the network environment
  • Use the D-Bus messaging system to interact / maintain firewall settings

In CentOS 7 or later, we can still use the classic iptables. If we want to use iptables, we need to stop and disable the firewalld service. Using firewalld and iptables at the same time can confuse the system because they are incompatible with each other.

It is recommended to use firewalld to manage firewall services, unless we have some specific reasons to continue to use classic iptables.

Firewall has designed a powerful filtering system and is more flexible in dealing with firewall management. To take advantage of this design, firewalld classifies incoming traffic into areas on the interface defined by the source address.

Each area is designed to manage traffic according to specified standards. If no changes are made, the default area will be set to public, and the associated network interface will be attached to public.

All predefined area rules are stored in two locations: the area rules specified by the system are under "/ usr/lib/firewalld/zones /" and the area rules specified by the user are under / etc/firewalld/zones /. If any changes are made in the system zone configuration file, it is automatically copied to / etc/firewalld/zones /.

This article will introduce the basic knowledge of firewalld service in detail and learn how to use the firewall CMD command in RHEL/CentOS 7.

The contents of this article are as follows



  • Operating system: CentOS 7 or later
  • Package: firewalld
  • User account: root user or user account with sudo permission
  • It is recommended that you use sudo privileges instead of root to run all administrative commands

There are three ways to configure a firewall:

  • Edit directly in the "/ etc/firewalld" configuration file
  • Graphical interface "firewall config" tool
  • Command line "firewall CMD" in terminal

Note: we will focus only on the "firewall CMD" command in this article.

Install and enable firewallD service

First, update the latest current version of the package.

sudo yum update -y

Firewall is available on all basic installations of CentOS 7, but not on the minimum installation. In this case, we can use the following command to install:

$ sudo yum install firewalld -y

Start and enable the service using the following command

$ sudo systemctl start firewalld.service

$ sudo systemctl Enable firewalld.service

Verify the status of the firewall service using the following command:

$ sudo firewall-cmd --state

$ sudo systemctl status firewalld

Detailed output:

firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sat 2020-04-18 22:39:56 IST; 2h 52min ago
Main PID: 759 (firewalld)
CGroup: /system.slice/firewalld.service
└─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 18 22:39:56 localhost.localdomain systemd[1]: Started firewalld - dynamic...

Tip: some lines are omitted. Use - l to display the complete line.


Firewall has introduced several predefined areas and services for different purposes. One of the main purposes is to handle firewalld management more easily.

Based on these regions and services, we can block any form of system incoming traffic unless it explicitly allows the use of some special rules in the region.

1. How to view all available areas in firewalld?

$ sudo firewall-cmd --get-zones

This is the default predefined area in firewalld

2. How to find out which is the default area?

$ firewall-cmd --get-default-zone


According to the above output, we can see that the public area is marked as the default area, and we can change it according to our requirements. We will discuss it further in the next example.

3. How to find the list of active areas and related network interfaces?

$ firewall-cmd --get-active-zones

interfaces: enp1s0

In the above output, you can see that the public area is active and associated with the "enp1s0" network interface. If no interface is not assigned to a specific area, it will be automatically attached to the default area.

4. How to check whether there are any rules listed in the activity public area?

$ sudo firewall-cmd --list-all --zone="public"

The above output shows that the public area is active and set to the default value. The network interface "enp1so" is associated with the active area. In this area, DHCPv6 client and ssh are allowed to serve through the firewall.

5. How to view the list of all available areas?

$ sudo firewall-cmd --list-all-zones

Similar to the previous example, the detailed configuration pages of each available area will be listed here. Please check yourself because the output list will be very long.

6. How to change the default area to a specific area?

Before changing to a new area, let's check the existing available areas.

$ sudo firewall-cmd --get-default-zone


In the output, you can see that the public area is set as the default area. Now let's try to change the area from public to working.

$ sudo firewall-cmd --set-default-zone=work


As you can see, the output of the above command is successful. Let's verify it.

$ sudo firewall-cmd --get-default-zone

work      <==

7. How to change the network interface from one region to another?

If the system has two network interfaces, such as "enp1s0 and enp1s1", by default, all interfaces will be assigned to the default area. You can change the interface to another area by using the following command.

$ sudo firewall-cmd --zone=internal --change-interface=enp1s1

You can verify with the following command:

$ sudo firewall-cmd --get-active-zones

8. How to create a custom firewalld zone?

As we know, all system specified configuration files are located in "/ usr/lib/firewalld/zones", and user specified files are located in "/ etc/firewalld/zones".

Use the following command to create a custom zone file that allows ssh and apache services using port numbers 80 and 22.

Make sure that the new file should be saved in a user-defined location in. xml format. Currently, the length of the name area file is limited to 17 characters.

$ sudo vi /etc/firewalld/zones/ linuxtecksecure .xml
<?xml version="1.0" encoding="utf-8"?>
<description>For the enterprise domain.</description>
<service name="apache"/>
<service name="ssh"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="22"/>

Save and exit.

Reload firewall service:

$ sudo firewall-cmd --reload


Now recheck the available areas in firewalld

$ sudo firewall-cmd --get-zones

block dmz drop external home internal "linuxtecksecure" public trusted work

Using the above command, we can create a new (Linux techsecure) zone to enable only apache and ssh services by default. After creating the file, we need to "reload" the firewalld service to activate the zone to firewalld

Remember: after making any changes / updates to the existing zone file, be sure to reload your firewalld service activation, otherwise the changes in the firewall will not be affected.


firewalld has another component called "services". These services can be used in the zone file to manage the traffic rules in firewall settings. Each predefined "service" is used in the default configuration of the zone file


Manage the local traffic of DHCP v6 client and use udp port 546.


Manage the local traffic of ssh server service and use tcp port 22.


Manage the local traffic of Windows FLES / printer sharing service and use 137(UDP) and 138(UDP) ports


Manage the local traffic for the print server service and use udp port 631.


Manage the multicast local link service and use udp port 5353.

1. How to list all available services in firewalld?

$ sudo firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc 
ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch 
etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre 
high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop 
kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql 
murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis 
pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client 
samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui 
synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans 
xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

2. How to list all available services in a specific area?

$ sudo firewall-cmd --zone=work --list-services

dhcpv6-client ssh

The output shows that only two services are enabled in the work area.

3. How to add an existing service to the default area?

$ sudo firewall-cmd --add-service=samba


In this example, I have added an existing service named samba to the default zone, which you can verify with the following command:

$ sudo firewall-cmd --zone=public --list-services

dhcpv6-client samba ssh

Similarly, we can add services to areas other than the default area. Use the following command:

$ sudo firewall-cmd --zone=internal --add-service=ftp

firewalld two modes

By default, firewalld supports two independent modes, permanent and runtime (immediate).

When we start the firewall, it loads all persistent configuration files into the runtime.

Any opportunity you have to add or update is applied to the runtime configuration and is not automatically enabled to the persistent configuration.

In order to make it a permanent rule, we need to use the "- permanent" parameter. In order to enable these changes in firewalld, we need to reload or restart the firewall service.

1. How to permanently add a service?

$ sudo firewall-cmd --permanent --add-service=ftp

$ sudo firewall-cmd --reload


Remember, whenever you use the "- permanent" flag, don't forget to reload the firewall service.

2. How do I migrate my runtime settings to permanent settings?

$ sudo firewall-cmd --runtime-to-permanent


Generally, we test all rules in the runtime environment. Once the rules run successfully, we use the "- permanent" option to make them permanent. We use the above command to migrate all runtime settings to the permanent mode at one time. If the firewall settings are invalid, we only need to reload / restart the firewall service to make these rules work in the permanent configuration.


firewalld allows us to handle network ports directly. The beauty is that we can open and close relevant ports in the firewall even without installing specific services in the system.

1. How to open ports for samba services in public areas?

$ sudo firewall-cmd --zone=public --add-port=137/udp

$ sudo firewall-cmd --zone=public --add-port=138/udp

$ sudo firewall-cmd --zone=public --add-port=139/tcp

$ sudo firewall-cmd --zone=public --add-port=445/tcp


Using the above command, we have successfully opened the samba service port


$ sudo firewall-cmd --list-ports

137/udp 138/udp 139/tcp 445/tcp

After the successful test, if you want to continue to use these rules as permanent rules of the firewall, use the "- permanent" flag with the above command or use the runtime as permanent command. Don't forget to reload the service.


Firewall also has an interesting feature called timeout. This feature will help many system administrators add temporary rules to their runtime settings, for example, if users want to download files from the server through the FTP service.

Since this is a one-time operation, no permanent rules are required.

Downloading a file may take only 2-5 minutes (depending on the file size).

In our example, we can allow the FTP service for 5 minutes, which will automatically disconnect after a given time.

$ sudo firewall-cmd --zone=public --add-service=ftp --timeout=5m

We can specify the timeout in seconds (s), minutes (m), or hours (h).

Thank you for taking the time to read! I hope this article can help you understand the basic usage of "firewall CMD" command through examples. If you like this article, please share it with others.

Posted by Remote4ever on Fri, 26 Nov 2021 03:30:10 -0800