Firewalld Quickstart Guide
Firewalld is the default software firewall for CentOS 7 and other modern distributions based on Red Hat or SUSE Linux. This quickstart guide outlines several useful commands and techniques to assist debugging Firewalld.
Verify firewalld is active
$ firewall-cmd --state
running
Check the zones assigned to active interfaces
$ firewall-cmd --get-active-zones
public
interfaces: ens3
Check which ports and services are allowed
Assuming your active zone is public, this quick check reveals what traffic is allowed.
$ firewall-cmd --zone=public --list-ports
7000-8000/tcp
$ firewall-cmd --zone=public --list-services
cockpit dhcpv6-client ssh
Example: Allow SSH
Assuming your active zone is public, use either of these two methods to allow SSH.
$ firewall-cmd --zone=public --add-service=ssh
or
# firewall-cmd --add-port=22/tcp
Panic Mode
Drop All Packets
As root, use the --panic-on switch.
# firewall-cmd --panic-on
All packets will be dropped. Active connections will be terminated after a period of inactivity.
Panic Mode Off
As root, use the --panic-off switch.
# firewall-cmd --panic-off
Check Panic Mode Status
firewall-cmd --query-panic && echo "enabled" || echo "Not enabled"
Permanent vs. Temporary Configuration
Temporary changes cause a common issue; the server works as expected until the next reboot. Make sure you permanently save your configuration.
To make a command permanent, add the --permanent option to all commands except --direct commands (which are temporary by nature). Setting made with the --permanent option do not take effect until the next firewall reload, service restart, or system reboot. Settings made without the --permanent option take effect immediately, but are only valid until the next firewall reload, system boot, or service restart.
Disable firewalld
As root, mask and disable the service.
# systemctl mask --now firewalld.service
# systemctl disable --now firewalld.service
For more information
Want to contribute?
You could earn up to $300 by adding new articles