
Red Hat firewall (firewalld / firewall-cmd)


Ref: Working with Zones | Red Hat

Ref: Secure your Linux network with firewall-cmd

  • A network interface (or a source address) is bound to a zone
  • Rules (the ACL: services, ports, forward-ports, rich rules) are attached to the zone and apply to all traffic entering through it

Zone

A zone is bound to one or more network interfaces or source addresses; traffic arriving through them is filtered by that zone's rules. Interfaces not bound to any zone fall into the default zone.

List zones

firewall-cmd --get-zones

Display zone detail

Display the zone's interfaces, sources, allowed services and ports, forward-ports and rich rules (default zone if --zone is omitted; add --permanent to see the on-disk configuration instead of the running one)

firewall-cmd --list-all [--zone=<zone name>] [--permanent]

Display all zone detail

firewall-cmd --list-all-zones

Get default zone

firewall-cmd --get-default-zone

Set default zone

Unlike most other commands this is applied to both runtime and permanent configuration at once

firewall-cmd --set-default-zone=<zone name>

Assign interface to a zone

firewall-cmd --zone=<zone name> --change-interface=<interface name> [--permanent]

Verify which zone an interface ended up in

firewall-cmd --get-zone-of-interface=<interface name>

Service

Service / Rule / ACL

Add service / TCP / UDP port

firewall-cmd --add-service=<service> [--zone=<zone name>] [--permanent]

Option         Description
(default)      add to the runtime configuration only: enforced immediately, lost on --reload or reboot
--permanent    add to the permanent (on-disk) configuration only: not enforced until --reload

Allow SSH

firewall-cmd --add-service=ssh

List all service definitions known to firewalld (this is the catalogue, not what a zone allows; use --list-services for the allowed set)

firewall-cmd --get-services

Add port (a range is written <port>-<port>)

firewall-cmd --add-port=<port>/{tcp|udp} [--zone=<zone name>] [--permanent]

Add TCP port 8080

firewall-cmd --add-port=8080/tcp

# copy the runtime change into the permanent configuration
firewall-cmd --runtime-to-permanent

Remove port

firewall-cmd --remove-port=<port>/{tcp|udp} [--zone=<zone name>] [--permanent]

Remove TCP port 8080

firewall-cmd --remove-port=8080/tcp

# copy the runtime change into the permanent configuration
firewall-cmd --runtime-to-permanent

Redirect port

firewall-cmd --add-forward-port=port=<port>:proto={tcp|udp}[:toport=<to port>][:toaddr=<address>] [--zone=<zone name>] [--permanent]

Redirect incoming TCP port 8080 to local port 80

firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80

Forwarding to another host (toaddr=) additionally requires masquerading in the zone (firewall-cmd --add-masquerade); a local redirect as above does not.

Make runtime setting persistent

firewalld keeps two configurations: runtime (what is enforced now; lost on reload or reboot) and permanent (on disk; loaded by a reload). Copy the current runtime state into the permanent configuration

firewall-cmd --runtime-to-permanent

Reload

Load the permanent configuration into runtime. A reload discards every change that was made without --permanent and not saved with --runtime-to-permanent, so a rule added only at runtime silently disappears here. Conversely, a rule added only with --permanent is not enforced until this reload.

firewall-cmd --reload

Compare firewall-cmd --list-all with firewall-cmd --permanent --list-all to see whether the two configurations have drifted apart.
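The runtime/permanent split described in the option table above and in this section is the usual way a firewalld host ends up with rules that are enforced but not saved (gone at the next reload) or saved but not enforced. The script below is an added example written for this page; it is not from the Red Hat documentation or the original cheat sheet. It normalizes two `firewall-cmd --list-all` listings (runtime and permanent) into `key=item` lines and reports entries present in only one of them. `zone_drift` works on listing text, so it can be exercised with constructed input; `check_zone` feeds it real command output and is only run when `firewall-cmd` exists. The function names and the sample listings are this example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat docs or the original post): report drift
# between a firewalld zone's runtime and permanent configuration.
export LC_ALL=C   # sort and comm must agree on collation

# Turn one `firewall-cmd --list-all` listing (stdin) into sorted "key=item"
# lines so that ordering differences are not counted as drift. Handles inline
# items ("services: ssh http") and continuation lines (forward-ports and rich
# rules are printed one per indented line under their key).
normalize_listing() {
    awk '
        {
            line = $0
            if (match(line, /^[[:space:]]+[a-z -]+: ?/)) {
                key = substr(line, 1, RLENGTH)
                sub(/^[[:space:]]+/, "", key)
                sub(/: ?$/, "", key)
                rest = substr(line, RLENGTH + 1)
                n = split(rest, items, " ")
                for (i = 1; i <= n; i++) print key "=" items[i]
            } else if (line ~ /^[[:space:]]/ && key != "") {
                sub(/^[[:space:]]+/, "", line)   # continuation of previous key
                print key "=" line
            }
            # anything else is the zone header line ("public (active)"): skip
        }
    ' | sort -u
}

# zone_drift RUNTIME_LISTING PERMANENT_LISTING
# Prints "runtime-only key=item" for entries enforced now but not saved (they
# vanish on --reload) and "permanent-only key=item" for entries saved but not
# enforced (they need --reload). Prints nothing when both agree.
zone_drift() {
    pm=$(mktemp) || return 2
    printf '%s\n' "$2" | normalize_listing > "$pm"
    printf '%s\n' "$1" | normalize_listing | comm -23 - "$pm" | sed 's/^/runtime-only /'
    printf '%s\n' "$1" | normalize_listing | comm -13 - "$pm" | sed 's/^/permanent-only /'
    rm -f "$pm"
}

# Exit status 0 when the two listings agree, 1 otherwise.
zone_in_sync() {
    [ -z "$(zone_drift "$1" "$2")" ]
}

# Live check of one zone (default zone if none given). Requires firewall-cmd.
check_zone() {
    zone=${1:-$(firewall-cmd --get-default-zone)} || return 2
    zone_drift "$(firewall-cmd --zone="$zone" --list-all)" \
               "$(firewall-cmd --permanent --zone="$zone" --list-all)"
}

# Stand-alone use: ./zone-drift.sh [zone]
if command -v firewall-cmd >/dev/null 2>&1; then
    check_zone "$@"
fi
```

Run it before a reload (or from a cron job) and treat any `runtime-only` line as a change someone made on the live box and never saved; `permanent-only` lines are pending changes that the next reload will activate, which is worth knowing before you type it on a production host.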