firewalld is the default method in Red Hat Enterprise Linux 7 for managing host-level firewalls. Started from the firewalld. service systemd service, firewalld manages the Linux kernel netfilter subsystem using the low-level iptables, ip6tables, and ebtables commands.
Default Configuration of firewalld Zones
| Zone name | Default configuration |
|---|---|
| trusted | Allow all incoming traffic. |
| home | Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services. |
| internal | Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services (same as the home zone to start with). |
| work | Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp – client, or dhcpv6 – client predefined services. |
| public | Reject incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6 – client predefined services. The default zone for newly added network interfaces |
| external | Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service. Outgoing 1Pv4 traffic forwarded through this zone is masqueraded to look like it originated from the 1Pv4 address of the outgoing network interface. |
| dmz | Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service. |
| block | Reject all incoming traffic unless related to outgoing traffic. |
| drop | Drop all incoming traffic unless related to outgoing traffic (do not even respond with ICMP errors). |
Firewalld Commandline reference
| firewall -cmd Commands | Explanation |
|---|---|
| –get-default-zone | Query the current default zone. |
| –set-default-zone=[ZONE] | Set the default zone. This changes both the runtime and the permanent configuration. |
| –get-zones | List all available zones. |
| –get-services | List all predefined services. |
| –get-active-zones | List all zones currently in use (have an interface or source tied to them), along with their interface and source information. |
| –add-source=[CIDR] [ –zone=[ZONE] | Route all traffic coming from the IP address or network/netmask [CIDR] to the specified zone. If no –zone= option is provided, the default zone will be used. |
| –remove-source=[CIDR] [ –zone=[ZONE] | Remove the rule routing all traffic coming from the IP address or network/netmask [CIDR] from the specified zone. If no –zone= option is provided, the default zone will be used. |
| –add-interface=[INTERFACE] [ –zone=[ZONE] | Route all traffic coming from [INTERFACE] to the specified zone. If no –zone= option is provided, the default zone will be used. |
| –change -interface=[INTERFACE] [–zone=[ZONE] | Associate the interface with [ZONE] instead of its current zone. If no –zone= option is provided, the default zone will be used. |
| –list-all [–zone=[ZONE]] | Listallconfiguredinterfaces, sources, services, and ports for [ZONE]. If no –zone= option is provided, the default zone will be used. |
| –list-all-zones | Retrieve all information for all zones (interfaces, sources, ports, services, etc.). |
| –add-service=[SERVICE] | Allow traffic to [SERVICE]. If no –zone= option is provided, the default zone will be used. |
| –add-port=[PORT/PROTOCOL] | Allow traffic to the [PORT/ PROTOCOL] port(s). If no –zone= option is provided, the default zone will be used. |
| –remove-service=[SERVICE] | Remove [SERVICE] from the allowed list for the zone. If no –zone= option is provided, the default zone will be used. |
| –remove-port=[PORT/PROTOCOL] | Remove the [PORT/PROTOCOL] port(s) from the allowed list for the zone. If no –zone= option is provided, the default zone will be used. |
| –reload | Drop the runtime configuration and apply the persistent configuration. |