These are rough notes from whatever I was working on, interested in or thinking about at the time. They vary greatly in quality and length, but prove useful to me, and hopefully to you too!
CentOS 7 firewalld
- software engineering
The full manual for firewalld on CentOS 7 can be found in section 5 of the RHEL 7 security guide.
Important details about when commands take effect:
- Commands issued without the `--permanent` option take effect instantly, but are lost upon reload.
- Commands issued with the `--permanent` option do not take effect until reload.
- If wanting a command to be permanent and take effect instantly, run it with and then without the `--permanent` option. (This is quicker than doing a reload.)
Important details about zones:
- If `--zone` is not specified, the command automatically and silently uses the default zone.
- By default, the default zone is `public`.
- The default zone can be changed by editing `/etc/firewalld/firewalld.conf` and then performing a reload.
Open a port (specifying the service)
Preferably, rather than allowing a port number, allow a service. This makes it more human friendly. For example, to view the currently allowed services:
```
$ firewall-cmd --zone=public --list-services
dhcpv6-client ssh
```
To enable smtp:
```
$ firewall-cmd --zone=public --add-service=smtp
```
Open a port (specifying the number)
To open port 12345/tcp on the `public` zone:
```
$ firewall-cmd --zone=public --add-port=12345/tcp --permanent
```
List open ports on the `public` zone (a `--permanent` change only shows up here after a reload, or after the command has also been run without `--permanent`):
```
$ firewall-cmd --zone=public --list-ports
12345/tcp
```
Port forwarding connections through an access machine
Given the following network configuration:
```
     gateway
         |
         | public
     eth0|192.168.57.138
+--------+--------+
|  access machine |
+--------+--------+
     eth1|192.168.136.1
         |
         | internal
   ens160|192.168.136.40
+--------+--------+
|  hidden machine |
+-----------------+
```
All following commands, unless otherwise specified, are run from the access machine.
Verify that the interfaces are in the zones shown in the diagram above:
```
$ firewall-cmd --get-active-zones
internal
  interfaces: eth1
public
  interfaces: eth0
```
Enable masquerade on the `public` zone:
```
$ firewall-cmd --zone=public --add-masquerade --permanent
success
```
Check whether the `public` zone has masquerade enabled:
```
$ firewall-cmd --zone=public --query-masquerade
yes
```
Forward inbound packets on port 10022 to port 22 on address 192.168.136.40:
```
$ firewall-cmd --zone=public --add-forward-port=port=10022:proto=tcp:toport=22:toaddr=192.168.136.40
```
List configuration for the `public` zone:
```
$ firewall-cmd --zone=public --list-all
```
Reload the firewall. Any non-`--permanent` changes will be lost.
```
$ firewall-cmd --reload
success
```
It is now possible to ssh from the gateway through to the hidden machine using port 10022:
```
$ ssh firstname.lastname@example.org -p10022
```
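The forward only works when all three pieces line up: eth0 bound to the zone, masquerade on, and the forward-port rule present. As an added check that is not part of the original notes, this script audits the `--list-all` output for exactly those prerequisites; the sample output it embeds is constructed to match the steps above.

```shell
#!/bin/sh
# Added example (not from the original notes): audit `firewall-cmd --zone=public
# --list-all` output for the prerequisites of the port forward described above.

# Build a forward-port spec in the syntax --add-forward-port expects.
# $1 = inbound port, $2 = proto, $3 = destination port, $4 = destination address
fwd_spec() {
  printf 'port=%s:proto=%s:toport=%s:toaddr=%s' "$1" "$2" "$3" "$4"
}

# Print the value(s) of one "key:" field from --list-all text on stdin.
# Handles the single-line form and the indented multi-line form that newer
# firewalld releases use for forward-ports.
list_all_field() {
  awk -v k="$1:" '
    $1 == k { on = 1; $1 = ""; sub(/^[ \t]+/, ""); if ($0 != "") print; next }
    on && /^[ \t]+port=/ { sub(/^[ \t]+/, ""); print; next }
    { on = 0 }'
}

# Return 0 if the zone text on stdin is ready for the forward, else say why.
# $1 = interface expected in the zone, $2 = forward-port spec expected
forward_ready() {
  out=$(cat)
  ifaces=$(printf '%s\n' "$out" | list_all_field interfaces)
  masq=$(printf '%s\n' "$out" | list_all_field masquerade)
  fwds=$(printf '%s\n' "$out" | list_all_field forward-ports | tr '\n' ' ')
  case " $ifaces " in *" $1 "*) ;; *) echo "interface $1 is not in the zone" >&2; return 1 ;; esac
  [ "$masq" = yes ] || { echo "masquerade is not enabled" >&2; return 1; }
  case " $fwds " in *" $2 "*) ;; *) echo "forward rule $2 is missing" >&2; return 1 ;; esac
}

# Constructed sample of what --list-all prints once the steps above are done.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 12345/tcp
  protocols: 
  masquerade: yes
  forward-ports: port=10022:proto=tcp:toport=22:toaddr=192.168.136.40
  source-ports: 
  icmp-blocks: 
  rich rules: '
```

On the access machine, pipe both `firewall-cmd --zone=public --list-all` and `firewall-cmd --permanent --zone=public --list-all` into `forward_ready eth0 "$(fwd_spec 10022 tcp 22 192.168.136.40)"`; after the "with and then without `--permanent`" pattern (or a reload) both should pass, and a failure of only the runtime check tells you a reload is still pending.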