Firewall CLI Commands for CentOS 7: Brief Reference

CentOS 7 Firewall CLI Commands | This post is mostly a reference of CLI commands to use on CentOS 7 for working with firewall rules.


CentOS 7 uses firewalld instead of the iptables service. Firewalld is a complete firewall solution available by default on CentOS 7 servers. This reference covers how to set up various firewall rules for your server using the firewall-cmd administrative tool. You can find out more by reading the guide from DigitalOcean.


What are Zones?

The firewalld daemon manages groups of rules using entities called “zones”. Zones are basically sets of rules dictating what traffic should be allowed depending on the level of trust you have in the networks your computer is connected to. Network interfaces are assigned a zone to dictate the behavior that the firewall should allow.


Turn On Firewalld

Before we can begin to create our firewall rules, we need to actually turn the daemon on. The systemd unit file is called firewalld.service. We can start the daemon for this session by typing:

sudo systemctl start firewalld.service

We can verify that the service is running and reachable by typing:

firewall-cmd --state

This indicates that our firewall is up and running with the default configuration.


Find your Active Zone

Use this command to find your active zone(s):

firewall-cmd --get-active-zones

It will say either public, dmz, or something else. Apply rules only to the zones that require them.

List All Firewall Zones

You can check which zone you are using, and what it currently allows, with:

firewall-cmd --list-all


Opening a Firewall Port

In the case of dmz try:

firewall-cmd --zone=dmz --add-port=2888/tcp --permanent

Otherwise, substitute dmz for your zone, for example, if your zone is public:

firewall-cmd --zone=public --add-port=2888/tcp --permanent

Rules added with --permanent are written to the saved configuration only, so remember to reload the firewall for the changes to take effect:

firewall-cmd --reload

If the port belongs to a known service, you can add the service by name instead:

firewall-cmd --permanent --zone=public --add-service=http

Then reload the firewall:

firewall-cmd --reload

Changing Zones

Again, you can check which zone you are using with firewall-cmd --list-all and change it with firewall-cmd --set-default-zone=<zone>.

You will then know what zone to allow a service (or port) on:

firewall-cmd --permanent --zone=<zone> --add-service=http
firewall-cmd --permanent --zone=<zone> --add-port=80/tcp

You can check whether the port has actually been opened by running the following (reload first, since these queries read the runtime configuration):

firewall-cmd --zone=<zone> --query-port=80/tcp
firewall-cmd --zone=<zone> --query-service=http
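
Because --permanent changes stay invisible until a reload, and rules added without --permanent disappear on one, it helps to compare the two configurations before reloading. The script below is an added example, not part of the original post: it lists ports and services that are waiting on a reload and those that a reload would drop. The function names diff_rules and check_zone are made up for this example; pass the zone name as the first argument and run it as root.

```shell
#!/bin/bash
# Added example: report drift between runtime and permanent firewalld config.

# diff_rules RUNTIME PERMANENT
# Each argument is a space-separated list as printed by
# `firewall-cmd --list-ports` or `firewall-cmd --list-services`.
# Prints "pending-reload: X" for rules saved with --permanent but not yet live,
# and "runtime-only: X" for live rules that a reload or reboot would drop.
diff_rules() {
    local runtime permanent item
    runtime=" $1 "
    permanent=" $2 "
    for item in $2; do
        case "$runtime" in
            *" $item "*) ;;
            *) echo "pending-reload: $item" ;;
        esac
    done
    for item in $1; do
        case "$permanent" in
            *" $item "*) ;;
            *) echo "runtime-only: $item" ;;
        esac
    done
}

# check_zone ZONE: compare live and saved ports and services for one zone.
check_zone() {
    local zone kind
    zone="$1"
    for kind in ports services; do
        diff_rules \
            "$(firewall-cmd --zone="$zone" --list-"$kind")" \
            "$(firewall-cmd --permanent --zone="$zone" --list-"$kind")"
    done
}

# Query the real firewall only when firewall-cmd exists and a zone was given.
if command -v firewall-cmd >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    check_zone "$1"
fi
```

Empty output means the runtime and permanent configurations of that zone agree on ports and services.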


Banner image from – 2/15/2017
