## Initial information

| Command | Description |
| --- | --- |
| `firewall-cmd --state` | Get the status of firewalld |
| `firewall-cmd --reload` | Reload the firewall |
| `firewall-cmd --get-zones` | List of all supported zones |
| `firewall-cmd --get-services` | List of all supported services |
| `firewall-cmd --get-icmptypes` | List of all supported icmptypes |
| `firewall-cmd --list-all-zones` | List all zones with the enabled features |
| `firewall-cmd [--zone=<zone>] --list-all` | Print zone with the enabled features |
| `firewall-cmd --get-default-zone` | Get the default zone |
| `firewall-cmd --set-default-zone=<zone>` | Set the default zone |
| `firewall-cmd --get-active-zones` | Get active zones |
| `firewall-cmd --get-zone-of-interface=<interface>` | Get zone related to an interface |

## Interface

| Command | Description |
| --- | --- |
| `firewall-cmd [--zone=<zone>] --add-interface=<interface>` | Add an interface to a zone |
| `firewall-cmd [--zone=<zone>] --change-interface=<interface>` | Change the zone an interface belongs to |
| `firewall-cmd [--zone=<zone>] --remove-interface=<interface>` | Remove an interface from a zone |
| `firewall-cmd [--zone=<zone>] --query-interface=<interface>` | Query if an interface is in a zone |
| `firewall-cmd [--zone=<zone>] --list-services` | List the enabled services in a zone |

## Service

| Command | Description |
| --- | --- |
| `firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]` | Enable a service in a zone |
| `firewall-cmd [--zone=<zone>] --remove-service=<service>` | Disable a service in a zone |
| `firewall-cmd [--zone=<zone>] --query-service=<service>` | Query if a service is enabled in a zone |

## Source

| Command | Description |
| --- | --- |
| `firewall-cmd [--zone=<zone>] --add-source=<address> [--timeout=<seconds>]` | Enable a source in a zone |
| `firewall-cmd [--zone=<zone>] --remove-source=<address>` | Disable a source in a zone |
| `firewall-cmd [--zone=<zone>] --query-source=<address>` | Query if a source is enabled in a zone |

## ICMP

| Command | Description |
| --- | --- |
| `firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>` | Enable ICMP blocks in a zone |
| `firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>` | Disable ICMP blocks in a zone |
| `firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>` | Query ICMP blocks in a zone |
| `firewall-cmd --zone=public --add-icmp-block=echo-reply` | **Example** |

## Port and protocol combination

| Command | Description |
| --- | --- |
| `firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]` | Enable a port and protocol combination in a zone |
| `firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>` | Disable a port and protocol combination in a zone |
| `firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>` | Query if a port and protocol combination is enabled in a zone |

## Port forwarding or port mapping

| Command | Description |
| --- | --- |
| `firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] \| :toaddr=<address> \| :toport=<port>[-<port>]:toaddr=<address> }` | Enable port forwarding or port mapping in a zone |
| `firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] \| :toaddr=<address> \| :toport=<port>[-<port>]:toaddr=<address> }` | Disable port forwarding or port mapping in a zone |
| `firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] \| :toaddr=<address> \| :toport=<port>[-<port>]:toaddr=<address> }` | Query port forwarding or port mapping in a zone |
| `firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2` | **Example** |

## Sources

[firewall-cmd Cheat Sheet by mikael.leberre (Cheatography)](https://cheatography.com/mikael-leberre/cheat-sheets/firewall-cmd/)