A minimal subset of commands available using the firewall-cmd tool for configuring the CentOS 7 firewall.

Query Commands

# Get the current state
$ sudo firewall-cmd --state

# Find interface details (name, IP address and MAC address), needed to know which interface to bind to a zone.
$ ip addr

# Get current zone configuration.
$ sudo firewall-cmd --list-all-zones

# Get the default zone
$ sudo firewall-cmd --get-default-zone

# Get active zones, i.e. zones with an interface assigned.
$ sudo firewall-cmd --get-active-zones

# Get services assigned to a zone
$ sudo firewall-cmd --zone=zonename --list-services

# Get ports assigned to a zone
$ sudo firewall-cmd --zone=work --list-ports

# Get all pre-defined services.
# The default list is located at /usr/lib/firewalld
# Additional services can be defined in this location.
# Copy the xml format used for an existing service.
# Firewalld reload required before service is available in cli.
$ sudo firewall-cmd --get-services

Assign Commands

Adding & Removing Interfaces from a Zone.

# Add an interface to a zone
$ sudo firewall-cmd --zone=work --add-interface=if-name --permanent

# Change the zone an interface is assigned to.
$ sudo firewall-cmd --zone=work --change-interface=if-name --permanent

# Remove an interface binding from a zone
$ sudo firewall-cmd --zone=work --remove-interface=if-name --permanent

Adding & Removing Services from a Zone.

# Add a service to a zone.
$ sudo firewall-cmd --zone=work --add-service=http --permanent

# Remove a service from a zone.
$ sudo firewall-cmd --zone=work --remove-service=https --permanent

Adding & Removing Ports from a Zone.

# Add a port to a zone.
$ sudo firewall-cmd --zone=work --add-port=9200/tcp --permanent

# Add a port range to a zone.
$ sudo firewall-cmd --zone=work --add-port=9300-9400/tcp --permanent

# Remove a port from a zone.
$ sudo firewall-cmd --zone=work --remove-port=9200/tcp --permanent

# Remove a port range from a zone.
$ sudo firewall-cmd --zone=work --remove-port=9300-9400/tcp --permanent
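The custom-service procedure above (copy the XML format of an existing service, reload, then add the service to a zone) as a worked example. This is an added helper script, not part of the original page or of firewalld: it writes the service definition in the same XML format the pre-defined services use, into the directory given as its first argument (assumed here to be /etc/firewalld/services, the local override directory; /usr/lib/firewalld/services holds the package-supplied definitions), and the apply step uses the page's 9200/tcp and 9300-9400/tcp ports and the work zone purely as sample values.

```shell
#!/bin/sh
# Hypothetical helper (not from the page): write a custom firewalld service
# definition, then activate it in a zone with the page's reload/add-service steps.
# Usage: write_service_xml <dir> <name> <description> <port/proto>...
# Keeps name/description plain text; no XML escaping is done.
write_service_xml() {
  dir=$1; name=$2; desc=$3; shift 3
  out="$dir/$name.xml"
  {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for spec in "$@"; do
      # each spec is port/proto or range/proto, e.g. 9200/tcp or 9300-9400/tcp
      port=${spec%/*}; proto=${spec#*/}
      case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol in $spec" >&2; return 1 ;;
      esac
      printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
  } > "$out"
  printf '%s\n' "$out"
}

# Count the <port> entries in a generated service file (used to verify output).
count_ports() { grep -c '<port ' "$1"; }

# Apply the page's steps: reload so the new service is visible to the CLI,
# add it to the zone permanently, reload again, then confirm it is listed.
# Runs only when FIREWALLD_APPLY=1 because it needs root and a live firewalld.
if [ "${FIREWALLD_APPLY:-0}" = "1" ]; then
  f=$(write_service_xml /etc/firewalld/services elasticsearch \
        "Elasticsearch REST and transport ports" 9200/tcp 9300-9400/tcp)
  sudo firewall-cmd --reload
  sudo firewall-cmd --zone=work --add-service=elasticsearch --permanent
  sudo firewall-cmd --reload
  sudo firewall-cmd --zone=work --list-services | grep -qw elasticsearch \
    && echo "service from $f is active in zone work"
fi
```

Without FIREWALLD_APPLY=1 the script only defines the functions, so the XML can be generated and inspected in a scratch directory before touching the live firewall.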

Note:

  • Unless --permanent is used, the configuration will not be retained after the firewalld service is restarted or the system rebooted.
  • Permanent changes are not applied to the running firewall until the service is restarted.
  • Official doco found here.