firewall-cmd: command line tool for firewall settings in RHEL7
firewall-cmd is the command line tool for configuring firewalld.

Syntax: firewall-cmd [OPTIONS...]

Common options:
  -h: print help information.
  -V: print version information.
  -q: quiet; do not print status information.

Status options:
  --state: check whether the firewall daemon is running. Returns 0 if it is, otherwise a non-zero value.
  --reload: reload the firewall rules while keeping state information (established connections survive). The current permanent configuration becomes the new runtime configuration.
  --complete-reload: reload the firewall completely, including the netfilter kernel modules. State information is lost, so current connections are interrupted.

Permanent option:
  --permanent: make the change part of the permanent configuration. The change does not take effect immediately; it becomes active only after a reload, a restart of the service, or a reboot. Without --permanent, a change applies to the runtime configuration only and is lost on the next reload.

Zone options:
  --get-default-zone: print the default zone used for connections and interfaces.
  --set-default-zone=zone: set the default zone.
  --get-active-zones: print the zones that are currently active (have interfaces or sources bound).
  [--permanent] --get-zones: print the predefined zones, separated by spaces.
  [--permanent] --get-services: print the predefined services, separated by spaces.
  [--permanent] --get-icmptypes: print all ICMP types.
  [--permanent] --get-zone-of-interface=interface: print the zone of the given network interface.
  [--permanent] --get-zone-of-source=source[/mask]: print the zone of the given source address.
  [--permanent] --list-all-zones: list all zones with everything enabled in them.
  [--permanent] [--zone=zone] --list-all: list everything added to or enabled in the zone.
  [--permanent] [--zone=zone] --list-services: list the services enabled in the zone.
  [--permanent] [--zone=zone] --add-service=service [--timeout=seconds]: enable a service in the zone. If --timeout is given, the service is enabled only for that many seconds and is removed afterwards.
  [--permanent] [--zone=zone] --remove-service=service: remove a service from the zone.
  [--permanent] [--zone=zone] --query-service=service: query whether the service is enabled in the zone. Returns 0 if it is, otherwise 1.
  [--permanent] [--zone=zone] --list-ports: list all ports and protocols opened in the zone.
  [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol [--timeout=seconds]: open a port (or port range) and protocol in the zone. If --timeout is given, it is open only for that many seconds.
  [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol: remove the port and protocol from the zone.
  [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol: query whether the port and protocol are opened in the zone.
  [--permanent] [--zone=zone] --list-icmp-blocks: list all ICMP types blocked in the zone.
  [--permanent] [--zone=zone] --add-icmp-block=icmptype [--timeout=seconds]: block the ICMP type. If --timeout is given, the block lasts only that many seconds.
  [--permanent] [--zone=zone] --remove-icmp-block=icmptype: remove the ICMP block.
  [--permanent] [--zone=zone] --query-icmp-block=icmptype: query whether the ICMP type is blocked. Returns 0 if it is, otherwise 1.
  [--permanent] [--zone=zone] --list-forward-ports: list the IPv4 forward ports of the zone.
  [--permanent] [--zone=zone] --add-forward-port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=seconds]: add an IPv4 port forward to the zone.
  [--permanent] [--zone=zone] --remove-forward-port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]: remove the IPv4 port forward.
  [--permanent] [--zone=zone] --query-forward-port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]: query whether the IPv4 port forward exists. Returns 0 if it does, otherwise 1.
  [--permanent] [--zone=zone] --add-masquerade [--timeout=seconds]: enable IPv4 masquerading in the zone.
  [--permanent] [--zone=zone] --remove-masquerade: disable IPv4 masquerading in the zone.
  [--permanent] [--zone=zone] --query-masquerade: query whether IPv4 masquerading is enabled in the zone.
  [--permanent] [--zone=zone] --list-rich-rules: list all rich rules in the zone.
  [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=seconds]: add a rich rule.
  [--permanent] [--zone=zone] --remove-rich-rule='rule': remove the rich rule.
  [--permanent] [--zone=zone] --query-rich-rule='rule': query whether the rich rule exists.
  [--permanent] [--zone=zone] --list-interfaces: list all network interfaces bound to the zone.
  [--permanent] [--zone=zone] --add-interface=interface: bind a network interface to the zone.
  [--zone=zone] --change-interface=interface: change the zone a network interface is bound to.
  [--permanent] [--zone=zone] --query-interface=interface: query whether the interface is bound to the zone.
  [--permanent] [--zone=zone] --remove-interface=interface: remove the interface from the zone.
  [--permanent] [--zone=zone] --list-sources: list all sources bound to the zone.
  [--permanent] [--zone=zone] --add-source=source[/mask]: bind a source address or network to the zone.
  [--zone=zone] --change-source=source[/mask]: change the zone a source is bound to.
  [--permanent] [--zone=zone] --query-source=source[/mask]: query whether the source is bound to the zone. Returns 0 if it is, otherwise 1.
  [--permanent] [--zone=zone] --remove-source=source[/mask]: remove the source from the zone.

Direct options:
  [--permanent] --direct --get-all-chains: get all chains.
  [--permanent] --direct --get-chains {ipv4|ipv6|eb} table: get the chains in the table, separated by spaces.
  [--permanent] --direct --add-chain {ipv4|ipv6|eb} table chain: add a chain to the table.
  [--permanent] --direct --remove-chain {ipv4|ipv6|eb} table chain: remove a chain from the table.
  [--permanent] --direct --query-chain {ipv4|ipv6|eb} table chain: query whether the chain exists in the table. Returns 0 if it does, otherwise 1.
  [--permanent] --direct --get-all-rules: get all rules.
  [--permanent] --direct --get-rules {ipv4|ipv6|eb} table chain: get all rules of the chain in the table.
  [--permanent] --direct --add-rule {ipv4|ipv6|eb} table chain priority args: add a rule with the given priority to the chain in the table.
  [--permanent] --direct --remove-rule {ipv4|ipv6|eb} table chain priority args: remove the rule from the chain in the table.
  [--permanent] --direct --remove-rules {ipv4|ipv6|eb} table chain: remove all rules from the chain in the table.
  [--permanent] --direct --query-rule {ipv4|ipv6|eb} table chain priority args: query whether the rule exists in the chain of the table.
  --direct --passthrough {ipv4|ipv6|eb} args: pass the arguments directly to the firewall backend.
  --permanent --direct --get-all-passthroughs: get all passthrough rules.
  --permanent --direct --get-passthroughs {ipv4|ipv6|eb}: get the passthrough rules for the given family.
  --permanent --direct --add-passthrough {ipv4|ipv6|eb} args: add a passthrough rule.
  --permanent --direct --remove-passthrough {ipv4|ipv6|eb} args: remove a passthrough rule.
  --permanent --direct --query-passthrough {ipv4|ipv6|eb} args: query whether the passthrough rule exists.

Lockdown options:
  --lockdown-on: enable lockdown.
  --lockdown-off: disable lockdown.
  --query-lockdown: query whether lockdown is enabled.
  [--permanent] --list-lockdown-whitelist-commands: list the commands in the lockdown whitelist (commands allowed to modify firewall rules).
  [--permanent] --add-lockdown-whitelist-command=command: add a command to the lockdown whitelist.
  [--permanent] --remove-lockdown-whitelist-command=command: remove a command from the lockdown whitelist.
  [--permanent] --query-lockdown-whitelist-command=command: query whether the command is in the lockdown whitelist.
  [--permanent] --list-lockdown-whitelist-contexts: list all SELinux contexts in the lockdown whitelist.
  [--permanent] --add-lockdown-whitelist-context=context: add an SELinux context to the lockdown whitelist.
  [--permanent] --remove-lockdown-whitelist-context=context: remove an SELinux context from the lockdown whitelist.
  [--permanent] --query-lockdown-whitelist-context=context: query whether the SELinux context is in the lockdown whitelist.
  [--permanent] --list-lockdown-whitelist-uids: list all user IDs in the lockdown whitelist.
  [--permanent] --add-lockdown-whitelist-uid=uid: add the user ID to the lockdown whitelist.
  [--permanent] --remove-lockdown-whitelist-uid=uid: remove the user ID from the lockdown whitelist.
  [--permanent] --query-lockdown-whitelist-uid=uid: query whether the user ID is in the lockdown whitelist.
  [--permanent] --list-lockdown-whitelist-users: list all user names in the lockdown whitelist.
  [--permanent] --add-lockdown-whitelist-user=user: add the user name to the lockdown whitelist.
  [--permanent] --remove-lockdown-whitelist-user=user: remove the user name from the lockdown whitelist.
  [--permanent] --query-lockdown-whitelist-user=user: query whether the user name is in the lockdown whitelist.

Panic options:
  --panic-on: enable panic mode (drop all incoming and outgoing packets).
  --panic-off: disable panic mode.
  --query-panic: query whether panic mode is enabled.
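The --permanent and --reload semantics above mean a zone can silently carry two different configurations: runtime changes that vanish on the next reload, and permanent changes that are not active yet. The script below is an added example, not part of the original page or of firewalld itself: it runs --list-all twice for one zone (runtime and --permanent), compares the space-separated fields, and reports the drift. The FWCMD variable and the helper names are this example's own assumptions; FWCMD can be pointed at a stub for testing on a host without firewalld.

```shell
#!/bin/sh
# Added example (not from the page): report drift between the runtime
# configuration of a firewalld zone and its --permanent configuration.
# FWCMD may be overridden (e.g. with a stub function) to test without firewalld.
FWCMD="${FWCMD:-firewall-cmd}"

# field KEY TEXT: print the value of the "  KEY: value" line in --list-all output.
field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# words_only A B: print the words of A that do not occur in B.
words_only() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;
            *) printf '%s ' "$w" ;;
        esac
    done
}

# zone_drift ZONE: print settings present in only one of the two
# configurations. Returns 0 when they match, 1 on drift, 2 when
# firewall-cmd itself failed (daemon not running, unknown zone, no privilege).
zone_drift() {
    zone="$1"
    runtime=$("$FWCMD" --zone="$zone" --list-all) || return 2
    permanent=$("$FWCMD" --permanent --zone="$zone" --list-all) || return 2
    drift=0
    for key in interfaces sources services ports protocols masquerade \
               forward-ports icmp-blocks; do
        r=$(field "$key" "$runtime")
        p=$(field "$key" "$permanent")
        ro=$(words_only "$r" "$p")
        po=$(words_only "$p" "$r")
        if [ -n "$ro" ]; then
            echo "runtime only (lost on --reload)   $key: $ro"
            drift=1
        fi
        if [ -n "$po" ]; then
            echo "permanent only (not active yet)   $key: $po"
            drift=1
        fi
    done
    return $drift
}

# Stand-alone use: ./zone_drift.sh public
if [ $# -gt 0 ]; then
    zone_drift "$1"
fi
```

Anything reported as "runtime only" must be re-added with --permanent (and anything "permanent only" activated with --reload) before the two views agree.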