RHEL 7 / CentOS 7 / Oracle Linux 7: How to get started with Firewalld


Presentation

Firewalld is the new userland firewall interface in RHEL 7. It replaces the iptables interface and talks to the netfilter kernel code. Its main improvement for managing security rules is that configuration changes can be applied without dropping current connections.

To know if Firewalld is running, type:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago
   ...
or alternatively:
# firewall-cmd --state
running
 
Note: If Firewalld is not running, the command displays not running.
If you have several IPv4 network interfaces, you will have to enable IP forwarding.
To do that, add the following line to the /etc/sysctl.conf file:
net.ipv4.ip_forward=1
 
Then, activate the configuration:
# sysctl -p
Although Firewalld is the RHEL 7 way to deal with firewalls and provides many improvements, iptables can still be used.

Zone management

Firewalld also introduces the concept of zones: all network interfaces can sit in the same default zone or be split across different zones according to the level of trust assigned to each.
To get the default zone, type:

# firewall-cmd --get-default-zone
public
 
To get the list of zones that have network interfaces assigned to them, type:
# firewall-cmd --get-active-zones
public
interfaces: eth0
 
To get the list of all the available zones, type:
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
 
To get all the details about the public zone, type:
# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
 
To change the default zone to home permanently, type:
# firewall-cmd --set-default-zone=home
success
Network interfaces can be assigned to a zone either temporarily (until the next reboot or reload) or permanently.
To assign the eth0 network interface temporarily to the internal zone, type:
# firewall-cmd --zone=internal --change-interface=eth0
success
To assign the eth0 network interface permanently to the internal zone (a file called internal.xml is created in the /etc/firewalld/zones directory), type:
# firewall-cmd --permanent --zone=internal --change-interface=eth0
success
To know which zone is associated with the eth0 interface, type:
# firewall-cmd --get-zone-of-interface=eth0
internal

Service management

After assigning each network interface to a zone, it is now possible to add services to each zone.

To allow the http service permanently in the internal zone, type:
# firewall-cmd --permanent --zone=internal --add-service=http
success
# firewall-cmd --reload
 
Note1: Type --remove-service=http to deny the http service.
Note2: The firewall-cmd --reload command is necessary to activate the change. Unlike the --complete-reload option, it does not stop current connections.

To get the list of services in the default zone, type:
# firewall-cmd --list-services
dhcpv6-client ssh
 
Note: To get the list of the services in a particular zone, add the --zone= option.

Service firewall configuration

The Firewalld package ships the firewall definitions of the main services (ftp, httpd, etc.) in the /usr/lib/firewalld/services directory. Custom definitions can be added in the /etc/firewalld/services directory, and if a file exists in both locations for the same service, the one in /etc/firewalld/services takes precedence.
This is the case of the HAProxy service, for example: no firewall definition is shipped for it.
Create the /etc/firewalld/services/haproxy.xml file and paste the following lines:

<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>HAProxy</short>
 <description>HAProxy load-balancer</description>
 <port protocol="tcp" port="80"/>
</service>
 
Assign the correct SELinux context and file permissions to the haproxy.xml file:
# cd /etc/firewalld/services
# restorecon haproxy.xml
# chmod 640 haproxy.xml
 
Add the HAProxy service to the default zone permanently and reload the firewall configuration:
# firewall-cmd --permanent --add-service=haproxy
# firewall-cmd --reload
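As an added example (not part of the tutorial), the following shell helper builds a service definition in the same XML format as haproxy.xml above from a list of PORT/PROTO specs, rejecting malformed ports or protocols before anything is written, and wraps the installation steps the tutorial performs (mode 640, restorecon, reload). The function names and the install wrapper are assumptions.

```bash
#!/bin/bash
# Added example, not part of the tutorial: build a firewalld service
# definition like haproxy.xml from port/protocol specs, then optionally
# install it the way the tutorial does. Helper names are assumed.

# valid_port N: true when N is an integer in 1..65535
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_port_spec PORT: accepts "80" or a range "8000-8010" (lo <= hi)
valid_port_spec() {
  local lo="${1%%-*}" hi="${1##*-}"
  valid_port "$lo" && valid_port "$hi" && [ "$lo" -le "$hi" ]
}

# firewalld_service_xml SHORT DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Prints the service XML to stdout; returns 1 on a malformed spec so a typo
# such as 80/icmp or 70000/tcp never reaches /etc/firewalld/services.
# SHORT and DESCRIPTION are not XML-escaped: keep them plain text.
firewalld_service_xml() {
  local short="$1" desc="$2" spec port proto
  shift 2
  [ $# -ge 1 ] || { echo 'at least one PORT/PROTO is required' >&2; return 1; }
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf ' <short>%s</short>\n <description>%s</description>\n' "$short" "$desc"
  for spec in "$@"; do
    port="${spec%/*}"; proto="${spec#*/}"
    case "$proto" in
      tcp|udp) ;;
      *) echo "$spec: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    valid_port_spec "$port" || { echo "$spec: bad port or range" >&2; return 1; }
    printf ' <port protocol="%s" port="%s"/>\n' "$proto" "$port"
  done
  printf '</service>\n'
}

# install_firewalld_service NAME SHORT DESCRIPTION PORT/PROTO...
# Writes /etc/firewalld/services/NAME.xml with mode 640 and a restored
# SELinux label, reloads, and checks that firewalld now lists the service
# (the service name is taken from the file name, as with haproxy.xml).
# Needs root and a running firewalld; not run by the embedded checks.
install_firewalld_service() {
  local name="$1" dir=/etc/firewalld/services tmp
  shift
  tmp=$(mktemp) || return 1
  if ! firewalld_service_xml "$@" >"$tmp"; then rm -f "$tmp"; return 1; fi
  install -m 640 -o root -g root "$tmp" "$dir/$name.xml" || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  restorecon "$dir/$name.xml"
  firewall-cmd --reload >/dev/null &&
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$name"
}
```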

Port management

Port management follows the same model as service management.

To allow the 443/tcp port temporarily in the internal zone, type:
# firewall-cmd --zone=internal --add-port=443/tcp
success
# firewall-cmd --reload
 
Note: type --remove-port=443/tcp to deny the port. A port added without --permanent is a runtime change only; a --reload restores the permanent configuration and discards it, so add --permanent before reloading when the port has to stay open.

To get the list of ports open in the internal zone, type:
# firewall-cmd --zone=internal --list-ports
443/tcp

Masquerading

If your firewall is your network gateway and you don't want everybody to know your internal addresses, you can set up two zones, one called internal and the other external, and configure masquerading on the external zone. This way, all packets leaving through the external zone carry the firewall's IP address as their source address.

To set up masquerading on the external zone, type:
# firewall-cmd --zone=external --add-masquerade
 
Note1: To remove masquerading, use the --remove-masquerade option.
Note2: To know if masquerading is active in a zone, use the --query-masquerade option.

Port forwarding

In addition to masquerading, you may want to use port forwarding.
To forward all packets arriving on port 22 to port 3753 instead, type:
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
 
Note1: To remove port forwarding, use the --remove-forward-port option.
Note2: To know if port forwarding is active in a zone, use the --query-forward-port option.

To forward to a different destination IP address as well, type:
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=10.0.0.1

Direct rules

Specific iptables rules can still be set through the direct mode, which bypasses the Firewalld zone abstraction (here, to open TCP port 9000):
# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
success
# firewall-cmd --reload
 
Note: This last example has been borrowed from Khosro Taraghi’s blog.
To display all the direct rules added, type:
# firewall-cmd --direct --get-all-rules
 
 

FIREWALLD.RICHLANGUAGE

firewalld.richlanguage — Rich Language Documentation

Description

With the rich language, more complex firewall rules can be created in an easy-to-understand way. The language uses keywords with values and is an abstract representation of ip*tables rules.
The rich language extends the current zone elements (service, port, icmp-block, masquerade and forward-port) with additional source and destination addresses, logging, actions and limits for logs and actions.
This page describes the rich language used in the command line client and D-Bus interface. For information about the rich language representation used in the zone configuration files, please have a look at firewalld.zone(5).
A rule is part of a zone. One zone can contain several rules. If some rules interact/contradict, the first rule that matches "wins".
General rule structure
rule
  [source]
  [destination]
  service|port|protocol|icmp-block|masquerade|forward-port
  [log]
  [audit]
  [accept|reject|drop]
The complete rule is provided as a single line string. A destination is allowed here as long as it does not conflict with the destination of a service.
Rule structure for source black or white listing
rule
  source
  [log]
  [audit]
  accept|reject|drop
This is used to grant or limit access from a source to this machine or machines that are reachable by this machine. A destination is not allowed here.
Important information about element options: Options for elements in a rule need to be added directly after the element. If an option is placed elsewhere, it may be taken as an option of another element (as far as it matches that element's options) or result in a rule error.

Rule


rule [family="ipv4|ipv6"]
If the rule family is provided, it can be either "ipv4" or "ipv6", which limits the rule to IPv4 or IPv6. If the rule family is not provided, the rule will be added for IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port/packet forwarding.

Source


source [not] address="address[/mask]"
With the source address the origin of a connection attempt can be limited to the source address. An address is either a single IP address, or a network IP address. The address has to match the rule family (IPv4/IPv6). Subnet mask is expressed in either dot-decimal (/x.x.x.x) or prefix (/x) notations for IPv4, and in prefix notation (/x) for IPv6 network addresses. It is possible to invert the sense of an address by adding not before address. All but the specified address will match then.

Destination


destination [not] address="address[/mask]"
With the destination address the target can be limited to the destination address. The destination address uses the same syntax as the source address.
Source and destination addresses are optional, and a destination address cannot be used with every element: it depends on whether the element itself uses destination addresses, as some service entries do.

Service


service name="service name"
The service service name will be added to the rule. The service name is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services.
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast.

Port


port port="port value" protocol="tcp|udp"
The port port value can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp.

Protocol


protocol value="protocol value"
The protocol value can be either a protocol id number or a protocol name. For allowed protocol entries, please have a look at /etc/protocols.

ICMP-Block


icmp-block name="icmptype name"
The icmptype name is one of the ICMP types firewalld supports. To get a listing of supported ICMP types: firewall-cmd --get-icmptypes
It is not allowed to specify an action here. icmp-block uses the action reject internally.

Masquerade


masquerade
Turn on masquerading in the rule. A source and also a destination address can be provided to limit masquerading to this area.
It is not allowed to specify an action here.

Forward-Port


forward-port port="port value" protocol="tcp|udp" to-port="port value" to-addr="address"
Forward port/packets from local port value with protocol "tcp" or "udp" to either another port locally or to another machine or to another port on another machine.
The port value can either be a single port number or a port range portid-portid. The to-addr is an IP address.
It is not allowed to specify an action here. forward-port uses the action accept internally.

Log


log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
Log new connection attempts matching the rule with kernel logging, for example to syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug"; the default (if none is specified) is "warning". See syslog(3) for a description of levels. See the Limit section for a description of the limit tag.

Audit


audit [limit value="rate/duration"]
Audit provides an alternative way for logging using audit records sent to the service auditd. Audit type will be discovered from the rule action automatically. Use of audit is optional. See Limit section for description of limit tag.

Action

An action can be one of accept, reject or drop.
The rule can either contain an element or only a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule does not contain an element, then everything from the source address will be handled with the action.
accept [limit value="rate/duration"]
reject [type="reject type"] [limit value="rate/duration"]
drop [limit value="rate/duration"]
With accept all new connection attempts will be granted. With reject they will not be accepted and their source will get a reject ICMP(v6) message. The reject type can be set to specify appropriate ICMP(v6) error message. For valid reject types see --reject-with type in iptables-extensions(8) man page. Because reject types are different for IPv4 and IPv6 you have to specify rule family when using reject type. With drop all packets will be dropped immediately, there is no information sent to the source. See Limit section for description of limit tag.

Limit


limit value="rate/duration"
It is possible to limit Log, Audit and Action. A rule using this tag will match until this limit is reached. The rate is a positive integer [1, ..]. The duration is one of "s", "m", "h", "d": "s" means seconds, "m" minutes, "h" hours and "d" days. The maximum limit value is "2/d", which means at most two matches per day.

Information About Logging and Actions

Logging can be done with the log and also with audit. A new chain is added to all zones: zone_log. This will be jumped into before the deny chain to be able to have a proper ordering.
The rules or parts of them are placed in separate chains according to the action of the rule:
zone_log
zone_deny
zone_allow
Then all logging rules will be placed in the zone_log chain, which will be walked first. All reject and drop rules will be placed in the zone_deny chain, which will be walked after the log chain. All accept rules will be placed in the zone_allow chain, which will be walked after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains.

Examples

These are examples of how to specify rich language rules. This format (one string that specifies the whole rule) is used for example by firewall-cmd --add-rich-rule (see firewall-cmd(1)) as well as by the D-Bus interface.

Example 1

Enable new IPv4 and IPv6 connections for protocol ah
rule protocol value="ah" accept

Example 2

Allow new IPv4 and IPv6 connections for service ftp and log 1 per minute using audit
rule service name="ftp" log limit value="1/m" audit accept

Example 3

Allow new IPv4 connections from address 192.168.0.0/24 for service tftp and log 1 per minute using syslog
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept

Example 4

New IPv6 connections from 1:2:3:4:6:: to service radius are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted.
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept

Example 5

Forward IPv6 port/packets received from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"

Example 6

White-list source address to allow all connections from 192.168.2.2
rule family="ipv4" source address="192.168.2.2" accept

Example 7

Black-list source address to reject all connections from 192.168.2.3
rule family="ipv4" source address="192.168.2.3" reject type="icmp-admin-prohibited"

Example 8

Black-list source address to drop all connections from 192.168.2.4
rule family="ipv4" source address="192.168.2.4" drop
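As an added example that is not part of the man page, the following shell function lints a rich rule string against the structural constraints described above (at most one element, family required with addresses, forward-port and reject types, no action for icmp-block, masquerade or forward-port, the source-only form, limit and log level syntax) before the string is handed to firewall-cmd --add-rich-rule. It goes a little beyond the eight examples by also exercising malformed variants; the helper names are assumptions and firewalld's own parser remains authoritative.

```bash
#!/bin/bash
# Added example, not part of the man page: pre-flight lint for rich rules.
# Exit status 0 = passes the structural checks, 1 = fails (reasons on stderr).

rich_rule_lint() {
  local rule="$1" ok=0 n_el n_act element lim lvl
  local EL='(service|port|protocol|icmp-block|masquerade|forward-port)'
  local ACT='(accept|reject|drop)'
  _rr_fail() { echo "rich rule: $1" >&2; ok=1; }
  _rr_has() { printf '%s\n' "$rule" | grep -qE "$1"; }
  _rr_count() { printf '%s\n' "$rule" | grep -oE "$1" | wc -l | tr -d ' '; }

  _rr_has '^rule( |$)' || _rr_fail 'must start with the keyword "rule"'

  # A keyword counts as an element only when followed by a space or the end
  # of the string; "port=" and "protocol=" are attributes, not elements.
  n_el=$(_rr_count "(^| )$EL( |$)")
  n_act=$(_rr_count "(^| )$ACT( |$)")
  element=$(printf '%s\n' "$rule" | grep -oE "(^| )$EL( |$)" | head -n 1 | tr -d ' ')
  [ "$n_el" -le 1 ] || _rr_fail 'at most one element per rule'
  [ "$n_act" -le 1 ] || _rr_fail 'at most one action per rule'

  if [ "$n_el" -eq 0 ]; then
    # Source black/white listing form: source and action required, no destination.
    _rr_has '(^| )source ' || _rr_fail 'a rule without an element needs a source'
    [ "$n_act" -eq 1 ] || _rr_fail 'a source-only rule needs exactly one action'
    ! _rr_has '(^| )destination ' || _rr_fail 'destination is not allowed in a source-only rule'
  fi

  # These elements carry their action internally (reject or accept).
  case "$element" in
    icmp-block|masquerade|forward-port)
      [ "$n_act" -eq 0 ] || _rr_fail "$element does not take an action" ;;
  esac

  # Addresses, forwarding and reject types differ between IPv4 and IPv6.
  if _rr_has '(^| )(source|destination) |(^| )forward-port|(^| )reject type='; then
    _rr_has '^rule family="ipv(4|6)"' ||
      _rr_fail 'addresses, forward-port and reject type= require family="ipv4" or "ipv6"'
  fi

  # limit value="rate/duration": positive rate, duration in s, m, h or d.
  for lim in $(printf '%s\n' "$rule" | grep -oE 'limit value="[^"]*"' | cut -d'"' -f2); do
    printf '%s\n' "$lim" | grep -qE '^[1-9][0-9]*/[smhd]$' ||
      _rr_fail "bad limit \"$lim\" (want rate/s|m|h|d)"
  done

  lvl=$(printf '%s\n' "$rule" | grep -oE 'level="[^"]*"' | cut -d'"' -f2)
  case "$lvl" in
    ''|emerg|alert|crit|error|warning|notice|info|debug) ;;
    *) _rr_fail "unknown log level \"$lvl\"" ;;
  esac
  return "$ok"
}
```

Typical use is `rich_rule_lint "$rule" && firewall-cmd --zone=public --add-rich-rule="$rule"`.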

See Also

firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5)
 

FIREWALL-CMD

Managing firewalld with firewall-cmd

What is firewall-cmd

In addition to the graphical tool firewall-config, rules can also be managed with the command line utility "firewall-cmd". Below is a quick overview of some of the basic commands. For a full list of all functionality, please refer to the relevant man pages or the documentation listed below.
"firewall-cmd" comes as part of the firewalld application and is installed by default. You can verify your installation by issuing the following command from the command line:

[root@centos07b ~]# firewall-cmd --version
0.3.9
From the above output, taken from a CentOS 7 server, we can see that the version is "0.3.9". If you need help at any time, you can issue the command firewall-cmd --help; an overview of the commands and options will be displayed in your console/terminal session.

Permanent and Temporary Changes to rules and settings

Before we look at some of the options available to the firewall-cmd tool, we need to understand the following: to make a change permanent (persistent), the option --permanent needs to be added to the command. The change is then saved, but it only takes effect after the firewall has been reloaded or the system restarted. Commands issued without the --permanent option take effect immediately but are only valid until the next firewall reload or system reboot: when you reload the firewall, you discard any temporary changes you have made.
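As an added example, not part of the original article, the following shell functions compare the runtime and permanent --list-all output of a zone and report entries that exist in only one of them: runtime-only entries are discarded by the next --reload or reboot, permanent-only entries stay inactive until then. The sample outputs are constructed and the function names are assumptions.

```bash
#!/bin/bash
# Added example, not from the article: detect drift between the runtime and
# permanent configuration of a firewalld zone. Function names are assumed.

# zone_field FIELD: reads --list-all output on stdin and prints the values of
# one field (services, ports, ...) one per line.
zone_field() {
  awk -v f="$1:" '$1 == f { for (i = 2; i <= NF; i++) print $i }'
}

# only_in_first FIELD OUTPUT_A OUTPUT_B: items of FIELD present in A but not in B.
only_in_first() {
  local field="$1" a="$2" b="$3" item
  printf '%s\n' "$a" | zone_field "$field" | while read -r item; do
    printf '%s\n' "$b" | zone_field "$field" | grep -qxF "$item" || printf '%s\n' "$item"
  done
}

# check_zone_drift RUNTIME_OUTPUT PERMANENT_OUTPUT
# Prints the differences; returns 1 when a reload would lose something.
check_zone_drift() {
  local rt="$1" pm="$2" field lost pending rc=0
  for field in services ports; do
    lost=$(only_in_first "$field" "$rt" "$pm" | tr '\n' ' ')
    pending=$(only_in_first "$field" "$pm" "$rt" | tr '\n' ' ')
    if [ -n "$lost" ]; then
      printf '%s only in runtime config, lost on reload: %s\n' "$field" "$lost"
      rc=1
    fi
    [ -z "$pending" ] ||
      printf '%s only in permanent config, inactive until reload: %s\n' "$field" "$pending"
  done
  return "$rc"
}

# Constructed sample: runtime zone after 'firewall-cmd --zone=public
# --add-port=3181/tcp' (no --permanent), and the permanent config of the same
# zone where http was added with --permanent but no reload has happened yet.
RUNTIME_PUBLIC='public (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports: 3181/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'
PERMANENT_PUBLIC='public (default)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh http
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Live use (needs a running firewalld; the embedded sample is used instead here):
#   check_zone_drift "$(firewall-cmd --zone=public --list-all)" \
#                    "$(firewall-cmd --permanent --zone=public --list-all)"
check_zone_drift "$RUNTIME_PUBLIC" "$PERMANENT_PUBLIC" || true
```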

View the current state of the firewall

To view the current state of the firewall, issue the following command: firewall-cmd --state

[root@centos07b ~]# firewall-cmd --state
running

View Active Zones and interfaces

To view a list of active zones along with a list of interfaces that are currently assigned to that zone, issue the following command: firewall-cmd --get-active-zones

[root@centos07b ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3

Zone lookup for an interface

If you need to find out which zone a particular interface is currently assigned to, then issue the following command: firewall-cmd --get-zone-of-interface=interface_name

[root@centos07b ~]# firewall-cmd --get-zone-of-interface=enp0s3
public
If you are unsure of your interface name, you may issue the following command to identify the name: nmcli d

[root@centos07b ~]# nmcli d
DEVICE  TYPE      STATE      CONNECTION 
enp0s3  ethernet  connected  enp0s3     
lo      loopback  unmanaged  --  

Find out all the interfaces assigned to a zone

To display all the interfaces that are assigned to a zone, for example the public zone, issue the following command: firewall-cmd --zone=public --list-interfaces. The information is retrieved from NetworkManager and only shows interfaces, not connections.

[root@centos07b ~]# firewall-cmd --zone=public --list-interfaces
enp0s3

View all settings of a zone

To view all the settings for a specified zone, issue the following command: firewall-cmd --zone=public --list-all

[root@centos07b ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

View currently Active Services

To view the services firewalld knows about (every supported service definition, not only those allowed in a zone; use --list-services for the latter), issue the following command: firewall-cmd --get-service

[root@centos07b ~]# firewall-cmd --get-service
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

View Services that will be active after a reload

To view the service definitions that will be available after the next firewall reload or system reboot, issue the following command: firewall-cmd --get-service --permanent

[root@centos07b ~]# firewall-cmd --get-service --permanent
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

Activate Panic Mode - Drop All Packets

To start dropping all incoming and outgoing packets, issue the following command: firewall-cmd --panic-on

[root@centos07b ~]# firewall-cmd --panic-on
success
Note: Be careful if you issue this command from a remote terminal, as you will lose the ability to enter a command! Active connections will be terminated after a period of inactivity. This length of time depends on the individual session timeout values that are set.

Deactivate Panic Mode - Allow traffic again

To allow traffic to pass again, issue the following command to disable panic mode: firewall-cmd --panic-off

[root@centos07b ~]# firewall-cmd --panic-off
success
After switching panic mode off, connections may be restored depending on the length of time that panic mode was enabled for.

Display current status of Panic Mode

To check if you have panic mode set to "on" or "off", issue the following command: firewall-cmd --query-panic

[root@centos07b ~]# firewall-cmd --query-panic
no
The answer "yes" or "no" will be returned.

Reload the Firewall without Disruption

You can reload the firewall without interrupting the connections of users by issuing the following command: firewall-cmd --reload

[root@centos07b ~]# firewall-cmd --reload
success

Reload the Firewall and discard state

The following command should only be run when you are encountering severe problems with your firewall: firewall-cmd --complete-reload

[root@centos07b ~]# firewall-cmd --complete-reload
success

Adding an Interface to a Zone

To add an interface to a specified zone using the firewall-cmd command, issue the following command: firewall-cmd --zone=public --add-interface=interface_name. The following adds the interface "enp0s3" to the public zone.

[root@centos07b ~]# firewall-cmd --zone=public --add-interface=enp0s3
To make this setting permanent, add the --permanent option and reload the firewall.

Setting the Default Zone

To set the default zone to "public", issue the following command: firewall-cmd --set-default-zone=public

[root@centos07b ~]# firewall-cmd --set-default-zone=public

Displaying Open Ports

To list all open ports on a specified zone, issue the following command: firewall-cmd --zone=zone --list-ports. The example below is issued against the public zone.

[root@centos07b ~]# firewall-cmd --zone=public --list-ports

Add a port to a Zone

To add a port to a specified zone, issue the following command: firewall-cmd --zone=zone --add-port=port/protocol. Example: allow TCP traffic through port 3181 in the public zone:

[root@centos07b ~]# firewall-cmd --zone=public --add-port=3181/tcp
success

[root@centos07b ~]# firewall-cmd --zone=public --list-ports
3181/tcp
By using the list port command, we can verify our change was successful. To make this change Permanent, add the "--permanent" option and reload the firewall.

Adding a range of ports

To add a range of ports to a specified zone from the command line, issue the following command: firewall-cmd --zone=zone --add-port=first-last/protocol. Example: allow TCP traffic through ports 3182-3185 in the public zone:

[root@centos07b ~]# firewall-cmd --zone=public --add-port=3182-3185/tcp
success
[root@centos07b ~]# firewall-cmd --zone=public --list-ports
3181/tcp 3182-3185/tcp
By using the list port command, we can verify our change was successful. To make this change Permanent, add the "--permanent" option and reload the firewall.

Add a Service to a Zone

To add a service to a zone, issue the following command: firewall-cmd --zone=zone --add-service=service. Example: adding the service smtp to the work zone:

[root@centos07b ~]# firewall-cmd --zone=work --add-service=smtp
success
For this to be a permanent change, you need to specify the option --permanent and then reload the firewall.

Remove a Service from a Zone

To remove a specified service from a specified zone, issue the following command: firewall-cmd --zone=zone --remove-service=service. Example: remove the service smtp from the work zone:

[root@centos07b ~]# firewall-cmd --zone=work --remove-service=smtp
success
For this to be a permanent change, you need to specify the option --permanent and then reload the firewall.

Configure IP Address Masquerading

To check as to whether IP masquerading has been enabled, the following command can be issued: firewall-cmd --zone=external --query-masquerade

[root@centos07b ~]# firewall-cmd --zone=external --query-masquerade
yes
If IP Masquerading is enabled, the reply "yes" will be displayed, otherwise the reply "no" will be displayed. If no zone is specified, then the default zone is used.

[root@centos07b ~]# firewall-cmd --query-masquerade
no

Enabling IP Masquerading for a Specified Zone

To enable IP Masquerading for a zone, issue the following command: firewall-cmd --zone=zone --add-masquerade

[root@centos07b ~]# firewall-cmd --zone=external --add-masquerade
success
To make the above setting permanent, add the --permanent option and reload the firewall.

Disable IP Masquerading for a Specified Zone

To disable IP Masquerading for a zone, issue the following command: firewall-cmd --zone=zone --remove-masquerade

[root@centos07b ~]# firewall-cmd --zone=external --remove-masquerade
success
To make the above setting permanent, add the --permanent option and reload the firewall.

Configuring Port Forwarding from the command line

To forward inbound network traffic packets from one port to an alternative port or address, first enable IP address masquerading for a zone.

# firewall-cmd --zone=zone --add-masquerade
To forward locally (to a port on the same system), issue the following command:

[root@centos07b ~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2468
success
In the above example, packets that are intended for port 22 are now forwarded to port 2468. The original destination port is specified with the port option; it can be a single port or a range of ports, together with a protocol. The protocol, if specified, must be either "tcp" or "udp". The new local port or range of ports to which the traffic is forwarded is specified with the toport option. To make these settings permanent, add the --permanent option and reload the firewall.
To forward packets to an internal address, without changing the destination port, issue the following command:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.0.88
In the above example, packets intended for port 22 are now forwarded to the same port at the IP address (192.168.0.88) passed to the toaddr parameter. The original destination port is specified with the port parameter; it can be a single port or a range of ports, together with a protocol. The protocol, if specified, must be either "tcp" or "udp". To make the above setting permanent, add the --permanent option and reload the firewall.
To forward packets to another port at another IPv4 address, usually an internal address, issue the following command:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3579:toaddr=192.168.0.88
In the above example, packets that were intended for port 22 are now sent to port 3579 at IP address 192.168.0.88. To make the above setting permanent, add the --permanent option and reload the firewall.

Sources

For a full list of all options and parameters that are available for "Firewalld", please consult the relevant official documentation: the FirewallD project documentation and the Red Hat Enterprise Linux 7.0 Security Guide.

How to open http port 80 on Redhat 7 Linux using firewall-cmd

By default, port 80 (http) is filtered on Red Hat 7: it can only be reached from localhost and not from any other host. To open port 80 on RHEL 7 Linux, an iptables rule has to be added, and RHEL 7 manages this through firewall-cmd. First add the port 80 rule with the following command:
[root@rhel7 ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
Once you add the above firewall rule reload firewall service:
[root@rhel7 ~]# firewall-cmd --reload
Then check whether the port was added to the iptables rules:
[root@rhel7 ~]# iptables-save | grep 80
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
If you decide to block/remove http port 80 firewall rule you can again use the firewall-cmd command:
[root@rhel7 ~]# iptables-save | grep 80
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
[root@rhel7 ~]# firewall-cmd --zone=public --remove-port=80/tcp --permanent
success
[root@rhel7 ~]# firewall-cmd --reload
success
[root@rhel7 ~]# iptables-save | grep 80
[root@rhel7 ~]# 

Adding & Blocking IP Addresses

To add a specific IP address (192.168.0.254) to the public zone as a trusted source, use the following command.
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
After adding the rule above, list the public zone configuration to confirm that the rich rule is present.
# firewall-cmd --zone=public --list-all
To remove any added rule, replace '--add-rich-rule' with '--remove-rich-rule', as shown in the command below.
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
