RHEL 7 Firewalld tips.

Share this link

To a non expert, Firewalld can sometimes appear a little bit strange and confusing.
Let’s take an example: you just set up an Apache webserver and want to configure a https virtual host.
Because it’s a test, you want to temporarily allow https on port tcp 443 to go through the firewall with the default zone:

# firewall-cmd --add-port=443/tcp
success
# firewall-cmd --list-ports
443/tcp

At this moment and because it was a temporary configuration, it would not have been a good idea to reload the firewall configuration, you would have lost the previous modification:

# firewall-cmd --reload
success
# firewall-cmd --list-ports
#

Later, you decide to make your configuration permanent:

# firewall-cmd --permanent --add-port=443/tcp
success

If you forget to reload the configuration, this is not going to work, at least until your next reboot!

# firewall-cmd --list-ports
#

But if you reload the firewall configuration, you get what you expected:

# firewall-cmd --reload
success
# firewall-cmd --list-ports
443/tcp

1st tip: A temporary configuration is directly activated without any need to reload the firewall configuration. But a permanent configuration requires a reload of the firewall configuration to work as expected. And it’s not the other way around!

This rule is verified for source management, port management, service management, masquerading and port forwarding but not for interface assignments to a zone or direct rules that are always directly activated whether temporary or not.

Concerning the firewall-cmd –list-ports command and lots of other commands used to check the configuration like firewall-cmd –list-services, firewall-cmd –query-masquerade, firewall-cmd –list-sources or firewall-cmd –list-all, you need to understand a subtile point:

  • The firewall-cmd –list-ports command displays the current configuration, ie the list of the temporarily open ports and the permanently open ports already activated.
  • The firewall-cmd –permanent –list-ports command only shows the permanent configuration, ie the list of the permanently open ports, activated or not!

2nd tip: During an exam, you need to use the –permanent option when applying most of the configurations and then reload the firewall configuration. However, when checking your configuration, you shouldn’t use the –permanent option if you want to get the correct information!

Posted in RHEL7

Leave a Reply

Be the First to Comment!

Notify of
wpDiscuz

RHCSA7: Task of the day

Allowed time: 10 minutes.
Create two new user accounts "steve" and "oliver".
Create a group "team". Create a directory "shared".
All files put into the "shared" directory by "steve" or "oliver" should belong to the "team" group and be only visible by them.

RHCE7: Task of the day

Allowed time: 3 minutes.
Configure your machine to be a router.

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...

Recent Comments