Linux Firewalld

An excellent introduction is the CertDepot page on firewalld.

Red Hat's documentation on configuring firewalld is also good.

Checking the State

You can check whether the firewall is running by querying either

systemctl status firewalld

or

 firewall-cmd --state

You can also reload the firewall with the following command:

firewall-cmd --reload

This is useful for testing that your rules are persistent: a reload discards any runtime-only changes and loads the permanent configuration.

Configuration sets

Firewalld maintains two configuration sets:

Runtime: the default. All changes are applied immediately but are NOT kept after a reboot or a reload.

Permanent: this option must be used to ensure that changes are kept and loaded after a reboot. To make a change permanent, add the --permanent option to the command. Note that a change made with --permanent alone is not applied to the running firewall until you reload (or also run the same command without --permanent).
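As an added example (not from the original page), the following POSIX shell script compares a zone's runtime and permanent service/port lists, showing which entries would be lost on a reload and which permanent entries are not yet active. The sample lists are constructed; with --live it queries firewall-cmd for a real zone (requires root and a running firewalld).

```shell
#!/bin/sh
# Compare a firewalld zone's runtime configuration with its permanent one.
# Runtime-only entries disappear on reload/reboot; permanent-only entries
# are not enforced until `firewall-cmd --reload`.
# Usage: ./fw-diff.sh                 (constructed sample data)
#        ./fw-diff.sh --live public   (queries firewall-cmd, needs root)

# Print the space-separated items of $1 that do not appear in $2.
missing_from() {
  result=""
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;                # present in both sets
      *) result="$result $item" ;;   # only in the first set
    esac
  done
  set -- $result                     # re-split to drop the leading space
  printf '%s' "$*"
}

# $1 = runtime services/ports, $2 = permanent services/ports (space-separated).
compare_zone_config() {
  only_runtime=$(missing_from "$1" "$2")
  only_permanent=$(missing_from "$2" "$1")
  printf 'runtime-only (lost on reload): %s\n' "${only_runtime:-none}"
  printf 'permanent-only (needs reload): %s\n' "${only_permanent:-none}"
}

# Gather both sets for a zone from firewall-cmd and compare them.
compare_live_zone() {
  zone=${1:-public}
  rt="$(firewall-cmd --zone="$zone" --list-services) $(firewall-cmd --zone="$zone" --list-ports)"
  pm="$(firewall-cmd --permanent --zone="$zone" --list-services) $(firewall-cmd --permanent --zone="$zone" --list-ports)"
  compare_zone_config "$rt" "$pm"
}

# Constructed sample: http was added at runtime only; 12345/tcp was added
# with --permanent but the firewall has not been reloaded since.
SAMPLE_RUNTIME="ssh dhcpv6-client http"
SAMPLE_PERMANENT="ssh dhcpv6-client 12345/tcp"

if [ "${1:-}" = "--live" ]; then
  compare_live_zone "${2:-public}"
else
  compare_zone_config "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
fi
```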

Zones

Firewalld comes with several zones. They are used to separate traffic and can be applied to different network interfaces.

To see the default zone

 firewall-cmd --get-default-zone 

To change the default zone

 firewall-cmd --set-default-zone=internal 

To see which zones are currently active. This also shows you which NICs are associated with each zone

 firewall-cmd --get-active-zones 

To get the configuration of a specific zone

 firewall-cmd --zone=public --list-all 

To see the configuration for all the zones including the inactive ones use

  firewall-cmd --list-all-zones 

Adding NICs to specific Zones

To associate a zone with a specific NIC, use the following command

 firewall-cmd --zone=public --add-interface=em1 

You can also check which zone an interface is assigned to

 firewall-cmd --get-zone-of-interface=em1 

Working with Services

Firewalld allows you to allow or block particular services or ports. It is usually easier to specify the service you want to allow or block rather than the individual ports.

The predefined service definitions are the configuration files in /usr/lib/firewalld/services. You can also create your own service files; these should be stored in /etc/firewalld/services.

To get a list of all the services

 firewall-cmd --get-services 

To enable or disable a service

 firewall-cmd --zone=public --add-service=http --permanent 
 firewall-cmd --zone=public --remove-service=http --permanent

To get more details about a service you can try the info option

  firewall-cmd --info-service=RH-Satellite-6 

which gives back something like

[root@dub-firewall1 ~]#  firewall-cmd --info-service=RH-Satellite-6
RH-Satellite-6
  ports: 53/tcp 53/udp 67-69/udp 80/tcp 443/tcp 5000/tcp 5646-5647/tcp 5671/tcp 8000/tcp 8080/tcp 8140/tcp 9090/tcp
  protocols:
  source-ports:
  modules:
  destination:

Working with specific ports

You can also allow or block specific ports

 firewall-cmd --zone=public --add-port=12345/tcp --permanent 
 firewall-cmd --zone=public --remove-port=12345/tcp --permanent 

Rich Rules

Rich rules allow for more complex configurations. They are managed with --add-rich-rule, --list-rich-rules and --remove-rich-rule.

For example, to allow all IPv4 traffic from a particular host

 firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=10.5.5.70 accept' 

To list all your current rich rules use

 firewall-cmd --list-rich-rules 

Checking status

To check ports and services that are open

 firewall-cmd --zone=external --list-ports 
 firewall-cmd --zone=external --list-services 