firewall-cmd
Firewalld (the daemon controlled by firewall-cmd) introduces the concept of zones to the Linux firewall.
Each interface (or source address range) is assigned to a zone, and the rules configured on that zone decide what traffic arriving through it is allowed.
You can list the currently configured zones using firewall-cmd, too:
$ sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work
To check which zones are active, and which interfaces are bound to each, we use --get-active-zones.
In the following output, we can see that eth0 and eth1 are using the public zone:
$ sudo firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1
Because eth0 is active under public, let's list the details of the public zone:
$ sudo firewall-cmd --list-all --zone public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Here, we can see that the only services this zone lets in are ssh and dhcpv6-client. The target is default, so anything not matched by a listed service, port, or rich rule is rejected; sources is empty, so the zone is matched purely by interface, which means the SSH port is reachable from any address that can send packets to those interfaces.
We can specifically list the services of a zone using --list-services:
$ sudo firewall-cmd --zone public --list-services
ssh dhcpv6-client
A service is just a named bundle of ports, protocols, and optional helper modules, defined in XML under /usr/lib/firewalld/services (with local overrides in /etc/firewalld/services). If we want to know exactly what a service allows, we can use --info-service.
In the following output, we're looking at ssh, discovering that it allows only port 22/tcp through:
$ sudo firewall-cmd --info-service ssh
ssh
  ports: 22/tcp
  protocols:
  source-ports:
  modules:
  destination:
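The steps above (find the active zone, dump it with --list-all, read off its services and ports) are what you repeat when auditing a host, so here is an added example, not from the page or from the firewalld project, that turns that reading into a script. It parses the plain-text output of firewall-cmd --list-all and reports what an Internet-facing zone is letting in. The two zone dumps embedded below are constructed for the example (SAMPLE_PUBLIC mirrors the page's output, SAMPLE_OPEN is a deliberately permissive zone), and zone_field, audit_zone and finding_count are hypothetical helpers written here, not firewall-cmd options.

```shell
#!/bin/sh
# Added example (not from the page or from firewalld): audit the plain-text
# output of `firewall-cmd --list-all --zone <zone>` for things an
# Internet-facing zone should not silently allow. The two zone dumps below
# are constructed: SAMPLE_PUBLIC mirrors the page's output, SAMPLE_OPEN is a
# deliberately permissive zone. zone_field, audit_zone and finding_count are
# hypothetical helpers written for this example.

SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

SAMPLE_OPEN='public (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8080/tcp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field ZONE_OUTPUT FIELD: print the value after "FIELD:" (empty if the
# field is present but unset). The ^ anchor keeps "ports:" from matching
# "source-ports:" or "forward-ports:".
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# audit_zone ZONE_OUTPUT: print one line per finding. dhcpv6-client is
# tolerated because a public interface needs it to obtain an IPv6 address;
# any other service or open port is reported for review. Rich rules are
# not parsed here and must be reviewed by hand.
audit_zone() {
    zone_out=$1
    if [ "$(zone_field "$zone_out" target)" = "ACCEPT" ]; then
        echo "target ACCEPT: traffic not matched by a rule is allowed, not rejected"
    fi
    for svc in $(zone_field "$zone_out" services); do
        case $svc in
            dhcpv6-client) ;;
            *) echo "service exposed: $svc" ;;
        esac
    done
    for port in $(zone_field "$zone_out" ports); do
        echo "port exposed: $port"
    done
    if [ "$(zone_field "$zone_out" masquerade)" = "yes" ]; then
        echo "masquerade enabled: zone performs NAT for forwarded traffic"
    fi
    if [ -n "$(zone_field "$zone_out" forward-ports)" ]; then
        echo "forward-ports set: $(zone_field "$zone_out" forward-ports)"
    fi
}

# finding_count ZONE_OUTPUT: number of findings (always exits 0).
finding_count() {
    audit_zone "$1" | wc -l | tr -d ' '
}

# On a live host you would feed real output instead of the samples:
#   audit_zone "$(sudo firewall-cmd --list-all --zone public)"
echo "== public (as on the page) =="
audit_zone "$SAMPLE_PUBLIC"
echo "== open zone =="
audit_zone "$SAMPLE_OPEN"
```

Run against the page's public zone the script reports a single finding, the exposed ssh service; against the constructed open zone it reports the ACCEPT target, ssh, port 8080/tcp, and masquerading. The script only reads the zone dump, so it can run as an unprivileged user on output captured elsewhere, and it deliberately does not try to interpret rich rules: a rich rule such as one that limits ssh to a source subnet changes the exposure picture, and the rich rules line should be read by a person.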