Is there a way to run just save with firewalld in RHEL7?
The version of firewalld in RHEL 7.0 has no "save" script and no way to copy the running firewall configuration to the permanent configuration. You save a firewall change with firewalld by adding --permanent to the command line making the change. Without it, any change you make is temporary and will be lost when the system restarts.
For example:
firewall-cmd --add-service=http # Running config
firewall-cmd --add-service=http --permanent # Startup config
Later (post-RHEL 7) versions of firewalld do include a way to save the running configuration, and this is available now in Fedora and in RHEL 7.1. In this case the command is simply:
firewall-cmd --runtime-to-permanent
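The runtime/permanent split above means a host can be protected right now and unprotected after its next reboot without anyone noticing. The following added example (not from the original answer) compares firewalld's runtime and permanent service lists and reports the drift; check_drift works on plain space-separated lists so it can be exercised with constructed input, and check_firewalld_services feeds it the output of the real firewall-cmd --list-services / --permanent --list-services calls when that binary is present.

```shell
#!/bin/sh
# Added example: detect drift between firewalld's runtime and permanent
# configuration, so a rule added without --permanent (or not yet pushed
# with --runtime-to-permanent) is noticed before a reboot silently drops it.

# Print the words of list $1 that do not appear in list $2.
# Both arguments are space-separated lists, e.g. "dhcpv6-client http ssh".
only_in_first() {
    out=""
    for a in $1; do
        found=0
        for b in $2; do
            [ "$a" = "$b" ] && found=1
        done
        [ "$found" -eq 0 ] && out="$out $a"
    done
    printf '%s\n' "${out# }"
}

# Compare a runtime list ($1) with a permanent list ($2).
# Returns 0 when they match and 1 when they differ; details go to stdout.
check_drift() {
    runtime_only=$(only_in_first "$1" "$2")
    permanent_only=$(only_in_first "$2" "$1")
    if [ -z "$runtime_only" ] && [ -z "$permanent_only" ]; then
        echo "runtime and permanent configuration match"
        return 0
    fi
    [ -n "$runtime_only" ] && echo "runtime only (will be lost at reboot): $runtime_only"
    [ -n "$permanent_only" ] && echo "permanent only (not active until reload): $permanent_only"
    return 1
}

# Query a live host. Assumes firewall-cmd is installed; returns 2 if it is not.
check_firewalld_services() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found"; return 2; }
    check_drift "$(firewall-cmd --list-services)" "$(firewall-cmd --permanent --list-services)"
}

# Constructed sample standing in for the two firewall-cmd outputs:
# http was added at runtime only, exactly the situation the answer warns about.
check_drift "dhcpv6-client http ssh" "dhcpv6-client ssh" || true
```

Run check_firewalld_services from cron or a config-management check and treat a non-zero exit as a finding to fix with --permanent or --runtime-to-permanent.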
Peter Souter
Updated on September 18, 2022
Comments
-
Peter Souter almost 2 years
I'm starting to use RHEL7 and learning a little about the changes that come with systemd.
Is there a way to perform /sbin/service iptables save in firewalld?
$ /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
The closest parallel I can find from the Documentation is --reload: "Reload the firewall without losing state information":
$ firewall-cmd --reload
But it doesn't explicitly say if it's saving or not.
-
Antony Nguyen over 8 years
To continue on Michael Hampton's comment, I found that I had to restart the firewalld service ("systemctl restart firewalld") after running "firewall-cmd --runtime-to-permanent" in order for the firewall rules to be saved correctly, especially after having to remove some rules manually via iptables. It appears firewalld caches some rules, so a "firewall-cmd --reload" may re-institute rules from firewalld that should have been removed via the "--runtime-to-permanent" command.
-
AdamKalisz over 5 years
@AntonyNguyen you shouldn't use iptables commands when firewalld is managing the rules. Firewalld has no way of knowing of the change (it would need to poll periodically, and that would kill the performance of the firewall because of its design, which btw. is fixed by nftables). Use 'firewall-cmd --direct --passthrough ipv4 -A FORWARD ... -j DROP'.