PBX GUI - Firewall Command Line
Starting with FreePBX Firewall version 13.0.23.1 (with additional options added in version 13.0.43.1), the FreePBX Firewall has the following command line controls.
For help, use: fwconsole firewall --help
Help
[root@lgaetzdev2 ~]# fwconsole firewall --help
Usage:
  firewall [options] [--] <cmd> [<opt>] [<ids>]...

Arguments:
  cmd                   Command to run (see --help)
  opt                   Optional parameter
  ids                   IDs to add or remove from a zone

Options:
  -f, --force           Force Add/Removal of entry
  -h, --help            Display this help message
  -q, --quiet           Do not output any message
  -V, --version         Display this application version
      --ansi            Force ANSI output
      --no-ansi         Disable ANSI output
  -n, --no-interaction  Do not ask any interactive question
  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Help:
  Valid Commands:
    disable                        : Disable the System Firewall. This will shut it down cleanly.
    stop                           : Stop the System Firewall
    start                          : Start (and enable, if disabled) the System Firewall
    restart                        : Restart the System Firewall
    lerules [enable] or [disable]  : Enable or disable Lets Encrypt rules.
    trust                          : Add the hostname or IP specified to the Trusted Zone
    untrust                        : Remove the hostname or IP specified from the Trusted Zone
    list [zone]                    : List all entries in zone 'zone'
    add [zone] [id id id..]        : Add to 'zone' the IDs provided.
    del [zone] [id id id..]        : Delete from 'zone' the IDs provided.
    fix_custom_rules               : Create the files for the custom rules if they don't exist and set the permissions and owners correctly.

  When adding or deleting from a zone, one or many IDs may be provided.
  These may be IP addresses, hostnames, or networks.

  For example:
    fwconsole firewall add trusted 10.46.80.0/24 hostname.example.com 1.2.3.4
Firewall commands and usage examples:
disable - Disables the FreePBX Firewall module, stops the service, and immediately flushes all iptables rules. disable differs from stop in that the module stays disabled after a reboot. Note that there is no corresponding enable command; use start instead.
Example
# fwconsole firewall disable
stop - Temporarily stops the FreePBX Firewall until it is started manually or the PBX is rebooted. All existing iptables rules are flushed immediately.
Example
# fwconsole firewall stop
start - Starts the FreePBX Firewall, enabling it first if necessary.
Example
# fwconsole firewall start
Enabling Firewall.

Broadcast message from <fqdn redacted> (Wed Apr 13 11:02:22 2016):

Firewall service now starting.
restart - Stops the service if it is running and starts it again.
Example
# fwconsole firewall restart
Enabling Firewall.
lerules - Enables or disables the Let's Encrypt rules that allow inbound Let's Encrypt validation on port 80.
Examples
# fwconsole firewall lerules enable
Lets Encrypt rules enabled successfully. Restarting Firewall...

# fwconsole firewall lerules disable
Lets Encrypt rules disabled successfully. Restarting Firewall...
trust - Adds a host or network to the list of trusted networks shown on the Zones, Networks page.
Examples
# fwconsole firewall trust www.google.com
Attempting to add www.google.com to Trusted Zone
Success. Entry added to Trusted Zone.

# fwconsole firewall trust 192.168.0.1/24
Attempting to add 192.168.0.1/24 to Trusted Zone
Success. Entry added to Trusted Zone.
untrust - Removes a host or network (if present) from the list of trusted networks shown on the Zones, Networks page.
Examples
# fwconsole firewall untrust www.google.com
Attempting to remove www.google.com from Trusted Zone
Success. Entry removed from Trusted Zone.

# fwconsole firewall untrust 192.168.0.1/24
Attempting to remove 192.168.0.1/24 from Trusted Zone
Success. Entry removed from Trusted Zone.
list - Lists all hosts in the specified zone. Acceptable zones are external, other, internal, trusted, and blacklist.
Examples
[root@lgaetzdev2 ~]# fwconsole firewall list blacklist
All blacklisted entries.
8.8.8.8
google.com: (Resolves to 216.58.219.206)

[root@lgaetzdev2 ~]# fwconsole firewall list trusted
All entries in zone 'trusted':
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
fc00::/8
fd00::/8
127.0.0.1/32
add - Adds one or more hosts to the specified zone. Acceptable zones are external, other, internal, trusted, and blacklist. Separate multiple hosts with spaces.
Examples
[root@lgaetzdev2 ~]# fwconsole firewall add blacklist example.com 192.168.15.0/24
Attempting to add 'example.com' to Blacklist ... Success!
Attempting to add '192.168.15.0/24' to Blacklist ... Success!

[root@lgaetzdev2 ~]# fwconsole firewall add other 192.168.75.0/24
Attempting to add '192.168.75.0/24' to Zone 'other' ... Success!
del - Deletes one or more hosts from the specified zone. Acceptable zones are external, other, internal, trusted, and blacklist. Separate multiple hosts with spaces.
Examples
[root@lgaetzdev2 ~]# fwconsole firewall list other
All entries in zone 'other':
192.168.75.0/24

[root@lgaetzdev2 ~]# fwconsole firewall del other 192.168.75.0/24
Attempting to remove 192.168.75.0/24 from 'other' Zone ... Success!

[root@lgaetzdev2 ~]# fwconsole firewall list other
All entries in zone 'other':
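The list, add and del commands above are enough to keep a zone in sync with a known-good list of entries. The following POSIX shell script is an added example, not part of the FreePBX project or this page: it parses the output format that `fwconsole firewall list <zone>` prints on this page (a header line followed by one entry per line, with the blacklist's "(Resolves to ...)" suffix stripped) and emits the add/del commands needed to make a zone match a desired set. The sample outputs are constructed from the sessions shown above; the parser assumes that output layout.

```shell
#!/bin/sh
# Added example: plan zone changes from `fwconsole firewall list` output.
# Not FreePBX code. Assumes the list output layout shown on this page.

# Constructed sample: the `fwconsole firewall list trusted` output from this page.
SAMPLE_LIST_OUTPUT="All entries in zone 'trusted':
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
fc00::/8
fd00::/8
127.0.0.1/32"

# Constructed sample: the `fwconsole firewall list blacklist` output from this page.
SAMPLE_BLACKLIST_OUTPUT="All blacklisted entries.
8.8.8.8
google.com: (Resolves to 216.58.219.206)"

# parse_zone_list OUTPUT: drop the header line, strip the blacklist's
# "(Resolves to ...)" suffix and surrounding whitespace, skip blank lines.
parse_zone_list() {
    printf '%s\n' "$1" | sed -n '2,$p' \
        | sed 's/: (Resolves to .*)$//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$'
}

# plan_zone_changes ZONE OUTPUT DESIRED: print the fwconsole add/del commands
# that would turn the zone's current entries into the space-separated DESIRED set.
# Prints nothing when the zone already matches.
plan_zone_changes() {
    zone=$1; current_output=$2; desired=$3
    current=$(parse_zone_list "$current_output")
    to_add=""
    for d in $desired; do
        # -x -F: whole-line, literal match, so 10.0.0.0/8 does not match 10.0.0.0/16
        printf '%s\n' "$current" | grep -qxF "$d" || to_add="$to_add $d"
    done
    to_del=""
    for c in $current; do
        case " $desired " in *" $c "*) ;; *) to_del="$to_del $c" ;; esac
    done
    [ -n "$to_add" ] && echo "fwconsole firewall add $zone$to_add"
    [ -n "$to_del" ] && echo "fwconsole firewall del $zone$to_del"
    return 0
}
```

Review the planned del commands before running them: removing entries from the trusted zone can cut off your own management access to the PBX.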