
I'm starting to use RHEL7 and learning a little about the changes that come with systemd.

Is there a way to perform /sbin/service iptables save in firewalld?

$ /sbin/service iptables save
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.

The closest parallel I can find from the Documentation is --reload:

Reload the firewall without losing state information:
$ firewall-cmd --reload

But it doesn't explicitly say if it's saving or not.

2 Answers


The version of firewalld in RHEL 7.0 has no "save" script and no way to copy the running firewall configuration to the permanent configuration. You save a firewall change with firewalld by adding --permanent to the command line making the change. Without it, any change you make is temporary and will be lost when the system restarts.

For example:

firewall-cmd --add-service=http                 # Running config
firewall-cmd --add-service=http --permanent     # Startup config

Later (post-RHEL 7) versions of firewalld do include a way to save the running configuration, and this is available now in Fedora and in RHEL 7.1. In this case the command is simply:

firewall-cmd --runtime-to-permanent
Michael Hampton
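As an added example (not part of the answer above), the following script makes the runtime/permanent split concrete: it lists the services that exist only in the running configuration of a zone, i.e. exactly what a reload or reboot would discard, and persists them. On firewalld builds that have `--runtime-to-permanent` it uses that; on RHEL 7.0, where the flag is absent, it replays each runtime-only service as a `--permanent` add instead. The feature check via `firewall-cmd --help` and the sample service lists used when `firewall-cmd` is not installed are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the original answer's code: find firewalld services that
# are present in the runtime configuration but not in the permanent one, and
# persist them.  Without firewall-cmd on the host it runs against constructed
# sample lists so the logic can be exercised anywhere.

# list_diff "A B C" "B": print the words of the first list missing from the
# second, space separated (empty line when nothing is missing).
list_diff() {
    local item ref found out=""
    for item in $1; do
        found=0
        for ref in $2; do
            if [ "$item" = "$ref" ]; then found=1; break; fi
        done
        [ "$found" -eq 0 ] && out="$out $item"
    done
    printf '%s\n' "${out# }"
}

# Persist the running configuration of a zone.  --runtime-to-permanent
# (firewalld 0.3.10+, i.e. RHEL 7.1 and Fedora) does it in one step; on
# RHEL 7.0 replay each runtime-only service with --permanent instead.
persist_runtime() {
    local zone=$1 svc
    if firewall-cmd --help 2>/dev/null | grep -q -- '--runtime-to-permanent'; then
        firewall-cmd --runtime-to-permanent
        return
    fi
    for svc in $(list_diff "$(firewall-cmd --zone="$zone" --list-services)" \
                           "$(firewall-cmd --zone="$zone" --permanent --list-services)"); do
        firewall-cmd --zone="$zone" --permanent --add-service="$svc"
    done
}

if command -v firewall-cmd >/dev/null 2>&1; then
    zone=$(firewall-cmd --get-default-zone)
    runtime=$(firewall-cmd --zone="$zone" --list-services)
    permanent=$(firewall-cmd --zone="$zone" --permanent --list-services)
else
    # Constructed sample output standing in for a host without firewalld:
    # http and https were added at runtime only, ssh is in both configs.
    zone=public
    runtime="dhcpv6-client http https ssh"
    permanent="dhcpv6-client ssh"
fi

lost=$(list_diff "$runtime" "$permanent")
echo "zone $zone: services that a reload would drop: ${lost:-none}"
# Uncomment on a real host (as root) to persist them:
# [ -n "$lost" ] && persist_runtime "$zone"
```

Run it before every `firewall-cmd --reload` on a 7.0 host; a non-empty line means you have a runtime change that was never applied with `--permanent`.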

I needed to add the SIP service and some IPs.

In the directory /usr/lib/firewalld/services/ I added sip.xml, based on the other XML service files.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SIP</short>
  <description>This is SIP, Yo! </description>
  <port protocol="udp" port="5060"/>
</service>

Then I added the sip service to firewalld:

# firewall-cmd --add-service=sip --permanent 

Then I added IPs for the service in /etc/firewalld/zones/public.xml:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description></description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
  <service name="https"/>

  <rule family="ipv4">
    <source address="x.x.x.x/32"/>
    <service name="sip"/>
    <accept/>
  </rule>

</zone>

You can also add logging if you add a log level:

  <rule family="ipv4">
    <source address="x.x.x.x/32"/>
    <service name="sip"/>
    <log prefix="sip" level="info"/>
    <accept/>
  </rule>

After you have added rules to your zone, execute:

# firewall-cmd --reload

Check your iptables; you should be all set.

Alex N
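The same result can be obtained without hand-editing the zone XML, which is worth knowing because `firewall-cmd` validates what it writes and keeps runtime and permanent configuration in step. The added example below (not part of the answer above) generates the service definition, places it in /etc/firewalld/services/ (the directory for local definitions, which overrides /usr/lib/firewalld/services/ where package updates can overwrite files), and expresses the per-source accept with its log entry as a rich rule. The service name `sip`, port 5060/udp, the `public` zone and the sample source 192.0.2.10/32 are assumptions for the example.

```shell
#!/bin/bash
# Added example, not the original answer's code: define a custom firewalld
# service and admit it only from one source address via a rich rule, using
# firewall-cmd rather than editing /etc/firewalld/zones/public.xml by hand.

SERVICE_DIR=/etc/firewalld/services   # local service files; these override
                                      # the package-owned copies in /usr/lib

# service_xml SHORT PROTO PORT DESCRIPTION: print a service definition in the
# format firewalld expects (the service name is the file name without .xml).
service_xml() {
    local short=$1 proto=$2 port=$3 desc=$4
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<service>\n'
    printf '  <short>%s</short>\n' "$short"
    printf '  <description>%s</description>\n' "$desc"
    printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    printf '</service>\n'
}

# rich_rule FAMILY SOURCE SERVICE [LOG_PREFIX]: build the firewalld rich
# language equivalent of the <rule> block in the zone XML above.
rich_rule() {
    local family=$1 source=$2 service=$3 log_prefix=$4
    local rule="rule family=\"$family\" source address=\"$source\" service name=\"$service\""
    [ -n "$log_prefix" ] && rule="$rule log prefix=\"$log_prefix\" level=\"info\""
    printf '%s\n' "$rule accept"
}

# install_sip ZONE SOURCE: write the service file, make firewalld read it,
# then add the rule to both the running firewall and the saved configuration.
install_sip() {
    local zone=$1 src=$2 rule
    service_xml SIP udp 5060 "SIP signalling" > "$SERVICE_DIR/sip.xml"
    firewall-cmd --reload                        # pick up the new service name
    rule=$(rich_rule ipv4 "$src" sip sip)
    firewall-cmd --zone="$zone" --add-rich-rule="$rule"              # runtime
    firewall-cmd --zone="$zone" --permanent --add-rich-rule="$rule"  # startup
    firewall-cmd --zone="$zone" --list-rich-rules
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    install_sip public 192.0.2.10/32
else
    # Not root or no firewalld: show what would be written and applied.
    echo "Would write $SERVICE_DIR/sip.xml:"
    service_xml SIP udp 5060 "SIP signalling"
    echo "Would add rich rule: $(rich_rule ipv4 192.0.2.10/32 sip sip)"
fi
```

Because the service is only referenced from the rich rule, SIP stays closed to every other source; a plain `--add-service=sip` on the zone would open it to all of them. The log entries land in the kernel log with the `sip` prefix, so `grep sip /var/log/messages` or `journalctl -k | grep sip` shows the matches.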