Firewalld (firewall daemon) is an alternative to the iptables service for dynamically managing a system's firewall. It supports network (or firewall) zones and provides a D-Bus interface for managing configurations.
In this article, we will discuss how to configure the system firewall with firewalld on CentOS 7 / RHEL 7 / OEL 7.
How to Install Firewalld on CentOS 7 / RHEL 7 / OEL 7
On CentOS 7, the firewalld package comes pre-installed; you can verify this using the following command.
rpm -qa firewalld
[root@salt-master ~]# rpm -qa firewalld
firewalld-0.6.3-13.el7_9.noarch
[root@salt-master ~]#
Manage Firewalld Service
The firewalld service can be managed via the systemctl command.
# systemctl start firewalld     # start the firewalld service
# systemctl enable firewalld    # enable the service to auto-start at boot time
# systemctl status firewalld    # view the service status
[root@salt-master ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2021-08-14 22:39:44 IST; 8s ago
Docs: man:firewalld(1)
Main PID: 4104 (firewalld)
CGroup: /system.slice/firewalld.service
└─4104 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Aug 14 22:39:43 salt-master systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 14 22:39:44 salt-master systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 14 22:39:44 salt-master firewalld[4104]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please conside...abling it now.
Hint: Some lines were ellipsized, use -l to show in full.
[root@salt-master ~]#
You can check whether the firewalld daemon is running with the firewall-cmd tool.
[root@salt-master ~]# firewall-cmd --state
running
[root@salt-master ~]#
Save the Configuration Permanently
Changes made with the --permanent option are written to firewalld's configuration files but do not take effect until you reload firewalld. Reloading reloads the firewall rules while keeping state information: the current permanent configuration becomes the new runtime configuration.
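As an added example that is not part of the original article, the following POSIX sh script compares a zone's runtime configuration with its permanent one and reports the keys that differ, which catches both a change made without --permanent (lost at the next reload) and a --permanent change that has not been reloaded yet. The sample outputs are constructed in the shape of firewall-cmd --info-zone; live use is shown in the trailing comment.

```shell
#!/bin/sh
# Added example, not from the original article: compare a zone's runtime
# configuration with its permanent one and report every key that differs.
# A change made without --permanent is lost at the next reload, and a
# --permanent change is not enforced until "firewall-cmd --reload"; both
# show up here as drift between the two views.

# zone_field OUTPUT KEY -> the value of the "KEY: ..." line in
# "firewall-cmd --info-zone" style output, tokens sorted so order is ignored.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | tr ' ' '\n' | grep -v '^$' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# zone_drift RUNTIME_OUTPUT PERMANENT_OUTPUT -> prints
# "KEY runtime=[...] permanent=[...]" per differing key; returns 1 on drift.
zone_drift() {
    drift=0
    for key in interfaces sources services ports protocols; do
        r=$(zone_field "$1" "$key")
        p=$(zone_field "$2" "$key")
        if [ "$r" != "$p" ]; then
            printf '%s runtime=[%s] permanent=[%s]\n' "$key" "$r" "$p"
            drift=1
        fi
    done
    return $drift
}

# Constructed sample outputs: 80/tcp and 443/tcp were added with --permanent
# but firewalld was not reloaded, while 8080/tcp was opened in runtime only.
RUNTIME_SAMPLE='public (active)
  interfaces: enp0s3 enp0s8
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp'
PERMANENT_SAMPLE='public
  interfaces: enp0s3 enp0s8
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp'

# Live use:  zone_drift "$(firewall-cmd --info-zone public)" \
#                       "$(firewall-cmd --permanent --info-zone public)"
if [ "${1:-}" = "--demo" ]; then
    zone_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" || echo "drift detected"
fi
```

Run it with --demo to see the constructed drift, or substitute the two live firewall-cmd calls from the comment on a real host.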
Firewall Zones
To get a list of all available firewall zones:
[root@salt-master ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@salt-master ~]#
To get a list of all services known to firewalld:
[root@salt-master ~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
[root@salt-master ~]#
Get and set the default zone:
[root@salt-master ~]# firewall-cmd --get-default-zone
public
[root@salt-master ~]#
Set the default zone:
[root@salt-master ~]# firewall-cmd --set-default-zone=<zone name>
To set the default zone permanently:
[root@salt-master ~]# firewall-cmd --set-default-zone=<zone name> --permanent
[root@salt-master ~]# firewall-cmd --reload
To get a list of all active zones:
[root@salt-master ~]# firewall-cmd --get-active-zones
public
interfaces: enp0s3 enp0s8
[root@salt-master ~]#
More Information on a Zone:
[root@salt-master ~]# firewall-cmd --info-zone public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@salt-master ~]#
How to Open and Block Ports and Services
Add Ports
To open a port in the firewall, add it to a zone with the "--add-port" option. If you don't explicitly specify a zone, the port is opened in the default zone.
The following example shows how to add ports 80 and 443 to allow in-bound web traffic:
# firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=443/tcp
[root@salt-master ~]# firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=443/tcp
success
[root@salt-master ~]#
Next, reload firewalld and check the enabled features in the public zone once more; you should be able to see the ports you just added.
# firewall-cmd --reload
# firewall-cmd --info-zone public
[root@salt-master ~]# firewall-cmd --reload
success
[root@salt-master ~]# firewall-cmd --info-zone public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh
ports: 80/tcp 443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@salt-master ~]#
Remove Ports
To remove a port from the firewall, remove it from the zone with the "--remove-port" option.
The following example shows how to remove ports 80 and 443, which closes them to in-bound web traffic:
# firewall-cmd --zone=public --permanent --remove-port=80/tcp --remove-port=443/tcp
Open Services
To open a service in the firewall, enable it using the "--add-service" option.
The following command permanently enables the http service in the public zone:
# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --reload
Remove Services
Likewise, the "--remove-service" option can be used to block a service.
# firewall-cmd --zone=public --permanent --remove-service=http
# firewall-cmd --reload
Whitelist an IP address
To whitelist (allow) access from an IP address or range of IP addresses, you can tell the firewall to add a trusted source. Without --zone, the source is bound to the default zone.
# firewall-cmd --permanent --add-source=192.168.1.24
You can also allow a range of IP addresses using CIDR notation.
# firewall-cmd --permanent --add-source=192.168.1.0/24
Remove Whitelisted IP address
To remove a whitelisted IP address or range, use the --remove-source option.
# firewall-cmd --permanent --remove-source=192.168.1.24
Block an IP address
Rich rules are needed to block an IP address. Rich rules are similar in form to the way iptables rules are written.
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.24' reject"
CIDR notation can again be used to block a range of IP addresses.
# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"
Remove a rich rule
To remove a rich rule, use the --remove-rich-rule option; you must specify the full rule text exactly as it was added.
# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.24" port protocol="tcp" port="3306" accept'
Next, reload firewalld and check the public zone once more; the rich rules section should reflect the change.
# firewall-cmd --reload
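As an added example that is not part of the original article, the following POSIX sh script validates the address, builds the rich rule text once, and reuses the identical string for both adding and removing the rule, which is the exact-match requirement described above. FWCMD is an assumed variable naming the firewall-cmd binary; set it to echo for a dry run.

```shell
#!/bin/sh
# Added example, not from the original article: build the rich-rule text for
# an IPv4 host or CIDR range once and reuse the identical string for both
# --add-rich-rule and --remove-rich-rule, because firewalld only removes a
# rule whose text matches the one that was added.
# Assumption: FWCMD names the firewall-cmd binary (set FWCMD=echo to dry-run).
FWCMD=${FWCMD:-firewall-cmd}

# valid_ipv4_cidr ADDR -> 0 for a dotted-quad IPv4 address with an optional
# /0-32 prefix, 1 otherwise, so malformed input never reaches firewall-cmd.
valid_ipv4_cidr() {
    case $1 in
        */*) addr=${1%%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rich_rule ACTION ADDR -> prints the rule text, e.g. rich_rule reject 192.168.1.0/24
rich_rule() {
    valid_ipv4_cidr "$2" || { echo "rich_rule: bad IPv4 address '$2'" >&2; return 1; }
    printf "rule family='ipv4' source address='%s' %s" "$2" "$1"
}

# apply OPTION RULE -> writes the permanent rule, then reloads so it takes effect.
apply() {
    "$FWCMD" --permanent "$1=$2" && "$FWCMD" --reload
}

block_ip()   { rule=$(rich_rule reject "$1") || return 1; apply --add-rich-rule "$rule"; }
unblock_ip() { rule=$(rich_rule reject "$1") || return 1; apply --remove-rich-rule "$rule"; }

# Usage: sh block_ip.sh block 192.168.1.24   |   sh block_ip.sh unblock 192.168.1.0/24
case ${1:-} in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
esac
```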