FirewallD is a complete firewall solution that manages the system’s iptables rules and provides a D-Bus interface for operating on them. Starting with CentOS 7, FirewallD replaces iptables as the default firewall management tool.
In this tutorial, we show you how to set up a firewall with FirewallD on your CentOS 7 system and explain the basic FirewallD concepts.

Prerequisites

Before you start with this tutorial, make sure you are logged into your server with a user account that has sudo privileges, or as the root user. The best practice is to run administrative commands as a sudo user instead of root; if you don’t have a sudo user on your CentOS system, you can create one by following these instructions.

Basic Firewalld Concepts

FirewallD uses the concepts of zones and services instead of iptables chains and rules. Based on the zones and services you configure, you can control what traffic is allowed or disallowed to and from the system.
FirewallD can be configured and managed using the firewall-cmd command line utility.

Firewalld Zones

Zones are predefined sets of rules specifying what traffic should be allowed based on the level of trust on the networks your computer is connected to. You can assign network interfaces and sources to a zone.
Below are the zones provided by FirewallD, ordered by trust level from least trusted to most trusted:
  • drop: All incoming connections are dropped without any notification. Only outgoing connections are allowed.
  • block: All incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only outgoing connections are allowed.
  • public: For use in untrusted public areas. You do not trust other computers on the network but you can allow selected incoming connections.
  • external: For use on external networks with NAT masquerading enabled when your system acts as a gateway or router. Only selected incoming connections are allowed.
  • internal: For use on internal networks when your system acts as a gateway or router. Other systems on the network are generally trusted. Only selected incoming connections are allowed.
  • dmz: Used for computers located in your demilitarized zone that will have limited access to the rest of your network. Only selected incoming connections are allowed.
  • work: Used for work machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
  • home: Used for home machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
  • trusted: All network connections are accepted. Trust all of the computers in the network.

Firewall services

Firewalld services are predefined rules that apply within a zone and define the necessary settings to allow incoming traffic for a specific service.

Firewalld Runtime and Permanent Settings

Firewalld uses two separate configuration sets: the runtime configuration and the permanent configuration.
The runtime configuration is the configuration actually in effect; it does not persist across reboots. When the Firewalld service starts, it loads the permanent configuration, which becomes the runtime configuration.
By default, changes made to the Firewalld configuration with the firewall-cmd utility are applied to the runtime configuration only. To make the changes permanent, you need to add the --permanent flag.

Installing and Enabling FirewallD

  1. Installing FirewallD
    Firewalld is installed by default on CentOS 7, but if it is not installed on your system, you can install the package by typing:
    sudo yum install firewalld
  2. Checking the firewall status
    The Firewalld service is disabled by default. You can check the firewall status with:
    sudo firewall-cmd --state
    If you have just installed Firewalld or never activated it before, the command will print not running; otherwise you will see running.
  3. Enabling FirewallD
    To start the FirewallD service and enable it on boot, type:
    sudo systemctl start firewalld
    sudo systemctl enable firewalld

Working with Firewalld Zones

After enabling the FirewallD service for the first time, the public zone is set as the default zone. You can view the default zone by typing:
sudo firewall-cmd --get-default-zone
public
To get a list of all available zones, type:
sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work
By default, all network interfaces are assigned to the default zone. To check which zones are used by your network interface(s), type:
sudo firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1
The output above tells us that both interfaces, eth0 and eth1, are assigned to the public zone.
You can print the zone configuration settings with:
sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
From the output above, we can see that the public zone is active, set as default, and used by both the eth0 and eth1 interfaces. Also, connections related to the DHCP client and SSH are allowed.
If you want to check the configuration of all available zones, type:
sudo firewall-cmd --list-all-zones
The command will print a long list with the settings of all available zones.
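As an added example (not part of the original tutorial), the following POSIX shell check ties the runtime/permanent distinction from the Runtime and Permanent Settings section to the --list-all output shown above: it parses captured output of firewall-cmd --zone=ZONE --list-all and of the same command with --permanent, and reports entries that exist only at runtime (they vanish on reboot) or only in the permanent set (they are not active until firewall-cmd --reload). The two inputs below are constructed sample outputs, so the check runs without firewalld installed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: detect drift between the
# runtime and the permanent configuration of a firewalld zone. Inputs are the
# text printed by
#   firewall-cmd --zone=ZONE --list-all
#   firewall-cmd --zone=ZONE --list-all --permanent
# so the check also works on output captured from another host.

# zone_field FIELD: read list-all output on stdin and print the values of one
# field ("services", "ports", ...) sorted, space separated on a single line.
zone_field() {
    awk -v key="$1:" '$1 == key { for (i = 2; i <= NF; i++) print $i }' \
        | sort | tr '\n' ' '
}

# zone_drift RUNTIME PERMANENT FIELD: print "runtime-only VALUE" for entries
# that will disappear on reboot and "permanent-only VALUE" for entries that
# are saved but not yet loaded (firewall-cmd --reload activates them).
zone_drift() {
    rt=$(printf '%s\n' "$1" | zone_field "$3")
    pm=$(printf '%s\n' "$2" | zone_field "$3")
    for v in $rt; do
        case " $pm " in *" $v "*) ;; *) echo "runtime-only $v" ;; esac
    done
    for v in $pm; do
        case " $rt " in *" $v "*) ;; *) echo "permanent-only $v" ;; esac
    done
}

# Constructed sample output: http and 8080/tcp were opened at runtime only,
# https was added with --permanent but --reload was never run.
RUNTIME='public (active)
  target: default
  interfaces: eth0 eth1
  services: ssh dhcpv6-client http
  ports: 8080/tcp'
PERMANENT='public
  target: default
  interfaces: eth0 eth1
  services: ssh dhcpv6-client https
  ports:'

zone_drift "$RUNTIME" "$PERMANENT" services
zone_drift "$RUNTIME" "$PERMANENT" ports
```

On a live host, feed it the real output: zone_drift "$(sudo firewall-cmd --zone=public --list-all)" "$(sudo firewall-cmd --zone=public --list-all --permanent)" services.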

Changing the Zone of an Interface

You can easily change the zone of an interface by using the --zone flag in combination with the --change-interface flag. The following command will assign the eth1 interface to the work zone:
sudo firewall-cmd --zone=work --change-interface=eth1
Verify the changes by typing:
sudo firewall-cmd --get-active-zones
work
  interfaces: eth1
public
  interfaces: eth0

Changing the Default Zone

To change the default zone, use the --set-default-zone flag followed by the name of the zone you want to make the default. For example, to change the default zone to home, run the following command:
sudo firewall-cmd --set-default-zone=home
Verify the changes with:
sudo firewall-cmd --get-default-zone
home

Opening a Port or Service

With FirewallD you can allow traffic for specific ports based on predefined rules called services.
To get a list of all available predefined services, type:
sudo firewall-cmd --get-services
You can find more information about each service by opening the associated .xml file within the /usr/lib/firewalld/services directory. For example, the HTTP service is defined like this:
/usr/lib/firewalld/services/http.xml


  WWW (HTTP)