firewalld is the default firewall management tool on CentOS 7 servers. It is essentially a front end for iptables and ships with the graphical configuration tool firewall-config and the command-line tool firewall-cmd. With the iptables service, every change requires flushing the old rules and reloading the new ones from /etc/sysconfig/iptables; firewalld instead applies only the parts of the configuration that actually changed.
Install and view status
```
yum install firewalld
```
Start the service and enable it at boot:
```
systemctl start firewalld
systemctl enable firewalld
```
Stop and disable it:
```
systemctl stop firewalld
systemctl disable firewalld
```
Check the firewall state; the output is either running or not running:
```
# firewall-cmd --state
running
```
By default, firewalld is running and rejects all incoming traffic, with a few exceptions, such as SSH.
To view the status of the firewalld daemon:
```
systemctl status firewalld
```
firewalld zones
firewalld uses services and zones instead of iptables rules and chains.
By default, the following zones are available:
- drop – all incoming packets are dropped without any reply; only outgoing connections are possible.
- block – all incoming packets are rejected with an ICMP host-prohibited message; only outgoing connections are possible.
- public – for use in public areas; only selected incoming connections are accepted.
- external – for external networks with masquerading enabled; only selected incoming connections are accepted.
- dmz – for computers in a demilitarized zone that are publicly reachable but have limited access to the internal network; only selected incoming connections are accepted.
- work – for computers in your work area; only selected incoming connections are accepted.
- home – for computers in your home area; only selected incoming connections are accepted.
- internal – for computers on your internal network; only selected incoming connections are accepted.
- trusted – all network connections are accepted.
To list all available zones, run:
```
# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
```
Show the default zone:
```
# firewall-cmd --get-default-zone
public
```
Change the default zone:
```
# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz
```
Show the complete configuration of a specific zone:
```
# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
Show the configuration of all zones:
```
# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
firewalld services
Each firewalld service is described by an XML configuration file that records the ports and protocols it covers.
List all available services:
```
# firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
```
The service XML files are stored in the /usr/lib/firewalld/services/ and /etc/firewalld/services/ directories.
The configuration files live in two directory trees:
- /usr/lib/firewalld holds the default configuration, such as the default zones and the bundled services. Avoid modifying these files, because they are overwritten whenever the firewalld package is updated.
- /etc/firewalld holds the system-specific configuration files, which override the defaults.
Configuration sets
firewalld uses two configuration sets: runtime and permanent. Runtime changes are lost when the system or firewalld restarts, and changes to the permanent set are not applied to the running system on their own.
By default, firewall-cmd operates on the runtime configuration; with the --permanent flag it writes to the permanent configuration instead. To add a permanent rule and activate it, use one of two methods.
1. Add the rule to both the permanent and the runtime rule sets:
```
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=http
```
2. Add the rule to the permanent rule set and reload firewalld:
```
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload
```
The reload command discards the entire runtime configuration and applies the permanent configuration. Because firewalld manages its rule sets dynamically, this does not break existing connections and sessions.
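The two sets can drift apart in either direction: a rule added only at runtime disappears at the next reload or reboot, and a rule added only with --permanent is saved but not enforced. The script below is an added example, not part of the original page; `diff_services` is a hypothetical helper, and the sample lists are constructed stand-ins for the one-line output of `firewall-cmd --zone=ZONE --list-services` and its `--permanent` counterpart.

```shell
#!/bin/sh
# Added example, not from the original page: report drift between a zone's
# runtime and permanent service lists, in both directions.
# Constructed samples standing in for the one-line output of
#   firewall-cmd --zone=ZONE --list-services
#   firewall-cmd --zone=ZONE --permanent --list-services
RUNTIME_SAMPLE="http https ssh"
PERMANENT_SAMPLE="http https smtp"

# diff_services RUNTIME_LIST PERMANENT_LIST
# Prints one line per difference and returns 1 if any exists:
#   runtime-only SVC    active now, silently lost at the next reload or reboot
#   permanent-only SVC  saved on disk, but not enforced until a reload
diff_services() {
    rt=$1
    pm=$2
    rc=0
    for svc in $rt; do
        case " $pm " in
            *" $svc "*) ;;
            *) echo "runtime-only $svc"; rc=1 ;;
        esac
    done
    for svc in $pm; do
        case " $rt " in
            *" $svc "*) ;;
            *) echo "permanent-only $svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Check the live default zone when firewall-cmd is available, else the samples.
if command -v firewall-cmd >/dev/null 2>&1; then
    zone=$(firewall-cmd --get-default-zone)
    runtime=$(firewall-cmd --zone="$zone" --list-services)
    permanent=$(firewall-cmd --zone="$zone" --permanent --list-services)
else
    runtime=$RUNTIME_SAMPLE
    permanent=$PERMANENT_SAMPLE
fi
if diff_services "$runtime" "$permanent"; then
    echo "runtime and permanent service lists match"
fi
```

Run it after every change session: any `runtime-only` line is a rule that will vanish at the next reload, so either make it permanent or treat it as intentionally temporary.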
Configuring your firewall with firewalld
As an example, suppose you are running a web server, an SSH service on port 7022 and a mail service. You can configure the server with firewalld as follows.
First, set the default zone to dmz:
```
# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz
```
Add permanent HTTP and HTTPS rules to the dmz zone:
```
# firewall-cmd --zone=dmz --add-service=http --permanent
# firewall-cmd --zone=dmz --add-service=https --permanent
```
Open port 25 (SMTP) and port 465 (SMTPS):
```
firewall-cmd --zone=dmz --add-service=smtp --permanent
firewall-cmd --zone=dmz --add-service=smtps --permanent
```
Open the IMAP, IMAPS, POP3 and POP3S ports:
```
firewall-cmd --zone=dmz --add-service=imap --permanent
firewall-cmd --zone=dmz --add-service=imaps --permanent
firewall-cmd --zone=dmz --add-service=pop3 --permanent
firewall-cmd --zone=dmz --add-service=pop3s --permanent
```
Since SSH has been moved to port 7022, remove the ssh service (port 22) and open port 7022:
```
firewall-cmd --remove-service=ssh --permanent
firewall-cmd --add-port=7022/tcp --permanent
```
To apply these changes, reload the firewall:
```
firewall-cmd --reload
```
Finally, list the resulting rules:
```
# firewall-cmd --list-all
dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https imap imaps pop3 pop3s smtp smtps
  ports: 7022/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
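After the reload, the exposed surface should be exactly the set above: anything extra is an unintended exposure, and a missing 7022/tcp with the ssh service already removed is a lockout. The script below is an added example, not code from the original page; `field` and `check_zone` are hypothetical helpers, and `SAMPLE` is a constructed copy of the listing shown above.

```shell
#!/bin/sh
# Added example, not from the original page: confirm a zone exposes exactly
# the intended services and ports by parsing `firewall-cmd --zone=dmz --list-all`.
# SAMPLE is constructed from the listing shown on the page.
SAMPLE='dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https imap imaps pop3 pop3s smtp smtps
  ports: 7022/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# field NAME OUTPUT: print the value of the "NAME:" line, one sorted word per line.
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr ' ' '\n' | sort
}

# check_zone OUTPUT EXPECTED_SERVICES EXPECTED_PORTS
# Returns 0 only when the services and ports match the expected sets exactly
# (order-insensitive) and prints each mismatching field otherwise.
check_zone() {
    rc=0
    for kind in services ports; do
        if [ "$kind" = services ]; then want=$2; else want=$3; fi
        got=$(field "$kind" "$1")
        exp=$(printf '%s\n' $want | sort)
        [ "$got" = "$exp" ] || { echo "$kind mismatch: got [$got] want [$exp]"; rc=1; }
    done
    return $rc
}

# Use the live zone when firewall-cmd is available, otherwise the sample.
if command -v firewall-cmd >/dev/null 2>&1; then
    out=$(firewall-cmd --zone=dmz --list-all)
else
    out=$SAMPLE
fi
if check_zone "$out" "http https imap imaps pop3 pop3s smtp smtps" "7022/tcp"; then
    echo "dmz zone matches the intended configuration"
fi
```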
Opening ports 80 and 443
```
# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --reload    # apply these rules to the current session
```
View the services enabled in the current firewall configuration:
```
# firewall-cmd --list-services
http https ssh
```