Firewalld is a firewall management tool that is used to allow or deny connection to the Linux system. It provides a set of rules to control the inbound traffic.
Firewalld acts as the front end for the Linux kernel Netfilter.
The permanent configuration is loaded from XML files in '/usr/lib/firewalld' or '/etc/firewalld'.
As of CentOS 7, firewalld (Dynamic Firewall Manager) is the default firewall tool on CentOS servers. We advise keeping firewalld active and enabled at all times.
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to secure their Servers via Linux Firewalld.
In this context, we shall look into how to install and use firewalld in CentOS system.
Firewalld is included in the base installation of Red Hat Enterprise Linux and CentOS. If it is not present, you can install it as follows.
On RHEL 7.X or CentOS 7.X, install with:
$ sudo yum install firewalld -y
On RHEL 8.X or CentOS 8.X, install with:
$ sudo dnf install firewalld -y
To start the service,
$ sudo systemctl start firewalld
To enable the firewalld service,
$ sudo systemctl enable firewalld
Check the status of firewalld,
$ systemctl status firewalld
Firewalld comes with several predefined zones, also known as levels of trust.
Zones are basically managed groups that each hold a set of rules.
However, the rules in a zone are not fixed; you adjust them to suit the zone.
For example, you can use the 'public' zone to expose the ports of your public services, while the 'home' zone allows SSH connections.
To list the zones in firewalld, use the following command:
$ sudo firewall-cmd --get-zones
To see which zones are currently active, use:
$ sudo firewall-cmd --get-active-zones
Now, let's add some ports to allow traffic into our system.
To add a TCP port, type the following.
Remember to add the --permanent option; otherwise your rule will not persist across a reload or restart of firewalld:
$ sudo firewall-cmd --add-port=443/tcp --permanent
Similarly, you can also allow UDP port:
$ sudo firewall-cmd --add-port=161/udp --permanent
You can also allow services such as DNS or HTTP; this opens the default port of that service.
For example,
$ sudo firewall-cmd --add-service=http --permanent
After you add a port or service, reload the firewall for the change to take effect:
$ sudo firewall-cmd --reload
Verify using:
$ sudo firewall-cmd --list-all
Note: When you don't specify a zone, the rule is added to the 'public' zone by default.
To remove port from firewalld you can use:
$ sudo firewall-cmd --remove-port=443/tcp --permanent
To remove service from firewalld you can use:
$ sudo firewall-cmd --remove-service=http --permanent
Remember to reload the firewall after you add or remove the port/services.
Rich rules provide more granular options than plain port and service rules. They are used to configure port forwarding, rate limiting, logging and so on.
For example, to accept SSH connections from a single IP, say 192.1.11.11, add a rich rule that specifies the IP family, source address, port and protocol:
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.1.11.11/32" port protocol="tcp" port="22" accept'
You can also drop traffic to port 22 from every source address in an entire network, as below:
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.1.11.0/24" port protocol="tcp" port="22" drop'
To allow new IPv4 connections from 192.168.0.0/24 to the tftp service and log them via syslog at most once per minute, you can do:
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
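As an added example (not from the original article), the POSIX shell functions below audit the output of `firewall-cmd --list-all` from the verification step above: they report any open port or service that is not on an allowlist, and any rich rule that accepts traffic without a restricting source address. The sample output is constructed to mimic the real format; on a host you would pipe the real command's output into the functions instead.

```shell
#!/bin/sh
# Added example, not from the original article: audit the zone printed by
# `firewall-cmd --list-all` against an allowlist, so a port opened outside the
# change process, or a rich rule that accepts from any source, is caught.
# SAMPLE_LIST_ALL is constructed here to mimic the real output format.
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 443/tcp 161/udp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
        rule family="ipv4" source address="0.0.0.0/0" port port="22" protocol="tcp" accept'

# Print the space-separated values of one field such as "services" or "ports".
# $1 = field name; stdin = --list-all output.
list_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print each open service/port that is not in the allowlist; exit 1 if any.
# $1 = allowlist, space separated; stdin = --list-all output.
find_unexpected() {
    allow=" $1 "
    input=$(cat)
    found=""
    for item in $(printf '%s\n' "$input" | list_field services) \
                $(printf '%s\n' "$input" | list_field ports); do
        case "$allow" in
            *" $item "*) ;;                          # on the allowlist
            *) found="${found:+$found }$item" ;;     # not reviewed: report it
        esac
    done
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Print rich rules that accept without a restricting source (no source, or a
# /0 prefix); exit 1 if any. stdin = --list-all output.
find_open_accepts() {
    hits=$(grep -E '^[[:space:]]*rule .* accept$' |
           grep -Ev 'source address="[0-9.]+(/([1-9]|[12][0-9]|3[0-2]))?"' || true)
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -z "$hits" ]
}
```

On a real host, replace the sample with `sudo firewall-cmd --list-all | find_unexpected "ssh http 443/tcp"` and check the exit status in a cron job or configuration check.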
If you want to remove the firewall daemon from CentOS / RHEL, first stop the running service:
$ sudo systemctl stop firewalld
On RHEL 7.X or CentOS 7.X:
$ sudo yum remove firewalld -y
On RHEL 8.X or CentOS 8.X:
$ sudo dnf remove firewalld -y
This article covers how to install and use firewalld on CentOS in order to increase the security of your Linux system. Note that a host-based firewall such as firewalld is recommended by compliance standards like PCI DSS.
FirewallD is a complete firewall solution that manages the system's iptables rules and provides a D-Bus interface for operating on them. Starting with CentOS 7, FirewallD replaces iptables as the default firewall management tool.
Firewalld services are predefined rules that apply within a zone and define the necessary settings to allow incoming traffic for a specific service.
How to install Firewalld on CentOS?
Firewalld is installed by default on CentOS 7, but if it is not installed on your system, you can install the package by running the command:
$ sudo yum install firewalld
The firewalld service is disabled by default. You can check the firewall status with:
$ sudo firewall-cmd --state
If you have just installed it or never activated it before, the command will print 'not running'. Otherwise, you will see 'running'.
To start the FirewallD service and enable it on boot type:
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
To open HTTP and HTTPS ports add permanent service rules to the dmz zone:
$ sudo firewall-cmd --permanent --zone=dmz --add-service=http
$ sudo firewall-cmd --permanent --zone=dmz --add-service=https
Make the changes effective immediately by reloading the firewall:
$ sudo firewall-cmd --reload
Zones provided by FirewallD:
1. drop: All incoming connections are dropped without any notification. Only outgoing connections are allowed.
2. block: All incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only outgoing connections are allowed.
3. public: For use in untrusted public areas. You do not trust other computers on the network, but you can allow selected incoming connections.
4. external: For use on external networks with NAT masquerading enabled when your system acts as a gateway or router. Only selected incoming connections are allowed.
5. internal: For use on internal networks when your system acts as a gateway or router. Other systems on the network are generally trusted. Only selected incoming connections are allowed.
6. dmz: Used for computers located in your demilitarized zone that have limited access to the rest of your network. Only selected incoming connections are allowed.
7. work: Used for work machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
8. home: Used for home machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
9. trusted: All network connections are accepted. Trust all of the computers in the network.