Firewalld is the default utility for managing the host-based firewall in CentOS 7/RHEL 7. In previous versions, iptables was used to manage the firewall. The iptables service still exists, and if you want to use iptables on your CentOS/RHEL 7 machine you have to disable and mask the firewalld service first, so that the two tools do not fight over the same kernel rule set. In some ways, firewalld is easier to manage and configure than iptables.
Prerequisites
- User with Sudo privileges
See Also : Iptables Tutorial – Beginners to Advanced Guide To Linux Firewall
Basic Concepts of Firewalld
Firewalld is based on the concepts of zones and services, whereas iptables uses chains and rules. By assigning interfaces to zones and services to zones, you control which traffic is allowed to or denied from the server.
Firewalld Zones
Below is the list of predefined zones in the firewalld service, from least to most trusted.
- DROP : Lowest level of trust, all incoming connections are dropped without any notification and only outgoing connections are possible.
- BLOCK : Similar to the DROP Zone, but incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only outgoing connections are possible.
- PUBLIC : Represents public, untrusted networks. You can not trust other computers on the network, but you can allow selected incoming connections.
- EXTERNAL : For use on external networks with NAT masquerading configured, when your firewall acts as a gateway or router.
- INTERNAL : For use on internal networks, when your firewall acts as a gateway or router. The computers are fairly trustworthy.
- DMZ : Used for machines in a demilitarized zone (limited access to the rest of your network). Only selected incoming connections are allowed.
- WORK : Used for machines in a work environment. Other computers on the network are generally trusted.
- HOME : Used for machines in a home environment. Other computers on the network are generally trusted.
- TRUSTED : All network connections are accepted; every machine on the network is trusted.
Firewalld Permanent and Runtime Settings
Firewalld keeps two separate configuration sets.
- Runtime configuration : This is the configuration that is actually in effect right now. It is lost on reboot (and on a firewalld reload).
- Permanent configuration : This configuration is stored on disk and loaded when firewalld starts or reloads. You change it with the --permanent option of the firewall-cmd utility; a --permanent change does not affect the running rules until the next reload.
Install and Enable Firewalld
On RHEL-based systems (CentOS 7), firewalld is installed by default. If it is not installed on your system, you can install the package with the following command:
$ sudo yum install firewalld
After installing the firewalld package, don't forget to enable it so that it starts automatically on boot:
$ sudo systemctl enable firewalld
By default, the firewalld service is disabled. You can check its status with the following command:
$ sudo firewall-cmd --state
#output
running
If you have just installed firewalld or never started it before, the output is "not running". Otherwise, the output is "running".
Overview of Current Firewall Rules
You can see which zone is currently set as the default by executing the command below:
$ firewall-cmd --get-default-zone
#output
public
You can list all the available zones with the following command:
$ sudo firewall-cmd --get-zones
#output
block dmz drop external home internal public trusted work
Initially, the default zone is assigned to all network interfaces. To see which zones are in use by your network interface(s), use the command below:
$ sudo firewall-cmd --get-active-zones
#output
public
interfaces: ens33
To see which rules are associated with the default zone (public here), use the following command:
$ sudo firewall-cmd --list-all
You can check the configuration of a specific zone by adding the --zone= parameter to the --list-all command:
$ sudo firewall-cmd --zone=home --list-all
Selecting Zones for Interface
You can change the zone of an interface by using the --zone option together with the --change-interface option. The following command assigns the ens33 interface to the public zone:
$ sudo firewall-cmd --zone=public --change-interface=ens33
Verify the change by executing the command below:
$ sudo firewall-cmd --get-active-zones
Changing the Default Zone
You can change the default zone if needed with the --set-default-zone option followed by the name of the zone you want to make the default:
$ sudo firewall-cmd --set-default-zone=work
You can verify the changes with the following command:
$ sudo firewall-cmd --get-default-zone
Setup Rules for your Applications
Adding Services to Zones
For instance, if you are running a web server serving HTTP traffic, you can allow this traffic for interfaces in your default zone (assuming the default zone is public) using the command below:
$ sudo firewall-cmd --zone=public --add-service=http
#output
success
Verify the change by executing the command below:
$ sudo firewall-cmd --zone=public --list-services
You should also add the rule with the --permanent option so that the service is still allowed after a reboot. You can do that with the following command:
$ sudo firewall-cmd --zone=public --permanent --add-service=http
#output
success
Your "public" zone will now allow HTTP web traffic on port 80. If your web server is configured to use SSL/TLS, you also need to add the https service. You can add it with the following commands:
$ sudo firewall-cmd --zone=public --add-service=https
$ sudo firewall-cmd --zone=public --permanent --add-service=https
Opening a Port for Zones
You can open specific ports if there is no service name handy. For instance, suppose your application runs on port 4000 and uses TCP. You can open this port with the --add-port option as follows:
$ sudo firewall-cmd --zone=public --add-port=4000/tcp
#output
success
You can verify the changes with the following command:
$ sudo firewall-cmd --zone=public --list-ports
You can also open a sequential range of ports. For instance, if your application uses UDP ports 3990 to 3999, you could open this range as follows:
$ sudo firewall-cmd --zone=public --add-port=3990-3999/udp
You should reload the firewalld service after adding services or opening ports:
$ sudo firewall-cmd --complete-reload
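The runtime/permanent split described earlier means that a plain --add-service or --add-port change disappears at the next reload, while a --permanent-only change does nothing until the next reload. The POSIX shell script below is an added example (not code from the tutorial) that applies a service or port to a zone in both configurations and skips anything already present, so it can be rerun safely. It assumes firewall-cmd is available via sudo; with FW_DRY_RUN=1 (a variable invented for this example) it only prints the command lines it would run, which is how it can be tried on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not part of the tutorial: allow a service or port in a zone in
# BOTH the runtime and the permanent configuration, skipping rules already set.
# FW_DRY_RUN=1 (an assumption of this example) prints the firewall-cmd command
# lines instead of running them.

# run_fw ARGS...: run "sudo firewall-cmd ARGS", or echo the command line in dry-run mode.
run_fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        sudo firewall-cmd "$@"
    fi
}

# is_allowed SCOPE ZONE KIND VALUE: exit 0 if the rule is already present.
# SCOPE is "runtime" or "permanent"; KIND is "service" or "port".
# firewall-cmd --query-service / --query-port exit 0 when the rule exists.
# In dry-run mode nothing is queried, so every rule is treated as missing.
is_allowed() {
    [ "${FW_DRY_RUN:-0}" != "1" ] || return 1
    perm=""
    [ "$1" = permanent ] && perm="--permanent"
    sudo firewall-cmd $perm --zone="$2" "--query-$3=$4" >/dev/null 2>&1
}

# fw_allow ZONE KIND VALUE: add VALUE (e.g. "http" or "4000/tcp") to ZONE at
# runtime (effective immediately) and permanently (survives reboot and reload).
fw_allow() {
    zone="$1"; kind="$2"; value="$3"
    case "$kind" in
        service|port) ;;
        *) echo "fw_allow: KIND must be 'service' or 'port', got '$kind'" >&2; return 2 ;;
    esac
    for scope in runtime permanent; do
        if is_allowed "$scope" "$zone" "$kind" "$value"; then
            echo "$scope: $kind $value already allowed in zone $zone" >&2
            continue
        fi
        if [ "$scope" = permanent ]; then
            run_fw --permanent --zone="$zone" "--add-$kind=$value"
        else
            run_fw --zone="$zone" "--add-$kind=$value"
        fi
    done
}

# Usage (on a host with firewalld):
#   fw_allow public service https
#   fw_allow public port 3990-3999/udp
```

Because the rule is written to both configurations, no reload is needed afterwards, and a later firewall-cmd --reload keeps it because the permanent copy exists. Keeping the two in sync also avoids the common surprise of a rule that works until the first reboot, or a rule that was saved but is not enforced yet.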
Defining a Service
Opening ports for zones is easy, but it can be difficult to keep track of which ports belong to which application, and it is hard to remember later whether an opened port is still required. To avoid this situation, you should define a service.
Services are collections of ports with an associated name and description. It is easier to administer services than ports. All the existing service definitions can be found in /usr/lib/firewalld/services. You can take an existing service, copy it under the service name you want to use, and then edit it as needed:
$ sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/service-example.xml
You can see the
$ sudo cat /usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
Next, you can modify your service-example as follows:
$ sudo vi /etc/firewalld/services/service-example.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>service-example</short>
  <description>This is just an example service. You can write your own description for your service.</description>
  <port protocol="tcp" port="1111"/>
  <port protocol="udp" port="2222"/>
</service>
Afterwards, reload the firewalld service so that it picks up your newly added service:
$ sudo firewall-cmd --reload
You can verify the newly added service as follows:
$ sudo firewall-cmd --get-services
Now you can use this service in your zones as you normally do.
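Hand-editing the service XML works, but a typo in a port or protocol only shows up when firewalld refuses to load the file. The POSIX shell script below is an added example (not part of the tutorial) that writes a service definition in the format shown above from a list of PORT/PROTO specs, validating each spec first and escaping the description for XML, and that reads the ports back out of a definition. The function names, the target path and the sample service are assumptions of this example; it writes wherever you point it, so it can be tried in a temporary directory before copying the result into /etc/firewalld/services.

```shell
#!/bin/sh
# Added example, not from the tutorial: build and inspect a firewalld service
# definition file (the /usr/lib/firewalld/services/*.xml format shown above).

# xml_escape STRING: escape the five XML special characters for use in text content.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# check_spec PORT/PROTO: exit 0 if PORT is a number or low-high range within
# 1-65535 and PROTO is tcp or udp; otherwise print a reason and exit 1.
check_spec() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp) ;;
        *) echo "bad protocol in '$spec' (want PORT/tcp or PORT/udp)" >&2; return 1 ;;
    esac
    port=${spec%/*}
    case "$port" in
        ""|*[!0-9-]*|-*|*-|*-*-*) echo "bad port in '$spec'" >&2; return 1 ;;
    esac
    for n in $(printf '%s' "$port" | tr '-' ' '); do
        if [ "$n" -lt 1 ] || [ "$n" -gt 65535 ]; then
            echo "port $n out of range in '$spec'" >&2; return 1
        fi
    done
    case "$port" in
        *-*) low=${port%-*}; high=${port#*-}
             if [ "$low" -ge "$high" ]; then echo "empty range in '$spec'" >&2; return 1; fi ;;
    esac
    return 0
}

# write_service FILE NAME DESCRIPTION PORT/PROTO...
# Validates every spec before touching FILE, so a bad spec leaves no half-written file.
write_service() {
    file="$1"; name="$2"; desc="$3"; shift 3
    for spec in "$@"; do
        check_spec "$spec" || return 1
    done
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$name")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
}

# list_ports FILE: print one PORT/PROTO line per <port> element in FILE.
list_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# Usage:
#   write_service /etc/firewalld/services/service-example.xml service-example \
#       "Example service" 1111/tcp 2222/udp
#   list_ports /usr/lib/firewalld/services/ssh.xml   # prints 22/tcp
```

list_ports is also a quick way to audit what a custom service actually opens before you add it to a zone, which addresses the "which ports are still required" problem the section raises: the service file, not a scattered set of --add-port rules, becomes the single place to read.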
Conclusion
After this firewalld tutorial, I hope you have learned the basic to advanced concepts of the Linux firewall.
Read Also : How to Configure Firewall with UFW on Ubuntu