Use firewalld on CentOS 7, Red Hat, and Fedora
Firewalld has replaced iptables as the firewall for CentOS® 7. The syntax that firewalld uses is more user-friendly. This post shows you how to ensure that firewalld is running and starts when your server boots. It also shows you how to create persistent and flexible firewall rules.
Note: Red Hat® Fedora® also uses firewalld, so all of the commands in this article also work in the Fedora image that Rackspace provides.
Basic firewalld concepts
Firewalld uses zones to manage groups of rules. Zones are attached to network interfaces and determine which traffic is allowed on a specific network and which traffic is denied.
This functionality might be useful if you want to establish a very strict firewall on your public interface, and a more relaxed firewall on your Cloud Network interface. Becoming familiar with the zones that firewalld pre-defined is helpful. Firewalld has the following pre-defined zones, in order from least trusted to most trusted:
drop: This zone only allows outgoing connections. It drops incoming connections without a reply.
block: While similar to
drop, this zone rejects incoming requests with an
public: Use this zone for public networks, or when you don’t trust any of the other computers on the network. This zone accepts incoming connections on a case-by-case basis.
external: Use this zone on external networks where the firewall acts as the gateway. This zone is configured for Network Address Translation (NAT) masquerading so that your internal network is private but reachable.
internal: Use this zone for the internal part of a gateway, where the other computers are reasonably trustworthy.
dmz: Use this zone for isolated computers that are located in a demilitarized zone (DMZ). This zone only allows Secure Shell (SSH) and Internet Control Message Protocol (ICMP).
work: Use this zone for work computers.
home: Use this zone for home environments.
trusted: Use this zone when you trust all of the computers on the network.
To use the firewall, you create rules and alter the properties of your zones, and then assign your network interfaces to the zones that are most appropriate for your network.
Start the firewall and enable it on boot
By default, firewalld should be enabled, reboot the server, and then start at boot.
You can easily check if the firewall is running by using the
as shown in the following example:
$ sudo firewall-cmd --state Finding out about your zones
If firewalld is not running, you can enable and start it by running the following commands:
$ sudo systemctl enable firewalld $ sudo systemctl start firewalld
You can see which zone is currently the default zone by running the following command:
$ sudo firewall-cmd --get-default-zone
You can see which network interfaces are assigned to which zones by running the following command:
$ sudo firewall-cmd --get-active-zones
Note: The default assigns all network interfaces to the public zone.
You can also find the rules that are associated with the public zone by running the following command:
$ sudo firewall-cmd --list-all --zone=public
The output should look like the following example:
public (default, active) interfaces: eth0 eth1 sources: services: dhcpv6-client http https ssh ports: 1025/tcp masquerade: no forward-ports: icmp-blocks: rich rules:
The output shows that the public zone is the default, and has eth0 and
eth1 network interfaces. Dynamic Host Configuration Protocol (DHCP)
dhcpv6-client), SSH, Hypertext Transfer Protocol (HTTP), and Secure HTTP
(HTTPS) traffic are allowed, as well as Transmission Control Protocol (TCP)
traffic on port
To get a list of the available zones, run the following command:
$ sudo firewall-cmd --get-zones
Set up your zones
You can move interfaces between zones during your session by using the
--change-interface= argument and the
--zone argument. If the firewall
restarts, the interface reverts to the default zone.
$ sudo firewall-cmd --zone=internal --change-interface=eth1
To define a permanent zone for an interface, open the configuration file for the interface and add the following lines:
... ONBOOT=yes ZOME=internal
Save and close the file, then run the following commands to restart the networking and firewall and force the changes to take effect:
$ sudo systemctl restart network $ sudo systemctl restart firewalld
Set up the rules
Firewalld comes with pre-defined services that enable you to add only the
service, rather than the port number and protocol type. For example, they
enable you to allow
http rather than
tcp port 80.
You can obtain a list of these services by using the following command:
$ sudo firewall-cmd --get-services
Then, use the following example command to add a service:
$ sudo firewall-cmd --add-service=http
The configuration takes immediate effect, but doesn’t survive reboots. To
enable these types of service configurations to restart when the server
reboots, you need to add the
--permanent argument. We recommend that you run
both of these commands in sequence so that the configuration takes immediate
effect, and services also reboot, as shown in the following example:
$ sudo firewall-cmd --add-service=http firewall-cmd --permanent --add-service=http
You can obtain additional details about firewalld’s pre-defined rules by navigating to the /usr/lib/firewalld/services/ directory and reading the files.
Set up rich rules
Rich rules are how you define conditionals in firewalld. The most common use case for rich rules is allowing access from a particular IP address or IP address range. The following commands enable access to TCP port 80 from any IP on the 192.168.0.0 network and make the rule permanent:
$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' $ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent
For examples of rich rules, see the Fedora® Wiki.
You can create your own service and refer to when you create rules by placing a file in the /usr/lib/firewalld/services/ directory. The easiest way to perform this task by copying an existing .xml file in this directory, then changing the details.
The following example command copies an existing file to a new file:
$ sudo cp /usr/lib/firewalld/services/http.xml /usr/lib/firewalld/services/myservice.xml
The following command opens the new file for editing:
$ sudo vim /usr/lib/firewalld/services/myserver.xml
The file should look like the following example:
<!--?xml version="1.0" encoding="utf-8"?--> <service> <short>My Custom Service</short> <description>A brief description of the service. This rule allows port 1134 on TCP for my application.</description> <port protocol="tcp" port="1134"></port> </service>
To apply your changes, use the following commands with the name of the file, minus the .xml file extension:
$ sudo firewall-cmd --add-service=myservice $ sudo firewall-cmd --permanent --add-service=myservice
©2020 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License