Setting Up a Firewall with FirewallD on CentOS 7

Introduction

Firewalld is a firewall management solution that is available to many Linux distributions. It serves as an interface to the iptables packet filter system provided by the Linux kernel. In this guide, you will learn how to configure a firewall for your server. We will also show you the basics of managing the firewall with the firewall-cmd administration tool.

Firewalld Basics

FirewallD uses the concepts of zones and services rather than the chains and rules of iptables. Depending on the zones and services you configure, you control which traffic is allowed to and from the system. FirewallD is configured and managed with the command line utility firewall-cmd.

Install and Enable your Firewall to Start at Boot

On most Linux distributions FirewallD is already installed. However, if you need to install it yourself, type the command below:

You can enable the service and reboot your server once firewalld is installed:

Next, restart your server. Your firewall will be enabled once the server has come back up. After that, use the command below to verify that the service is active:

[Screenshot: firewall state]

The output shows that the firewall is running with its default configuration.

Checking the Defaults

You can check which zone the server uses as its default with this command:

[Screenshot: default zone]

Verify the active zone by typing:

[Screenshot: active zones]

Print the configuration of the default zone to see the rules attached to the public zone:

[Screenshot: --list-all output for the default zone]

The output indicates that this zone is both the default and the active zone. It also shows that the eth0 and eth1 interfaces are assigned to it.

Checking Alternative Zones

In addition to the default and active zones, there are other predefined zones you can explore. Enter this command to see all available zones:

[Screenshot: available zones]

Check the configuration of a particular zone by adding the --zone= parameter to the --list-all command:

[Screenshot: zone configuration]

Changing the Interface Zone

You can change the zone of an interface using the --zone= option combined with the --change-interface option. The following command assigns the interface eth1 to the work zone:

You can verify the changes by typing:

[Screenshot: active zones after the interface change]

Changing the Default Zone

To change the default zone, use --set-default-zone followed by the name of the zone you want as the default. For example, to change the default zone, run the following command:

Next, you can verify the changes with:

[Screenshot: default zone after the change]

Setting Rules for your Applications

Let's run through the basics required to define firewall exceptions for your services:

Adding a Service to your Zones

The most straightforward way is to add the ports or services you need to the zones you are using. First, use the --get-services option to see all the available services:

[Screenshot: --get-services output]

You can enable a service for a zone with the --add-service= parameter. The action targets the default zone or any zone given by the --zone= parameter. By default, only the current firewall session (the runtime configuration) is changed; you make a change permanent by adding the --permanent flag. For example, if you are running a web server that serves regular HTTP traffic, you can allow this traffic for interfaces in the "public" zone for this session by entering:

You can omit --zone= if you want to change the default zone. You can check that the operation succeeded with the --list-all or --list-services operations:

[Screenshot: services listed for the public zone]

Once you have verified that everything works as expected, you will most likely want to change the permanent firewall rules so that your service stays available after a restart. You can make the change to the "public" zone permanent by entering:

You can check whether this was successful by adding the --permanent flag to the --list-services operation. You must use sudo for all --permanent operations:

Your "public" zone now permanently allows HTTP traffic on port 80. To add a service to both the current session and the permanent rule set, use the commands below:

If no predefined service fits your requirements, you have two options:

1. Opening a Port for your Zones

The most straightforward way to add support for a particular application is to open the ports it uses in each zone. You designate a port or port range and the protocol for the ports you need to open. For example, if your application listens on port 5000 and uses TCP, you can add it to the "public" zone for this session with the --add-port= parameter. The protocol can be tcp or udp:

To check that the operation succeeded, use the --list-ports operation:

You can also specify a sequential range of ports by separating the first and last port with a hyphen. For example, if your application uses UDP ports 4990 to 4999, you can open them in "public" with:

After testing, you will probably want to add them to the permanent firewall configuration. You can do this by typing the following:

[Screenshot: ports added to the permanent configuration]

2. Defining a Service

A service is a collection of ports with an associated name and description. Services are easier to manage than bare ports, but they require a little initial work. The most straightforward way to get started is to copy an existing service definition from /usr/lib/firewalld/services to the /etc/firewalld/services directory. For example, you can copy the SSH service definition to use as the basis of an "example" service definition as follows. The file name minus the .xml suffix determines the service name in the list of firewall services:

At this point, you can adjust the definition in the copied file:

First, the file contains the SSH definition you copied:

Most of this definition consists of metadata. You must change the service short name in the <short> tags; this is the human-readable name of the service. Imagine that for the "example" service you need to open port 7777 for TCP and 8888 for UDP. You can change the existing definition by entering INSERT mode (press i):

Next, press ESC and type :x to save and close the file. Then, type the command below to reload your firewall so that your new service becomes available:

After that, use the command below to list the available services:

[Screenshot: --get-services output including the new service]

This service is now available in your zone.
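The same service definition can be generated instead of hand-edited, which keeps the XML well-formed and makes the allowed ports reviewable in one place. The following script is an added example and not part of the original tutorial; the SERVICES_DIR variable, the FW_DRY_RUN switch and the preview/apply arguments are this script's own conventions.

```sh
#!/bin/sh
# Added example (not from the tutorial): generate the firewalld service file
# for the "example" service (7777/tcp and 8888/udp) rather than editing a copy
# of ssh.xml by hand. SERVICES_DIR defaults to the directory the tutorial uses.
SERVICES_DIR="${SERVICES_DIR:-/etc/firewalld/services}"

# service_xml NAME SHORT DESCRIPTION PORT/PROTO...
# Prints a firewalld service definition to stdout. Ports are given as
# "7777/tcp"; anything other than tcp or udp is rejected with exit status 1.
service_xml() {
  short=$2; desc=$3; shift 3
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
  for spec in "$@"; do
    port=${spec%/*}; proto=${spec#*/}
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
    printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
  done
  printf '</service>\n'
}

# install_service NAME SHORT DESCRIPTION PORT/PROTO...
# Writes SERVICES_DIR/NAME.xml and reloads firewalld so the service shows up
# in --get-services. With FW_DRY_RUN=1 it only prints what it would do.
install_service() {
  file="$SERVICES_DIR/$1.xml"
  if [ "${FW_DRY_RUN:-0}" = "1" ]; then
    echo "# would write $file:"; service_xml "$@"
    echo "firewall-cmd --reload"
  else
    service_xml "$@" > "$file" && chmod 0644 "$file" && firewall-cmd --reload
  fi
}

# Entry point: "preview" prints the file and commands, "apply" needs root.
case "${1:-}" in
  preview) FW_DRY_RUN=1 install_service example "Example" "Example service" 7777/tcp 8888/udp ;;
  apply)   install_service example "Example" "Example service" 7777/tcp 8888/udp ;;
esac
```

Run `sh example-service.sh preview` to inspect the generated XML before applying it as root.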

Creating Your Zones

While the predefined zones are likely to be sufficient for most users, it can be useful to define your own zones with names that describe their function more clearly.

When adding a zone, add it to your permanent firewall configuration and then reload to bring it into your running session. For example, you can create the two zones used in the rest of this section, "publicweb" and "privateDNS", by typing:

You can confirm that they are present in your permanent configuration using this command:

[Screenshot: permanent zone list]

Reload the firewall to bring these new zones into active configuration:

Now, you can assign the appropriate services and ports to your zones. For example, for the “publicweb” zone you might like to add the services SSH, HTTP and HTTPS:

[Screenshot: publicweb zone configuration]

Also, you can add the DNS service to your “privateDNS” zone using this command:

[Screenshot: privateDNS zone configuration]

Next, you can change your interfaces to these new zones to test them:

Test the configuration to see if it works. If these settings work for you, add the same rules to the permanent configuration by reapplying them with the --permanent flag:

After applying these rules permanently, you can restart your network and reload your firewall service:

Check that the zones were assigned correctly:

[Screenshot: active zones]

Furthermore, make sure both zones have the correct services:

If you want one of your new zones to be the default for other interfaces, configure that with the --set-default-zone= parameter:
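The whole zone procedure above (create the zones, attach services, move the interfaces, reload, verify) as one script. This is an added example, not code from the original tutorial; the fw() wrapper and the FW_DRY_RUN switch are this script's own conventions, while the zone names, services and the eth0/eth1 interfaces are the tutorial's.

```sh
#!/bin/sh
# Added example (not from the tutorial): build the "publicweb" and "privateDNS"
# zones in the permanent configuration, assign eth0/eth1 to them, reload once,
# then verify. FW_DRY_RUN=1 prints each firewall-cmd call instead of running it.
fw() {
  if [ "${FW_DRY_RUN:-0}" = "1" ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    firewall-cmd "$@"
  fi
}

# zone_add ZONE IFACE SERVICE...
# Every step uses --permanent so nothing lives only in the runtime
# configuration; a single --reload afterwards activates all of it.
zone_add() {
  zone=$1; iface=$2; shift 2
  fw --permanent --new-zone="$zone"
  for svc in "$@"; do
    fw --permanent --zone="$zone" --add-service="$svc"
  done
  fw --permanent --zone="$zone" --change-interface="$iface"
}

# setup_zones: the layout from the tutorial. publicweb exposes only the web
# server and SSH; privateDNS exposes only DNS. Nothing else is opened.
setup_zones() {
  zone_add publicweb  eth0 ssh http https
  zone_add privateDNS eth1 dns
  fw --reload
}

# verify_zones: confirm interface assignment and the services in each zone.
verify_zones() {
  fw --get-active-zones
  for zone in publicweb privateDNS; do
    fw --zone="$zone" --list-all
  done
}

# Entry point: "preview" shows the commands, "apply" runs them (needs root).
case "${1:-}" in
  preview) FW_DRY_RUN=1 setup_zones; FW_DRY_RUN=1 verify_zones ;;
  apply)   setup_zones && verify_zones ;;
esac
```

Note that --new-zone fails if the zone already exists in the permanent configuration, so check `firewall-cmd --permanent --get-zones` before re-running apply.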

Conclusion

At this point, you have created your own zones and should have a basic understanding of administering the firewalld service on your CentOS system for everyday use. A good grasp of firewalld lets you take full advantage of its power and flexibility.

Happy Computing!