FirewallD is a firewall management tool available by default on CentOS 7 servers. It’s one type of a firewall management solution which will manages iptables rules. In this tutorial, we will cover how to set up a firewalld on CentOS 7 server and explain you the basic FirewallD concepts. FirewallD replaces iptables as the default firewall management tool.
You should login with sudo enabled user account or with root user. It’s best practice to run administrative commands as sudo user instead of root user. If you don’t have sudo user you can make it by following this instructions.
Basic Concepts in Firewalld
FirewallD uses concepts of services and zones instead of iptables rules and chains. Using that you can configure which traffic should allowed or disallowed to and from system. FirewallD is using firewall-cmd utility to manage your firewall configuration.
Zones are sets of rules which specify what traffic should be allow depending on the level of trust you have in the networks your computer is connected to. You can assign network interfaces and sources to a zone.
Following are predefined zones included in FirewallD in order from trust level of the zone from least trusted to most trusted:
- drop: All incoming connections are dropped without any reply. Only outgoing connections are allowed. It’s lowest level of trust.
- block: This is same as above but all incoming connections are rejected with an
icmp6-adm-prohibitedmessages. Only outgoing connections are allowed.
- public: This represent untrusted public areas. You do not trust other computers on the network but may allow selected incoming connections.
- external: External networks in the event that you are using the firewall as your gateway. It is configure for NAT masquerading so that your internal network remains private but reachable.
- internal: For computers in your internal network, only selected incoming connections are accepted.
- dmz: DMZ demilitarized zone, publicly-accessible with limited access to the internal network, only selected incoming connections are accepted.
- work: Used for work machines. Trust most of the computers in the network. A few more services might be allow.
- home: Used for home machines. Other computers on the network are generally trustable. Only selected incoming connections are allowed.
- trusted: All network connections are acceptable. Trust all of the computers in the network
FirewallD services are xml configuration files, with predefined rules that apply within a zone and define the necessary settings to allow incoming traffic for a specific service. xml configuration files are stored in the
Installing and Enabling FirewallD
By default, Firewalld is available on your CentOS 7. If it’s not on your system then you can install the package by running below command:
sudo yum install firewalld
Firewalld service is disable by default. You can check the firewall status with:
sudo firewall-cmd --state
If you installed now or not activated before then it will print not running otherwise it will print running.
You can start the FirewallD service and enable it on boot by typing:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Configure your firewall with FirewallD
By default, after enabled FirewallD service the public zone is default zone. You can get list of the default zone by typing:
sudo firewall-cmd --get-default-zone
To get list of all available zones execute below command:
sudo firewall-cmd --get-zones
All network interfaces are assign the default zone. To check what zones are use by your network interface(s) type:
sudo firewall-cmd --get-active-zones
You can print the zone configuration settings with:
interfaces: eth0 eth1
services: ssh dhcpv6-client
Change the Default Zone
To change the default zone use the –set-default-zone flag followed by the name of the zone you want to make default. For example to change the default zone to home you should run the following command:
sudo firewall-cmd --set-default-zone=dmz
Verify the changes with:
sudo firewall-cmd --get-default-zone
FirewallD Rule for HTTP and HTTPS
To add permanent service rules for HTTP and HTTPS to the dmz zone, run:
firewall-cmd --zone=dmz --add-service=http --permanent
firewall-cmd --zone=dmz --add-service=https --permanent
You have learned how to configure and manage the FirewallD service on your CentOS system. Make sure all the necessary incoming connections are allow to work properly.
If you have questions feel free to leave a comment below.