You are here
Home > Linux System Administration > FirewallD Introduction On CentOS 7

FirewallD Introduction On CentOS 7

Firewalld introduction

What is FirewallD?

Firewalld was introduced in CentOS 7/ RHEL 7 with both a GUI and command line interface for making changes. It is a alternative for using IPtables.  If offers a zone based firewall configuration that allows you to enable different zones with different levels of trust.

Different Zone possibilities

Zones change be changed, different network cards  or rules can also force different zones to be applied in different situations.

Drop Zone – Allows outgoing  connections, but incoming connnections are dropped
Block Zone – Allows outgoing ssh/dhcp connections, but incoming connnections are rejected.
Public Zone – Allows both incoming and outgoing connections(ssh)
DMZ  Zone – Allows both incoming ssh connections and outgoing connections
Trusted Zone – allows both incoming and outgoing connections
Home – dhcp,ipp and ssh incoming is allowed as well as outgoing connections
Internal  – Outgoing connections and the same connections as Home are allowed

FirewallD Zone Management

To see what zone is currently being used:

# firewall-cmd --get-default-zone

To set a new zone(replace internal with the zone you want to use)

# firewall-cmd --set-default-zone=internal

To see configuration of a zone:

# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: eth0
 services: dhcpv6-client ftp http https ssh
 ports: 80/tcp 81/tcp
 masquerade: no
 rich rules:

FirewallD Port Managment

To allow ftp to access with the current zone being used:

# firewall-cmd --add-service ftp

To allow http access with the current zone being used:

# firewall-cmd --add-service http

If you add –permanent this will ensure the rule stays after a reload of the firewall ruleset.

To get a list of all services:

# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

Managing the service itself

To start firewalld

systemctl start firewalld

To ensure firewalld starts after a reboot

systemctl enable firewalld

To reload the firewalld rulset:

firewall-cmd --reload


Leave a Reply

Notify of