You are here
Home > Linux System Administration > FirewallD Introduction On CentOS 7

FirewallD Introduction On CentOS 7

Firewalld introduction

What is FirewallD?

Firewalld was introduced in CentOS 7/ RHEL 7 with both a GUI and command line interface for making changes. It is a alternative for using IPtables.  If offers a zone based firewall configuration that allows you to enable different zones with different levels of trust.


Different Zone possibilities

Zones change be changed, different network cards  or rules can also force different zones to be applied in different situations.

Drop Zone – Allows outgoing  connections, but incoming connnections are dropped
Block Zone – Allows outgoing ssh/dhcp connections, but incoming connnections are rejected.
Public Zone – Allows both incoming and outgoing connections(ssh)
DMZ  Zone – Allows both incoming ssh connections and outgoing connections
Trusted Zone – allows both incoming and outgoing connections
Home – dhcp,ipp and ssh incoming is allowed as well as outgoing connections
Internal  – Outgoing connections and the same connections as Home are allowed

FirewallD Zone Management

To see what zone is currently being used:

# firewall-cmd --get-default-zone
internal

To set a new zone(replace internal with the zone you want to use)

# firewall-cmd --set-default-zone=internal
success

To see configuration of a zone:

# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: eth0
 sources:
 services: dhcpv6-client ftp http https ssh
 ports: 80/tcp 81/tcp
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:

FirewallD Port Managment

To allow ftp to access with the current zone being used:

# firewall-cmd --add-service ftp
success

To allow http access with the current zone being used:

# firewall-cmd --add-service http
success

If you add –permanent this will ensure the rule stays after a reload of the firewall ruleset.

To get a list of all services:

# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

Managing the service itself

To start firewalld

systemctl start firewalld

To ensure firewalld starts after a reboot

systemctl enable firewalld

To reload the firewalld rulset:

firewall-cmd --reload

 

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz
Top