    How to Install, Configure and Use Firewalld in CentOS 7 / RHEL 7 / OEL 7

    Firewalld (firewall daemon) is an alternative to the iptables service for dynamically managing a system's firewall. It supports network (firewall) zones and provides a D-Bus interface for managing the configuration.

    In this article, we will discuss how to configure the system firewall with firewalld on CentOS 7 / RHEL 7 / OEL 7.

    How to Install Firewalld on CentOS 7 / RHEL 7/ OEL 7

    On CentOS 7, the firewalld package comes pre-installed. You can verify this with the following command:

    [root@salt-master ~]# rpm -qa firewalld
    firewalld-0.6.3-13.el7_9.noarch
    [root@salt-master ~]#
    
    

    Manage Firewalld Service

    The firewalld service is managed with the systemctl command.

    # systemctl start firewalld     # start the firewalld service
    # systemctl enable firewalld    # enable the service to auto-start at boot time
    # systemctl status firewalld    # view the service status
    [root@salt-master ~]# systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
       Active: active (running) since Sat 2021-08-14 22:39:44 IST; 8s ago
         Docs: man:firewalld(1)
     Main PID: 4104 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─4104 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
    
    Aug 14 22:39:43 salt-master systemd[1]: Starting firewalld - dynamic firewall daemon...
    Aug 14 22:39:44 salt-master systemd[1]: Started firewalld - dynamic firewall daemon.
    Aug 14 22:39:44 salt-master firewalld[4104]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please conside...abling it now.
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@salt-master ~]#
    
    You can check whether the firewalld daemon is running with the firewall-cmd tool:

    [root@salt-master ~]# firewall-cmd --state
    running
    [root@salt-master ~]#
    

    Save the Configuration Permanently

    Changes made with the --permanent option are written to the on-disk configuration but are not active until firewalld is reloaded. Reloading re-reads the firewall rules while keeping state information: the current permanent configuration becomes the new runtime configuration.

    # firewall-cmd --reload

    Firewall Zones

    To get a list of all available firewall zones:

    [root@salt-master ~]# firewall-cmd --get-zones
    block dmz drop external home internal public trusted work
    [root@salt-master ~]#
    
    To get a list of all services known to the firewall:

    [root@salt-master ~]# firewall-cmd --get-services
    RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
    [root@salt-master ~]#
    
    Get the default zone:

    [root@salt-master ~]# firewall-cmd --get-default-zone
    public
    [root@salt-master ~]#
    
    Set the default zone:

    [root@salt-master ~]# firewall-cmd --set-default-zone=<zone name>

    To make the change permanent:

    [root@salt-master ~]# firewall-cmd --set-default-zone=<zone name> --permanent
    [root@salt-master ~]# firewall-cmd --reload 

    To get a list of all active zones (zones that have an interface or source bound to them):

    [root@salt-master ~]# firewall-cmd --get-active-zones
    public
      interfaces: enp0s3 enp0s8
    [root@salt-master ~]#
    
    To get more information on a zone (interfaces, sources, services, ports and rich rules bound to it):

    [root@salt-master ~]# firewall-cmd --info-zone public
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s3 enp0s8
      sources:
      services: dhcpv6-client ssh
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    
    [root@salt-master ~]#

    How to Open and Block Ports and Services

    Add Ports 


    To open a port in the firewall, add it to a zone with the "--add-port" option. If you don't explicitly specify a zone, the port is opened in the default zone.

    The following example shows how to add ports 80 and 443 to allow inbound web traffic:

    # firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=443/tcp
    
    [root@salt-master ~]# firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=443/tcp
    success
    [root@salt-master ~]#

    Next, reload firewalld and check the public zone once more; the ports you just added should now be listed.

    # firewall-cmd --reload
    # firewall-cmd --info-zone public
    [root@salt-master ~]# firewall-cmd --reload
    success
    [root@salt-master ~]# firewall-cmd --info-zone public
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s3 enp0s8
      sources:
      services: dhcpv6-client ssh
      ports: 80/tcp 443/tcp
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    
    [root@salt-master ~]#
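    The --info-zone output above is what you check when you want to know what a host actually exposes. The script below is an added example, not part of the original article: it parses that output and reports any service or port that is not on an allowlist, so an unplanned opening (a service someone added by hand, a port left over from a test) shows up. The allowlist and the sample zone text are constructed for the example; audit_live() runs the same check against a real host with firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the original article): audit `firewall-cmd --info-zone`
# output against an allowlist of services and ports.

# Assumption: these are the only services and ports the public zone should expose.
ALLOWED_SERVICES="ssh dhcpv6-client"
ALLOWED_PORTS="80/tcp 443/tcp"

# Constructed sample in the shape of the article's --info-zone output, with two
# extra entries (telnet, 3306/tcp) that the audit should flag.
SAMPLE_ZONE_INFO='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources:
  services: dhcpv6-client ssh telnet
  ports: 80/tcp 443/tcp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_field KEY: print the space-separated values of the "  KEY: ..." line read on stdin.
zone_field() {
    sed -n "s/^  $1: *//p"
}

# in_list ITEM LIST: succeed if ITEM is one of the words in LIST.
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# audit_zone: read --info-zone output on stdin and print every service or port
# that is not allowlisted, one per line ("service NAME" / "port PORT/PROTO").
# Returns 1 if anything unexpected is exposed, 0 if the zone matches the allowlist.
audit_zone() {
    info=$(cat)
    rc=0
    for s in $(printf '%s\n' "$info" | zone_field services); do
        in_list "$s" "$ALLOWED_SERVICES" || { echo "service $s"; rc=1; }
    done
    for p in $(printf '%s\n' "$info" | zone_field ports); do
        in_list "$p" "$ALLOWED_PORTS" || { echo "port $p"; rc=1; }
    done
    return $rc
}

# audit_sample: run the audit on the constructed sample (works offline).
audit_sample() {
    printf '%s' "$SAMPLE_ZONE_INFO" | audit_zone
}

# audit_live ZONE: run the audit on this host (needs firewall-cmd; defaults to public).
audit_live() {
    firewall-cmd --info-zone "${1:-public}" | audit_zone
}

# Stand-alone run: audit the constructed sample and report.
if audit_sample; then
    echo "no unexpected exposure"
else
    echo "unexpected exposure found (listed above)"
fi
```

    On the sample the script lists "service telnet" and "port 3306/tcp" and exits non-zero, which makes it usable from cron or a configuration check where a non-zero status is the alert. Keep the allowlist next to the rest of the host's build definition so that drift is measured against what was intended, not against whatever the zone currently contains.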
    

    Remove Ports 


    To close a port in the firewall, remove it from the zone with the "--remove-port" option.

    The following example shows how to remove ports 80 and 443, closing the inbound web traffic opened above:

    # firewall-cmd --zone=public --permanent --remove-port=80/tcp --remove-port=443/tcp

    Open Services

    To open a service in the firewall, enable it with the "--add-service" option. A service is a predefined set of ports and protocols (see the list from --get-services above).

    The following command permanently enables the http service in the public zone:

    # firewall-cmd --zone=public --permanent --add-service=http
    # firewall-cmd --reload 

    Remove Services

    Likewise, the "--remove-service" option can be used to block a service again.

    # firewall-cmd --zone=public --permanent --remove-service=http
    # firewall-cmd --reload 

    Whitelist an IP address

    To whitelist or allow access from an IP or range of IPs, bind the address to a zone as a source. Traffic from that source is then handled by that zone's rules; without an explicit --zone, the source is added to the default zone, so to allow everything from the address you would add it to the trusted zone instead.

    # firewall-cmd --permanent --add-source=192.168.1.24

    You can also allow a range of IPs using CIDR notation.

    # firewall-cmd --permanent --add-source=192.168.1.0/24

    Remove Whitelisted IP address

    To remove a whitelisted IP or IP range, use the --remove-source option.

    # firewall-cmd --permanent --remove-source=192.168.1.24

    Block an IP address

    Rich rules are needed to block an IP. Rich rules are similar in form to the way iptables rules are written; the following rejects all traffic from a single address.

    # firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.24' reject"

    You can again use CIDR notation to block a range of IP addresses.

    # firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

    Remove a rich rule

    To remove a rich rule, use the --remove-rich-rule option. The rule text must be specified exactly as it was added; for example, to remove a rule that accepts TCP port 3306 from 192.168.1.24:

    # firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.24" port protocol="tcp" port="3306" accept'

    Next, reload firewalld and check the public zone once more; the "rich rules" section should reflect the rules you added or removed.

    # firewall-cmd --reload
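    Every change in the sections above follows the same pattern: add or remove in the permanent configuration, then reload. When this is scripted, the pattern becomes fragile, because firewall-cmd reports an error when a port, service or rich rule already exists, and a reload on every run is unnecessary. The script below is an added example, not part of the original article or of firewalld: each helper first queries the permanent configuration with --query-service, --query-port or --query-rich-rule (which exit 0 when the entry exists and 1 when it does not) and only adds what is missing, and the reload happens only if something changed. The baseline (ssh, 443/tcp and the reject rule from the previous section) and the FWCMD variable, which lets a stand-in replace the real binary for testing, are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original article): apply firewalld changes
# idempotently. Safe to re-run; reports how many entries it actually added.

# Assumption: FWCMD is the firewall-cmd binary. It is a variable so that a
# test or dry run can point it at a stand-in function instead of the real tool.
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"
CHANGES=0

# ensure_service NAME: add service NAME to $ZONE permanently if it is absent.
ensure_service() {
    if "$FWCMD" --permanent --zone="$ZONE" --query-service="$1" >/dev/null 2>&1; then
        return 0
    fi
    "$FWCMD" --permanent --zone="$ZONE" --add-service="$1" >/dev/null
    CHANGES=$((CHANGES + 1))
}

# ensure_port PORT/PROTO: add the port to $ZONE permanently if it is absent.
ensure_port() {
    if "$FWCMD" --permanent --zone="$ZONE" --query-port="$1" >/dev/null 2>&1; then
        return 0
    fi
    "$FWCMD" --permanent --zone="$ZONE" --add-port="$1" >/dev/null
    CHANGES=$((CHANGES + 1))
}

# ensure_rich_rule RULE: add the rich rule if it is absent. The full rule text
# is the key, which is why removing a rich rule later needs the identical string.
ensure_rich_rule() {
    if "$FWCMD" --permanent --zone="$ZONE" --query-rich-rule="$1" >/dev/null 2>&1; then
        return 0
    fi
    "$FWCMD" --permanent --zone="$ZONE" --add-rich-rule="$1" >/dev/null
    CHANGES=$((CHANGES + 1))
}

# apply_baseline: the desired state for this host (constructed for the example).
# Reloads only when something was added, so an unchanged host causes no reload.
apply_baseline() {
    CHANGES=0
    ensure_service ssh
    ensure_port 443/tcp
    ensure_rich_rule "rule family='ipv4' source address='192.168.1.24' reject"
    if [ "$CHANGES" -gt 0 ]; then
        "$FWCMD" --reload >/dev/null
    fi
    echo "entries added: $CHANGES"
}

# Stand-alone run on a real host (needs root and firewall-cmd): sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_baseline
fi
```

    Run it a second time and it reports zero additions and performs no reload, which is the property you want from anything that runs from configuration management or cron. Removals are handled the same way with the matching --query and --remove options; the exact-string requirement for rich rules is the usual source of "rule not found" errors, so keep the rule text in one place in the script.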
    
