How to setup Firewall using FirewallD

What is FirewallD?

FirewallD is a firewall management solution used in Linux distributions. A firewall helps secure the server and gives you more control over which traffic it accepts. We will learn some basic FirewallD commands; once you are comfortable with them, you can explore the more advanced options of the firewall-cmd command.

What are Firewall Zones?

Zones are sets of rules that define which traffic is allowed over the network. If your computer frequently moves between networks, for example a laptop, you can define multiple firewall zones with different sets of rules. Which zone applies depends on the level of trust you have in a particular network. For a server, however, zones are less important because the network environment rarely changes.

A few examples of zones are as follows:

  1. Trusted: The most trusted zone, where you trust all the machines on the network.
  2. Work: You trust most of the computers on the network.
  3. Public: An untrusted network. You do not trust any other computer on the network.
  4. Drop: All incoming connections are dropped without a reply. This is the lowest level of trust.

How to install and configure FirewallD?

Most of the time FirewallD is installed by default. However, if firewalld is not installed, you can install it on CentOS 7 as follows:

# sudo yum install firewalld

After the installation is complete, you have to enable FirewallD and reboot your server.

# sudo systemctl enable firewalld
# sudo reboot

After the reboot, you can check the status of your firewall by running this command:

# sudo firewall-cmd --state

Output:
running

Check default Settings

Once firewalld is installed, a few default settings are already configured. We can check those settings.

Check Default Zone

The default zone is set to public because we have not run any firewall commands yet.

# sudo firewall-cmd --get-default-zone

Output:
public

You can also check which zones are active at the moment:

# sudo firewall-cmd --get-active-zones

Output:
public
     interfaces: eth0

Check all the rules associated with all zones

You can check the full configuration of the default zone, including the services and ports associated with it, with the following command (firewall-cmd --list-all-zones prints the same details for every configured zone):

# sudo firewall-cmd --list-all

Output:
public (default, active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Change the Zone for your interface

One of the most common commands is to change the zone associated with your interface. You can run the following command to achieve this:

# sudo firewall-cmd --zone=home --change-interface=eth0

Output:
success

Change Default Zone

Once you change the zone associated with your interface, you should also update the default zone so that it corresponds with your interface. You can change your default zone as follows:

# sudo firewall-cmd --set-default-zone=work

Add Service or Ports to the Zone

Another important command allows a service, such as Samba, SSH, HTTP, or HTTPS, into your default zone or into a named zone.

Here are a few examples of the command:

# sudo firewall-cmd --add-service=http

# sudo firewall-cmd --zone=work --add-service=samba

# sudo firewall-cmd --zone=public --permanent --add-service=https

# sudo firewall-cmd --add-port=5000/tcp

Note that a change made without --permanent applies only to the running configuration and is lost on the next reload or reboot, while a change made with --permanent is saved to disk but takes effect only after a firewall-cmd --reload. To check the list of services or ports that are allowed in a zone, you can run the following commands:

# sudo firewall-cmd --zone=public --list-services

# sudo firewall-cmd --zone=public --list-ports
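As an added example that is not part of the original tutorial, the shell functions below parse the firewall-cmd --list-all output format shown above and report any service or port open in the zone that is not on an allowlist, so you can verify after adding services that only what you intended is exposed. The sample output and the allowlists are constructed; on a real host substitute the live output of sudo firewall-cmd --list-all.

```bash
#!/usr/bin/env bash
# Constructed sample of `firewall-cmd --list-all` output (same layout as the
# tutorial's output above, with http and 5000/tcp added to the zone).
SAMPLE_LIST_ALL='public (default, active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh dhcpv6-client http
  ports: 5000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
'

# Print the value of one single-word "key:" line (services, ports, interfaces, ...)
# from list-all output. Usage: zone_field "$output" services
zone_field() {
  printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Report every service or port open in the zone that is missing from the
# space-separated allowlists. Returns 1 if anything unexpected is exposed.
# Usage: unexpected_exposure "$output" "ssh dhcpv6-client" "443/tcp"
unexpected_exposure() {
  local output="$1" allowed_services="$2" allowed_ports="$3" item found=0
  for item in $(zone_field "$output" services); do
    case " $allowed_services " in
      *" $item "*) ;;
      *) echo "service not in allowlist: $item"; found=1 ;;
    esac
  done
  for item in $(zone_field "$output" ports); do
    case " $allowed_ports " in
      *" $item "*) ;;
      *) echo "port not in allowlist: $item"; found=1 ;;
    esac
  done
  return $found
}

# Run against the constructed sample: only ssh and dhcpv6-client are expected,
# so http and 5000/tcp are reported.
unexpected_exposure "$SAMPLE_LIST_ALL" "ssh dhcpv6-client" "" || echo "review exposed services"
```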
