How to setup Firewall using FirewallD
What is FirewallD?
FirewallD is the firewall management service used by many Linux distributions. A host firewall makes the server harder to reach and gives you fine-grained control over which traffic it accepts. We will cover the basic firewall-cmd commands here; once you are comfortable with them, you can explore the more advanced options of FirewallD.
What are Firewall Zones?
A zone is a set of rules that defines which traffic is allowed in from the network. If your computer frequently moves between networks, for example a laptop, you can define multiple firewall zones with different sets of rules. Each zone corresponds to the level of trust you have in a particular network. For a server, zones matter less, because its network environment rarely changes.
A few examples of zones are as follows:
- Trusted: Most trusted zone where you can trust all the machines over the network.
- Work: Trust most of the computers in the network.
- Public: Untrusted network. You do not trust any other computer on the network.
- Drop: All connections are dropped without a reply. It is the lowest level of trust.
How to install and configure FirewallD?
On most systems FirewallD is installed by default. If it is not, you can install it on CentOS 7 as follows:
# sudo yum install firewalld
After the installation is complete, you have to enable FirewallD and reboot your server.
# sudo systemctl enable firewalld
# sudo reboot
After reboot, you can check the status of your Firewall by running this command:
# sudo firewall-cmd --state
Output:
running
Check default Settings
Once the firewalld is installed, a few default settings are configured within the firewall. We can check those settings.
Check Default Zone
The default zone is set to public because we have not run any firewall commands yet.
# sudo firewall-cmd --get-default-zone
Output:
public
You can also check which zones are active at the moment, and which interface each one is bound to:
# sudo firewall-cmd --get-active-zones
Output:
public
interfaces: eth0
Check all the rules associated with all zones
You can print the zone that is currently in effect together with every setting associated with it. Note that --list-all shows the default zone only (as in the output below); to print every configured zone at once, use --list-all-zones.
# sudo firewall-cmd --list-all
Output:
public (default, active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Change the Zone for your interface
One of the most common commands is the one that changes the zone associated with your interface. You can run the following command to do so:
# sudo firewall-cmd --zone=home --change-interface=eth0
Output:
success
Change Default Zone
Once you change the zone associated with your interface, you will also have to update the default zone so that it corresponds with your interface. You can change the default zone as follows:
# sudo firewall-cmd --set-default-zone=work
Add Service or Ports to the Zone
Another important command allows a service, such as Samba, SSH, HTTP or HTTPS, in your default zone (or in a named zone when you pass --zone=).
Here are a few examples. Without --permanent the change applies to the running configuration only and is lost on the next reload or reboot; add --permanent to write it to the saved configuration, and then run firewall-cmd --reload to apply the saved rules:
# sudo firewall-cmd --add-service=http
# sudo firewall-cmd --zone=work --add-service=samba
# sudo firewall-cmd --zone=public --permanent --add-service=https
# sudo firewall-cmd --add-port=5000/tcp
To check the list of services or ports that are allowed in a zone, you can run the following commands (with --permanent they show the saved configuration instead of the running one):
# sudo firewall-cmd --zone=public --list-services
# sudo firewall-cmd --zone=public --list-ports
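As an added example (not part of the original tutorial), here is a small POSIX shell audit that parses the output of firewall-cmd --list-all, as shown above, and reports any service or port the zone exposes that is not on your allowlist. The listing below is a constructed sample; zone_field and audit_zone are helper names introduced here.

```shell
#!/bin/sh
# Constructed sample: output of `firewall-cmd --list-all` after the
# tutorial's --add-service=http and --add-port=5000/tcp commands.
SAMPLE_LISTING='public (default, active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 5000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the space-separated values of one "key:" line of a zone listing.
zone_field() {  # $1 = listing text, $2 = key (e.g. services, ports)
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Report every service or port in the listing that is not on the allowlist.
# Returns 0 when the zone matches policy, 1 when something unexpected is open.
audit_zone() {  # $1 = listing, $2 = allowed services, $3 = allowed ports
    unexpected=""
    for svc in $(zone_field "$1" services); do
        case " $2 " in *" $svc "*) ;; *) unexpected="$unexpected service:$svc" ;; esac
    done
    for port in $(zone_field "$1" ports); do
        case " $3 " in *" $port "*) ;; *) unexpected="$unexpected port:$port" ;; esac
    done
    [ -z "$unexpected" ] && return 0
    printf 'unexpected exposure:%s\n' "$unexpected"
    return 1
}

# Stand-alone run against the constructed sample: only SSH and HTTP are
# expected, so dhcpv6-client and 5000/tcp are reported.
audit_zone "$SAMPLE_LISTING" "ssh http" "" || true

# On a real host, audit the live zone instead of the sample:
#   audit_zone "$(sudo firewall-cmd --list-all)" "ssh http" ""
```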