In this article we will cover the fundamentals of FirewallD, the dynamic firewall manager that CentOS 7 introduced as its default firewall service. FirewallD does not filter packets itself: it manages the rules of Netfilter, the packet-filtering framework built into the Linux kernel that inspects every packet entering, leaving or passing through the system. On CentOS 7 it does this through the iptables back end, so it can be driven with the firewall-cmd tool instead of hand-written iptables rules.
Prerequisites
You can configure your firewall settings in three ways:
- Direct editing of the configuration files under /etc/firewalld
- The graphical firewall-config tool
- The firewall-cmd command-line tool in a terminal
All of the firewall-cmd examples below assume that the firewalld service is installed and running.
Search
- Zone
# list the names of all zones defined on the system
sudo firewall-cmd --get-zones
# show the default zone, i.e. the zone interfaces fall into when they are not explicitly assigned
sudo firewall-cmd --get-default-zone
# list the active zones and the network interfaces (or sources) bound to each of them
sudo firewall-cmd --get-active-zones
# show everything configured in the public zone: target, interfaces, services, ports, rich rules
sudo firewall-cmd --list-all --zone="public"
# the same for every zone at once (the full configuration, not just the names as with --get-zones)
sudo firewall-cmd --list-all-zones
- Service
# list every service firewalld knows about: the definitions shipped in /usr/lib/firewalld/services plus your own in /etc/firewalld/services
sudo firewall-cmd --get-services
# list the services allowed in a particular zone (without --zone, the default zone is shown)
# note: the FedoraWorkstation zone used in some guides exists only on Fedora, not on CentOS 7; use a zone from --get-zones
sudo firewall-cmd --zone=public --list-services
- Port
# list the ports opened explicitly (rather than through a service) in the default zone; add --zone=... for another zone
sudo firewall-cmd --list-ports
Add
- build a customized firewalld zone
The zone definitions shipped with the system live in /usr/lib/firewalld/zones and user-defined zones in /etc/firewalld/zones; a file with the same name in /etc/firewalld/zones overrides the system copy. Use the following command to create a customized zone that permits the ssh and http (Apache) services, i.e. ports 22 and 80. The file must be saved as <zonename>.xml directly under /etc/firewalld/zones, because that file name becomes the zone name, and firewalld limits zone names to 17 characters (the name is embedded in the iptables chain names it generates). The service names must be ones firewalld knows about (see --get-services): there is no predefined service called apache, the Apache web server is covered by the http service, and a zone that references an unknown service is rejected when firewalld reloads.
sudo vim /etc/firewalld/zones/mysecure.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>linuxtecksecure</short>
  <description>For use in Corporate areas.</description>
  <!-- use the predefined service names: Apache is "http", there is no "apache" service -->
  <service name="http"/>
  <service name="ssh"/>
  <!-- the explicit port entries below duplicate what the two services already open;
       they are kept only to show the <port> syntax and can be dropped -->
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
</zone>
Save and exit, then reload firewalld so that it reads the new file:
sudo firewall-cmd --reload
# re-check the available zones; mysecure should now be listed. Defining the zone does not filter
# anything by itself: it takes effect only once an interface or source is bound to it (see Modify below)
sudo firewall-cmd --get-zones
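A hand-written zone file is worth checking before you reload, because a zone that references an unknown service name (such as apache) is rejected outright, and an over-wide port range or a port that a listed service already opens is easy to overlook. The linter below is an added example written for this article; it is not part of firewalld or of the original post. It reads the real service definitions from /usr/lib/firewalld/services when that directory exists and otherwise falls back to a small constructed subset embedded in the script; the 17-character name limit is firewalld's documented one, the WIDE_RANGE threshold is an arbitrary choice of this example, and the sample zone text is the article's zone reproduced with its original apache mistake so that the linter has something to catch.

```python
#!/usr/bin/env python3
"""Lint a firewalld zone file before `firewall-cmd --reload` (added example)."""
import os
import xml.etree.ElementTree as ET

MAX_ZONE_NAME = 17                      # firewalld's documented zone-name limit
WIDE_RANGE = 1024                       # flag any single <port> entry this wide or wider (arbitrary)
VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}

# Constructed fallback: a small subset of the services firewalld ships, with the
# ports their /usr/lib/firewalld/services/<name>.xml files open. Used only when
# the real services directory is not readable (e.g. linting off-box).
FALLBACK_SERVICES = {
    "ssh": {("tcp", "22")},
    "http": {("tcp", "80")},
    "https": {("tcp", "443")},
    "ftp": {("tcp", "21")},
    "nfs": {("tcp", "2049"), ("udp", "2049")},
    "samba": {("udp", "137"), ("udp", "138"), ("tcp", "139"), ("tcp", "445")},
    "dhcpv6-client": {("udp", "546")},
}

# Constructed sample: the article's zone with its original mistake ("apache") left in.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>linuxtecksecure</short>
  <description>For use in Corporate areas.</description>
  <service name="apache"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
</zone>
"""


def load_known_services(services_dir="/usr/lib/firewalld/services"):
    """Map service name -> set of (protocol, port) from firewalld's service
    definitions, falling back to the constructed subset above."""
    if not os.path.isdir(services_dir):
        return {name: set(ports) for name, ports in FALLBACK_SERVICES.items()}
    known = {}
    for fname in os.listdir(services_dir):
        if not fname.endswith(".xml"):
            continue
        root = ET.parse(os.path.join(services_dir, fname)).getroot()
        known[fname[:-4]] = {(p.get("protocol"), p.get("port")) for p in root.iter("port")}
    return known


def port_range(spec):
    """Parse a firewalld port attribute ('80' or '1025-65535') into (lo, hi)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {spec}")
    return lo, hi


def lint_zone(zone_name, xml_text, known_services):
    """Return a list of findings; an empty list means the zone should load cleanly."""
    findings = []
    if len(zone_name) > MAX_ZONE_NAME:
        findings.append(f"zone name '{zone_name}' is {len(zone_name)} chars; limit is {MAX_ZONE_NAME}")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return findings + [f"malformed XML: {exc}"]
    if root.tag != "zone":
        findings.append(f"root element is <{root.tag}>, expected <zone>")
    opened_by_service = {}                      # (proto, port) -> service that already opens it
    for svc in root.iter("service"):
        name = svc.get("name")
        if name not in known_services:
            findings.append(f"unknown service '{name}': firewalld rejects the zone (no services/{name}.xml)")
            continue
        for proto, port in known_services[name]:
            opened_by_service[(proto, port)] = name
    for p in root.iter("port"):
        proto, spec = p.get("protocol"), p.get("port", "")
        if proto not in VALID_PROTOCOLS:
            findings.append(f"port {spec}: invalid protocol '{proto}'")
            continue
        try:
            lo, hi = port_range(spec)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if (proto, spec) in opened_by_service:
            findings.append(f"{spec}/{proto} is already opened by service '{opened_by_service[(proto, spec)]}'")
        if hi - lo + 1 >= WIDE_RANGE:
            findings.append(f"{spec}/{proto} opens {hi - lo + 1} ports; open only what the host serves")
    return findings


def lint_zone_file(path, known_services=None):
    """Lint a file under /etc/firewalld/zones; the file name is the zone name."""
    zone_name = os.path.splitext(os.path.basename(path))[0]
    with open(path, encoding="utf-8") as fh:
        return lint_zone(zone_name, fh.read(), known_services or load_known_services())


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            for finding in lint_zone_file(path):
                print(f"{path}: {finding}")
    else:
        for finding in lint_zone("mysecure", SAMPLE_ZONE_XML, load_known_services()):
            print(f"sample: {finding}")
```

Run it with no arguments to lint the embedded sample (it reports the unknown apache service and the redundant 22/tcp entry), or pass one or more zone files, e.g. /etc/firewalld/zones/mysecure.xml, before running firewall-cmd --reload.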
- add an existing service to the default zone
sudo firewall-cmd --add-service=nfs
# verify: with no --zone, --list-services shows the default zone, which is where the service was added
sudo firewall-cmd --list-services
- Changes made without --permanent take effect immediately but live only in the runtime configuration; they are discarded by a --reload or a restart of firewalld. To keep a rule across reloads, add it with the --permanent parameter. That writes it to /etc/firewalld but does not apply it to the running firewall until the service is reloaded, so to both apply and persist a rule run the command once with and once without --permanent, or add it at runtime and then use --runtime-to-permanent (see Modify below).
sudo firewall-cmd --permanent --add-service=ftp
sudo firewall-cmd --reload
- open ports in the public zone (runtime only; add --permanent to persist them)
# NetBIOS session service (139/tcp) and name service (137/udp)
sudo firewall-cmd --zone=public --add-port=139/tcp
sudo firewall-cmd --zone=public --add-port=137/udp
# a range is written as low-high. The two lines below open the whole unprivileged range to the public
# zone, which exposes every service that happens to listen on a high port and is rarely what you want;
# open only the specific ports you need, or use the predefined samba service (137/udp, 138/udp,
# 139/tcp, 445/tcp) for the NetBIOS case above
sudo firewall-cmd --zone=public --add-port=1025-65535/tcp
sudo firewall-cmd --zone=public --add-port=1025-65535/udp
Delete
Modify
- Usually we test rules in the runtime configuration first and, once they work, make them permanent. --runtime-to-permanent copies the whole current runtime configuration (every zone) into the permanent configuration, so run it before any --reload, which would discard the runtime changes instead.
# migrate my runtime settings to permanent
sudo firewall-cmd --runtime-to-permanent
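The gap between runtime and permanent configuration is easiest to see by diffing the two. The script below is an added example written for this article, not part of firewalld or of the original post: it parses the output of firewall-cmd --list-all-zones, taken once without and once with --permanent, reports which entries exist only at runtime (they would be lost by --reload) or only in the permanent configuration (they would appear on --reload), and prints the firewall-cmd --permanent commands that persist just the runtime-only entries, a narrower alternative to --runtime-to-permanent, which copies everything. The embedded sample outputs are constructed in the CentOS 7 output format; the --live flag and the capture() helper are this script's own.

```python
#!/usr/bin/env python3
"""Diff firewalld runtime vs permanent zone configuration (added example)."""
import subprocess

# Keys of `firewall-cmd --list-all-zones` output that hold sets of rule entries,
# mapped to the firewall-cmd flag that adds one such entry.
RULE_FLAGS = {
    "services": "--add-service",
    "ports": "--add-port",
    "protocols": "--add-protocol",
    "source-ports": "--add-source-port",
    "forward-ports": "--add-forward-port",
    "icmp-blocks": "--add-icmp-block",
    "rich rules": "--add-rich-rule",
}

# Constructed samples: a public zone where nfs, two ports and a rich rule were
# added at runtime only, while ftp was added with --permanent but not yet reloaded.
SAMPLE_RUNTIME = """public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s1
  sources:
  services: dhcpv6-client ssh nfs
  ports: 139/tcp 137/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
"""

SAMPLE_PERMANENT = """public
  target: default
  icmp-block-inversion: no
  interfaces: enp1s1
  sources:
  services: dhcpv6-client ssh ftp
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_list_all(text):
    """Parse --list-all / --list-all-zones output into {zone: {key: set(entries)}}.
    Key lines are indented two spaces and split on whitespace; tab-indented
    continuation lines (rich rules) contribute one entry per line."""
    zones, zone, key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("\t") and zone and key:      # rich-rule continuation line
            zones[zone][key].add(line.strip())
        elif line.startswith("  "):                      # "  key: value value ..."
            key, _, value = line.strip().partition(":")
            zones[zone][key] = set(value.split())
        else:                                            # "public (active)" -> "public"
            zone, key = line.split()[0], None
            zones[zone] = {}
    return zones


def drift(runtime, permanent):
    """Per zone and rule key: (entries only at runtime, entries only in permanent)."""
    out = {}
    for zone in sorted(set(runtime) | set(permanent)):
        rt, pm = runtime.get(zone, {}), permanent.get(zone, {})
        for key in RULE_FLAGS:
            a, b = rt.get(key, set()), pm.get(key, set())
            if a != b:
                out.setdefault(zone, {})[key] = (a - b, b - a)
    return out


def persist_commands(drift_map):
    """firewall-cmd commands that persist only the runtime-only entries."""
    cmds = []
    for zone, keys in drift_map.items():
        for key, (runtime_only, _) in keys.items():
            for entry in sorted(runtime_only):
                cmds.append(f"firewall-cmd --permanent --zone={zone} {RULE_FLAGS[key]}='{entry}'")
    return cmds


def capture(*extra):
    """Run firewall-cmd on this host (needs firewalld; not used for the samples)."""
    return subprocess.run(["firewall-cmd", "--list-all-zones", *extra],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        rt, pm = parse_list_all(capture()), parse_list_all(capture("--permanent"))
    else:
        rt, pm = parse_list_all(SAMPLE_RUNTIME), parse_list_all(SAMPLE_PERMANENT)
    d = drift(rt, pm)
    for zone, keys in d.items():
        for key, (runtime_only, permanent_only) in keys.items():
            print(f"{zone}/{key}: runtime-only={sorted(runtime_only)} permanent-only={sorted(permanent_only)}")
    print("\n".join(persist_commands(d)))
```

Without arguments it diffs the embedded samples; with --live it runs firewall-cmd twice on the local host. Review the printed commands before running them: an entry that is only in the runtime configuration may be a test rule you meant to drop, which is exactly the case where a blanket --runtime-to-permanent would persist something you did not want.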
- change the default zone
sudo firewall-cmd --get-default-zone
# change the default zone from public to work. This takes effect immediately and is also stored
# permanently, and it affects every interface that is not explicitly assigned to a zone
sudo firewall-cmd --set-default-zone=work
- move a network interface from one zone to another
# bind enp1s1 to the internal zone. Without --permanent the binding lasts only until the next reload;
# for an interface managed by NetworkManager the persistent binding is the ZONE= setting of its ifcfg file
sudo firewall-cmd --zone=internal --change-interface=enp1s1
# verify: enp1s1 should now be listed under internal
sudo firewall-cmd --get-active-zones