What is firewalld? How to configure firewalld in CentOS

Firewalld is a utility that lets us manage firewall rules. It is the default firewall on CentOS.

Installing and starting firewalld

Some CentOS systems may not have firewalld installed. To install it, enter:

yum install firewalld

To start it automatically at boot, enter:

systemctl enable firewalld

And to start the service:

systemctl start firewalld

General commands for managing firewalld

View the status:

firewall-cmd --state

Reload the firewalld configuration after you make changes to the rules:

firewall-cmd --reload

Reload the rules completely and reset current connections (this also reloads the netfilter kernel modules, so established connections are lost):

firewall-cmd --complete-reload

View all rules of the default zone:

firewall-cmd --list-all

Stop the service:

systemctl stop firewalld

Start the service:

systemctl start firewalld

Disable automatic start at boot:

systemctl disable firewalld

Enable automatic start at boot:

systemctl enable firewalld

Save the current runtime rules, making them permanent:

firewall-cmd --runtime-to-permanent

Rule management in firewalld

General syntax for working with rules:

firewall-cmd [option] [zone] <rule>
  • [option] – additional parameters for the rule, for example --permanent, which makes the rule permanent so that it survives a reboot. Optional.
  • [zone] – by default, rules are created for the public zone. To work with a different zone, it must be specified, for example --zone=dmz. Optional.
  • <rule> – the rule itself. Required.

Adding ports in firewalld

To open port 80:

firewall-cmd --permanent --add-port=80/tcp

--permanent – this flag makes the rule permanent, so it survives a reload and a reboot. Note that a rule added with --permanent is not active until you run firewall-cmd --reload, while a rule added without it takes effect immediately but is lost on the next reload.
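Because runtime and permanent rules can silently diverge, a check that compares the two is useful. The script below is an added example, not part of the original post: it assumes firewall-cmd is on the PATH for the live query and otherwise runs on a constructed sample listing.

```shell
#!/bin/sh
# Added example (not from the original post): report drift between the
# runtime and permanent configuration of a firewalld zone. Rules added
# without --permanent vanish on reload; rules added with --permanent are
# inactive until --reload. Both kinds of mismatch are worth catching.

# Print each item of list $1 that does not appear in list $2. Lists are
# space separated, as printed by `firewall-cmd --list-ports` and
# `firewall-cmd --list-services`.
items_not_in() {
    for a in $1; do
        found=0
        for b in $2; do
            if [ "$a" = "$b" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$a"; fi
    done
}

# Report drift for one item kind. $1 = label (port or service),
# $2 = runtime list, $3 = permanent list.
list_drift() {
    for a in $(items_not_in "$2" "$3"); do
        printf 'runtime-only %s %s (lost on reload; keep it with --runtime-to-permanent)\n' "$1" "$a"
    done
    for a in $(items_not_in "$3" "$2"); do
        printf 'permanent-only %s %s (inactive until --reload)\n' "$1" "$a"
    done
}

# Query a live host; the zone defaults to public, as it does for firewall-cmd.
zone_drift() {
    zone="${1:-public}"
    list_drift port \
        "$(firewall-cmd --zone="$zone" --list-ports)" \
        "$(firewall-cmd --permanent --zone="$zone" --list-ports)"
    list_drift service \
        "$(firewall-cmd --zone="$zone" --list-services)" \
        "$(firewall-cmd --permanent --zone="$zone" --list-services)"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_RUNTIME_PORTS="80/tcp 443/tcp 3400/tcp"
SAMPLE_PERMANENT_PORTS="80/tcp 443/tcp 6000-6200/udp"

if command -v firewall-cmd >/dev/null 2>&1; then
    zone_drift public
else
    list_drift port "$SAMPLE_RUNTIME_PORTS" "$SAMPLE_PERMANENT_PORTS"
fi
```

Run it on a host as root to see which ports and services differ between the running and the saved configuration; an empty report means the two are in sync.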

Add a rule for a specific zone:

firewall-cmd --permanent --zone=external --add-port=80/tcp

Add a port range:

firewall-cmd --permanent --add-port=6000-6200/udp

Add multiple rules with one command:

firewall-cmd --permanent --add-port=80/tcp --add-port=443/tcp

Adding a service in firewalld

Using services instead of ports makes rules easier to manage, because a service combines several ports under a single name.

View a list of available services:

firewall-cmd --get-services

Allow a service, for example ntp:

firewall-cmd --permanent --add-service=ntp

Create your own service:

firewall-cmd --permanent --new-service=name-service

Add a port such as TCP 3400 to the service:

firewall-cmd --permanent --service=name-service --add-port=3400/tcp

Set a short name and a description for convenience:

firewall-cmd --permanent --service=name-service --set-short="Service for service"
firewall-cmd --permanent --service=name-service --set-description="Long Description For Service"

Information about the created service can be obtained with the command:

firewall-cmd --info-service=name-service

Now the created service can be used to create rules, for example:

firewall-cmd --permanent --add-service=name-service

How to create rules with conditions (rich rules)

Rich rules allow you to create rules with conditions. Let's look at a few examples:

Allow the http service only for requests coming from certain IP addresses (the 192.168.0.0/24 subnet):

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'

Or for a specific port:

firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port="3333" protocol="tcp" accept'

To block a subnet, you can use the command:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.5.0/24' reject"

The list of rules with conditions can be displayed with the command:

firewall-cmd --list-rich-rules

How to delete rules in firewalld?

Deletion works like creation, but with remove instead of add, for example --remove-port (remove a port) or --remove-service (remove a service).

Remove the rule to open port 80:

firewall-cmd --permanent --remove-port=80/tcp

How to manage zones?

Rules in firewalld are grouped into zones. Each zone has its own set of rules and its own network interfaces. Use zones when different network adapters need rules of different strictness.

View a list of all available zones:

firewall-cmd --list-all-zones

View the list of zones currently in use:

firewall-cmd --get-active-zones

Information about a specific zone:

firewall-cmd --list-all --zone=public

Create a rule for the public zone:

firewall-cmd --permanent --zone=public --add-port=80/tcp

Move a network interface to another zone. First remove the adapter from its current zone, then add it to the new one:

firewall-cmd --permanent --zone=public --remove-interface=ens33
firewall-cmd --permanent --zone=internal --add-interface=ens33

Set the default action (target) for a zone:

firewall-cmd --permanent --zone=public --set-target=DROP

Create a new zone:

firewall-cmd --permanent --new-zone=custom_zone
