Getting started with FIREWALLD in RHEL/CentOS 7

Earlier we discussed about SELinux, which helps us secure our system. In addition to using SELinux, we should also enable firewall of our system. Starting with RHEL7, Firewalld was introduced which replaced IPtables, though you can still use IPtables but we should rather avoid it since Redhat has replaced it with Firewalld. We have to select one of the either as we can’t use both as it will lead to conflicts.

FIREWALLD

Firewalld is firewall management tool which acts as frontend for IPtables packet filtering system. It uses ‘Zones’ & ‘services’ as opposed to ‘chains’ & ‘rules’ used in iptables, to implement the policies. So before we proceed to configuring Firewalld on our server, let’s learn about different zones.

To get list of all available zones, run

$ firewall-cmd – -get-zones

Here is list of all the available zones with a brief description,

BLOCK Zone – Only established connections within the server will be allowed. All incoming connections are rejected with icmp-host-prohibited,

DMZ Zone– Only certain incoming connections are allowed. Used for  computers located in isolation/DMZ.

DROP Zone – All incoming connections are rejected without any reply, only outgoing connections are possible. It’s the lowest level of trust.

EXTERNAL Zone – Used when using machine as gateway. NAT Masquerading is used which keeps internal network private but accessible.

INTERNAL Zone – Other portion of External Zone. Computers are trustworthy with few more services available.

HOME Zone – Used for home environments, used to trust other computers in the network.

PUBLIC Zone – Used when in a public/untrustworthy environment. Selected services may be allowed on case by case basis.

TRUSTED Zone – Used when environment is trustworthy. All connections are allowed in the network.

WORK Zone – Internal networks are defined, used for work environment. Most computers are trusted with a few services allowed.

Now let’s move onto configuring our firewall for use,

 

Starting/Stopping the service

To start firewall, run the following

$ systemctl start firewalld.service

To stop ,

$ systemctl stop firewalld.service

To verify the current status, run

$ firewall-cmd –state

Also enable your service to run after each reboot,

$ systemctl enable firewalld.service

 

Getting Default-Zone

To get the current default zone,

$ firewall-cmd –get-default-zone

The default zone usually is ‘Public’ . To check default zone for a particular interface,

$ firewall-cmd –get-zone-of-interface=enp0s1

 

Changing Default-zone

To change the default zone to zone that you need, for example ‘INTERNAL Zone’, run the following

$ firewall-cmd –set-default-zone=internal

Changing zone for a interface,

$ firewall-cmd –zone=home –change-interface=enp0s1

Check if the zone has been changed by running,

$ firewall-cmd –get-default-zone
$ firewall-cmd –get-zone-of-interface=enp0s1

 

Note- Zone change for network interfaces is for the current session only. To  permanently change zone of a interface, we need to edit network-interface file i.e. open /etc/sysconfig/network-scripts/ifcfg-enp0s1 & add the following

ZONE=home

Save & exit the file. Your zone change for file will now be permanent.

 

Adding Services in zone

Once we have set a zone as per our need, we can add/remove services in the zone. To get the list of the available services, run

$ firewall-cmd –get-services

To add a service to current zone, use the following command,

$ firewall-cmd –zone=public –add-service=http

We can also add a service by its port number,

$ firewall-cmd –zone=public –add-port=80

 

Removing Services from the zone

To remove services from zone,

$ firewall-cmd –zone=public –remove-service=http
$ firewall-cmd –zone=public –remove-port=80

 

Permanently adding a service to zone

The above mentioned command to add a service to zone will only add service temporarily, in order to add the service permanently to our Firewalld policy & make those rules available even after a reboot we should use ‘- – permanent’ parameter,

$ firewall-cmd –zone=public –add-port=80 – -permanent
$ firewall-cmd –zone=public –add-service=http – -permanent

Verify the services by running,

$ firewall-cmd –zone=public –permanent –list-services

 

Adding an IP address range

To open a complete IP address on our Firewalld, run

$ firewall-cmd –permanent –add-source=10.20.30.0/8

 

Note :-Make sure you reload firewall after modifying services,

$ firewall-cmd –reload

 

This completes our tutorial on Firewalld. I hope you now have a basic understanding of what firewalld is & how to use it. If having any queries/suggestions, please use comment box below.

 

If you think we have helped you or just want to support us, please consider these :-

Connect to us: Facebook | Twitter | Google Plus

Become a Supporter – Make a contribution via PayPal

[paypal_donation_button align=”left” border=”1″]

Linux TechLab is thankful for your continued support.

Shusain

Passionate about Linux & open source. Loves to learn, read & write about Linux as well as new technologies.

You may also like...

Leave a Reply