Getting started with FIREWALLD in RHEL/CentOS 7
Earlier we discussed SELinux, which helps us secure our system. In addition to using SELinux, we should also enable our system's firewall. Starting with RHEL 7, Firewalld was introduced as the replacement for IPtables; you can still use IPtables, but you should rather avoid it since Red Hat has replaced it with Firewalld. We have to pick one of the two, because running both at the same time leads to conflicts.
Firewalld is a firewall management tool that acts as a frontend for the IPtables packet filtering system. It implements policies using ‘zones’ & ‘services’ instead of the ‘chains’ & ‘rules’ of iptables. So before we proceed to configuring Firewalld on our server, let’s learn about the different zones.
To get a list of all available zones, run
Here is a list of all the available zones with a brief description of each,
BLOCK Zone – Only connections initiated from the server itself are allowed. All incoming connections are rejected with an icmp-host-prohibited message.
DMZ Zone – Only selected incoming connections are allowed. Used for computers placed in isolation/a DMZ.
DROP Zone – All incoming packets are dropped without any reply; only outgoing connections are possible. It’s the lowest level of trust.
EXTERNAL Zone – Used when the machine acts as a gateway. NAT masquerading is enabled, which keeps the internal network private but accessible.
INTERNAL Zone – The internal counterpart of the External zone. Other computers are mostly trusted and a few more services are available.
HOME Zone – Used in home environments, where other computers on the network are mostly trusted.
PUBLIC Zone – Used in public/untrusted environments. Selected services may be allowed on a case-by-case basis.
TRUSTED Zone – Used when the environment is fully trusted. All connections are allowed.
WORK Zone – Used for work environments where the internal networks are defined. Most computers are trusted, with a few services allowed.
Now let’s move on to configuring our firewall for use,
Starting/Stopping the service
To start the firewall, run the following
To stop it,
To verify the current status, run
Also enable the service so it starts after each reboot,
To get the current default zone,
The default zone is usually ‘Public’. To check which zone a particular interface belongs to,
To change the default zone to the one you need, for example the ‘INTERNAL Zone’, run the following
To change the zone of an interface,
Check that the zone has been changed by running,
Note – A zone change for a network interface made this way lasts only for the current session. To permanently change the zone of an interface, we need to edit the network interface file, i.e. open /etc/sysconfig/network-scripts/ifcfg-enp0s1 & add the following
Save & exit the file. The interface's zone change is now permanent.
Adding Services in zone
Once we have set a zone as per our needs, we can add/remove services in the zone. To get the list of available services, run
To add a service to the current zone, use the following command,
We can also open a service by its port number,
Removing Services from the zone
To remove a service from the zone,
Permanently adding a service to zone
The above command adds a service to the zone only temporarily. To add the service permanently to our Firewalld policy & keep those rules after a reboot, we should use the ‘--permanent’ parameter,
Verify the services by running,
Adding an IP address range
To open a complete IP address range on our Firewalld, run
Note – Make sure you reload the firewall after modifying services,
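Putting the zone, service, port and source steps above together, here is an added example (not commands from the tutorial) that generates a permanent Firewalld policy for one interface, validates the inputs first, and finishes with the reload and a listing for verification. The zone, interface, services, port and address range used are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the tutorial: print the firewall-cmd invocations for a
# permanent firewalld policy (zone, interface, services, ports, source range),
# ending with a reload and a listing to verify. Inputs below are constructed.
# To enforce it on a RHEL/CentOS 7 host, run as root: sh this.sh | sh -e

KNOWN_ZONES="block dmz drop external home internal public trusted work"

# Succeed only if $1 is one of firewalld's predefined zones.
valid_zone() {
    for z in $KNOWN_ZONES; do
        [ "$z" = "$1" ] && return 0
    done
    return 1
}

# Succeed only if $1 has the port/proto form --add-port expects, e.g. 8080/tcp.
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}/(tcp|udp)$'
}

# Every rule carries --permanent so it survives a reboot; permanent rules only
# take effect after --reload, which is why the policy ends with one.
build_policy() {
    zone=$1; iface=$2; services=$3; ports=$4; src=$5
    valid_zone "$zone" || { echo "unknown zone: $zone" >&2; return 1; }
    # Persistent interface-to-zone binding (the tutorial instead edits the
    # interface's ifcfg file to achieve this).
    echo "firewall-cmd --permanent --zone=$zone --change-interface=$iface"
    for s in $services; do
        echo "firewall-cmd --permanent --zone=$zone --add-service=$s"
    done
    for p in $ports; do
        valid_port "$p" || { echo "bad port spec: $p" >&2; return 1; }
        echo "firewall-cmd --permanent --zone=$zone --add-port=$p"
    done
    if [ -n "$src" ]; then
        echo "firewall-cmd --permanent --zone=$zone --add-source=$src"
    fi
    echo "firewall-cmd --reload"
    echo "firewall-cmd --zone=$zone --list-all"
}

# Dry run with constructed inputs: internal zone on enp0s1, ssh and http,
# port 8080/tcp, and a LAN range added as a trusted source.
build_policy internal enp0s1 "ssh http" "8080/tcp" "192.168.1.0/24"
```

Review the printed commands before piping them into a shell; a typo in the zone or port spec is rejected before anything is generated.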
This completes our tutorial on Firewalld. I hope you now have a basic understanding of what firewalld is & how to use it. If you have any queries/suggestions, please use the comment box below.