Firewalld Tutorial: Beginners to Advanced Guide To Linux Firewall

Er Ravindra Pawadia
5 min readSep 20, 2020


Firewalld is the default utility for managing the host-based firewall in CentOS 7/RHEL 7. Earlier releases were managed directly with iptables. Under the hood, firewalld on RHEL 7 still programs iptables rules; what it adds is a higher-level configuration layer (zones and services) that can be changed at runtime without flushing and reloading the whole rule set. The iptables service still exists, and if you prefer to use it on a CentOS/RHEL 7 machine you must stop and mask the firewalld service first, otherwise the two tools fight over the same netfilter rules. In many ways firewalld is easier to manage and configure than raw iptables.

See Also : Iptables Tutorial — Beginners to Advanced Guide To Linux Firewall

Firewalld is based on the concepts of zones and services, whereas iptables works with chains and rules. By assigning interfaces (or source addresses) to zones and enabling services in those zones, you control which traffic is allowed to reach the server and which is denied.

Below is the list of the predefined zones in firewalld.

  • DROP : Lowest level of trust. All incoming packets are dropped without any reply; only outgoing connections are possible.
  • BLOCK : Similar to DROP, but incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6, so the sender learns that the connection was refused. Only outgoing connections are possible.
  • PUBLIC : Represents public, untrusted networks. You do not trust the other computers on the network, but you can allow selected incoming connections. This is the default zone.
  • EXTERNAL : For use on external networks with NAT masquerading enabled, when your firewall acts as a gateway or router.
  • INTERNAL : For use on internal networks when your firewall acts as a gateway or router. The other computers are fairly trustworthy.
  • DMZ : For machines in a demilitarized zone that have limited access to the rest of your network. Only selected incoming connections are allowed.
  • WORK : For machines in a work environment; the other computers on the network are generally trusted.
  • HOME : For machines in a home environment; the other computers on the network are generally trusted.
  • TRUSTED : All network connections are accepted; every machine on the network is trusted.

Firewalld keeps two separate configuration sets.

  • Runtime configuration : The rules that are actually loaded in the kernel right now. Changes made with firewall-cmd without the --permanent option take effect immediately but are lost on a reload or reboot.
  • Permanent configuration : The on-disk configuration under /etc/firewalld that is loaded at boot and on firewall-cmd --reload. Changes made with the --permanent option are written here but do not touch the running rules until the next reload.

On RHEL-based systems (CentOS 7), firewalld is installed by default. If it is not installed on your system, you can install the package with the following command.

$ sudo yum install firewalld

After installing the package, enable it so that it starts automatically on boot, and start it now:

$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld

Right after a fresh install the service is not yet running. You can check its state with the following command:

$ sudo firewall-cmd --state
#output
running

On a host where firewalld has never been started you get not running instead of running.

Overview of Current Firewall Rules

You can see which zone is currently the default by executing the command below:

$ firewall-cmd --get-default-zone
#output
public

You can list all the available zones with the following command:

$ sudo firewall-cmd --get-zones
#output
block dmz drop external home internal public trusted work

Interfaces that have not been explicitly assigned to a zone fall into the default zone. To see which zones are actually in use, and by which interfaces or source ranges, run:

$ sudo firewall-cmd --get-active-zones
#output
public
  interfaces: ens33

To see what the default zone allows (interfaces, services, ports, rich rules and so on), run --list-all without a zone argument:

$ sudo firewall-cmd --list-all

You can inspect a specific zone by adding the --zone= parameter to the --list-all command:

$ sudo firewall-cmd --zone=home --list-all
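
Once you know how to read --list-all, it is worth turning that into a repeatable check. The following POSIX shell script is an added example and not part of the original tutorial: it parses the text that firewall-cmd --zone=<zone> --list-all prints (a constructed sample is embedded so the script runs offline) and reports any service or port that is not on an allow-list, so a stray --add-port left behind after a debugging session fails a routine audit. The helper names list_all_field and audit_zone and the allow-lists are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a zone's exposure from
# the text that `firewall-cmd --zone=<zone> --list-all` prints. Every entry in
# the "services:" and "ports:" fields that is not on an allow-list is reported.
#
# SAMPLE_LIST_ALL is constructed for this example; on a real host use
#   firewall-cmd --zone=public --list-all
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh dhcpv6-client http https cockpit
  ports: 4000/tcp 3990-3999/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Print the values of one field ("services" or "ports") from --list-all output
# read on stdin, one entry per line. A field with no values prints nothing.
list_all_field() {
    awk -v f="$1" '$1 == (f ":") { for (i = 2; i <= NF; i++) print $i }'
}

# audit_zone LIST_ALL_OUTPUT "allowed services" "allowed ports"
# Prints every unexpected entry as "service NAME" or "port PORT/PROTO".
# Returns 0 when the zone matches policy, 1 when something unexpected is open.
audit_zone() {
    _out=$1 _allowed_svcs=" $2 " _allowed_ports=" $3 " _rc=0
    for _s in $(printf '%s\n' "$_out" | list_all_field services); do
        case "$_allowed_svcs" in
            *" $_s "*) ;;
            *) echo "service $_s"; _rc=1 ;;
        esac
    done
    for _p in $(printf '%s\n' "$_out" | list_all_field ports); do
        case "$_allowed_ports" in
            *" $_p "*) ;;
            *) echo "port $_p"; _rc=1 ;;
        esac
    done
    return $_rc
}

# On a live host (only runs when a zone name is passed as the first argument):
#   sh audit-zone.sh public "ssh dhcpv6-client http https" "4000/tcp"
if [ $# -ge 1 ]; then
    audit_zone "$(firewall-cmd --zone="$1" --list-all)" "${2:-}" "${3:-}"
fi
```

Run it from cron or a configuration-management check and treat a non-zero exit as drift; the printed lines tell you exactly which --remove-service or --remove-port to issue.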

You can move an interface to another zone with the --zone option combined with --change-interface. The following command assigns the ens33 interface to the public zone:

$ sudo firewall-cmd --zone=public --change-interface=ens33

Verify the change by executing the command below:

$ sudo firewall-cmd --get-active-zones

Like other firewall-cmd changes, this is a runtime change unless you repeat it with the --permanent option.

You can change the default zone if needed with the --set-default-zone option followed by the name of the zone you want to make the default:

$ sudo firewall-cmd --set-default-zone=work

Unlike most firewall-cmd operations, --set-default-zone changes both the runtime and the permanent configuration at once, and every interface that was relying on the default zone moves immediately. You can verify the change with the following command:

$ sudo firewall-cmd --get-default-zone

For instance, if you are running a web server that serves HTTP traffic, you can allow that traffic for the interfaces in your default zone (assume the default zone is public) with the command below:

$ sudo firewall-cmd --zone=public --add-service=http
#output
success

Verify the change by executing the command below:

$ sudo firewall-cmd --zone=public --list-services

That command changed only the runtime configuration, so the rule disappears after a reload or reboot. Add the --permanent option to write the same rule into the permanent configuration:

$ sudo firewall-cmd --zone=public --permanent --add-service=http
#output
success

Note that the --permanent form on its own does not touch the running firewall; that is why both commands are run (the alternative is to issue a --reload after the permanent change). Your public zone now allows HTTP web traffic on port 80. If your web server is configured to use SSL/TLS, you also need the https service, which you add the same way:

$ sudo firewall-cmd --zone=public --add-service=https
$ sudo firewall-cmd --zone=public --permanent --add-service=https

You can open specific ports if there is no service definition for what you need. For instance, suppose your application listens on TCP port 4000. You can add this port with the --add-port option as follows:

$ sudo firewall-cmd --zone=public --add-port=4000/tcp 
#output
success

You can verify the changes with the following command:

$ sudo firewall-cmd --zone=public --list-ports

You can also open a sequential range of ports. For instance, if your application uses UDP ports 3990 to 3999, you could open this range as follows:

$ sudo firewall-cmd --zone=public --add-port=3990-3999/udp

Changes made without --permanent are live immediately and need no reload. Changes made with --permanent, and files edited under /etc/firewalld, take effect only after the permanent configuration is reloaded into the runtime:

$ sudo firewall-cmd --reload

Be aware that --reload discards any runtime-only change that was not also made permanent. Do not use --complete-reload for routine changes: it additionally reloads the netfilter kernel modules and throws away connection-tracking state, which will most likely terminate active connections. Reserve it for recovering from a badly broken firewall state.
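
Putting the runtime/permanent distinction into practice: the script below is an added example, not code from the tutorial. It opens a service or port in the runtime configuration first, verifies that firewalld actually reports it active, and only then copies the verified runtime state into the permanent configuration with --runtime-to-permanent, so a mistyped rule never reaches the on-disk configuration and no --reload is needed. The FWCMD variable and the function names open_service and open_port are this example's assumptions; FWCMD exists only so the sequence can be dry-run against a stub instead of the real firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the original tutorial): open a service the safe way.
#   1. change the runtime configuration only (live now, lost on reload/reboot)
#   2. verify that firewalld really lists it, rather than trusting "success"
#   3. copy the verified runtime state into the permanent configuration
# No --reload is involved, and a typo never lands in /etc/firewalld.
#
# FWCMD is this script's own assumption: the real tool is simply firewall-cmd,
# the indirection only allows a dry run with a stub command.
FWCMD=${FWCMD:-firewall-cmd}

# open_service ZONE SERVICE      e.g. open_service public https
open_service() {
    _zone=$1 _svc=$2
    # Runtime only: no --permanent, so it is active immediately but not saved.
    "$FWCMD" --zone="$_zone" --add-service="$_svc" >/dev/null || return 1
    # Confirm from the firewall's own view before persisting anything.
    case " $("$FWCMD" --zone="$_zone" --list-services) " in
        *" $_svc "*) ;;
        *) echo "service $_svc not active in zone $_zone" >&2; return 1 ;;
    esac
    # Persist the whole verified runtime state; equivalent to repeating every
    # runtime change with --permanent, without having to remember each one.
    "$FWCMD" --runtime-to-permanent >/dev/null
}

# open_port ZONE PORT/PROTO      e.g. open_port public 4000/tcp
open_port() {
    _zone=$1 _port=$2
    "$FWCMD" --zone="$_zone" --add-port="$_port" >/dev/null || return 1
    case " $("$FWCMD" --zone="$_zone" --list-ports) " in
        *" $_port "*) ;;
        *) echo "port $_port not active in zone $_zone" >&2; return 1 ;;
    esac
    "$FWCMD" --runtime-to-permanent >/dev/null
}

# On a live host (only runs when a zone and a service are passed):
#   sudo sh open-service.sh public https
if [ $# -ge 2 ]; then
    open_service "$1" "$2"
fi
```

If the verification step fails, nothing has been persisted and the runtime rule (if any was added) is cleared by the next --reload or reboot, which is exactly the failure mode you want when a change is wrong.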

Opening ports in a zone is easy, but it quickly becomes hard to keep track of which ports belong to which application and whether an opened port is still required at all. To avoid this situation, define a service.

Services are named collections of ports with a description (a service file can also list protocols, netfilter helper modules and destination addresses). Administering services is easier and self-documenting compared with bare port numbers. The definitions shipped with firewalld live in /usr/lib/firewalld/services; do not edit them in place, because package updates overwrite that directory. Custom or modified definitions belong in /etc/firewalld/services, which takes precedence over the shipped ones. The simplest way to start is to copy an existing service file under the name you want and adjust it as needed:

$ sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/service-example.xml

The original ssh service definition looks like this:

$ sudo cat /usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SSH</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="22"/>
</service>

Next, you can modify your service-example as follows:

$ sudo vi /etc/firewalld/services/service-example.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>service-example</short>
<description>This is just an example service. You can write your own description for your service.</description>
<port protocol="tcp" port="1111"/>
<port protocol="udp" port="2222"/>
</service>

A new service file is part of the permanent configuration only, so reload firewalld to make the definition available at runtime:

$ sudo firewall-cmd --reload

You can verify the newly added service as follows:

$ sudo firewall-cmd --get-services

Now you can use this service in your zones as you normally do.
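
Hand-editing a copied XML file works, but it is easy to commit a typo that firewalld only complains about at the next reload. The following POSIX shell script is an added example (not part of the original tutorial) that generates a service definition in the same format as the file above, after validating the name, the protocol and every port or port range. The function name new_service and its argument layout are this example's own; on a real host the output directory would be /etc/firewalld/services, followed by a reload.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate a firewalld service
# definition instead of hand-editing a copied XML file. Inputs are validated so
# a typo such as "8080/tpc" or a port above 65535 is refused before anything is
# written. The file goes to the directory given as the first argument.
#
# new_service DIR NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
new_service() {
    _dir=$1 _name=$2 _desc=$3
    shift 3
    # The name becomes a file name and the argument to --add-service, so keep
    # it to a safe character set (a restriction chosen by this script).
    case "$_name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $_name" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO required" >&2; return 1; }
    _ports=''
    for _spec in "$@"; do
        _port=${_spec%/*} _proto=${_spec##*/}
        case "$_proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "bad protocol in $_spec" >&2; return 1 ;;
        esac
        # Accept a single port or a low-high range, each end within 1..65535.
        _lo=${_port%-*} _hi=${_port#*-}
        for _n in "$_lo" "$_hi"; do
            case "$_n" in
                ''|*[!0-9]*) echo "bad port in $_spec" >&2; return 1 ;;
            esac
            [ "$_n" -ge 1 ] && [ "$_n" -le 65535 ] ||
                { echo "port out of range in $_spec" >&2; return 1; }
        done
        [ "$_lo" -le "$_hi" ] || { echo "inverted range in $_spec" >&2; return 1; }
        _ports="$_ports  <port protocol=\"$_proto\" port=\"$_port\"/>
"
    done
    # The description is the only free text, so escape the XML metacharacters.
    _desc=$(printf '%s' "$_desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>%s</short>\n  <description>%s</description>\n%s</service>\n' \
        "$_name" "$_desc" "$_ports" > "$_dir/$_name.xml"
}

# On a live host (only runs when enough arguments are passed):
#   sudo sh make-service.sh /etc/firewalld/services service-example "Example app" 1111/tcp 2222/udp
#   sudo firewall-cmd --reload
#   sudo firewall-cmd --info-service=service-example
if [ $# -ge 4 ]; then
    new_service "$@"
fi
```

After the reload, firewall-cmd --info-service=<name> shows the ports firewalld parsed from the file, which is the quickest way to confirm the definition was picked up before you add it to a zone.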

After this firewalld tutorial, I hope you learned basic to advanced concepts of Linux Firewall.

Read Also : How to Configure Firewall with UFW on Ubuntu

Originally published at https://thecodecloud.in on September 20, 2020.


Hi Guys, This is Ravi. I am AWS and Oracle Certified Solution Architect Associate. I love to write technical blogs on my blogging site https://thecodecloud.in .