Beginner's Guide to firewalld in CentOS/RHEL 7

firewalld Overview

firewalld is the default method in CentOS/RHEL 7 for managing host-level firewalls. Started from the firewalld.service systemd unit, firewalld manages the Linux kernel netfilter subsystem using the low-level iptables, ip6tables, and ebtables commands. Because the legacy iptables, ip6tables, and ebtables services manage the same netfilter rules and conflict with firewalld, they should be masked so that they cannot be started alongside firewalld, whether by hand or by another package:

# for SERVICE in iptables ip6tables ebtables
do
   systemctl mask ${SERVICE}.service
done

firewalld separates all incoming traffic into zones, with each zone having its own set of rules. To decide which zone applies to an incoming connection, firewalld uses the following logic, where the first rule that matches wins:

  1. If the source address of an incoming packet matches a source binding configured for a zone, that packet is handled by that zone.
  2. Otherwise, if the interface the packet arrived on is bound to a zone, that zone is used.
  3. Otherwise, the default zone is used. The default zone is not a separate zone; instead, it points to one of the other zones defined on the system.

Unless overridden by an administrator or a NetworkManager configuration, the default zone for any new network interface will be the public zone. Note the order: a source binding takes precedence over an interface binding, so a host on a source-bound network ends up in that zone even if its traffic arrives on an interface that is bound to a different zone.

A number of predefined zones are shipped with firewalld, each with its own intended usage:

Default Configuration of firewalld Zones

ZONE NAME   DEFAULT CONFIGURATION
trusted     Allow all incoming traffic.
home        Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services.
internal    Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services (same as the home zone to start with).
work        Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client, or dhcpv6-client predefined services.
public      Reject incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6-client predefined services. The default zone for newly added network interfaces.
external    Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded to look like it originated from the IPv4 address of the outgoing network interface.
dmz         Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service.
block       Reject all incoming traffic unless related to outgoing traffic.
drop        Drop all incoming traffic unless related to outgoing traffic (do not even respond with ICMP errors).

Managing Firewalld

firewalld can be managed in three ways:

  1. Using the command-line tool firewall-cmd.
  2. Using the graphical tool firewall-config.
  3. Using the configuration files in /etc/firewalld/.

In most cases, editing the configuration files directly is not recommended, but copying them is a convenient way to distribute a firewall configuration with configuration management tools.

Configure firewall settings with firewall-cmd

This section will focus on managing firewalld using the command-line tool firewall-cmd.

firewall-cmd is installed as part of the main firewalld package. firewall-cmd can perform the same actions as firewall-config.

The following table lists a number of frequently used firewall-cmd commands, along with an explanation. Unless otherwise noted, these commands act on the runtime configuration only; add the --permanent option to change the permanent configuration instead. Many of the commands listed take the --zone=[ZONE] option to determine which zone they affect. If --zone is omitted from those commands, the default zone is used.

While configuring a firewall, an administrator will normally apply all changes to the --permanent configuration, and then activate those changes with firewall-cmd --reload. While testing out new, and possibly dangerous, rules, an administrator can choose to work on the runtime configuration by omitting the --permanent option. In those cases, an extra option can be used to automatically remove a rule after a certain amount of time, preventing an administrator from accidentally locking out a system: --timeout=[TIMEINSECONDS]. The --timeout option applies to rule-adding options such as --add-service and --add-port, and it cannot be combined with --permanent. Keep in mind that --reload discards runtime-only changes, so a rule that was tested at runtime must still be added with --permanent before the reload, or it will disappear.

FIREWALL-CMD COMMAND                                   EXPLANATION
--get-default-zone                                     Query the current default zone.
--set-default-zone=[ZONE]                              Set the default zone. This changes both the runtime and the permanent configuration.
--get-zones                                            List all available zones.
--get-services                                         List all predefined services.
--get-active-zones                                     List all zones currently in use (those with an interface or source tied to them), along with their interface and source information.
--add-source=[ADDRESS[/MASK]] [--zone=[ZONE]]          Route all traffic coming from the IP address or network/netmask to the specified zone. If no --zone= option is provided, the default zone is used.
--remove-source=[ADDRESS[/MASK]] [--zone=[ZONE]]       Remove the rule routing all traffic coming from the IP address or network/netmask from the specified zone. If no --zone= option is provided, the default zone is used.
--add-interface=[INTERFACE] [--zone=[ZONE]]            Route all traffic coming from [INTERFACE] to the specified zone. If no --zone= option is provided, the default zone is used.
--change-interface=[INTERFACE] [--zone=[ZONE]]         Associate [INTERFACE] with [ZONE] instead of its current zone. If no --zone= option is provided, the default zone is used.
--list-all [--zone=[ZONE]]                             List all configured interfaces, sources, services, and ports for [ZONE]. If no --zone= option is provided, the default zone is used.
--list-all-zones                                       Retrieve all information for all zones (interfaces, sources, ports, services, etc.).
--add-service=[SERVICE] [--zone=[ZONE]]                Allow traffic to the predefined service [SERVICE]. If no --zone= option is provided, the default zone is used.
--add-port=[PORT/PROTOCOL] [--zone=[ZONE]]             Allow traffic to the port(s) [PORT/PROTOCOL], for example 3306/tcp. If no --zone= option is provided, the default zone is used.
--remove-service=[SERVICE] [--zone=[ZONE]]             Remove [SERVICE] from the allowed list for the zone. If no --zone= option is provided, the default zone is used.
--remove-port=[PORT/PROTOCOL] [--zone=[ZONE]]          Remove the port(s) [PORT/PROTOCOL] from the allowed list for the zone. If no --zone= option is provided, the default zone is used.
--reload                                               Drop the runtime configuration and apply the permanent configuration.

firewall-cmd example

The following example sets the default zone to dmz, assigns all traffic coming from the 192.168.0.0/24 network to the internal zone, and opens the network ports for the mysql service on the internal zone. Service names are lowercase and must match a predefined service exactly (mysql, not MySQL), and --add-source is a single option. --set-default-zone changes both the runtime and the permanent configuration, so it needs no --permanent; the other two changes are written to the permanent configuration and then activated with --reload:

# firewall-cmd --set-default-zone=dmz
# firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
# firewall-cmd --permanent --zone=internal --add-service=mysql
# firewall-cmd --reload
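As an added example (not code from the original article), here is the same change staged the way the previous section recommends: the service rule goes into the runtime configuration with --timeout first, the result is checked, and only then is everything written with --permanent and activated with --reload. The zone, source and service are the ones from the example above; the administrator being connected over ssh, the 60-second test window, the --get-zone-of-source check (an option not in the table above) and the embedded sample --list-all output are assumptions or constructed data for this example.

```shell
#!/bin/sh
# Added example, not code from the original article: stage a firewall change
# runtime-first with --timeout, verify it, then persist it with --permanent
# and activate it with --reload. Assumed values (not from the page): the admin
# runs this over ssh; ZONE/SOURCE/SERVICE are the ones from the article's example.

ZONE="internal"
SOURCE="192.168.0.0/24"
SERVICE="mysql"
TEST_WINDOW=60   # seconds the runtime service rule lives before firewalld removes it

# Constructed sample of `firewall-cmd --zone=internal --list-all` output, used
# to exercise the parsers below on a machine without firewalld.
SAMPLE_LIST_ALL='internal (active)
  target: default
  interfaces:
  sources: 192.168.0.0/24
  services: ssh mdns ipp-client samba-client dhcpv6-client mysql
  ports:'

# Read --list-all output on stdin; succeed if $1 appears on the "services:" line.
zone_lists_service() {
    awk -v want="$1" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Read --list-all output on stdin; succeed if $1 appears on the "sources:" line.
zone_lists_source() {
    awk -v want="$1" '
        $1 == "sources:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run both parsers against the constructed sample; returns 0 when both match.
check_sample() {
    printf '%s\n' "$SAMPLE_LIST_ALL" | zone_lists_service "$SERVICE" &&
    printf '%s\n' "$SAMPLE_LIST_ALL" | zone_lists_source "$SOURCE"
}

# The staged rollout against a live firewalld.
stage_change() {
    # 1. Runtime only. Source bindings cannot be timed, so the source is added
    #    plainly and removed again on failure; the service rule gets --timeout.
    firewall-cmd --zone="$ZONE" --add-source="$SOURCE" || return 1
    firewall-cmd --zone="$ZONE" --add-service="$SERVICE" --timeout="$TEST_WINDOW" || return 1

    # 2. Check the runtime state: the rule is listed, and a client from SOURCE
    #    really lands in ZONE (source bindings win over interface bindings).
    if ! firewall-cmd --zone="$ZONE" --list-all | zone_lists_service "$SERVICE" ||
       [ "$(firewall-cmd --get-zone-of-source="$SOURCE")" != "$ZONE" ]; then
        echo "runtime check failed; backing out the source binding" >&2
        firewall-cmd --zone="$ZONE" --remove-source="$SOURCE"
        return 1
    fi

    # 3. Persist and activate. --reload discards runtime-only rules, including
    #    the timed one, and applies exactly what is now on disk.
    firewall-cmd --permanent --zone="$ZONE" --add-source="$SOURCE" &&
    firewall-cmd --permanent --zone="$ZONE" --add-service="$SERVICE" &&
    firewall-cmd --reload || return 1

    # 4. Confirm the reloaded runtime state came from the permanent configuration.
    firewall-cmd --zone="$ZONE" --list-all | zone_lists_service "$SERVICE" &&
    firewall-cmd --zone="$ZONE" --list-all | zone_lists_source "$SOURCE"
}

# Only touch a live firewall when explicitly asked: `sh stage-change.sh apply`.
# Without the argument the script only defines the functions and the sample.
if [ "${1:-}" = "apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
    stage_change
fi
```

Run it as `sh stage-change.sh apply` on the host. Because --timeout is not accepted for --add-source (interface and source bindings are not timed), the script backs the source binding out itself when the runtime check fails; only the service rule expires on its own. If the ssh session is lost during the test window, the timed service rule disappears by itself, and the untouched permanent configuration is what --reload or a reboot brings back.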

firewalld Configuration Files

firewalld configuration files are stored in two places: /etc/firewalld and /usr/lib/firewalld. Package defaults live under /usr/lib/firewalld (for example, the predefined zones in /usr/lib/firewalld/zones/ and the predefined services in /usr/lib/firewalld/services/), while local changes, including those written by firewall-cmd --permanent, go under /etc/firewalld. If a configuration file with the same name is stored in both locations, the version from /etc/firewalld/ is used. This allows administrators to override default zones and settings without fear of their changes being wiped out by a package update.
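As an added example (not part of the original article), the script below audits which objects under /etc/firewalld override a packaged default under /usr/lib/firewalld and shows the actual difference, which is what an administrator wants to know before an upgrade or when reconciling a host with configuration management. The directory paths default to the real locations but can be overridden; build_sample_tree creates a constructed tree (an approximation of the packaged internal.xml, a locally modified copy as firewall-cmd --permanent would leave it after the example above, an untouched copy of trusted.xml, and a hypothetical local service named mysql-admin) so the functions can be exercised on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not code from the original article: list every firewalld XML
# object under ETC_DIR and say whether it shadows, matches, or is missing from
# the packaged defaults under LIB_DIR. The sample tree built below is constructed
# for this example and is not real system data.

# Print one line per XML file under ETC_DIR (default /etc/firewalld), stating
# its relation to the same path under LIB_DIR (default /usr/lib/firewalld).
list_overrides() {
    etc_dir="${1:-/etc/firewalld}"
    lib_dir="${2:-/usr/lib/firewalld}"
    find "$etc_dir" -type f -name '*.xml' | sort | while read -r f; do
        rel="${f#"$etc_dir"/}"
        if [ ! -f "$lib_dir/$rel" ]; then
            echo "$rel (local only)"
        elif cmp -s "$f" "$lib_dir/$rel"; then
            echo "$rel (identical to packaged default)"
        else
            echo "$rel (overrides packaged default)"
        fi
    done
}

# Unified diff of the packaged default against the local override for one object.
diff_override() {
    rel="$1"; etc_dir="${2:-/etc/firewalld}"; lib_dir="${3:-/usr/lib/firewalld}"
    diff -u "$lib_dir/$rel" "$etc_dir/$rel"
}

# Build a constructed lib/ and etc/ tree under $1 mirroring the state the
# article's example leaves behind: packaged internal.xml, a local internal.xml
# with the mysql service and the 192.168.0.0/24 source added, an unchanged
# trusted.xml, and a hypothetical locally defined service (mysql-admin).
build_sample_tree() {
    root="$1"
    mkdir -p "$root/lib/zones" "$root/etc/zones" "$root/etc/services"
    cat > "$root/lib/zones/internal.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks (constructed approximation).</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="ipp-client"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
    # The local copy keeps the packaged defaults and appends the two additions.
    { sed '$d' "$root/lib/zones/internal.xml"
      printf '  <service name="mysql"/>\n  <source address="192.168.0.0/24"/>\n</zone>\n'
    } > "$root/etc/zones/internal.xml"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone target="ACCEPT">\n  <short>Trusted</short>\n</zone>\n' \
        > "$root/lib/zones/trusted.xml"
    cp "$root/lib/zones/trusted.xml" "$root/etc/zones/trusted.xml"
    # Hypothetical custom service with no packaged counterpart.
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>mysql-admin</short>\n  <port protocol="tcp" port="33060"/>\n</service>\n' \
        > "$root/etc/services/mysql-admin.xml"
}

# Usage: sh audit-overrides.sh              audit the real /etc/firewalld
#        sh audit-overrides.sh /tmp/demo    build and audit the constructed tree
if [ -n "${1:-}" ]; then
    build_sample_tree "$1" && list_overrides "$1/etc" "$1/lib"
elif [ -d /etc/firewalld ]; then
    list_overrides
fi
```

On the constructed tree, list_overrides reports zones/internal.xml as overriding the packaged default, zones/trusted.xml as identical to it, and services/mysql-admin.xml as local only; diff_override zones/internal.xml then shows exactly the mysql service and the source binding as added lines. An "identical" override is worth removing, since it silently pins the zone to today's packaged definition and will mask any future change to the default.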