Setup FirewallD in CentOS Quickly and Easily
Setup FirewallD in CentOS configures a dynamic firewall manager that controls network traffic through zones and services. Install, enable, and configure FirewallD to secure your system by managing network access effectively.
Setting up FirewallD in CentOS involves activating and managing the system’s default firewall tool to control network traffic, enhance security, and configure zones and ports dynamically. FirewallD replaces iptables on CentOS 7 and later, offering easy runtime and permanent firewall configurations for IPv4 and IPv6.
What is Firewalld and Why Configure it?
Users of any Linux distribution know that, before Red Hat Enterprise Linux introduced firewalld, ports were blocked and unblocked with the iptables firewall. FirewallD is a complete firewall solution that manages the system's iptables rules and provides a D-Bus interface for interacting with them. Starting with CentOS 7, FirewallD has replaced iptables as the default firewall administration program.
The firewalld D-Bus interface makes it straightforward for services, programs, and users to modify firewall settings; the firewall configuration tools firewall-cmd, firewall-config, and firewall-applet all use this same interface. Because runtime and permanent settings are kept separate, changes can be tested and evaluated at runtime. The runtime configuration stays in effect only until the service is reloaded or restarted, or until the system reboots; after that, the permanent configuration is loaded again.
This separation lets you use the runtime environment for settings that should only be in effect for a short time. Once a runtime configuration has been evaluated and is complete and working, it can be saved to the permanent environment. Setting up firewalld in CentOS helps you guarantee your system's security.
Firewalld Zones
Firewalld offers different protection levels for different connection zones. A zone has at least one network interface, such as eth0, connected to it. The firewalld daemon manages rule sets using objects called “zones”. Zones are essentially sets of rules that specify which traffic should be permitted, based on how much you trust the networks your computer is connected to. Each network interface is assigned a zone that determines what the firewall should permit on it.
Run the command below to view the preconfigured zones:
$ firewall-cmd --get-zones
The output would be like:
block dmz drop external home internal libvirt public trusted work
As you can see, block, dmz, drop, external, home, internal, libvirt, public, trusted, and work are the zones listed by default.
To use the firewall, we create rules, modify the zones' properties, and then allocate our network interfaces to the most suitable zones.
FirewallD Services
Firewalld services are established rules that are zone-specific and specify the settings required to permit incoming traffic for a given service.
Firewalld Permanent and Runtime Rules
Firewalld uses two distinct configuration sets: runtime and permanent. The runtime configuration is the one actually in use at the moment, and it does not persist across reboots. It is created by loading the permanent configuration when the firewalld service starts.
By default, modifications made with the firewall-cmd tool change only the runtime configuration. Use the --permanent option to make the modifications permanent.
Prerequisites to Configure Firewall with FirewallD on CentOS
To configure the firewall on CentOS, your machine needs to meet the following requirements:
- A non-root user with sudo privileges.
- A CentOS machine.
- Access to a command line (Ctrl+Alt+T).
How to Check CentOS Firewalld Status
Although firewalld is enabled by default on CentOS 7, run the command below to check the firewall status on your CentOS machine, whichever version you use:
sudo systemctl status firewalld
If the firewall is active, you will notice bright green letters in your output indicating that it is running.
How to Disable FirewallD on CentOS
Now that you know the CentOS firewall status command, you can check whether it is active. In this part, you will learn how to stop the default firewalld manager on CentOS, both temporarily and permanently.
Disable CentOS Firewalld Temporarily
To stop firewalld temporarily on CentOS, run the command below:
sudo systemctl stop firewalld
The firewall should now be stopped. Check it by running the following command:
sudo systemctl status firewalld
The "Active: running" you saw in your previous output should have changed to "Active: inactive (dead)".
The systemctl stop firewalld command turns the service off only until the next reboot: the firewalld service will start again after a system reboot, when your runtime session ends.
Disable CentOS Firewalld Permanently
If you need to disable firewalld permanently on CentOS, use the following commands to stop the firewall service and then disable it.
Run the following command to stop the firewalld tool:
sudo systemctl stop firewalld
Now, you can check the firewall status just like in the previous step:
sudo systemctl status firewalld
You should see that the service is inactive in your output. Then use the following command to prevent the service from starting when the system boots up:
sudo systemctl disable firewalld
The firewall service on your CentOS 7 server has now been stopped and disabled. However, other services on the system could still activate firewalld. So, mask firewalld to stop other services from activating it:
sudo systemctl mask --now firewalld
The firewalld service unit is now a symbolic link (symlink) to /dev/null. The output should be:
Output:
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
Steps to Enable FirewallD in CentOS
Let’s go through this guide and review all the required steps to set up FirewallD in CentOS 7.
Step 1. Install FirewallD in CentOS
Firewalld is installed by default on most Linux distributions, including CentOS; if it is missing, run the command below to install it on your CentOS system:
sudo yum install firewalld
Since the firewalld service may not be enabled yet, you need to enable it. But first, check the firewall state using the command below:
sudo firewall-cmd --state
If "not running" is displayed, firewalld has been installed recently or has not been activated. If you see "running", firewalld is already enabled.
Otherwise, run the following commands to start the firewalld service and enable it at boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
In this way, the firewalld service will be enabled on boot.
Step 2. Configure Firewalld Zones
In this part of Setup Firewalld in CentOS, you will learn more about firewall rules. Now that you have enabled the firewalld service, your default zone is the public zone. Run the command below to see the default zone:
sudo firewall-cmd --get-default-zone
It should print public.
As mentioned earlier, you can get a list of all available zones with sudo firewall-cmd --get-zones. All network interfaces are assigned the default zone by default. Run the command below to find out which zones are used by your network interface(s):
sudo firewall-cmd --get-active-zones
Output:
public
interfaces: eth0 eth1
The result above indicates that eth0 and eth1 are both assigned to the public zone. The zone's configuration can be printed using the command below:
sudo firewall-cmd --zone=public --list-all
Output:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
As the output above shows, the public zone is active, set as the default, and used by both the eth0 and eth1 interfaces. Additionally, connections for SSH and the DHCPv6 client are permitted. Use the following command to view the configuration of every available zone:
sudo firewall-cmd --list-all-zones
The command outputs a lengthy list of all available zone parameters.
Step 3. Change the Zone of an Interface
Changing an interface's zone is simple using the --zone option together with the --change-interface option. The following command assigns the eth1 interface to the work zone:
sudo firewall-cmd --zone=work --change-interface=eth1
To verify the changes, type:
sudo firewall-cmd --get-active-zones
Output:
work
interfaces: eth1
public
interfaces: eth0
Step 4. Modify the Default zone
Use the --set-default-zone option with the name of the zone you want as the default to change the default zone. For instance, run the following command to set the default zone to “office”. Note that office is not one of the predefined zones listed earlier, so this only succeeds if you have created that zone first (for example with sudo firewall-cmd --permanent --new-zone=office followed by sudo firewall-cmd --reload); otherwise, use one of the built-in zones such as work:
sudo firewall-cmd --set-default-zone=office
To verify the changes, type:
sudo firewall-cmd --get-default-zone
Output:
office
Step 5. Open a Port for Zone
The firewall services supplied with the firewalld installation cover many of the most common requirements of applications you might want to grant access to. There may be circumstances, however, in which these services are insufficient for your needs.
You can add support for such an application by opening the ports it requires in the necessary zone(s). To do this, you specify the protocol and the port or port range to open. Alternatively, FirewallD lets you use services, which are pre-made rules, to enable traffic for particular ports.
Run the command below to list all the service definitions that are readily available:
sudo firewall-cmd --get-services
For instance, we can use the --add-port= argument to add our TCP-based application, which runs on port 5000, to the “public” zone for this session. The protocol is either tcp or udp:
sudo firewall-cmd --zone=public --add-port=5000/tcp
Output:
success
Confirm that this was successful using --list-ports:
sudo firewall-cmd --zone=public --list-ports
Output:
5000/tcp
To open a range of ports, separate the first and last port in the range with a dash. For instance, if our application uses UDP ports 4990 through 4999, we could open them on “public” with:
sudo firewall-cmd --zone=public --add-port=4990-4999/udp
After testing, you would probably want to add these to the permanent firewall. This can be done by typing:
sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --list-ports
Output:
success
success
5000/tcp 4990-4999/udp
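The runtime-then-permanent workflow of this step, as an added example that is not part of the original article: a POSIX shell helper that rejects malformed port specs before they reach firewall-cmd, opens a valid spec at runtime in a zone, confirms it with --list-ports, and only then persists it with firewalld's --runtime-to-permanent option. The function names are this example's own, and the firewall-cmd calls assume firewalld is installed.

```shell
#!/bin/sh
# Added example (not from the article). Accepted port specs, as firewalld
# expects them: PORT/PROTO or START-END/PROTO, with PROTO in tcp|udp|sctp|dccp.
valid_port_spec() {
    spec=$1
    ports=${spec%/*}           # "5000" or "4990-4999"
    proto=${spec##*/}          # "tcp", "udp", ...
    [ "$spec" != "$ports" ] || return 1           # no "/PROTO" part at all
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    start=${ports%-*}; end=${ports##*-}           # a single port has start == end
    case $start in ''|*[!0-9]*) return 1 ;; esac  # digits only, non-empty
    case $end   in ''|*[!0-9]*) return 1 ;; esac
    [ "$start" -ge 1 ] && [ "$start" -le 65535 ] || return 1
    [ "$end" -ge "$start" ] && [ "$end" -le 65535 ] || return 1   # ordered range
    return 0
}

# Does a --list-ports result (e.g. "5000/tcp 4990-4999/udp") contain SPEC exactly?
port_in_list() {   # $1 = spec, $2 = space-separated list
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Add at runtime, verify, then copy the tested runtime config to permanent.
open_port_checked() {   # $1 = zone, $2 = spec
    valid_port_spec "$2" || { echo "bad port spec: $2" >&2; return 2; }
    sudo firewall-cmd --zone="$1" --add-port="$2" >/dev/null || return 1
    port_in_list "$2" "$(sudo firewall-cmd --zone="$1" --list-ports)" || return 1
    sudo firewall-cmd --runtime-to-permanent
}
```

Run it as open_port_checked public 5000/tcp; a spec such as 4999-4990/udp or 80/icmp is refused before firewall-cmd is ever called.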
Step 6. Create a New FirewallD Service
The default services live in the /usr/lib/firewalld/services directory. The simplest way to create a new service is to copy an existing service file to the directory for user-created services, /etc/firewalld/services, and make the necessary changes.
For instance, we might copy the SSH service definition and use it as the basis for our “example” service definition. The service name shown in the list of firewall services is determined by the filename, minus the .xml suffix:
sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml
Change the service's short name and description in the <short> and <description> tags of the newly created example.xml file. The most important tag to change is the <port> tag, which specifies the protocol and port number you want to open.
Save the file, then reload the FirewallD service so that it picks up the new definition:
sudo firewall-cmd --reload
Now you can use the example service in your zones, for instance with --add-service=example.
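As an added example (not code from the article or from the firewalld project), the following shell function generates a service definition like the one described above from a name, short name, description and port list, instead of hand-editing a copied ssh.xml. The function and its XML-escaping helper are this example's own; write the file under /etc/firewalld/services on a real host, then reload as shown in the step.

```shell
#!/bin/sh
# Added example (not from the article): write a firewalld service definition.
# Usage: write_firewalld_service DIR NAME SHORT DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# DIR is normally /etc/firewalld/services; any writable directory works for a dry run.

# Escape the characters that would break the XML text nodes.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

write_firewalld_service() {
    [ $# -ge 5 ] || { echo "usage: write_firewalld_service DIR NAME SHORT DESC SPEC..." >&2; return 1; }
    dir=$1; name=$2; short=$3; desc=$4
    shift 4
    file="$dir/$name.xml"            # the service name is the filename minus .xml
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do               # one <port> element per PORT/PROTO or RANGE/PROTO
            ports=${spec%/*}; proto=${spec##*/}
            printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$ports"
        done
        printf '</service>\n'
    } > "$file" || return 1
    echo "$file"
}

# After writing into /etc/firewalld/services on a real host:
#   sudo firewall-cmd --reload
#   sudo firewall-cmd --permanent --zone=public --add-service=example
```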
Step 7. Using FirewallD for Port Forwarding in CentOS
Before forwarding traffic from one port to another port or address, first activate masquerading for the target zone using the --add-masquerade switch. To enable masquerading for the external zone, run:
sudo firewall-cmd --zone=external --add-masquerade
It is also possible to forward traffic from one port to another on the same server. For instance, the example below forwards traffic from port 80 to port 8080 on the same server:
sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
To forward traffic to another server, run a command like the one below, which forwards traffic arriving on port 80 to port 80 on the server with IP 10.10.10.2:
sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=10.10.10.2
Port forwarding with firewalld can also send traffic to a different port on another server. In the example below, traffic from port 80 is forwarded to port 8080 on the server with IP 10.10.10.2:
sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.10.10.2
Step 8. Configure Firewall on your Web Server
Although most users will likely find the predefined zones more than adequate, it can be useful to define your own zones that better describe their purpose. In this step, you will learn how to create your own zone and ruleset with FirewallD for your web server.
Assume your server has only one interface, eth0, and you want to permit inbound traffic only on the SSH, HTTP, and HTTPS ports. We will use the dmz (demilitarized) zone because by default it permits only SSH traffic. Run the following commands to set the default zone to dmz and assign it to the eth0 interface (if eth0 is already bound to another zone, such as public from Step 2, move it with --change-interface=eth0 as in Step 3):
sudo firewall-cmd --set-default-zone=dmz
sudo firewall-cmd --zone=dmz --add-interface=eth0
Now, open the HTTP and HTTPS ports by adding permanent service rules to the dmz zone:
sudo firewall-cmd --permanent --zone=dmz --add-service=http
sudo firewall-cmd --permanent --zone=dmz --add-service=https
Then, reload the firewall to make the changes effective:
sudo firewall-cmd --reload
To verify the dmz zone configuration settings, run:
sudo firewall-cmd --zone=dmz --list-all
Output:
dmz (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
The output above shows that the ssh (22), http (80), and https (443) ports are open, and that dmz is the default zone, applied to the eth0 interface.
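Reading --list-all output by eye is how both Step 2 and this step verify a zone; as an added example that is not part of the original article, the shell functions below turn that check into an audit against an allow-list, so a zone meant to expose only ssh, http and https does not silently carry extra services or ports. The function names and the constructed sample listing are this example's own; audit_zone assumes firewall-cmd is installed.

```shell
#!/bin/sh
# Added example (not from the article): audit "firewall-cmd --zone=Z --list-all"
# output against an allow-list of services and ports.

# Extract one "key: value" line (services, ports, interfaces, ...) from a listing.
zone_field() {   # $1 = listing text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print every service/port in the zone that is not allowed; return 1 if any.
zone_unexpected() {   # $1 = listing, $2 = allowed services, $3 = allowed ports (space-separated)
    bad=""
    for s in $(zone_field "$1" services); do
        case " $2 " in *" $s "*) ;; *) bad="$bad $s" ;; esac
    done
    for p in $(zone_field "$1" ports); do
        case " $3 " in *" $p "*) ;; *) bad="$bad $p" ;; esac
    done
    [ -z "$bad" ] && return 0
    printf 'unexpected in zone:%s\n' "$bad"
    return 1
}

# Live check on a real host, e.g.: audit_zone dmz "ssh http https" ""
audit_zone() {   # $1 = zone, $2 = allowed services, $3 = allowed ports
    zone_unexpected "$(sudo firewall-cmd --zone="$1" --list-all)" "$2" "$3"
}

# Constructed sample listing, matching the dmz output shown in Step 8.
DMZ_LISTING='dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

zone_unexpected "$DMZ_LISTING" "ssh http https" ""   # clean zone: prints nothing, returns 0
```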
Conclusion
Setting up FirewallD in CentOS is essential for protecting your server from unauthorized access and attacks. This beginner-friendly guide has covered fundamental concepts, installation checks, managing zones, adding and removing services and ports, and applying permanent rules.
Following these steps will help you maintain a secure and well-managed firewall on your CentOS server. Always remember that a properly configured firewall is a critical part of your overall system security strategy.
FAQ
1. How do I check if FirewallD is running on CentOS?
Run "sudo systemctl status firewalld"; if active, FirewallD is running.
2. How can I install and enable FirewallD on CentOS?
Install with "sudo yum install firewalld", then start and enable with "sudo systemctl start firewalld" and "sudo systemctl enable firewalld".
3. What are FirewallD zones and how do I configure them?
Zones are sets of trust levels for network interfaces. Assign interfaces and manage rules using firewall-cmd commands.
4. How do I open a port or allow a service?
Use "sudo firewall-cmd --zone=public --add-port=port/protocol". Add "--permanent" to keep changes after reboot.
5. What is the difference between runtime and permanent rules?
Runtime rules are temporary; permanent rules persist after reboot and require reloading FirewallD.
6. How do I disable FirewallD temporarily or permanently?
Temporarily stop with "sudo systemctl stop firewalld"; permanently disable with "sudo systemctl disable firewalld".
7. Can I create custom firewall services?
Yes; copy and modify service files in "/etc/firewalld/services" and reload FirewallD.
8. How do I set up port forwarding with FirewallD?
Enable masquerading and forward ports with "firewall-cmd --add-forward-port" commands.
9. How do I configure FirewallD for a web server?
Assign the interface to a zone and open the HTTP/HTTPS ports permanently, then reload the firewall.