In computing, a good firewall can prevent unauthorized access to a network, and businesses invest in their security infrastructure in proportion to how critical their systems are. In this article we look at the fundamentals of FirewallD, the firewall management service introduced in CentOS 7.

FirewallD is a front end for Netfilter, the packet filtering framework built into the Linux kernel, which sees every packet that enters, leaves or is forwarded by the system. Rules pushed through firewalld can therefore inspect, modify, reject or drop incoming, outgoing and forwarded packets before they reach their destination. On CentOS 7 firewalld programs Netfilter through iptables, so the rules it generates are visible with the usual iptables listing tools, but they should be managed only through firewalld.

From CentOS 7 onwards firewalld is the default tool for managing the host-based firewall. It is provided by the firewalld package, which is normally part of the base installation; if it is missing from a trimmed-down image, install it as described in Step 1.

Advantages of using FirewallD over the classic iptables service:

i. Changes made to the runtime configuration take effect immediately; there is no need to reload or restart the service, and so no need to flush and rebuild the whole ruleset, which briefly leaves the host without its rules.
ii. It simplifies firewall management by arranging network traffic into zones.
iii. More than one firewall configuration can be kept on one system and switched as the network environment changes, which is useful on mobile systems such as laptops.
iv. It exposes its configuration over the D-Bus messaging system, so other applications can query and change firewall settings through a stable interface instead of editing rules behind its back.

On CentOS 7 and later you can still use the classic iptables service (from the iptables-services package), but firewalld must be stopped and disabled first. Running both at the same time leaves two tools rewriting the same kernel ruleset, and they are incompatible with each other. Unless you have a specific reason to keep the classic iptables, manage the firewall with firewalld: it is built on the same filtering engine and is more flexible to administer.
To take advantage of this design, firewalld sorts incoming traffic into zones. A packet is placed in a zone by the interface it arrives on or, where source rules are defined, by its source address (a source binding takes precedence over an interface binding). Each zone then handles traffic according to its own rules. Out of the box the default zone is public, and every interface that has not been assigned elsewhere is attached to the default zone.

The predefined zone definitions are stored in two locations: the system-supplied zone files under /usr/lib/firewalld/zones/ and the user-specified zone files under /etc/firewalld/zones/. Do not edit the files under /usr/lib/firewalld/ directly; they are replaced on package updates. When a zone is modified permanently (through firewall-cmd --permanent or firewall-config), firewalld writes the modified copy to /etc/firewalld/zones/, and a file there overrides the system file of the same name.

This guide will help you strengthen your basic knowledge of the firewalld service and of the firewall-cmd command on RHEL/CentOS 7.

Prerequisites: root access, or a user with sudo privileges. Setting up sudo users is covered in a separate article.

You can configure your firewall settings in three ways:
a. Editing the configuration files under /etc/firewalld directly
b. The graphical firewall-config tool
c. The command-line firewall-cmd tool in a terminal

Note: In this demo we focus only on the firewall-cmd command. All the examples below were tested on RHEL/CentOS 7.6.

Step 1: Install and enable the firewalld service

First, update the package to the latest available version.
Note: Firewalld is normally part of a CentOS 7 base installation. If it is missing (for example on a trimmed-down or container image), install the firewalld package with yum.

Start the service and enable it so that it also starts at boot (systemctl start and systemctl enable).

Verify that the service is running with systemctl status, and that the daemon is answering with firewall-cmd --state, which prints "running" when the firewall is active. If firewall-cmd reports that it cannot connect, the daemon is not running or you are not root.
Step 2: Zones

Firewalld ships with several predefined zones and services for different purposes, the main one being to make firewall management easier. With zones and services in place, all incoming traffic to the system is blocked unless a rule in the zone explicitly permits it; outgoing traffic is allowed by default in every predefined zone.

1. How to check all the available zones in firewalld?

Use the --get-zones option.

Note: These are the default predefined zones; each can be used as it is or as a starting point for your own. Sorted from least to most trusted, as documented in firewalld.zones(5), they are:

drop: incoming packets are dropped without a reply; only outgoing connections are possible.
block: incoming connections are rejected with an ICMP host-prohibited (IPv6: adm-prohibited) message; only connections initiated from this system are possible.
public: for use in public areas where other computers are not trusted; only ssh and dhcpv6-client are accepted.
external: for use on external networks with masquerading (NAT) enabled, typically on a router; only ssh is accepted.
dmz: for computers in a demilitarized zone with limited access to the internal network; only ssh is accepted.
work: for work areas where other computers are mostly trusted; ssh and dhcpv6-client are accepted.
home: for home areas where other computers are mostly trusted; ssh, mdns, samba-client and dhcpv6-client are accepted.
internal: for internal networks where other computers are mostly trusted; the same services as home are accepted.
trusted: all network connections are accepted.

For the exact definitions, read the zone files themselves or the firewalld.zones(5) manual page.

2. How to find out which is the default zone?

Use the --get-default-zone option.
Note: On an unmodified system this reports public. The default zone can be changed to suit your requirements, as shown in example 6.

3. How to find the active zones and their associated network interfaces?

Use the --get-active-zones option; a zone is active when at least one interface or source is bound to it.

Note: In the output you will see the public zone listed as active and associated with the "enp1s0" network interface. Any interface that has not been explicitly assigned to a zone is automatically attached to the default zone.
4. How to see which rules are in force in the active public zone?

Use --list-all, which reports the default zone unless --zone is given.

Note: The output shows that the public zone is active and is the default, that the network interface "enp1s0" is bound to it, and that the dhcpv6-client and ssh services are permitted through the firewall. Ports, rich rules, masquerading and the other zone settings are listed as well, so this is the first command to check when a connection is unexpectedly refused.

5. How to list the full configuration of every zone?

Use --list-all-zones.

Note: This prints the same detailed configuration as the previous example for each available zone in turn. Try it yourself; the output is fairly long.

6. How to change the default zone?

Before switching, check which zone is currently the default (--get-default-zone).
Note: The output shows public as the default zone. Now change the default from public to work with --set-default-zone=work. This is a permanent change that also takes effect immediately: every interface that is not explicitly bound to another zone moves to the new default at once, so make sure the target zone still permits the services you rely on (such as ssh) before running it.

Note: The command reports success. Verify it with --get-default-zone, which should now print work.
7. How to move a network interface from one zone to another?

Note: Suppose the system has two network interfaces, "enp1s0" and "enp1s1". By default both belong to the default zone. Use --zone=<zone> --change-interface=<interface> to move one of them (for example enp1s1 into the internal zone); run it once without and once with --permanent so that the binding survives a reload. If the interface is managed by NetworkManager, the zone is stored in its connection profile (the ZONE= setting of the ifcfg file), and nmcli connection modify <connection> connection.zone <zone> achieves the same result.

Note: Verify the binding with --get-zone-of-interface=<interface> or with --get-active-zones.
8. How to build a customized firewalld zone?

Note: The system-supplied zone files are located under "/usr/lib/firewalld/zones" and user-specified files under "/etc/firewalld/zones". To create a custom zone that permits only the ssh and http (Apache) services, that is TCP ports 22 and 80, create a new zone file under the user directory. The file must be XML and its base name becomes the zone name, which is currently limited to 17 characters because it is embedded in iptables chain names. Services are referenced by name rather than by port number, so the zone file stays correct if a service definition changes.

Save and exit.

Note: Reload the firewall service with --reload so that the new file is read.

Now re-check the available zones with --get-zones; the new zone should appear in the list.

Note: With this file we created a new zone (linuxtecksecure) that enables only the http and ssh services by default. Firewalld reads zone files only at start-up and on reload, so after creating or editing any zone file always reload the service; otherwise the change is not picked up. (A reload also discards any runtime-only changes that have not been made permanent.)

Step 3: Services

Similarly, firewalld has another component called "Services". A service is a named bundle of ports, protocols and optional kernel helper modules, and services are referenced from zone files to manage traffic rules. Every service used in the default zone configurations is among the predefined ones.

9. How to list all the available services in firewalld?

Use the --get-services option.
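Here is step 8 done with a script rather than by hand, together with the interface move from step 7. This is an added example, not the article's own commands and not code from the firewalld project. It assumes the zone name linuxtecksecure from the article, that ZONE_DIR may be pointed at a scratch directory to rehearse without touching the live firewall (the default is /etc/firewalld/zones), and that the firewall-cmd steps run only when the tool is installed and you are root; the function names are mine.

```sh
#!/bin/sh
# Added example for this article (not code from the firewalld project):
# build a custom zone file that permits only ssh and http, sanity-check it,
# load it into firewalld and optionally bind an interface to it.
#
# Assumptions: ZONE_DIR defaults to the user zone directory and can be
# overridden (e.g. ZONE_DIR=/tmp/zones) for a dry run; firewall-cmd is only
# invoked when present. Run as: sh zone.sh create [zone-name] [interface]

ZONE_DIR="${ZONE_DIR:-/etc/firewalld/zones}"

# firewalld takes the zone name from the file name; it is limited to
# 17 characters and, here, to letters, digits, '-' and '_'.
valid_zone_name() {
    case "$1" in
        "" | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 17 ]
}

# Write ZONE_DIR/<name>.xml allowing the listed services and nothing else.
# firewalld resolves each service via /usr/lib/firewalld/services/<svc>.xml,
# so "ssh" and "http" map to tcp/22 and tcp/80 without hard-coding ports.
# Prints the path of the file it wrote.
write_zone_file() {   # name description service...
    _name="$1"; _desc="$2"; shift 2
    valid_zone_name "$_name" || { echo "bad zone name: $_name" >&2; return 1; }
    _file="$ZONE_DIR/$_name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$_name" "$_desc"
        for _svc; do printf '  <service name="%s"/>\n' "$_svc"; done
        printf '</zone>\n'
    } >"$_file" && chmod 0644 "$_file" && printf '%s\n' "$_file"
}

# Read back the services a zone file permits (space separated) before
# reloading; plain sed, so it works without an XML toolchain.
zone_file_services() {   # name
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$ZONE_DIR/$1.xml" \
        | tr '\n' ' ' | sed 's/ $//'
}

# Reload so firewalld reads the new file, confirm the zone is known, and
# optionally move an interface into it at runtime and permanently.
activate_zone() {   # name [interface]
    command -v firewall-cmd >/dev/null 2>&1 \
        || { echo "firewall-cmd not found; zone file written only" >&2; return 0; }
    firewall-cmd --reload || return 1
    firewall-cmd --get-zones | tr ' ' '\n' | grep -qx "$1" \
        || { echo "zone $1 not loaded" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        firewall-cmd --zone="$1" --change-interface="$2" \
            && firewall-cmd --permanent --zone="$1" --change-interface="$2"
    fi
    firewall-cmd --zone="$1" --list-all
}

case "${1:-}" in
    create)
        write_zone_file "${2:-linuxtecksecure}" "Allow only ssh and http" ssh http \
            && activate_zone "${2:-linuxtecksecure}" "${3:-}"
        ;;
esac
```

The zone lists services, not ports, so the same file keeps working if a service definition is ever amended; the name check catches the 17-character limit before firewalld would reject the file at reload time.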
Note: Firewalld ships with a large number of predefined services, stored as XML files under /usr/lib/firewalld/services/, and --get-services lists them all by name. If the service you need is not among them, copy one of these files into /etc/firewalld/services/, adjust the ports, and reload.

10. How to list the services enabled in a particular zone?

Use --zone=<zone> --list-services.

Note: For the work zone the output shows only two services enabled, dhcpv6-client and ssh.

11. How to add an existing service to the default zone?

Use --add-service=<service> without a zone option.

Note: In this example the samba service is added to the default zone. Verify it with --list-services.

Note: Similarly, a service can be added to a zone other than the default one by giving --zone=<zone> together with --add-service. Without --permanent both commands change only the running firewall; see Step 4.
Step 4: Firewalld runtime and permanent configuration

Firewalld keeps two separate configurations, permanent and runtime (immediate). When the service starts it loads the permanent configuration into the runtime configuration. Any change you make after that, whether an add or an update, is applied to the runtime configuration only; it is not written to the permanent configuration automatically and disappears on the next reload or restart. To make a rule permanent, add the --permanent option. A --permanent change is the mirror image: it is written to the permanent configuration but does not touch the running firewall until you reload or restart the service.

12. How to add a service permanently?

Use --permanent --add-service=<service>, then --reload.

Note: Remember, whenever you use the --permanent flag, reload the firewall service afterwards; until then the running firewall does not know about the rule. Real-world examples of permanent rules are covered in separate articles: (a) allowing the http and https services in firewalld, (b) allowing the DNS port in firewalld.

13. How do I migrate my runtime settings to permanent?

Use --runtime-to-permanent.

Note: The usual practice is to test all rules in the runtime configuration and, once they work, make them permanent. --runtime-to-permanent does that in one shot for the entire runtime configuration of every zone, so first review what is currently active (--list-all) to make sure a test rule you did not mean to keep is not persisted along with the rest. Afterwards the permanent and runtime configurations are identical, so a reload is harmless but not required.

Step 5: Ports

Firewalld also lets you handle network ports directly. Even without a service definition for the program in question, you can open and close the relevant port in the firewall.

14. How to open a port for samba in the public zone?
Use --zone=public --add-port=<port>/<protocol>. Samba needs 445/tcp and 139/tcp for SMB plus 137/udp and 138/udp for NetBIOS, which is exactly what the predefined samba service bundles; opening ports by hand is meant for programs that have no service definition.

Note: The port is now open for samba. Verify it with --zone=public --list-ports (ports opened this way appear under "ports", not under "services").

Note: Once the rule has been tested successfully, make it permanent either by repeating the command with the --permanent flag and reloading, or by running --runtime-to-permanent.

Step 6: Timeout

Firewalld has another useful feature called timeout, which lets an administrator add a quick, self-expiring rule to the runtime configuration. For example, a user wants to download a file from the server via the FTP service. Since this is a one-time action, a permanent rule is not required; the download may take 2 to 5 minutes depending on the file size. We can therefore allow the FTP service for 5 minutes, after which firewalld removes the rule automatically.
Use --add-service=ftp --timeout=5m in the zone of your choice.

Note: The timeout can be given in seconds (s), minutes (m) or hours (h); a bare number means seconds. Timeouts apply only to the runtime configuration and cannot be combined with --permanent. The same mechanism is a good safety net for risky remote changes, for example a rich rule that rejects traffic from a range of addresses: if you cut yourself off, the rule expires on its own.

That's it! In the next session we will see how to configure the firewalld service step by step using its advanced features, with examples. Thank you for taking the time to read this; I hope the article helps you understand the basic usage of the firewall-cmd command. Please leave your feedback and comments, and if you found the article useful, share it so that it may help others as well. A few firewalld references were collected from the linked site. Thank you!
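The runtime/permanent workflow of Step 4 (including a check of what --runtime-to-permanent would carry over) and the timed rule of Step 6, combined into one script: open a service with a timeout, confirm it is active, and only then persist it. This is an added example, not from the article and not code from the firewalld project. Assumptions: the function names are mine; when DRY_RUN=1 is set or firewall-cmd is not installed, every firewall-cmd invocation is appended to $FW_LOG instead of being executed, so the sequence can be rehearsed on any machine; for a real run you are root on a host with firewalld.

```sh
#!/bin/sh
# Added example for this article (not code from the firewalld project):
# test a rule in the runtime configuration with a timeout, verify it, then
# persist it explicitly; plus an audit of runtime-only (uncommitted) services.
#
# Assumptions: run as root with firewall-cmd on PATH for a real run. With
# DRY_RUN=1, or when firewall-cmd is absent, each command line is recorded
# in $FW_LOG instead of executed.
# Usage: sh fw-safe.sh apply [zone] [service] [seconds]
#        sh fw-safe.sh audit [zone]

FW_LOG="${FW_LOG:-/tmp/firewall-cmd-dryrun.log}"

# Run firewall-cmd, or log the exact command line in dry-run mode.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        printf 'firewall-cmd %s\n' "$*" >>"$FW_LOG"
        return 0
    fi
    firewall-cmd "$@"
}

# Print the services in the first (runtime) list that are missing from the
# second (permanent) list; both are space-separated, as --list-services prints.
diff_services() {   # "runtime services" "permanent services"
    _out=""
    for _s in $1; do
        case " $2 " in
            *" $_s "*) ;;
            *) _out="${_out:+$_out }$_s" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Services enabled in the running firewall for a zone but not yet in its
# permanent configuration: what --runtime-to-permanent would save, and what
# a reload or restart would silently drop.
runtime_only_services() {   # zone
    _rt=$(fw --zone="$1" --list-services)
    _pm=$(fw --permanent --zone="$1" --list-services)
    diff_services "$_rt" "$_pm"
}

# Open a service in the runtime configuration only, for N seconds. Timeouts
# never apply to --permanent; firewalld removes the rule when it expires,
# which is the safety net if the change turns out to be wrong.
add_temporarily() {   # zone service seconds
    fw --zone="$1" --add-service="$2" --timeout="$3"
}

# Persist the service explicitly (--permanent alone never touches the running
# firewall), then reload so the permanent rule replaces the timed one. Adding
# it by name, rather than with --runtime-to-permanent, means nothing else that
# happens to be in the runtime configuration is committed by accident.
persist_service() {   # zone service
    fw --permanent --zone="$1" --add-service="$2" && fw --reload
}

# Full workflow: timed rule -> check it is active -> persist.
apply_service_safely() {   # zone service seconds
    add_temporarily "$1" "$2" "$3" || return 1
    # On a real host, test the service from a client here before persisting.
    fw --zone="$1" --query-service="$2" \
        || { echo "service $2 is not active in zone $1" >&2; return 1; }
    persist_service "$1" "$2"
}

case "${1:-}" in
    audit) runtime_only_services "${2:-public}" ;;
    apply) apply_service_safely "${2:-public}" "${3:-ftp}" "${4:-300}" ;;
esac
```

Run the audit before any --runtime-to-permanent: an empty result means the running firewall and the permanent files agree; anything listed is a rule that will vanish at the next reload unless committed.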