Setup and Configure Basic Firewall Using FirewallD on CentOS 7 Linux System


In this article we set up and configure a basic firewall using firewalld on the RPM family of Linux systems (Red Hat 7, CentOS 7, Scientific Linux 7). We cover how to set up a firewall for your server and the basics of managing it: enabling and starting the firewalld service, allowing services and ports, and configuring zones. We use the firewall-cmd command throughout to configure and manage firewalld; firewall-config, the firewalld GUI configuration tool, is not covered in this article.

FirewallD provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings and Ethernet bridges, and keeps runtime and permanent configuration separate. It also provides a D-Bus interface through which services or applications can add firewall rules directly.

FirewallD is the default firewall on release 7 of the RPM family (Red Hat 7, CentOS 7, Scientific Linux 7). It replaces the old iptables service as the way rules are managed, but it is not a replacement for the packet-filtering engine itself: firewalld still drives the kernel’s netfilter code (through iptables on these releases). For the same reason the firewalld and iptables services must never be active at the same time, since each would overwrite the other’s rules.

If you prefer iptables, see our article “Setup and Configure Basic iptables on CentOS 7 Linux system”. It contains everything you need to migrate from firewalld to iptables.

Part 1: Checking if FirewallD is installed and running

The first step is to check whether FirewallD is installed and running. This can be done via systemd by running the following:

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
 Active: active (running) since Thu 2016-08-25 11:33:46 EET; 5 days ago
 Main PID: 1160 (firewalld)
 CGroup: /system.slice/firewalld.service
 └─1160 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Aug 25 11:33:45 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 25 11:33:46 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
   ...

Alternatively, you can check using the firewall-cmd tool:

# firewall-cmd --state
running

As the output shows, firewalld is installed, enabled and running by default on standard CentOS 7 / Red Hat 7 installations.

For now I am going to disable the firewalld service. An enabled service starts at boot; we should wait until we have created our firewall rules and had a chance to test them before turning that on, which helps avoid being locked out of the machine if something goes wrong. Note that systemctl disable only removes the boot-time start: the running daemon keeps filtering until it is stopped or the machine reboots. A reboot during this window brings the host up with no firewall at all, so keep the window short and do not leave it open on an Internet-facing server.

Run the following command to disable the firewalld for now:

# systemctl disable firewalld

If firewalld is not present on your box for any reason, install it as follows:

# yum -y install firewalld

Now start it as follows:

# systemctl start firewalld

  • Enabling FirewallD

This is the last step in this article: once you have configured the firewall as you like, enable it via systemd so that it starts at boot:

# systemctl enable firewalld

Again, do not run this step now; enable firewalld only once you have finished all your configuration. I include the command here only to keep the article’s structure complete.
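The lock-out concern above is usually handled with a timed rollback rather than by leaving the firewall disabled. The script below is an added example, not code from the article: it snapshots the permanent configuration, applies one permanent change, reloads, and restores the snapshot unless you confirm within a grace period. It assumes firewalld keeps its permanent configuration under /etc/firewalld and that firewall-cmd --reload activates it; the FIREWALLD_DIR, FW_CMD and ROLLBACK_TIMEOUT variables, the confirmation-file convention and the fw_* function names are this example’s own.

```shell
#!/bin/bash
# Added example (not from the article): apply a permanent firewalld change
# with an automatic rollback, so a bad rule cannot lock you out of an SSH
# session for longer than the grace period.
# Assumptions: the permanent configuration lives under /etc/firewalld and
# `firewall-cmd --reload` activates it. The variables below are overridable
# so the logic can be exercised against a scratch directory and a stub.

FIREWALLD_DIR="${FIREWALLD_DIR:-/etc/firewalld}"
FW_CMD="${FW_CMD:-firewall-cmd}"
ROLLBACK_TIMEOUT="${ROLLBACK_TIMEOUT:-60}"   # seconds until automatic rollback

# fw_backup: snapshot the permanent configuration into a tarball; prints its path.
fw_backup() {
    local tarball
    tarball="$(mktemp "${TMPDIR:-/tmp}/firewalld-backup.XXXXXX")"
    tar -C "$FIREWALLD_DIR" -cf "$tarball" .
    printf '%s\n' "$tarball"
}

# fw_restore <tarball>: put the snapshot back and reload so it becomes the
# running rule set. The directory is emptied first so that files created after
# the snapshot (a broken custom zone or service) do not survive the restore.
fw_restore() {
    local tarball="$1"
    find "$FIREWALLD_DIR" -mindepth 1 -delete
    tar -C "$FIREWALLD_DIR" -xf "$tarball"
    "$FW_CMD" --reload >/dev/null
}

# fw_apply_with_rollback <confirm-file> <firewall-cmd args...>
# Applies one change with --permanent, reloads, and arms a background timer
# that restores the snapshot unless <confirm-file> exists when it fires.
# Verify access from a *new* session, then `touch <confirm-file>` to keep it.
fw_apply_with_rollback() {
    local confirm="$1" backup
    shift
    backup="$(fw_backup)"
    "$FW_CMD" --permanent "$@" >/dev/null
    "$FW_CMD" --reload >/dev/null
    (
        sleep "$ROLLBACK_TIMEOUT"
        if [ ! -e "$confirm" ]; then
            fw_restore "$backup"
            logger -t fw-apply "no confirmation within ${ROLLBACK_TIMEOUT}s, rolled back: $*" 2>/dev/null || :
        fi
    ) &
    printf 'applied %s; touch %s within %ss to keep it\n' "$*" "$confirm" "$ROLLBACK_TIMEOUT"
}

# Demo session, run only when invoked as `./fw-apply.sh demo`, so that sourcing
# the file for its functions changes nothing:
if [ "${1:-}" = "demo" ]; then
    fw_apply_with_rollback /run/fw-confirm --zone=public --add-service=http
    # ...check from another host that SSH still works, then: touch /run/fw-confirm
fi
```

The confirmation must come from a fresh session (a new SSH login, not the one you already hold), because an existing connection is usually still allowed by connection tracking even when the new rules would block it.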

Part 2: Managing zones

FirewallD operates using the concept of zones, where a zone defines the level of trust given to a connection. You can place different network interfaces in different zones to apply specific firewall rules per interface, or use one zone for all interfaces.

Out of the box, firewalld ships with nine pre-configured zones, ranging from drop (all incoming traffic dropped) and block (all incoming traffic rejected) through public, external, dmz, work, home and internal to trusted (all traffic accepted). Interfaces land in the default zone, public, unless assigned elsewhere, but any of the other zones can be applied too.

  • Listing all available zones

To get a list of all of the available zones, run the following command:

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

  • Checking the default zone

To get the default zone that’s currently configured, run the following command:

# firewall-cmd --get-default-zone
public

  • Changing the default zone

If you wish to change the default zone (for example, to home), this can be done by running:

# firewall-cmd --set-default-zone=home
success

This information will be reflected in the main configuration file, /etc/firewalld/firewalld.conf.

Hints:
1. Changing the default zone is a permanent change: it survives a restart of the firewalld service, and it also takes effect in the running firewall immediately.
2. Do not edit /etc/firewalld/firewalld.conf by hand; use firewall-cmd instead.

  • Checking the currently assigned zones

To list the active zones, that is, the zones that have interfaces assigned to them, run:

# firewall-cmd --get-active-zones
public
 interfaces: enp0s20u3 enp0s20u4 wlp2s0

As the output shows, all interfaces are assigned to the public zone by default. Because I am using a laptop, three interfaces appear in it.

You can also check the zone of a single interface (enp0s20u3 in this case) by running:

# firewall-cmd --get-zone-of-interface=enp0s20u3
public

  • Creating zones

To create your own zone, myzone in this example, run:

# firewall-cmd --permanent --new-zone=myzone
success

A zone can only be created in the permanent configuration, so the new zone is not visible to the running firewall until you reload it:

# firewall-cmd --reload
success

Now, I’ll check the existence of myzone, run the following command:

# firewall-cmd --get-zones
block dmz drop external home internal myzone public trusted work

  • Deleting zones

To delete a zone you no longer need, run:

# firewall-cmd --permanent --delete-zone=myzone
success

The --permanent option is required here too; reload firewalld to remove the zone from the running configuration:

# firewall-cmd --reload
success

  • Applying a zone to an interface

To assign a network interface to a zone permanently, either use firewall-cmd with the --permanent flag, or add ZONE=<zone> to the interface’s configuration file (/etc/sysconfig/network-scripts/ifcfg-<interface>) and restart the network. On hosts where NetworkManager manages the interface, prefer the connection profile (that ZONE= line, or nmcli connection modify <connection> connection.zone <zone>), because NetworkManager re-applies the connection’s zone every time the interface comes up. Without --permanent the firewall-cmd change takes effect immediately but is lost on reload; with it, reload to activate it. To assign interface enp0s20u3 to the internal zone, run:

# firewall-cmd --permanent --zone=internal --change-interface=enp0s20u3
success

  • Getting the permanent configuration of a zone

In order to check the permanent configuration of a zone (internal in this case) including the assigned interfaces, allowed services, port settings and more, run:

# firewall-cmd --list-all --zone=internal --permanent
internal (active)
 interfaces: enp0s20u3
 sources: 
 services: dhcpv6-client ipp-client mdns samba-client ssh
 ports: 
 masquerade: no
 forward-ports: 
 icmp-blocks: 
 rich rules: 

The internal zone is now shown as active because it has an interface assigned to it.
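After moving interfaces between zones it is worth checking, in one view, which zones are actually active and what each one exposes. The script below is an added example, not code from the article or from the firewalld project: it parses the text that firewall-cmd --list-all-zones prints in the format shown above and reports every active zone with its interfaces, services and ports, flagging an active trusted zone and a few cleartext services. The listing embedded in it is constructed for the demonstration, and the risky-service list and the fw_audit_zones name are the example’s own choices.

```shell
#!/bin/bash
# Added example (not from the article): audit which firewalld zones are
# active and what each exposes, from the output of `firewall-cmd --list-all-zones`.
# Assumption: the listing format is the one shown in the article (zone name at
# column 1, followed by "(active)" when an interface is bound, attributes indented).

fw_audit_zones() {
    awk '
    # rest(): fields 2..NF joined with commas, or "-" when the attribute is empty
    function rest(    i, s) {
        s = ""
        for (i = 2; i <= NF; i++) s = s (s == "" ? "" : ",") $i
        return (s == "" ? "-" : s)
    }
    # flush(): report the zone collected so far, but only if it is active
    function flush(    n, i, parts) {
        if (zone == "" || !active) return
        printf "%s interfaces=%s services=%s ports=%s\n", zone, iface, svc, ports
        if (zone == "trusted")
            printf "WARN %s: trusted zone accepts all traffic on %s\n", zone, iface
        n = split(svc, parts, ",")
        for (i = 1; i <= n; i++)
            if (parts[i] in risky)
                printf "WARN %s: %s exposed (%s)\n", zone, parts[i], risky[parts[i]]
    }
    BEGIN {
        # services that should never face an untrusted network (example list)
        risky["telnet"] = "cleartext login"
        risky["ftp"]    = "cleartext credentials"
        risky["tftp"]   = "unauthenticated file transfer"
        zone = ""
    }
    /^[^ \t]/ {                     # zone header, e.g. "public (active)"
        flush()
        zone = $1; active = ($2 == "(active)")
        iface = "-"; svc = "-"; ports = "-"
        next
    }
    /^[ \t]+interfaces:/ { iface = rest(); next }
    /^[ \t]+services:/   { svc = rest(); next }
    /^[ \t]+ports:/      { ports = rest(); next }
    END { flush() }
    '
}

# Constructed sample in the format of `firewall-cmd --list-all-zones` on
# CentOS 7: two active zones (one with telnet allowed) and one inactive zone.
SAMPLE_ZONES='public (active)
  interfaces: enp0s20u3 enp0s20u4
  sources: 
  services: dhcpv6-client ssh telnet
  ports: 7000-8000/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

internal (active)
  interfaces: wlp2s0
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
'

# Live use:  firewall-cmd --list-all-zones | fw_audit_zones
# On the sample above:
printf '%s' "$SAMPLE_ZONES" | fw_audit_zones
```

On the sample this prints the two active zones and one warning for telnet in public; the inactive trusted zone is not reported, because a zone with no interface bound to it filters nothing.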

Part 3: Managing services

Once you have assigned and configured your required zones, you can start adding services to them. A service is a named bundle of the ports and protocols (and, where needed, the netfilter helper modules) that one application needs, so that you allow “http” in a zone rather than remembering port numbers.

  • Listing existing services

A number of common services are pre-configured within firewalld. These can be listed:

# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

You can also get a list of the services enabled for the default zone:

# firewall-cmd --list-services
dhcpv6-client ipp ipp-client mdns ssh

  • Adding a service to a zone

You can enable a given service for a zone (public) permanently using the --add-service flag:

# firewall-cmd --permanent --zone=public --add-service=http
success

And then reload the current firewall session:

# firewall-cmd --reload
success

Then, to verify it was added:

# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh

  • Removing a service from a zone

You can remove a given service for a zone (public) permanently using the --remove-service flag:

# firewall-cmd --permanent --zone=public --remove-service=http
success

And then reload the current firewall session:

# firewall-cmd --reload
success

Then, to verify it was removed:

# firewall-cmd --zone=public --list-services
dhcpv6-client ssh

  • Adding/removing multiple services from a zone

You can add or remove multiple services (for example, http and https) from a zone either one at a time or all at once. The curly-brace form below is Bash brace expansion: the shell turns --add-service={http,https} into --add-service=http --add-service=https before firewall-cmd sees it, and firewall-cmd accepts the option more than once.

# firewall-cmd --permanent --zone=public --add-service={http,https}
success

# firewall-cmd --list-services --permanent
dhcpv6-client http https ipp ipp-client mdns ssh

  • Creating new services

Sometimes you need to add a custom service, for example after changing the port the SSH daemon listens on. Services are defined in simple XML files; the stock definitions live in /usr/lib/firewalld/services:

#  tree /usr/lib/firewalld/services
/usr/lib/firewalld/services
├── amanda-client.xml
├── bacula-client.xml
├── bacula.xml
├── dhcpv6-client.xml
├── dhcpv6.xml
├── dhcp.xml
├── dns.xml
├── freeipa-ldaps.xml
├── freeipa-ldap.xml
├── freeipa-replication.xml
├── ftp.xml
├── high-availability.xml
├── https.xml
├── http.xml
...

The easiest way to create a new service is to copy an existing service file and modify it. Custom services belong in /etc/firewalld/services, where a file with the same name as a stock service overrides it, so use a new name unless you intend to replace the original. For example, to build a custom SSH service:

# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/ssh-custom.xml

The contents of this copied file should look like:

# cat /etc/firewalld/services/ssh-custom.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

To change the port, edit the port attribute. The name firewall-cmd uses for the service is the file name without .xml (ssh-custom here), not the <short> element; <short> and <description> are display metadata used by firewall-config and similar tools, so change them to avoid confusion, but they do not affect the rules. In this example, I am changing the port to 1234:

# vim /etc/firewalld/services/ssh-custom.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH-Custom</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="1234"/>
</service>

Once saved, reload firewalld so that it picks up the new service file; only then can you reference the service in a zone, and the permanent change needs a further reload before it takes effect:

# firewall-cmd --reload
success

# firewall-cmd --permanent --zone=public --add-service=ssh-custom
success

Before you remove the stock ssh service (port 22) from the zone, make sure sshd is really listening on the new port: set Port 1234 in /etc/ssh/sshd_config, and on an SELinux-enforcing host allow the port with semanage port -a -t ssh_port_t -p tcp 1234, then restart sshd. Confirm that a fresh SSH session to port 1234 works from another machine while your current session is still open; only then remove ssh from the zone and reload.
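A hand-edited service file has no validation, and the change itself is the classic way to lock yourself out of SSH. The script below is an added example, not code from the article: fw_write_service generates a service file like ssh-custom.xml above from a name, display text and port/protocol specs, rejecting bad ports and protocols before anything lands in /etc/firewalld/services, and fw_switch_ssh_port shows the order of operations that keeps port 22 open until the new port is proven to work. SERVICES_DIR, the function names and the listening check with ss are this example’s own; the semanage step applies only to SELinux-enforcing hosts.

```shell
#!/bin/bash
# Added example (not from the article): build firewalld service definitions
# with validation, and move SSH to a new port without locking yourself out.
# Assumption: custom service files live in /etc/firewalld/services and are
# named <service>.xml; SERVICES_DIR is overridable for testing.

SERVICES_DIR="${SERVICES_DIR:-/etc/firewalld/services}"

# valid_port_spec <port[-port]/proto>: true for 1..65535, ascending range, tcp|udp
valid_port_spec() {
    local spec="$1" ports lo hi
    case "$spec" in */tcp|*/udp) ;; *) return 1 ;; esac
    ports="${spec%/*}"
    lo="${ports%%-*}"; hi="${ports##*-}"
    case "$lo" in ""|*[!0-9]*) return 1 ;; esac
    case "$hi" in ""|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# fw_write_service <name> <short> <description> <port/proto>...
# Writes $SERVICES_DIR/<name>.xml in the format of the stock files and prints
# its path. <name> is what `--add-service=` will use; <short> is display text.
fw_write_service() {
    local name="$1" short="$2" desc="$3" spec out
    shift 3
    case "$name" in ""|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    case "$short$desc" in *['<>&']*) echo "short/description must not contain < > &" >&2; return 1 ;; esac
    [ "$#" -ge 1 ] || { echo "at least one port/proto is required" >&2; return 1; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    out="$SERVICES_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    printf '%s\n' "$out"
}

# fw_switch_ssh_port <port>: the safe order. Prerequisite: sshd already
# listens on <port> (Port <port> in /etc/ssh/sshd_config; on SELinux hosts also
# `semanage port -a -t ssh_port_t -p tcp <port>`, then restart sshd).
# Port 22 stays open until you have verified a new session on <port>.
fw_switch_ssh_port() {
    local port="$1"
    fw_write_service ssh-custom SSH-Custom "SSH on port $port" "$port/tcp" >/dev/null || return 1
    firewall-cmd --reload                                   # load the new service file
    firewall-cmd --permanent --zone=public --add-service=ssh-custom
    firewall-cmd --reload                                   # activate the permanent change
    if ! ss -ltn "( sport = :$port )" | grep -q LISTEN; then
        echo "nothing listens on tcp/$port; leaving the ssh service (port 22) in place" >&2
        return 1
    fi
    echo "open a second SSH session to port $port; once it works, run:"
    echo "  firewall-cmd --permanent --zone=public --remove-service=ssh && firewall-cmd --reload"
}

# Only touches the live firewall when invoked as `./ssh-port.sh demo <port>`:
if [ "${1:-}" = "demo" ]; then
    fw_switch_ssh_port "${2:-1234}"
fi
```

The generated file is byte-for-byte in the shape of the stock definitions, so firewalld loads it on the next reload exactly like the hand-edited copy; the difference is that a typo such as 12345/tcp with a transposed digit or 22/icmp is refused before it reaches the firewall.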

Part 4: Port management

In addition to using services, you can also manually allow ports by protocol. To allow the TCP port 7777 for the public zone:

# firewall-cmd --permanent --zone=public --add-port=7777/tcp
success

You can also add a port range:

# firewall-cmd --permanent --zone=public --add-port=7000-8000/tcp
success

To remove (and thus deny again) TCP port 7777 from the public zone:

# firewall-cmd --permanent --zone=public --remove-port=7777/tcp
success

After reloading the firewall, you can list the currently allowed ports for a zone (public); port 7777 is gone and only the range remains:

# firewall-cmd --zone=public --list-ports
7000-8000/tcp
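Two kinds of drift follow from the runtime/permanent split used throughout this article: a change made with --permanent stays inactive until a reload, and a change made without it is lost on the next reload or reboot. The helper below is an added example, not code from the article: it lists a zone’s services and ports in both views and prints what differs, returning non-zero when anything drifts so it can gate a deployment step. FW_CMD is overridable for testing, and the expected output quoted in the comments is for the article’s own sequence of commands, not observed output.

```shell
#!/bin/bash
# Added example (not from the article): detect drift between the running
# firewall and the permanent configuration of one zone.
# Assumption: `firewall-cmd --zone=Z --list-services` / `--list-ports` print a
# space-separated list, with --permanent selecting the saved configuration.
# FW_CMD is overridable so the comparison can be exercised with a stub.

FW_CMD="${FW_CMD:-firewall-cmd}"

# fw_list <zone> <services|ports> [--permanent]: one item per line, sorted
fw_list() {
    local zone="$1" kind="$2"
    shift 2
    "$FW_CMD" --zone="$zone" "--list-$kind" "$@" | tr ' ' '\n' | sed '/^$/d' | LC_ALL=C sort
}

# fw_drift <zone>: prints one line per drifting item and returns 1 if any exist.
#   runtime-only   = active now, but will disappear on the next reload/reboot
#   permanent-only = saved, but not in effect until `firewall-cmd --reload`
fw_drift() {
    local zone="$1" kind rt pm item found=0
    rt="$(mktemp)"; pm="$(mktemp)"
    for kind in services ports; do
        fw_list "$zone" "$kind" > "$rt"
        fw_list "$zone" "$kind" --permanent > "$pm"
        for item in $(LC_ALL=C comm -23 "$rt" "$pm"); do      # only in runtime
            printf 'runtime-only %s %s (lost on reload)\n' "$kind" "$item"
            found=1
        done
        for item in $(LC_ALL=C comm -13 "$rt" "$pm"); do      # only in permanent
            printf 'permanent-only %s %s (inactive until reload)\n' "$kind" "$item"
            found=1
        done
    done
    rm -f "$rt" "$pm"
    [ "$found" -eq 0 ]
}

# Usage on a live host:
#   fw_drift public || echo "zone public has unreloaded or unsaved changes"
# Between `--permanent --zone=public --add-port=7777/tcp` and `--reload` in the
# article, this would print:  permanent-only ports 7777/tcp (inactive until reload)
if [ "${1:-}" = "check" ]; then
    fw_drift "${2:-public}"
fi
```

Run it before and after every reload on a host you manage by hand; a clean result in both directions is the only proof that what you tested is what will come back after a reboot.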

Summary

In this article we explained how to set up and configure firewalld on the RPM family of Linux systems. We first checked the installation of firewalld on CentOS 7, then configured the three main parts of the firewall, zones, services and ports, with examples of the options available for each.

I hope this article is useful to you.
See you in other articles.
