Firewalld is a firewall management system in Linux that allows you to configure firewall rules based on network zones instead of chain rules as in iptables. It is a dynamically managed firewall that allows you to define network/firewall zones and assign different trust levels to network interfaces & connections. In this article, we will look at how to configure firewalld in Redhat, CentOS Linux.
How to Configure Firewalld in Redhat, CentOS Linux
Here are the steps to configure firewalld in Redhat, CentOS Linux. It works on the concept of private & public zones. Basically, we need to add network interfaces in our configuration, specify their zones, and then add services to firewalld.
1. Install firewalld
firewalld is already installed by default in RHEL/CentOS systems. If it is not present on your server, open terminal and run the following command to install firewalld.
# yum install firewalld -y
2. Stop Iptables
Since firewalld and iptables both serve a similar purpose and can conflict with each other, we will stop iptables and disable it with the following commands.
# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables
3. List Firewall Zones
Firewalld works with zones. Each zone can contain ports & services. We need to assign network interfaces to firewall zones and then add services to it. Here are the different zones available.
- Drop zone – all incoming packets are dropped in this zone. Only outgoing connections are allowed
- Block zone – it blocks all incoming connections and allows only connections initiated from within the server
- Public zone – rules defined in this zone allow services & ports to accept incoming connections. Rest are dropped.
- External zone – only specific external connections are allowed
- DMZ zone – meant for computers in your demilitarized zone that have limited access to the rest of the network
- Work Zone – to be used for work machines. Other systems on this network are generally trusted.
- Home Zone – suitable for home networks with a few trusted connections within your network.
- Trusted Zone – all traffic is accepted if you place a service or port in this zone.
- Internal Zone – similar to work zone with limited connections allowed. To be used on internal networks as other systems on network are trusted
Here is the command to list all available firewalld zones.
# firewall-cmd --get-zones
Here is the command to show the default firewall zone.
# firewall-cmd --get-default-zone
Here is the command to list the configuration of all firewall zones. We pipe its output to the more command since the output runs to many lines.
# firewall-cmd --list-all-zones | more
4. Set Default Firewall Zone
You can use the following command to set the default zone of your firewall. Here is an example to set firewall zone to internal.
# firewall-cmd --set-default-zone=internal
You can verify the change with the following command.
# firewall-cmd --get-default-zone
If you want to get the zone of a specific interface such as enp0s3, use the following command.
# firewall-cmd --get-zone-of-interface=enp0s3
5. Configure Services in Firewalld
Services are rules with ports & options in firewalld. They are automatically loaded when firewalld is running. Here is the command to list all services in firewalld.
# firewall-cmd --get-services
You can also find all the default services available with the following command.
# ls /usr/lib/firewalld/services/
Let us say you want to add a service for RTMP port 1935 to firewalld. In this case, copy any of the existing service files from /usr/lib/firewalld/services into /etc/firewalld/services and name the copy rtmp.xml, or something else as per your requirement.
# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/rtmp.xml
Open the file with a text editor.
sudo vi /etc/firewalld/services/rtmp.xml
Edit Heading (rtmp), Description, Protocol, and Port number (1935) to reflect the new service. Save and close the file. Reload firewalld to apply changes.
# firewall-cmd --reload
Confirm changes with the following command.
# firewall-cmd --get-services
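The service file described in this step, generated by a small shell helper instead of hand-editing a copy. This is an added example, not part of the original article; `write_service` is a hypothetical helper name, and the layout (`<service>` containing `<short>`, `<description>` and `<port>`) follows the stock files in /usr/lib/firewalld/services.

```shell
#!/bin/sh
# Added example: write a firewalld service definition such as rtmp.xml.
# write_service is a hypothetical helper: write_service NAME PORT PROTO [DIR]
write_service() {
    name=$1 port=$2 proto=$3 dir=${4:-/etc/firewalld/services}

    # The name becomes a file name, so restrict it to a safe character set.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: $name" >&2; return 1 ;;
    esac
    # The port must be a whole number between 1 and 65535.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Only the two transport protocols used in this article are accepted here.
    case $proto in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac

    # Heading (short), description, protocol and port: the fields edited in step 5.
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>Allow inbound $name traffic on $port/$proto.</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Usage (as root): write_service rtmp 1935 tcp && firewall-cmd --reload
```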
6. Add Service to Firewalld zones
Now that you have created a service in firewalld, you can add it to any of the firewalld zones with the following command. Make sure you pass the service's XML filename without the .xml extension (rtmp for rtmp.xml) to the --add-service option.
# firewall-cmd --add-service=rtmp
The above command will add the service temporarily till system reboot. If you want to add the new service permanently, use the --permanent option.
# firewall-cmd --add-service=rtmp --permanent
You can also remove service with the following command.
# firewall-cmd --zone=public --remove-service=rtmp
Reload the firewall to apply changes.
# firewall-cmd --reload
You may also add firewall rules for a specific source IP address, or open a system port, as shown below.
# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp
You can also add rich rules, which make it easy to allow services to connect to your server. Here is an example to allow HTTPS connections from a specific source address.
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent
After adding these rules, remember to reload firewalld to apply changes.
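Runtime and permanent rules are stored separately, so a rule added without --permanent, or one added with --permanent but not yet reloaded, leaves the two sets out of sync. The script below is an added example (not from the original article) that reports such drift for the default zone; `only_in`, `drift_report` and `zone_drift` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: find services and ports that exist only in the runtime or
# only in the permanent firewalld configuration of a zone.

# only_in "a b c" "b c d": print each word of the first list missing from the second.
only_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# drift_report LABEL RUNTIME_LIST PERMANENT_LIST: one line per mismatched entry.
drift_report() {
    label=$1 run=$2 perm=$3
    for x in $(only_in "$run" "$perm"); do
        echo "$label $x: runtime only, lost on reload or reboot"
    done
    for x in $(only_in "$perm" "$run"); do
        echo "$label $x: permanent only, not active until reload"
    done
}

# zone_drift ZONE: compare the live and the permanent lists for one zone.
zone_drift() {
    zone=$1
    for kind in services ports; do
        run=$(firewall-cmd --zone="$zone" --list-"$kind")
        perm=$(firewall-cmd --permanent --zone="$zone" --list-"$kind")
        drift_report "$zone $kind" "$run" "$perm"
    done
}

# Check the default zone, but only when firewalld is installed and running.
if firewall-cmd --state >/dev/null 2>&1; then
    zone_drift "$(firewall-cmd --get-default-zone)"
fi
```

No output means the running firewall matches what will be loaded after the next reload or reboot.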
In this article, we have learnt how to configure various types of firewall rules in the firewalld utility.
Sreeram has more than 10 years of experience in web development, Python, Linux, SQL and database programming.