configure firewalld in rhel

How to Configure Firewalld in Redhat, CentOS Linux

Firewalld is a firewall management system in Linux that allows you to configure firewall rules based on network zones instead chain rules as in iptables. It is a dynamically managed firewall that allows you to define network/firewall zones and assign different trust levels for network interfaces & connections. In this article, we will look at how to configure firewalld in Redhat, CentOS Linux.


How to Configure Firewalld in Redhat, CentOS Linux

Here are the steps to configure firewalld in Redhat, CentOS Linux. It works on the concept of private & public zones. Basically, we need to add network interfaces in our configuration, specify their zones, and then add services to firewalld.


1. Install firewalld

firewalld is already installed by default in RHEL/CentOS systems. If it is not present on your server, open terminal and run the following command to install firewalld.

# yum install firewalld -y


2. Stop Iptables

Since firewalld and iptables both serve similar purpose and can conflict with each other, we will stop iptables and disable it with the following commands.

# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables


3. List Firewall Zones

Firewalld works with zones. Each zone can contain ports & services. We need to assign network interfaces to firewall zones and then add services to it. Here are the different zones available.

  • Drop zone – all incoming packets are dropped in this zone. Only outgoing connections are allowed
  • Block zone – it blocks all incoming connections and allows only connections within the server
  • Public zone – rules defined in this zone allow services & ports to accept incoming connections. Rest are dropped.
  • External zone – only specific external connections are allowed
  • DMZ zone – meant for computers in your demilitarized zone that have limited to access to rest of network
  • Work Zone: To be used for work machines. Other systems on this network are generally trusted.
  • Home Zone – suitable for home networks with a few trusted connections within your network.
  • Trusted Zone – all traffic are accepted if you place a service or port in this zone.
  • Internal Zone – similar to work zone with limited connections allowed. To be used on internal networks as other systems on network are trusted

Here is the command to list all available firewalld zones.

# firewall-cmd --get-zones

Here is the command to list default firewall zone.

# firewall-cmd --get-default-zone

Here is the command to list all firewall zones. We need to pass its output to more command since it will be huge with many lines.

# firewall-cmd --list-all-zones | more


4. Set Default Firewall Zone

You can use the following command to set the default zone of your firewall. Here is an example to set firewall zone to internal.

# firewall-cmd --set-default-zone=internal

You can verify the change with the following command.

# firewall-cmd --get-default-zone

If you want to get the zone of specific interface such as enp0s3 use the following command.

# firewall-cmd --get-zone-of-interface=enp0s3


5. Configure Services in Firewalld

Services are rules with ports & options in firewalld. They are automatically loaded when firewalld is running. Here is the command to list all services in firewalld.

# firewall-cmd --get-services

You will also find list all default services available with following command.

# ls /usr/lib/firewalld/services/

Let us say you want to add service for RTMP port 1935 to firewalld. In this case, make a copy of any any of the existing services at /usr/lib/firewalld/services and rename it as rtmp.xml or something else as per your requirement.

# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/rtmp.xml

Open the file with a text editor.

sudo vi /etc/firewalld/services/rtmp.xml

Edit Heading (rtmp), Description, Protocol, and Port number (1935) to reflect the new service. Save and close the file. Reload firewalld to apply changes.

# firewall-cmd --reload

Confirm changes with the following command.

# firewall-cmd --get-services


6. Add Service to Firewalld zones

Now that you have created a service in firewalld, you can add it to any of the firewalld zones with the following command. Make sure you use the service’s xml filename (rtmp.xml) in –add-service option

# firewall-cmd --add-service=rtmp

The above command will add service temporarily till system reboot. If you want to permanently add new service, then use –permanent option.

# firewall-cmd --add-service=rtmp --permanent

You can also remove service with the following command.

# firewall-cmd --zone=public --remove-service=rtmp

Reload the firewall to apply changes.

# firewall-cmd --reload

You may also add firewall rules from specific source IP address, or open a system port, as shown below.

# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp

You can also add rich rules that allow you to easily allow services to connect to your server. Here is an example to allow HTTPS connections from specific IP address.

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent

After adding these rules, remember to reload firewalld to apply changes.

In this article, we have learnt how to configure various types of firewall fules in firewalld utility.

Also read:

How to Restart Linux Server from Command Line
How to Flush DNS Cache in Windows, Linux & Mac
How to Change Hostname in Debian/Ubuntu
How to Send GET & POST requests using python
How to Create Swap File in Linux

Leave a Reply

Your email address will not be published. Required fields are marked *