Because their business depends on it, enterprises usually attach great importance to network security, and a good firewall is one of the most powerful tools for that.
In this article, you will learn the basics of CentOS 7's new firewall service, Firewalld. It is a front end to Netfilter, the very powerful packet filtering framework built into the kernel, which inspects every packet passing through the system.
This means it can programmatically check, modify, reject, or drop any network packet, whether incoming, outgoing, or forwarded, before the packet reaches its destination. Starting with CentOS 7, Firewalld became the default tool for managing the host-based firewall. The Firewalld daemon is installed from the firewalld package and is present on all base installations of the operating system, but not on minimal installations.
Advantages of using Firewalld over iptables:
- Configuration changes made at run time do not require a reload or restart of the Firewalld service
- Firewall administration is simplified by grouping all network traffic into zones
- Several firewall configurations can exist on one system, so the active one can be switched when the network environment changes
- Firewall settings are queried and maintained through the D-Bus messaging system
In CentOS 7 and later, you can still use classic iptables. To do so, you need to stop and disable the firewalld service. Using Firewalld and iptables at the same time can leave the system in an inconsistent state, because the two are not compatible with each other.
It is recommended to manage the firewall with Firewalld unless there is a specific reason to keep using classic iptables.
Firewalld is designed around this powerful filtering system and is more flexible in handling firewall management. To take advantage of this design, Firewalld classifies incoming traffic into zones according to the interface it arrives on or the source address it comes from.
Each zone manages traffic according to its own set of rules. Unless changed, the default zone is public, and the network interfaces are attached to public.
All predefined zone rules are stored in two locations: the zone files shipped with the system in /usr/lib/firewalld/zones, and user-defined zone files in /etc/firewalld/zones. If a system zone configuration is changed, the modified file is automatically copied to /etc/firewalld/zones/.
This document describes firewalld service basics and how to use the firewall-cmd command in RHEL/CentOS 7.
The contents of this article are as follows:
- Install and enable the Firewalld service
- Zones
  - 1. How do I view all available zones in Firewalld?
  - 2. How do I find out which zone is the default?
  - 3. How do I find the list of active zones and their associated network interfaces?
  - 4. How do I check which rules are listed in the active public zone?
  - 5. How do I view the detailed listing of all available zones?
  - 6. How do I change the default zone to a specific zone?
  - 7. How do I change a network interface from one zone to another?
  - 8. How do I create a custom Firewalld zone?
- Services
  - 1. How do I list all the services available in Firewalld?
  - 2. How do I list the services enabled in a specific zone?
  - 3. How do I add an existing service to the default zone?
- Firewalld's two modes
  - 1. How do I permanently add a service?
  - 2. How do I migrate my runtime settings to permanent settings?
- Ports
  - 1. How do I open the ports for the Samba service in the public zone?
- Timeout
Prerequisites:
- Operating system: CentOS 7 or later
- Software package: Firewalld
- User account: root user or user account with sudo permission
- It is recommended that you run all administrative commands with sudo rather than logging in as root
There are three ways to configure the firewall:
- Edit the configuration files under /etc/firewalld directly
- The graphical firewall-config tool
- The firewall-cmd command line in the terminal
Note: In this article we will focus only on the “firewall-cmd” command.
Install and enable the Firewalld service
First, update the installed packages to their latest versions:
$ sudo yum update -y
Firewalld is present on all base installations of CentOS 7, but not on minimal installations. In that case, install it with the following command:
$ sudo yum install firewalld -y
Use the following commands to start and enable the service:
$ sudo systemctl start firewalld.service
$ sudo systemctl enable firewalld.service
Run the following command to verify the firewall service state:
$ sudo firewall-cmd --state
Output:
running
For a more detailed status:
$ sudo systemctl status firewalld
Detailed output:
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2020-04-18 22:39:56 IST; 2h 52min ago
 Main PID: 759 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 18 22:39:56 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.
Zones
Firewalld introduces several predefined zones and services for different purposes; one benefit of this is that it makes Firewalld administration easier to handle.
With these zones and services we can block all incoming traffic to the system, except what is explicitly allowed by the rules of the zone the traffic is classified into.
1. How do I view all available zones in Firewalld?
$ sudo firewall-cmd --get-zones
The output lists the zones that are predefined in Firewalld.
2. How do I find out which zone is the default?
$ firewall-cmd --get-default-zone
Output:
public
The output shows that the public zone is marked as the default zone. We can change this to suit our requirements, which we will discuss further in the following examples.
3. How do I find the list of active zones and their associated network interfaces?
$ firewall-cmd --get-active-zones
Output:
public
interfaces: enp1s0
In the output above, you can see that the public zone is active and associated with the enp1s0 network interface. Any interface that has not been assigned to a specific zone is automatically attached to the default zone.
4. How do I check which rules are listed in the active public zone?
$ sudo firewall-cmd --list-all --zone="public"
The output shows that the public zone is active and set as the default, that the enp1s0 network interface is associated with it, and that the dhcpv6-client and ssh services are allowed through the firewall.
5. How do I view the detailed listing of all available zones?
$ sudo firewall-cmd --list-all-zones
As in the previous example, the detailed configuration of each available zone is listed one after another. Check it for yourself, because the output can be quite long.
6. How do I change the default zone to a specific zone?
Before changing to the new zone, let's check the current default zone.
$ sudo firewall-cmd --get-default-zone
Output:
public
In the output, you can see that the public zone is set as the default. Now let's try changing the default zone from public to work.
$ sudo firewall-cmd --set-default-zone=work
Output:
success
The command above reports success, so let's verify:
$ sudo firewall-cmd --get-default-zone
Output:
work
7. How do I change a network interface from one zone to another?
If the system has two network interfaces, say enp1s0 and enp1s1, by default all interfaces are assigned to the default zone. You can move an interface to another zone with the following command:
$ sudo firewall-cmd --zone=internal --change-interface=enp1s1
This can be verified with the following command:
$ sudo firewall-cmd --get-active-zones
8. How do I create a custom Firewalld zone?
We know that all system-defined zone files are in /usr/lib/firewalld/zones and user-defined zone files are in /etc/firewalld/zones.
Use the following command to create a custom zone file that allows the SSH and Apache (http) services on ports 22 and 80.
Make sure the new file is saved in the user-defined location in .xml format; currently, zone names are limited to 17 characters.
$ sudo vi /etc/firewalld/zones/linuxtecksecure.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>LinuxteckSecure</short>
  <description>Used in the enterprise domain.</description>
  <!-- The article calls this the Apache service; Firewalld's predefined service for it is named "http".
       There is no predefined service called "apache", and a zone file referencing an unknown service
       is rejected when Firewalld reloads. -->
  <service name="http"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
</zone>
Save and exit.
Reload the firewall service:
$ sudo firewall-cmd --reload
Output:
success
Now, re-examine the available zones in Firewalld:
$ sudo firewall-cmd --get-zones
Output:
block dmz drop external home internal linuxtecksecure public trusted work
With the file above, we have created a new zone (linuxtecksecure) that allows only the HTTP (Apache) and SSH services. After creating the file, we need to reload the Firewalld service to activate the zone in Firewalld.
Remember: after making any changes to existing zone files, be sure to reload the Firewalld service, or the changes will not take effect in the firewall.
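The procedure above (write a zone file, reload, assign an interface) can also be driven entirely through firewall-cmd's permanent configuration, which makes Firewalld validate every service and port name as it is added instead of rejecting a hand-written file at the next reload. The script below is an added example and not code from the original article. It assumes bash or a POSIX shell and firewall-cmd in PATH; the FIREWALL_CMD variable is a hypothetical hook of this example that lets a stub stand in for the real command on a machine without Firewalld. validate_zone_name enforces the 17-character limit stated above, render_zone_xml reproduces the article's zone file for review, and create_zone applies the same settings through firewall-cmd.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: create a custom zone through
# firewall-cmd's permanent configuration rather than by hand-editing the XML.
# Assumptions: bash or a POSIX shell; firewall-cmd in PATH. FIREWALL_CMD is a
# hypothetical hook that lets a stub replace the real command for dry runs.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Zone names are limited to 17 characters (stated in the article). Limiting
# the character set to [A-Za-z0-9_-] is this example's conservative choice.
validate_zone_name() {
    name="$1"
    [ -n "$name" ] || return 1
    [ "${#name}" -le 17 ] || return 1
    case "$name" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Render a zone file in the same layout as the article's example. $3 and $4
# are space-separated lists such as "http ssh" and "80/tcp 22/tcp". The short
# name and description are emitted as-is, so they must not contain XML
# special characters.
render_zone_xml() {
    short="$1"; description="$2"; services="$3"; ports="$4"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
    printf '  <short>%s</short>\n' "$short"
    printf '  <description>%s</description>\n' "$description"
    for s in $services; do printf '  <service name="%s"/>\n' "$s"; done
    for p in $ports; do
        # "80/tcp" -> protocol "tcp", port "80"
        printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
    done
    printf '</zone>\n'
}

# Create the zone in the permanent configuration, add its services, ports and
# (optionally) an interface, then reload so the zone appears at runtime.
# Each firewall-cmd call validates the name it is given, so an unknown
# service such as "apache" fails here instead of breaking the next reload.
create_zone() {
    zone="$1"; services="$2"; ports="$3"; iface="${4:-}"
    validate_zone_name "$zone" || { echo "invalid zone name: $zone" >&2; return 1; }
    # Only create the zone if it is not already defined.
    if ! "$FIREWALL_CMD" --permanent --get-zones | tr ' ' '\n' | grep -qx "$zone"; then
        "$FIREWALL_CMD" --permanent --new-zone="$zone"
    fi
    for s in $services; do
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$s"
    done
    for p in $ports; do
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$p"
    done
    if [ -n "$iface" ]; then
        "$FIREWALL_CMD" --permanent --zone="$zone" --change-interface="$iface"
    fi
    "$FIREWALL_CMD" --reload
}

# Apply the article's zone (HTTP and SSH, ports 80 and 22, interface enp1s1)
# only when run with --apply; otherwise just define the functions above.
if [ "${1:-}" = "--apply" ]; then
    create_zone linuxtecksecure "http ssh" "80/tcp 22/tcp" enp1s1
fi
```

Run it with --apply on a CentOS 7 host to create the linuxtecksecure zone and attach enp1s1 to it; without --apply it only defines the functions, so it can be sourced and the helpers exercised anywhere. The zone-existence check before --new-zone avoids a name conflict on a second run; the service and port additions rely on firewall-cmd merely warning when an entry is already present.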
Services
Firewalld has another component called services, which zone files use to manage traffic rules in the firewall settings; each predefined service is referenced in the default configuration of the zone files. Some examples:
- dhcpv6-client: manages local traffic of DHCPv6 clients, using UDP port 546.
- ssh: manages local traffic for the SSH server service, using TCP port 22.
- samba-client: manages local traffic for Windows file and printer sharing clients, using ports 137 (UDP) and 138 (UDP).
- ipp-client: manages local traffic for print server (IPP) clients, using UDP port 631.
- mdns: manages the multicast DNS link-local service, using UDP port 5353.
1. How do I list all the services available in Firewalld?
$ sudo firewall-cmd --get-services
Output:
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc
ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch
etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre
high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop
kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql
murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis
pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client
samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui
synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans
xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
2. How do I list the services enabled in a specific zone?
$ sudo firewall-cmd --zone=work --list-services
Output:
dhcpv6-client ssh
The output shows that only two services are enabled in the work zone.
3. How do I add an existing service to the default zone?
$ sudo firewall-cmd --add-service=samba
Output:
success
In this example, I have added an existing service called samba to the default zone, which you can verify with the following command:
$ sudo firewall-cmd --zone=public --list-services
Output:
dhcpv6-client samba ssh
Similarly, we can add services to a zone other than the default zone. Use the following command:
$ sudo firewall-cmd --zone=internal --add-service=ftp
Firewalld's two modes
Firewalld keeps two separate configurations: permanent and runtime (immediate).
When the firewall starts, it loads all the permanent configuration files into the runtime configuration.
Any rules you add or update afterwards apply to the runtime configuration only and are not automatically carried over to the permanent configuration.
To make them permanent, we need to use the --permanent parameter, and to activate permanent changes in Firewalld we need to reload or restart the firewall service.
1. How do I permanently add a service?
$ sudo firewall-cmd --permanent --add-service=ftp
Output:
success
$ sudo firewall-cmd --reload
Output:
success
Remember, whenever you use the --permanent flag, don't forget to reload the firewall service.
2. How do I migrate my runtime settings to permanent settings?
$ sudo firewall-cmd --runtime-to-permanent
Output:
success
Normally we test all the rules in the runtime configuration first. Once they work as intended, we make them permanent, either by repeating each command with the --permanent option or by using the command above to migrate all the runtime settings to the permanent configuration at once. If the firewall settings then appear not to be in effect, simply reload or restart the firewall service so that the permanent configuration is loaded.
Ports
Firewalld also lets us work directly with network ports; the beauty of this is that we can open and close them in the firewall without having to install a specific service on the system.
1. How do I open the ports for the Samba service in the public zone?
$ sudo firewall-cmd --zone=public --add-port=137/udp
$ sudo firewall-cmd --zone=public --add-port=138/udp
$ sudo firewall-cmd --zone=public --add-port=139/tcp
$ sudo firewall-cmd --zone=public --add-port=445/tcp
Output (for each command):
success
With the commands above, we have opened the ports used by the Samba service.
Verify:
$ sudo firewall-cmd --list-ports
Output:
137/udp 138/udp 139/tcp 445/tcp
After a successful test, if you want to keep these rules as permanent firewall rules, either repeat the commands above with the --permanent flag or migrate the runtime configuration to permanent, and don't forget to reload the service.
Timeout
Firewalld also has an interesting feature called timeout. It helps system administrators add temporary rules to their runtime settings, for example when a user wants to download a file from the server through the FTP service.
Since this is a one-time operation, there is no need for a permanent rule.
It may take only 2-5 minutes to download the file (this varies with the file size).
In our example, we allow the FTP service for 5 minutes, and the rule is removed automatically after that time.
$ sudo firewall-cmd --zone=public --add-service=ftp --timeout=5m
We can specify timeouts in seconds (s), minutes (m), or hours (h).
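The timeout feature is also useful as a safety net when changing rules on a host you can only reach over the network: add the rule to the runtime configuration with a timeout, run a check, and only if the check passes promote the rule with --runtime-to-permanent, as described in the two-modes section. If the check fails, the rule is removed at once, and in any case it would expire on its own. The script below is an added example and not code from the original article. It assumes bash or a POSIX shell and firewall-cmd in PATH; FIREWALL_CMD is a hypothetical hook of this example so a stub can stand in for the real command, and the check command is supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: use --timeout as a safety net
# when changing rules on a host reached only over the network. The rule goes
# into the runtime configuration with an expiry; a caller-supplied check must
# succeed before it is promoted with --runtime-to-permanent.
# Assumptions: bash or a POSIX shell; firewall-cmd in PATH. FIREWALL_CMD is a
# hypothetical hook that lets a stub replace the real command for dry runs.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept a timeout in the forms the article lists: a number of seconds, or a
# number followed by s, m or h.
validate_timeout() {
    t="$1"
    case "$t" in *[smh]) t="${t%?}" ;; esac   # strip a single unit suffix
    case "$t" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# guarded_add_service ZONE SERVICE TIMEOUT CHECK-COMMAND [ARGS...]
# Returns 0 if the rule was promoted to permanent, 1 if the check failed and
# the rule was backed out, 2 on a malformed timeout.
guarded_add_service() {
    zone="$1"; service="$2"; timeout="$3"; shift 3
    validate_timeout "$timeout" || { echo "bad timeout: $timeout" >&2; return 2; }

    # Runtime only; Firewalld removes the rule by itself when the timer fires.
    "$FIREWALL_CMD" --zone="$zone" --add-service="$service" --timeout="$timeout"

    if "$@"; then
        # Copy the runtime state into the permanent configuration, then reload
        # so the runtime is rebuilt from it without the pending expiry timer.
        "$FIREWALL_CMD" --runtime-to-permanent
        "$FIREWALL_CMD" --reload
        echo "promoted $service in zone $zone to the permanent configuration"
        return 0
    fi

    # Check failed: back the rule out now rather than waiting for the timeout.
    "$FIREWALL_CMD" --zone="$zone" --remove-service="$service"
    echo "check failed; removed $service from zone $zone" >&2
    return 1
}
```

The check should exercise the rule from outside the host, for example `guarded_add_service public http 5m ssh tester-host curl -sf -o /dev/null http://server-host/` with tester-host and server-host as placeholders for your own machines. Two caveats: --runtime-to-permanent saves the whole runtime configuration, including any other unsaved runtime changes, so use it when the runtime state as a whole is what you want to keep; and the final --reload matters, because after --runtime-to-permanent the runtime entry still carries its expiry timer, while a reload rebuilds the runtime from the permanent files and discards pending timers.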
Thank you for your time! I hope this article has given you an example of the basic use of the “firewall-cmd” command, and if you enjoyed it, please share it with others.