In this article, we show how to set up a firewall with firewalld on CentOS 7.
What is Firewalld?
Firewalld is a firewall management tool available on many Linux distributions, including Ubuntu, Debian, CentOS, RHEL, and Fedora. In this article we use CentOS 7.
Requirements for setting up a firewall on CentOS 7
You need to be logged in as a non-root user with sudo privileges. See our article on the initial server setup with CentOS 7 if you have not done that yet.
Set Up a Firewall with FirewallD on CentOS 7
Before setting up the firewall, let's look at firewalld zones.
Firewalld uses zones and services instead of iptables chains and rules. A zone is a set of rules that specifies which traffic is allowed, chosen according to how much you trust the network an interface is connected to. Each network interface is assigned to a zone, and that zone dictates what the firewall allows on it.
FirewallD zones
Here is a list of predefined zones for Firewalld:
1. Drop: the lowest level of trust. All incoming traffic is dropped without any reply to the sender.
2. Block: similar to Drop, but incoming traffic is rejected and the sender receives a rejection message.
3. Public: for untrusted public networks; only selected incoming connections are accepted.
4. External: used when your system acts as a gateway or router.
5. Internal: the rules applied to computers on your private internal network.
6. DMZ: an isolated segment of computers in your internal network that may not access other internal resources.
7. Work: used for work machines; the trust level is high.
8. Home: most computers in this zone trust each other; the trust level is higher than for Work.
9. Trusted: the highest trust level; all computers on the network are trusted.
Installing firewalld on CentOS 7
Set up the firewall on CentOS 7 by following these steps.
Install firewalld with the following command:
sudo yum install firewalld
Then enable it and reboot the system with the following commands:
sudo systemctl enable firewalld
sudo reboot
After the reboot, verify that the service is running with:
sudo firewall-cmd --state
Firewall rules on CentOS 7
Once firewalld is running you can inspect its rules. Show the active zones (the zones that have an interface assigned) with:
firewall-cmd --get-active-zones
You can see the default zone’s configuration with:
sudo firewall-cmd --list-all
Get a list of all available zones with:
firewall-cmd --get-zones
Show the configuration of a specific zone, for example home, with:
sudo firewall-cmd --zone=home --list-all
Select zones for your interfaces
Unless you configure otherwise, each network interface is placed in the default zone when the firewall starts.
You can move an interface to another zone, for example eth0 to home, with:
sudo firewall-cmd --zone=home --change-interface=eth0
Verify that this was successful with:
firewall-cmd --get-active-zones
Adjust the default zone of the firewall
Instead of assigning a zone to each interface, you can change the default zone. It is usually simpler to set a default zone and use it for your configuration:
sudo firewall-cmd --set-default-zone=home
Add a service to your zone
First, get a list of available services with the following command:
firewall-cmd --get-services
Enable a service from the list, for example the HTTP service, with:
sudo firewall-cmd --zone=public --add-service=http
Check that it is enabled with:
sudo firewall-cmd --zone=public --list-services
The change above applies only to the runtime configuration and is lost on reload or reboot. Make the public zone change permanent with:
sudo firewall-cmd --zone=public --permanent --add-service=http
Verify the permanent configuration with:
sudo firewall-cmd --zone=public --permanent --list-services
Open a port for your zone
You can also open individual ports in a zone. For example, if your application listens on TCP port 8000:
sudo firewall-cmd --zone=public --add-port=8000/tcp
List the open ports with:
sudo firewall-cmd --zone=public --list-ports
If your application uses UDP ports 3500 to 3700, run:
sudo firewall-cmd --zone=public --add-port=3500-3700/udp
Make them permanent and verify with:
sudo firewall-cmd --zone=public --permanent --add-port=8000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=3500-3700/udp
sudo firewall-cmd --zone=public --permanent --list-ports
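The service and port sections above both follow the same pattern: apply a rule to the runtime configuration, then repeat it with --permanent so it survives a reload. The following script is an added example, not code from the original article; it wraps that pattern in a function so the two configurations cannot drift apart, and it validates a port specification before passing it to firewall-cmd. The function names (valid_port_spec, fw, apply_both, open_ports, add_services) and the FW_DRY_RUN variable are assumptions made for this example; the port values are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Applies firewalld rules to
# both the runtime and the permanent configuration, after validating input.
# Set FW_DRY_RUN=1 to print the firewall-cmd invocations instead of running them.

# valid_port_spec SPEC -> 0 if SPEC is PORT/PROTO or LOW-HIGH/PROTO, else 1
valid_port_spec() {
    spec=$1
    ports=${spec%/*}
    proto=${spec##*/}
    # a spec without "/" leaves ports identical to spec; reject it
    [ "$ports" != "$spec" ] || return 1
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    low=${ports%-*}
    high=${ports##*-}
    for p in "$low" "$high"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ] || return 1
    return 0
}

# fw ARGS... -> run firewall-cmd, or print the command in dry-run mode
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# apply_both ZONE OPTION VALUE -> apply OPTION=VALUE at runtime and permanently
apply_both() {
    zone=$1; opt=$2; val=$3
    fw --zone="$zone" "$opt=$val"
    fw --zone="$zone" --permanent "$opt=$val"
}

# open_ports ZONE SPEC... -> reject the whole batch if any spec is malformed
open_ports() {
    zone=$1; shift
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "rejected port spec: $spec" >&2; return 1; }
    done
    for spec in "$@"; do
        apply_both "$zone" --add-port "$spec"
    done
}

# add_services ZONE SERVICE... -> enable named services at runtime and permanently
add_services() {
    zone=$1; shift
    for svc in "$@"; do
        apply_both "$zone" --add-service "$svc"
    done
}

# Usage demo (constructed values); run as: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    FW_DRY_RUN=1
    add_services public http
    open_ports public 8000/tcp 3500-3700/udp
fi
```

In dry-run mode the script prints the runtime and permanent commands for each rule, which is a convenient way to review a change before applying it; without FW_DRY_RUN it calls firewall-cmd directly and needs the same sudo privileges as the commands in the article.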
Define a service
So far you have seen how to set up the firewall and manage its rules; now let's see how to define a service.
If you later forget why a port was opened on your server, it can be hard to remember which application needed it. Defining a named service for your application solves that.
For example, copy the SSH service definition as the starting point for a new ‘example’ service:
sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml
Edit it with vi:
sudo vi /etc/firewalld/services/example.xml
Change the short name, add a description, and set the ports and protocols your service uses. When you are finished, save and close the file.
Reload the firewall:
sudo firewall-cmd --reload
It now appears in the list of available services:
firewall-cmd --get-services
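Instead of hand-editing a copied ssh.xml, the service file can be generated from the application's name, description and port list, which avoids typos and accidental overwrites of an existing definition. The script below is an added example, not code from the original article; it writes a file in the same format as the definitions under /usr/lib/firewalld/services/ (firewalld uses the file name, without .xml, as the service name). The function names (xml_escape, service_xml, write_service) and the "example" service with its ports are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article). Generates a firewalld
# service definition file from a name, description and PORT/PROTO list.

# xml_escape TEXT -> TEXT with &, < and > replaced by XML entities
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# service_xml SHORT DESCRIPTION SPEC... -> print the service XML to stdout
# Each SPEC is PORT/PROTO or LOW-HIGH/PROTO, the same form firewall-cmd accepts.
service_xml() {
    short=$1; desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$short")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# write_service NAME DIR SHORT DESCRIPTION SPEC... -> write DIR/NAME.xml
# Refuses to overwrite an existing definition and prints the path on success.
write_service() {
    name=$1; dir=$2; shift 2
    target="$dir/$name.xml"
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi
    service_xml "$@" > "$target"
    echo "$target"
}

# Usage demo (constructed values); run as: sudo sh script.sh --demo
# On a real host DIR is /etc/firewalld/services and you reload afterwards:
#   sudo firewall-cmd --reload
if [ "${1:-}" = "--demo" ]; then
    write_service example /etc/firewalld/services "Example" \
        "Example application: HTTP API on 8000/tcp, media on 3500-3700/udp" \
        8000/tcp 3500-3700/udp
fi
```

After writing the file, run sudo firewall-cmd --reload and the new service shows up in firewall-cmd --get-services, after which it can be added to a zone with --add-service=example exactly like the built-in services.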
Create your own zone
You can also create your own zones. For example, to create a zone for your web server named publicweb, use the following command:
sudo firewall-cmd --permanent --new-zone=publicweb
Then reload the firewall and confirm the new zone is listed:
sudo firewall-cmd --reload
firewall-cmd --get-zones
Add services to your zone, for example:
sudo firewall-cmd --zone=publicweb --add-service=ssh
Assign an interface to it:
sudo firewall-cmd --zone=publicweb --change-interface=eth0
Make the service permanent with:
sudo firewall-cmd --zone=publicweb --permanent --add-service=ssh
Restart the network and reload the firewall:
sudo systemctl restart network
sudo systemctl reload firewalld
Optionally, make your new zone the default zone:
sudo firewall-cmd --set-default-zone=publicweb
Conclusion
You have now set up a firewall with firewalld on CentOS 7, learned about firewalld zones, defined a service, and created your own zone.
We hope you found it useful.