github gitlab twitter mastodon linkedin instagram 500px email
FirewallD in Centos 7
Nov 1, 2017
3 minutes read

FirewallD is a firewall management tool available by default on CentOS 7 servers. Basically, it is a wrapper around iptables and it comes with graphical configuration tool firewall-config and command line tool firewall-cmd. With the iptables service, every change requires flushing of the old rules and reading the new rules from the /etc/sysconfig/iptables file, while with firewalld only differences are applied.

FirewallD zones

FirewallD uses services and zones instead of iptables rules and chains. By default the following zones are available:

  • drop – Drop all incoming network packets with no reply, only outgoing network connections are available.
  • block – Reject all incoming network packets with an icmp-host-prohibited message, only outgoing network connections are available.
  • public – Only selected incoming connections are accepted, for use in public areas external For external networks with masquerading enabled, only selected incoming connections are accepted.
  • dmz – DMZ demilitarized zone, publicly-accessible with limited access to the internal network, only selected incoming connections are accepted.
  • work – For computers in your home area, only selected incoming connections are accepted.
  • home – For computers in your home area, only selected incoming connections are accepted.
  • internal -For computers in your internal network, only selected incoming connections are accepted.
  • trusted – All network connections are accepted.

To list all available zones run:

# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

To list the default zone:

# firewall-cmd --get-default-zone
public

To change the default zone:

# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz

FirewallD services

FirewallD services are xml configuration files, with information of a service entry for firewalld. TO list all available services run:

# firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

xml configuration files are stored in the /usr/lib/firewalld/services/ and /etc/firewalld/services/ directories.

Configuring your firewall with FirewallD

As an example, here is how you can configure your firewall with FirewallD if you were running a web server, SSH on port 7022 and mail server.

First we will set the default zone to dmz.

# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz

To add permanent service rules for HTTP and HTTPS to the dmz zone, run:

# firewall-cmd --zone=dmz --add-service=http --permanent
# firewall-cmd --zone=dmz --add-service=https --permanent

Open port 25 (SMTP) and port 465 (SMTPS) :

# firewall-cmd --zone=dmz --add-service=smtp --permanent
# firewall-cmd --zone=dmz --add-service=smtps --permanent

Open, IMAP, IMAPS, POP3 and POP3S ports:

# firewall-cmd --zone=dmz --add-service=imap --permanent
# firewall-cmd --zone=dmz --add-service=imaps --permanent
# firewall-cmd --zone=dmz --add-service=pop3 --permanent
# firewall-cmd --zone=dmz --add-service=pop3s --permanent

Since the SSH port is changed to 7022, we will remove the ssh service (port 22) and open port 7022

# firewall-cmd --remove-service=ssh --permanent 
# firewall-cmd --add-port=7022/tcp --permanent 

To implement the changes we need to reload the firewall with:

# firewall-cmd --reload

Finally, you can list the rules with:

# firewall-cmd --list-all
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: http https imap imaps pop3 pop3s smtp smtps
ports: 7022/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:



Back to posts