October 9, 2016

Working with Firewalld


FirewallD is a front-end controller for iptables that is used to filter network traffic. FirewallD is not an iptables replacement; it is a wrapper around iptables that manages the iptables rules for you. FirewallD provides an easy way to configure dynamic firewall rules that are applied instantly, without restarting any services. FirewallD provides both command-line and graphical interfaces, and is available in most Linux distributions.

Features:

  1. Supports most Linux distributions.
  2. Loads kernel modules automatically.
  3. Easily integrates with Puppet.
  4. Provides both command-line and graphical user interface.
  5. Supports IPv4, IPv6 and NAT.
  6. Predefined list of services and zones.

In this tutorial, we will learn how to set up firewalld and look at some useful firewalld rules for configuring your server from the command line.

Requirements

  • A server running CentOS-7 operating system.
  • A non-root user account with sudo privileges set up on your server.

Installing FirewallD

The firewalld package is installed by default in CentOS-7. If not installed, you can easily install it by running the following command:

sudo yum install firewalld

Once firewalld is installed, you will need to stop the iptables service if it is running, because the two services would otherwise compete for the same rule tables.
You can stop and mask the iptables service with the following commands:

sudo systemctl stop iptables

sudo systemctl mask iptables

Now, start the firewalld service and enable it to start on boot by running the following commands:

sudo systemctl start firewalld

sudo systemctl enable firewalld

You can check the firewalld status with the following command:

sudo firewall-cmd --state

or

sudo systemctl status firewalld

You should see the following output:

    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: active (running) since Fri 2016-09-23 19:13:16 IST; 7min ago
     Main PID: 572 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─572 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

    Sep 23 19:13:12 centOS-7 systemd[1]: Starting firewalld - dynamic firewall daemon...
    Sep 23 19:13:16 centOS-7 systemd[1]: Started firewalld - dynamic firewall daemon.

Zone Management

Firewalld manages groups of rules using zones. A zone is a predefined rule set that expresses a level of trust for a particular location or network. The first time you enable firewalld, public is the default zone. You can assign zones to different network interfaces, for example one zone for the internal network and another for the interface facing the internet.

To view the default zone, run the following command:

sudo firewall-cmd --get-default-zone

Output:

    public

To get the active list of zones, run:

sudo firewall-cmd --get-active-zones

Output:

    public
      interfaces: eth0

To get all the details about the public zone, run:

sudo firewall-cmd --zone=public --list-all

Output:

    public (default, active)
      interfaces: eth0
      sources: 
      services: dhcpv6-client ssh
      ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

To change the default zone, run:

sudo firewall-cmd --set-default-zone=internal

To get the list of all the available zones, run:

sudo firewall-cmd --get-zones

Output:

    block dmz drop external home internal public trusted work

To get all configurations for all zones, run:

sudo firewall-cmd --list-all-zones

Output:

    block
      interfaces: 
      sources: 
      services: 
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

    dmz
      interfaces: 
      sources: 
      services: ssh
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

    drop
      interfaces: 
      sources: 
      services: 
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

    external
      interfaces: 
      sources: 
      services: ssh
      ports: 
      masquerade: yes
      forward-ports: 
      icmp-blocks: 
      rich rules: 

    home
      interfaces: 
      sources: 
      services: dhcpv6-client ipp-client mdns samba-client ssh
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

    internal (default, active)
      interfaces: eth0
      sources: 
      services: dhcpv6-client ipp-client mdns samba-client ssh
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

    public
      interfaces: 
      sources: 
      services: dhcpv6-client ssh
      ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

    trusted
      interfaces: 
      sources: 
      services: 
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

    work
      interfaces: 
      sources: 
      services: dhcpv6-client ipp-client ssh
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 
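Reading a long --list-all-zones listing by eye is error-prone, so the following is an added example (not part of the tutorial or of firewalld) that parses that text output and summarises what each zone exposes: its interfaces, services and ports, plus settings worth a second look such as masquerading, forward-ports and source-based accept rules. The listing embedded in the script is a constructed sample modelled on the output above (the eth1 interface on the external zone and its forward-port entries are assumptions for the example); on a real host, feed it the captured output of `sudo firewall-cmd --list-all-zones`.

```python
"""Parse `firewall-cmd --list-all-zones` output and report per-zone exposure.

Added example for this tutorial; it is not firewalld code.  It only reads
text, so it runs anywhere without root or a running firewalld.
"""
import re

# Constructed sample modelled on the article's listing (not live output).
SAMPLE_LISTING = """\
external (active)
  interfaces: eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2200:toaddr=192.168.43.100
    port=22:proto=tcp:toport=2200:toaddr=
  icmp-blocks:
  rich rules:

internal (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.43.20" accept
"""

ZONE_RE = re.compile(r"^(\S+)(?:\s+\((.*)\))?$")          # "name (default, active)"
FIELD_RE = re.compile(r"^\s+([a-z][a-z -]*?):\s*(.*)$")   # "  services: ssh http"
ENTRY_FIELDS = {"forward-ports", "rich rules"}            # one entry per line


def parse_zones(text):
    """Return {zone_name: {...}} with flags, token lists and per-line entries."""
    zones, zone, field = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                       # zone header line
            m = ZONE_RE.match(raw.strip())
            flags = {f.strip() for f in (m.group(2) or "").split(",") if f.strip()}
            zone = zones[m.group(1)] = {"default": "default" in flags,
                                        "active": "active" in flags}
            field = None
            continue
        m = FIELD_RE.match(raw)
        if m:                                          # "field: value" line
            field, value = m.group(1), m.group(2).strip()
            if field == "masquerade":
                zone[field] = value == "yes"
            elif field in ENTRY_FIELDS:
                zone[field] = [value] if value else []
            else:
                zone[field] = value.split()
        elif zone is not None and field in ENTRY_FIELDS:  # indented continuation
            zone[field].append(raw.strip())
    return zones


def parse_forward_port(spec):
    """Split 'port=22:proto=tcp:toport=2200:toaddr=192.168.43.100' into a dict.
    Assumes an IPv4 toaddr (an IPv6 address would itself contain colons)."""
    fields = {"port": "", "proto": "", "toport": "", "toaddr": ""}
    for item in spec.split(":"):
        key, _, value = item.partition("=")
        if key not in fields:
            raise ValueError(f"unknown forward-port field: {key}")
        fields[key] = value
    return fields


def exposure_report(zones):
    """Per zone: what is reachable, and settings that deserve a second look."""
    report = {}
    for name, z in zones.items():
        findings = []
        if z.get("masquerade"):
            findings.append("masquerade enabled: this host NATs traffic for others")
        for spec in z.get("forward-ports", []):
            fp = parse_forward_port(spec)
            if fp["toaddr"]:
                findings.append(f"forwards {fp['port']}/{fp['proto']} to {fp['toaddr']}:{fp['toport']}")
            else:
                findings.append(f"redirects {fp['port']}/{fp['proto']} to local port {fp['toport']}")
        for rule in z.get("rich rules", []):
            if rule.endswith(" accept") and "source address=" in rule:
                findings.append(f"allow-lists a source: {rule}")
        report[name] = {"active": z["active"], "interfaces": z.get("interfaces", []),
                        "services": z.get("services", []), "ports": z.get("ports", []),
                        "findings": findings}
    return report


if __name__ == "__main__":
    for name, entry in exposure_report(parse_zones(SAMPLE_LISTING)).items():
        print(name, entry)
```

Only active zones (those with an interface or source bound to them) filter traffic, so the report keeps the active flag next to each zone: an open port in an inactive zone is harmless until that zone is assigned to an interface.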

You can also assign a specific network interface to a zone, either temporarily or permanently.

To assign the eth0 network interface temporarily to the internal zone, run:

sudo firewall-cmd --zone=internal --change-interface=eth0

To assign the eth0 network interface permanently to the internal zone, run:

sudo firewall-cmd --permanent --zone=internal --change-interface=eth0

To know which zone is associated with the eth0 interface, run:

sudo firewall-cmd --get-zone-of-interface=eth0

Output:

    internal

It is also possible to create your own zone. It can be useful to define your own zones that are more descriptive of their function.

For example, create a zone for your web server called webzone by running the following command:

sudo firewall-cmd --permanent --new-zone=webzone

Now, reload firewalld to bring the configuration into your running session.

sudo firewall-cmd --reload

Now, run the following command to confirm that the newly created zone appears in the list:

sudo firewall-cmd --get-zones

Output:

    block dmz drop external home internal public trusted webzone work

Now, assign some services such as http, https and ftp to webzone:

sudo firewall-cmd --permanent --zone=webzone --add-service=ftp
sudo firewall-cmd --permanent --zone=webzone --add-service=http
sudo firewall-cmd --permanent --zone=webzone --add-service=https

Now, run the following command to get the list of services assigned to webzone:

sudo firewall-cmd --zone=webzone --list-all

Output:

    webzone
      interfaces: 
      sources: 
      services: ftp http https
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 

Service Management

Firewalld allows traffic based on predefined rules for specific network services. You can create your own custom service rules and add them to any zone.

To get a list of the default available services, run:

sudo firewall-cmd --get-services

Output:

    RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

You can also add services to each zone. For example, to allow the http service permanently in the internal zone, run the following command:

sudo firewall-cmd --permanent --zone=internal --add-service=http

Now, reload the firewalld service to apply these changes:

sudo firewall-cmd --reload

To get the list of services in the default zone, run:

sudo firewall-cmd --list-services

Output:

    dhcpv6-client http ipp-client mdns samba-client ssh

Service Firewall Configuration

The service definitions for common services such as http, ftp and dhcp live in the /usr/lib/firewalld/services directory. You can add your own custom services to the /etc/firewalld/services directory.

For example, no HAProxy service is shipped in the /usr/lib/firewalld/services directory. You can create your own haproxy service by creating the file /etc/firewalld/services/haproxy.xml.

sudo nano /etc/firewalld/services/haproxy.xml

Add the following lines. The file uses firewalld's service XML format; the port element is required for the service to open anything, so replace PORT with the port your HAProxy listens on (the original article does not state it):

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>HAProxy</short>
      <description>HAProxy load-balancer</description>
      <port protocol="tcp" port="PORT"/>
    </service>

Now, add the HAProxy service to the default zone permanently and reload the firewall configuration:

sudo firewall-cmd --permanent --add-service=haproxy

sudo firewall-cmd --reload
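A hand-written service file is easy to get wrong (a port outside 1-65535, an unsupported protocol, a stray character that makes the XML unparsable), and firewalld will refuse the whole file on reload. The following is an added example, not firewalld's own code, that builds a service definition with the standard library, validates the ports before writing, and reads the file back. The element names (service, short, description, port) are the ones firewalld uses for its service files; the ports 80/tcp and 443/tcp are an assumption for the HAProxy example, not something the tutorial states. It writes to a temporary directory so it runs anywhere; on a real host the target is /etc/firewalld/services/<name>.xml.

```python
"""Build, validate and round-trip a firewalld service definition.

Added example for this tutorial; not part of firewalld.  The HAProxy
ports used below (80/tcp, 443/tcp) are assumed for illustration.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

VALID_PROTOCOLS = {"tcp", "udp"}   # what firewalld accepted on CentOS-7


def is_valid_port(port):
    """Accept 'N' or a range 'N-M' with 1 <= N <= M <= 65535."""
    lo, _, hi = str(port).partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()):
        return False
    return 1 <= int(lo) <= int(hi) <= 65535


def build_service(short, description, ports):
    """Return the XML text of a service file; ports is [(port, protocol), ...]."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for port, proto in ports:
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto}")
        if not is_valid_port(port):
            raise ValueError(f"invalid port: {port}")
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def write_service(directory, name, xml_text):
    """Write <name>.xml into directory (use /etc/firewalld/services on a host)."""
    path = os.path.join(directory, f"{name}.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return path


def read_service(path):
    """Parse a service file back into (short, description, [(port, proto), ...])."""
    root = ET.parse(path).getroot()
    if root.tag != "service":
        raise ValueError("not a firewalld service file")
    ports = [(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    return root.findtext("short"), root.findtext("description"), ports


def roundtrip(short, description, ports, name="haproxy"):
    """Build, write to a temporary directory and read back, returning the parsed tuple."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_service(tmp, name, build_service(short, description, ports))
        return read_service(path)


if __name__ == "__main__":
    print(build_service("HAProxy", "HAProxy load-balancer", [("80", "tcp"), ("443", "tcp")]))
    print(roundtrip("HAProxy", "HAProxy load-balancer", [("80", "tcp"), ("443", "tcp")]))
```

After copying the generated file into /etc/firewalld/services, `sudo firewall-cmd --permanent --add-service=haproxy` followed by `sudo firewall-cmd --reload` picks it up exactly as the tutorial shows.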

Port Management

Port management follows the same concept as service management.

If you want to allow the 53/tcp port temporarily in the internal zone, run:

sudo firewall-cmd --zone=internal --add-port=53/tcp

If you want to allow the 53/tcp port permanently in the internal zone, run:

sudo firewall-cmd --permanent --zone=internal --add-port=53/tcp

Now, reload the firewalld service to apply these changes:

sudo firewall-cmd --reload

To get the list of ports open in the internal zone, run:

sudo firewall-cmd --zone=internal --list-ports

If you no longer want to allow port 53/tcp, remove it from the zone with the following command:

sudo firewall-cmd --permanent --zone=internal --remove-port=53/tcp

Masquerading

IP masquerading is a form of network address translation (NAT) that lets computers on an internal network reach the outside network through this host.

First, check whether masquerading is enabled for the external zone by running the following command:

sudo firewall-cmd --zone=external --query-masquerade

If it's not enabled, you can enable it with the following command:

sudo firewall-cmd --zone=external --add-masquerade

If you want to remove masquerading, run the following command:

sudo firewall-cmd --zone=external --remove-masquerade

If you want all packets arriving on port 22 to be forwarded to port 2200, run the following command:

sudo firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2200

You can also forward to a different destination IP address by running the following command:

sudo firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2200:toaddr=192.168.43.100

Now, to get all the information about the external zone, including both forward-port rules you just added, run:

sudo firewall-cmd --zone=external --list-all

Output:

    external
      interfaces: 
      sources: 
      services: ssh
      ports: 
      masquerade: yes
      forward-ports: port=22:proto=tcp:toport=2200:toaddr=192.168.43.100
        port=22:proto=tcp:toport=2200:toaddr=
      icmp-blocks: 
      rich rules: 

Block Incoming and Outgoing Packets

You can use panic mode to block all incoming and outgoing connections. For example, to block every connection, including established ones, on the running system, run the following command:

sudo firewall-cmd --panic-on

Once panic mode is enabled, try to ping hostpresto.com, and check whether panic mode is on using the --query-panic option, as shown below.

ping hostpresto.com

Output:

    Unknown host hostpresto.com

sudo firewall-cmd --query-panic

Now disable panic mode, then ping again and check.

sudo firewall-cmd --panic-off

ping hostpresto.com

This time, hostpresto.com will reply to the ping request.

Adding & Blocking IP Addresses

You can also allow a specific IP address in the public zone with a rich rule.

For example, to add the IP address 192.168.43.20 to the public zone, run the following command:

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.43.20" accept'

Now, list all the public zone rules with the following command:

sudo firewall-cmd --zone=public --list-all

Output:

    public
      interfaces: 
      sources: 
      services: dhcpv6-client ssh
      ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 
        rule family="ipv4" source address="192.168.43.20" accept

To remove the added rule, run the following command:

sudo firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.43.20" accept'

If you want to reject or drop traffic from an IP address in the public zone, run the following command:

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.43.20" reject'

Now, list all the public zone rules again with the following command:

sudo firewall-cmd --zone=public --list-all

Output:

    public
      interfaces: 
      sources: 
      services: dhcpv6-client ssh
      ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 
        rule family="ipv4" source address="192.168.43.20" reject
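Rich rules are plain strings, so a typo in the address or family is only caught when firewalld rejects the command, and nothing warns you when the same source ends up in both an accept and a reject rule. The following is an added example, not part of the tutorial or of firewalld, that parses the rule shapes used in this section (a family, a source address with an optional prefix length, and a final accept, reject or drop) with the standard library, checks that the address matches the family, and flags pairs of rules whose sources overlap but whose actions disagree. Which rule wins in that case is decided by firewalld's own ordering of deny and allow rules, not by the order you typed the commands, so the check is a useful review step before the rules go live.

```python
"""Parse firewalld rich rules and detect accept/reject conflicts.

Added example for this tutorial; not firewalld code.  Handles only the
rule elements the tutorial uses: family, source address (optionally
inverted with NOT or invert="true"), and an accept/reject/drop action.
"""
import ipaddress
import shlex

ACTIONS = ("accept", "reject", "drop")


def parse_rich_rule(text):
    """Turn 'rule family="ipv4" source address="A" accept' into a dict."""
    tokens = shlex.split(text)          # shlex strips the double quotes
    if not tokens or tokens[0] != "rule":
        raise ValueError("a rich rule starts with the keyword 'rule'")
    rule = {"family": None, "source": None, "invert": False, "action": None}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("family="):
            family = tok.partition("=")[2]
            if family not in ("ipv4", "ipv6"):
                raise ValueError(f"unknown family: {family}")
            rule["family"] = family
            i += 1
        elif tok == "source":
            i += 1
            while i < len(tokens) and (tokens[i] == "NOT" or
                                       tokens[i].startswith(("address=", "invert="))):
                if tokens[i] in ("NOT", "invert=true"):
                    rule["invert"] = True
                elif tokens[i].startswith("address="):
                    addr = tokens[i].partition("=")[2]
                    # strict=False lets a host address stand for its /32 or /128
                    rule["source"] = ipaddress.ip_network(addr, strict=False)
                i += 1
            if rule["source"] is None:
                raise ValueError("source element needs an address")
        elif tok in ACTIONS:
            rule["action"] = tok
            i += 1
        else:
            raise ValueError(f"unsupported rule element: {tok}")
    if rule["action"] is None:
        raise ValueError("rule has no accept/reject/drop action")
    if rule["family"] and rule["source"] is not None:
        if rule["source"].version != int(rule["family"][3]):
            raise ValueError("address does not match the rule family")
    return rule


def find_conflicts(rule_texts):
    """Return index pairs (i, j) of rules whose sources overlap but whose
    actions disagree (one allows, the other denies)."""
    rules = [parse_rich_rule(t) for t in rule_texts]
    conflicts = []
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            a, b = rules[i], rules[j]
            if a["source"] is None or b["source"] is None:
                continue
            if a["invert"] or b["invert"]:          # negated sources need a different check
                continue
            if a["source"].version != b["source"].version:
                continue
            if (a["action"] == "accept") != (b["action"] == "accept") \
                    and a["source"].overlaps(b["source"]):
                conflicts.append((i, j))
    return conflicts


if __name__ == "__main__":
    rules = ['rule family="ipv4" source address="192.168.43.20" accept',
             'rule family="ipv4" source address="192.168.43.20" reject']
    print(parse_rich_rule(rules[0]))
    print(find_conflicts(rules))     # both rules target the same host
```

Run it over the output of `sudo firewall-cmd --zone=public --list-rich-rules` (one rule per line) to review a zone before and after changes; the tutorial's own sequence is safe only because the accept rule is removed before the reject rule is added.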

Conclusion

I hope that you now have a good understanding of how to configure and use the firewalld service on your system. You can also use firewalld in your virtual lab environment to try out all of its options.
