A well-configured host firewall blocks unauthorized access to the services a system exposes on the network. Businesses and organizations invest in their cybersecurity infrastructure in proportion to how critical their systems are.
In this article we look at the fundamentals of firewalld, the firewall management service introduced in CentOS 7. firewalld is a front end to Netfilter, the packet-filtering framework built into the Linux kernel, which sees every packet entering, leaving or being forwarded by the system. Rules can therefore accept, reject, drop or modify incoming, outgoing and forwarded packets before they reach their destination. From CentOS 7 onwards firewalld is the default tool for managing the host-based firewall. The daemon ships in the firewalld package and is normally already present on a standard installation; if it is missing (for example on a trimmed-down image), install it as shown in Step 1.
Advantages of using firewalld over iptables:
i. Configuration changes made at runtime take effect immediately; the firewalld service does not have to be reloaded or restarted, and existing connections are not interrupted.
ii. It simplifies firewall management by grouping network traffic into zones with different trust levels.
iii. Several zones, and therefore several firewall configurations, can exist on one system and be switched as the network environment changes, which is useful for mobile systems such as laptops.
iv. It uses the D-Bus messaging system, so other applications and services can query and change firewall settings through a well-defined interface.
On CentOS 7 and later the classic iptables service can still be used, but firewalld must be stopped and disabled first (and the iptables-services package installed). Running both at the same time is unsupported: they manage the same kernel Netfilter tables and will overwrite each other's rules. Use firewalld unless there is a specific reason to stay with classic iptables.
firewalld sorts incoming traffic into zones. A packet is assigned to a zone either by the network interface it arrives on or by its source address, and each zone applies its own set of rules. The default zone is public; unless you change it, every interface that is not explicitly assigned elsewhere lands in public. Zone definitions are stored in two locations: the zones shipped with firewalld are under /usr/lib/firewalld/zones/ and user-defined or modified zones are under /etc/firewalld/zones/. Do not edit the files under /usr/lib: when you change a shipped zone with firewall-cmd --permanent, firewalld writes a copy of it to /etc/firewalld/zones/, and a file there overrides the shipped file of the same name.
This guide will help you strengthen your basic knowledge of the firewalld service and of the firewall-cmd command on RHEL/CentOS 7.
Prerequisites :
Operating System : CentOS 7 or higher
package : firewalld
User account : root user or user account with sudo privileges
It is recommended to run administrative commands through sudo rather than as root.
You can configure your firewall settings using three ways:
a. Direct editing in the '/etc/firewalld' configuration files
b. Graphical interface 'firewall-config' tool
c. Command-line 'firewall-cmd' in Terminal
Step 1: Install and enable the firewalld service
First, update the installed packages to their latest versions.
$ sudo yum update -y
If firewalld is not already installed, install it, then start the service and enable it so that it also comes up at boot:
$ sudo yum install firewalld -y
$ sudo systemctl start firewalld.service
$ sudo systemctl enable firewalld.service
You can verify the status of the firewall service by using the following commands:
$ sudo firewall-cmd --state
Output:
running
$ sudo systemctl status firewalld
Detailed output:
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sat 2020-04-18 22:39:56 IST; 2h 52min ago
Main PID: 759 (firewalld)
CGroup: /system.slice/firewalld.service
└─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Apr 18 22:39:56 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.
Step 2: Zones
firewalld ships with several predefined zones and services whose main purpose is to make firewall management easier. Most zones reject all incoming traffic except what a service, port or rule added to the zone explicitly permits; which zone applies depends on the interface or source address the traffic arrives from.
1. How to check all the available zones in firewalld?
$ sudo firewall-cmd --get-zones
Output:
block dmz drop external home internal public trusted work
The predefined zones, from least to most trusted:
drop: incoming packets are dropped without any reply; only outgoing connections are possible.
block: incoming connections are rejected with an ICMP prohibited message; only connections initiated from this system are allowed.
public: for use in public areas; other computers are not trusted and only selected incoming connections are accepted.
external: for external networks with masquerading enabled, for example on a router.
dmz: for publicly accessible computers in a demilitarized zone with limited access to the internal network.
work: for work areas, where other computers are mostly trusted.
home: for home areas, where other computers are mostly trusted.
internal: for internal networks, where other computers are mostly trusted.
trusted: all network connections are accepted.
2. How to find out which is the default zone?
$ firewall-cmd --get-default-zone
Output:
public
3. How to find a list of active zones and associated network interfaces?
$ firewall-cmd --get-active-zones
Output:
public
interfaces: enp1s0
Only zones that have at least one interface or source assigned are listed as active.
4. How to find out if there are any rules listed in the active public zone?
$ sudo firewall-cmd --list-all --zone="public"
The output shows the zone's target, whether it is active, the interfaces and sources bound to it, and the allowed services, ports, protocols, masquerade setting, forward-ports, source-ports, icmp-blocks and rich rules. A freshly installed public zone allows only the dhcpv6-client and ssh services.
5. How to check the list of all available zones?
$ sudo firewall-cmd --list-all-zones
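Reading a zone listing by eye is fine for one host; across many hosts it helps to have a script flag the things a reviewer looks for. The following is an added example, not code from the article: it parses the text printed by firewall-cmd --zone=ZONE --list-all (the line format is assumed to match firewalld on CentOS 7) and reports an ACCEPT target, cleartext or legacy services, open port ranges and enabled masquerading. The sample listings inside the script are constructed, and the list of risky services is a starting point, not an official one.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: review the output of
# `firewall-cmd --zone=ZONE --list-all` for risky exposure.
# The listing format assumed below is the one printed by firewalld on CentOS 7
# (one "  key: value" line per field); the sample listings are constructed.

# Services whose protocols carry credentials or data in cleartext, or that are
# rarely appropriate on a host firewall. Extend to taste.
RISKY_SERVICES="telnet ftp tftp rsh rlogin finger"

# field_value LISTING KEY -> prints the value of the "  KEY: value" line (empty if absent)
field_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# audit_zone_listing LISTING -> prints one "FINDING: ..." line per issue found
audit_zone_listing() {
  local listing="$1" svc port
  # A zone target of ACCEPT lets through everything that no rule matched.
  if [ "$(field_value "$listing" target)" = "ACCEPT" ]; then
    echo "FINDING: zone target is ACCEPT, unmatched traffic is allowed"
  fi
  # Legacy or cleartext services exposed through the zone.
  for svc in $(field_value "$listing" services); do
    case " $RISKY_SERVICES " in
      *" $svc "*) echo "FINDING: cleartext/legacy service '$svc' is allowed" ;;
    esac
  done
  # Raw port ranges are usually wider than a service actually needs.
  for port in $(field_value "$listing" ports); do
    case "$port" in
      *-*) echo "FINDING: port range '$port' is open, check whether the whole range is needed" ;;
    esac
  done
  # Masquerading turns the host into a NAT router for this zone.
  if [ "$(field_value "$listing" masquerade)" = "yes" ]; then
    echo "FINDING: masquerade is enabled, this host forwards traffic for the zone"
  fi
  return 0
}

# audit_live_zone ZONE -> audit the running configuration of a zone (needs root/sudo)
audit_live_zone() {
  audit_zone_listing "$(firewall-cmd --zone="$1" --list-all)"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_RISKY='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: dhcpv6-client ftp ssh telnet
  ports: 8000-9000/tcp 445/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

SAMPLE_CLEAN='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# Running the script prints the four findings for the risky sample;
# on a live host call e.g.: audit_live_zone public
audit_zone_listing "$SAMPLE_RISKY"
```

The checks are deliberately simple string matches on the listing, so the script needs nothing beyond sed and a POSIX shell; the same functions can be fed the output of --list-all-zones one zone at a time if you split that output on blank lines.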
6. How to change the default zone to specific ones?
Before changing to the new zone, let's check the existing available zone.
$ sudo firewall-cmd --get-default-zone
Output:
public
Now change the default zone to work:
$ sudo firewall-cmd --set-default-zone=work
Output:
success
Verify the change:
$ sudo firewall-cmd --get-default-zone
Output:
work
7. How to change the network interface from one zone to another?
The example moves the interface enp1s1 into the internal zone. Without --permanent this is a runtime change only. To make it persistent, repeat the command with --permanent, or set ZONE=internal in the interface's ifcfg file under /etc/sysconfig/network-scripts/ so that NetworkManager applies the zone every time the interface comes up.
$ sudo firewall-cmd --zone=internal --change-interface=enp1s1
Output:
success
$ sudo firewall-cmd --get-active-zones
Output:
internal
interfaces: enp1s1
public
interfaces: enp1s0
8. How to create a custom zone?
A zone is just an XML file in /etc/firewalld/zones/; the zone name is taken from the file name, so the file below defines a zone called linuxtecksecure. (The same can be achieved with sudo firewall-cmd --permanent --new-zone=linuxtecksecure followed by --add-service and --add-port calls against that zone.)
$ sudo vi /etc/firewalld/zones/linuxtecksecure.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>linuxtecksecure</short>
<description>For use in corporate areas.</description>
<!-- the predefined web service is named http; there is no "apache" service -->
<service name="http"/>
<service name="ssh"/>
<!-- these port entries open the same ports the two services already cover; redundant but harmless -->
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="22"/>
</zone>
Save the file. firewalld only reads new zone files on a reload:
$ sudo firewall-cmd --reload
Output:
success
Now, re-check the available zones in firewalld
$ sudo firewall-cmd --get-zones
Output:
block dmz drop external home internal linuxtecksecure public trusted work
The new zone behaves like any predefined one: assign an interface to it with --change-interface or make it the default with --set-default-zone.
Step 3: Services
Similarly, firewalld has another component called services. A service is a named bundle of ports (and optionally protocols, Netfilter helper modules and destination addresses) that can be added to a zone instead of listing raw ports. The following list shows the predefined services; several of them are already used in the default zone files.
9. How to list all the available services in firewalld?
$ sudo firewall-cmd --get-services
Output:
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
Each service is defined in an XML file: the predefined ones are under /usr/lib/firewalld/services/ and custom services go under /etc/firewalld/services/. The exact --get-services output on your system depends on the firewalld version.
10. How to list all the available services in a particular zone?
$ sudo firewall-cmd --zone=work --list-services
Output:
dhcpv6-client ssh
11. How to add an existing service to the default zone?
$ sudo firewall-cmd --add-service=samba
Output:
success
Without --zone the service goes into the default zone. This assumes the default zone is still public; if you changed it to work in item 6, set it back with sudo firewall-cmd --set-default-zone=public first. Verify:
$ sudo firewall-cmd --zone=public --list-services
Output:
dhcpv6-client samba ssh
To add a service to a specific zone instead of the default one, name the zone:
$ sudo firewall-cmd --zone=internal --add-service=ftp
Step 4: firewalld runtime and permanent configuration
firewalld keeps two separate configurations: the permanent one (the files under /etc/firewalld and /usr/lib/firewalld) and the runtime one (the rules currently loaded in the kernel). When the service starts it loads the permanent configuration into the runtime. Any change you make with firewall-cmd, whether an add or an update, applies only to the runtime configuration and is not written to the permanent configuration automatically; it is lost at the next reload or reboot.
To make a rule permanent, add the '--permanent' parameter. A permanent change is only written to disk and does not affect the running rules until you reload the firewall (or restart the service). A rule that must work immediately and also survive a reboot is therefore added twice, once with and once without '--permanent', or added at runtime and then saved with '--runtime-to-permanent' (item 13).
12. How to add a service permanently?
$ sudo firewall-cmd --permanent --add-service=ftp
Output:
success
$ sudo firewall-cmd --reload
Output:
success
The reload loads the permanent configuration into the runtime, so the ftp service is now active. Be aware that a reload also discards any runtime-only changes that were never made permanent.
13. How do I migrate my runtime settings to permanent?
$ sudo firewall-cmd --runtime-to-permanent
Output:
success
This writes the whole current runtime configuration into the permanent configuration, so every change made so far without '--permanent' now survives a reload or reboot.
Step 5: Ports
firewalld also lets us open network ports directly. This is useful when no predefined service matches, or when the software behind the port is not installed yet: the port can be opened or closed in the firewall independently of the service.
14. How to open a port for samba service in the public zone?
$ sudo firewall-cmd --zone=public --add-port=137/udp
$ sudo firewall-cmd --zone=public --add-port=138/udp
$ sudo firewall-cmd --zone=public --add-port=139/tcp
$ sudo firewall-cmd --zone=public --add-port=445/tcp
Output:
success
Each command prints success. Verify the open ports (this lists the default zone; add --zone=public if public is no longer the default):
$ sudo firewall-cmd --list-ports
Output:
137/udp 138/udp 139/tcp 445/tcp
Opening the raw ports works, but it bypasses the named service definition. Prefer --add-service=samba, which opens the same four ports (137/udp, 138/udp, 139/tcp, 445/tcp) and keeps the rule readable; reserve --add-port for software that has no predefined service. Close a port that is no longer needed with --remove-port, for example sudo firewall-cmd --zone=public --remove-port=445/tcp.
Step 6: Timeout
firewalld has another useful feature, the timeout. It lets an administrator add a rule to the runtime configuration that removes itself after a given time. For example, if a user needs to download a file from the server over FTP just once, a permanent rule is not wanted. A download typically takes a few minutes (depending on the file size), so we can allow the FTP service for 5 minutes and let firewalld remove the rule automatically when the time is up.
15. How to allow a service temporarily?
$ sudo firewall-cmd --zone=public --add-service=ftp --timeout=5m
Output:
success
After five minutes firewalld removes the rule again. Connections established while the rule was active are not necessarily cut off, because firewalld accepts packets of established connections before evaluating the zone rules; the timeout bounds when new connections can be opened. --timeout cannot be combined with --permanent.
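The two habits above, adding a rule to both the runtime and the permanent configuration (Step 4) and using --timeout for temporary access (Step 6), can be wrapped in a small helper. This is an added example, not part of the article: the FIREWALL_CMD variable is an assumption of the script so that it can be dry-run against a stand-in, and the functions simply chain the firewall-cmd options shown above and verify the result with --query-service.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: open a service in a zone
# either so that it survives a reboot, or only for a limited time, and verify
# the result. FIREWALL_CMD is an assumption of this script: it defaults to the
# real firewall-cmd and can point at a stand-in function for dry runs.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_allow_service ZONE SERVICE [TIMEOUT]
#   Without TIMEOUT the service is added to the runtime and the permanent
#   configuration, and both are queried afterwards. Adding to only one of them
#   is the classic mistake: runtime-only rules vanish at the next reload or
#   reboot, permanent-only rules do nothing until a reload.
#   With TIMEOUT (e.g. 5m) the rule is runtime-only; firewall-cmd refuses
#   --timeout together with --permanent, so a temporary rule can never end up
#   in the saved configuration.
fw_allow_service() {
  local zone="$1" service="$2" timeout="${3:-}"
  if [ -n "$timeout" ]; then
    "$FIREWALL_CMD" --zone="$zone" --add-service="$service" --timeout="$timeout" >/dev/null || return 1
    "$FIREWALL_CMD" --zone="$zone" --query-service="$service" >/dev/null
    return $?
  fi
  "$FIREWALL_CMD" --zone="$zone" --add-service="$service" >/dev/null || return 1
  "$FIREWALL_CMD" --permanent --zone="$zone" --add-service="$service" >/dev/null || return 1
  # --query-service exits 0 when the service is present in that configuration, 1 when it is not.
  "$FIREWALL_CMD" --zone="$zone" --query-service="$service" >/dev/null || return 1
  "$FIREWALL_CMD" --permanent --zone="$zone" --query-service="$service" >/dev/null
}

# fw_remove_service ZONE SERVICE: remove the service from runtime and permanent config
fw_remove_service() {
  local zone="$1" service="$2"
  "$FIREWALL_CMD" --zone="$zone" --remove-service="$service" >/dev/null || return 1
  "$FIREWALL_CMD" --permanent --zone="$zone" --remove-service="$service" >/dev/null
}

# Usage on a live host (run as root or through sudo):
#   fw_allow_service public http        # active now and after the next reboot
#   fw_allow_service public ftp 5m      # runtime only, removed after 5 minutes
#   fw_remove_service public http
```

Because every step is checked with `|| return 1`, a failure in the permanent half (for example a typo in the service name, which firewall-cmd rejects) is reported instead of silently leaving the runtime and permanent configurations out of step.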
That's it! In the next article, we will see how to configure the firewalld service step by step using its advanced features, with examples.
Thank you for taking your valuable time to read! I hope this article will help you to understand the basic usage of the 'firewall-cmd' command with examples. Drop me your feedback/comments. If you like this article, kindly share it and it may help others as well.
A few firewalld references are collected from this site
Thank you!