A well-configured host firewall stops unauthorized network access before it reaches the services running on a machine, and businesses invest in their firewall infrastructure in proportion to how critical their systems are.
In this article we cover the fundamentals of firewalld, the firewall management service introduced in CentOS 7. firewalld does not filter packets itself: it is a front end for Netfilter, the packet-filtering framework built into the Linux kernel, which inspects every packet entering, leaving or being forwarded through the system and can accept, modify, reject or drop it before it reaches its destination. firewalld translates its zone and service rules into Netfilter rules (through iptables on CentOS 7). From CentOS 7 onwards firewalld is the default tool for managing the host-based firewall. The daemon comes from the firewalld package and is part of the base installation; if it is missing, it can be installed from that package (see Step 1).
Advantages of firewalld over classic iptables:
i. Configuration changes made at runtime take effect immediately; the firewalld service does not need to be reloaded or restarted, so the rule set is never flushed and existing connections are not interrupted.
ii. It simplifies firewall management by grouping network traffic into zones.
iii. Several firewall configurations (zones) can coexist on one system and the active one can change with the network environment, which is useful for mobile devices such as laptops.
iv. It exposes a D-Bus interface through which applications and tools (firewall-cmd among them) query and change firewall settings.
On CentOS 7 and later the classic iptables can still be used (via the iptables-services package), but firewalld must be stopped and disabled first. Running both at the same time leaves two tools fighting over the same Netfilter rule set, each assuming it owns the chains, so the resulting rules are unpredictable. Use firewalld unless there is a specific reason to stay with classic iptables.
firewalld builds on this filtering system and is designed to make firewall management flexible. To that end it sorts incoming traffic into zones: a packet is assigned to a zone either because its source address matches a source bound to that zone (checked first) or because it arrived on a network interface bound to that zone. Each zone defines which traffic it accepts. The default zone is public, and any interface not explicitly bound to another zone is handled by the default zone. Zone definitions live in two places: the zones shipped with the package are under /usr/lib/firewalld/zones/ and administrator-created or modified zones are under /etc/firewalld/zones/. When a shipped zone is modified, firewalld writes the modified copy to /etc/firewalld/zones/, and that copy takes precedence over the original.
This guide will help you build basic working knowledge of the firewalld service and of the firewall-cmd command on RHEL/CentOS 7.
Prerequisites :
Operating System : CentOS 7 or later
package : firewalld
User account : root user or user account with sudo privileges
It is recommended to run all administrative commands with sudo rather than as root.
The firewall can be configured in three ways:
a. Editing the configuration files under /etc/firewalld directly
b. The graphical firewall-config tool
c. The firewall-cmd command-line client in a terminal
This guide uses firewall-cmd.
Step 1: Install and enable the firewalld service
First, bring the installed packages up to date:
$ sudo yum update -y
Then install firewalld (the package is already present on most CentOS 7 installations, in which case yum reports it as already installed), start the service and enable it at boot:
$ sudo yum install firewalld -y
$ sudo systemctl start firewalld.service
$ sudo systemctl enable firewalld.service
You can verify the status of the firewall service by using the following commands:
$ sudo firewall-cmd --state
Output:
running
$ sudo systemctl status firewalld
Detailed output:
firewalld.service – firewalld – dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Sat 2020-04-18 22:39:56 IST; 2h 52min ago
Main PID: 759 (firewalld)
CGroup: /system.slice/firewalld.service
└─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Apr 18 22:39:56 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.
Step 2: Zones
firewalld ships with several predefined zones and services, which exist mainly to make firewall management easier. With the exception of the trusted zone, every zone blocks incoming traffic unless a rule in that zone explicitly permits it (a service, a port, a source or a rich rule); outgoing traffic is not filtered.
1. How to check all the available zones in firewalld?
$ sudo firewall-cmd --get-zones
Output:
block dmz drop external home internal public trusted work
The predefined zones, from least to most trusted:
drop: all incoming packets are dropped without a reply; only outgoing connections are possible.
block: incoming connections are rejected with an ICMP "host prohibited" message instead of being silently dropped.
public: for untrusted public networks; only explicitly allowed incoming connections (ssh and dhcpv6-client by default) are accepted. This is the default zone.
external: for use on a router with masquerading enabled; only explicitly allowed incoming connections are accepted.
dmz: for publicly reachable hosts with limited access to the internal network; only explicitly allowed incoming connections are accepted.
work: for work networks where most other machines are trusted; only explicitly allowed incoming connections (ssh and dhcpv6-client by default) are accepted.
home: for home networks; in addition to ssh and dhcpv6-client, mdns and samba-client are allowed by default.
internal: for internal networks; same defaults as home.
trusted: all incoming connections are accepted.
2. How to find out which is the default zone?
$ sudo firewall-cmd --get-default-zone
Output:
public
3. How to find the list of active zones and the associated network interfaces?
$ sudo firewall-cmd --get-active-zones
Output:
public
interfaces: enp1s0
4. How to see the rules of the active public zone?
$ sudo firewall-cmd --list-all --zone=public
The output shows the zone's target, its bound interfaces and sources, and the services, ports, protocols, masquerading, forward-ports, ICMP blocks and rich rules allowed in it.
5. How to show the full configuration of all zones at once?
$ sudo firewall-cmd --list-all-zones
6. How to change the default zone?
Before changing it, check the current default zone:
$ sudo firewall-cmd --get-default-zone
Output:
public
Now set the work zone as the default. Unlike most other firewall-cmd operations, this change is written to /etc/firewalld/firewalld.conf immediately, so it applies to both the runtime and the permanent configuration:
$ sudo firewall-cmd --set-default-zone=work
Output:
success
Re-check the default zone:
$ sudo firewall-cmd --get-default-zone
Output:
work
(The remaining examples assume the default zone has been set back to public with --set-default-zone=public.)
7. How to move a network interface from one zone to another?
An interface is handled by the default zone unless it is bound to another zone. To bind the interface enp1s1 to the internal zone:
$ sudo firewall-cmd --zone=internal --change-interface=enp1s1
Add --permanent to the same command to make the binding survive reloads and reboots.
Verify which zones are now active and which interface belongs to which zone:
$ sudo firewall-cmd --get-active-zones
8. How to create a custom zone?
Custom zones are defined in XML files under /etc/firewalld/zones/ (the zones shipped with the package under /usr/lib/firewalld/zones/ should be left untouched). The file name without the .xml suffix becomes the zone name, so this file defines a zone called linuxtecksecure:
$ sudo vi /etc/firewalld/zones/linuxtecksecure.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>linuxtecksecure</short>
<description>For use in corporate areas.</description>
<!-- service names must match a definition in /usr/lib/firewalld/services/ or /etc/firewalld/services/; the web service is called http, there is no "apache" service -->
<service name="http"/>
<service name="ssh"/>
<!-- the explicit ports below duplicate what the http and ssh services already open; they are kept here only to show the port syntax -->
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="22"/>
</zone>
Reload firewalld so that it reads the new zone file. If the zone does not show up in the next command, check the firewalld log (journalctl -u firewalld) for a parse error, such as a reference to a service that does not exist:
$ sudo firewall-cmd --reload
Output:
success
Now, re-check the available zones in firewalld
$ sudo firewall-cmd --get-zones
Output:
block dmz drop external home internal linuxtecksecure public trusted work
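A zone file that names a service firewalld does not know, or a malformed port entry, is the most common reason a hand-written zone never shows up. The script below is an added example (not part of the original article, nor of firewalld itself) that checks a zone file like the one above before it is reloaded: every service name must have a matching service XML file, and every port entry must be a valid number or range with a supported protocol. The function name check_zone_file, the SERVICE_DIR argument and the assumption that attributes appear in the order the article uses (`<service name="..."/>`, `<port protocol="..." port="..."/>`, one element per line) are this example's own; the default directories are the two firewalld itself reads.

```shell
#!/bin/sh
# Added example, not from the original article: check a firewalld zone file
# before `firewall-cmd --reload`. A zone that refers to a service with no
# definition (e.g. <service name="apache"/>; the service is called "http")
# is rejected by firewalld, so catch it before the reload instead of after.
#
# Assumptions of this script (not firewalld rules): one element per line and
# the attribute order the article uses,
#   <service name="..."/>  and  <port protocol="..." port="..."/>
#
# Usage: check_zone_file ZONE.xml [SERVICE_DIR ...]
#   SERVICE_DIR defaults to the two directories firewalld itself reads.
check_zone_file() {
    zone_file=$1; shift
    if [ $# -eq 0 ]; then
        set -- /etc/firewalld/services /usr/lib/firewalld/services
    fi
    [ -r "$zone_file" ] || { echo "$zone_file: cannot read file" >&2; return 2; }
    rc=0

    # Every <service name="X"/> needs a matching X.xml service definition.
    for svc in $(sed -n 's/.*<service[[:space:]]*name="\([^"]*\)".*/\1/p' "$zone_file"); do
        found=no
        for dir in "$@"; do
            if [ -f "$dir/$svc.xml" ]; then found=yes; break; fi
        done
        if [ $found = no ]; then
            echo "$zone_file: unknown service '$svc' (no $svc.xml in $*)" >&2
            rc=1
        fi
    done

    # Every <port protocol="P" port="N"/> needs a supported protocol and a
    # port number or range inside 1-65535. Extracted as "N/P".
    for p in $(sed -n 's/.*<port[^>]*protocol="\([^"]*\)"[^>]*port="\([^"]*\)".*/\2\/\1/p' "$zone_file"); do
        num=${p%/*}; proto=${p#*/}
        case $proto in
            tcp|udp|sctp|dccp) ;;
            *) echo "$zone_file: unsupported protocol in port '$p'" >&2; rc=1; continue ;;
        esac
        case $num in
            ''|-*|*-|*-*-*|*[!0-9-]*)
                echo "$zone_file: malformed port '$p'" >&2; rc=1; continue ;;
        esac
        lo=${num%%-*}; hi=${num##*-}
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            echo "$zone_file: port out of range '$p'" >&2; rc=1
        fi
    done
    return $rc
}

# Run directly: sh check_zone.sh /etc/firewalld/zones/linuxtecksecure.xml
if [ $# -gt 0 ]; then
    check_zone_file "$@"
fi
```

The function exits 0 only when every reference resolves, so it can sit in front of `firewall-cmd --reload` in a deployment script (`check_zone_file zone.xml && sudo firewall-cmd --reload`). It only looks at the two element types the article's zone file uses; rich rules and forward-ports are left to firewalld's own parser.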
Step 3: Services
firewalld has a second building block, services. A service is a named definition (an XML file under /usr/lib/firewalld/services/ or /etc/firewalld/services/) that bundles the ports, protocols and kernel modules an application needs, so that a zone can reference the name instead of listing raw port numbers. The predefined zones reference services from the following list in their default configuration.
9. How to list all the available services in firewalld?
$ sudo firewall-cmd --get-services
Output:
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
10. How to list all the available services in a particular zone?
$ sudo firewall-cmd --zone=work --list-services
Output:
dhcpv6-client ssh
11. How to add an existing service to the default zone?
$ sudo firewall-cmd --add-service=samba
Output:
success
Verify that the service is now listed in the default zone (public here):
$ sudo firewall-cmd --zone=public --list-services
Output:
dhcpv6-client samba ssh
To add a service to a zone other than the default one, name the zone explicitly:
$ sudo firewall-cmd --zone=internal --add-service=ftp
Both additions affect only the running configuration and are lost at the next reload; the next step explains how to keep them.
Step 4: Runtime and permanent configuration
firewalld keeps two separate configurations: permanent (the XML files on disk) and runtime (what is loaded in the kernel right now). When the service starts, it loads the permanent configuration into the runtime. A change made with firewall-cmd and no further option goes into the runtime configuration only: it takes effect immediately, but it is not written to the permanent configuration and disappears at the next reload, restart or reboot.
To make a rule permanent, add the --permanent option. A permanent change is written to disk but is not active until the configuration is reloaded (firewall-cmd --reload) or the service is restarted. Note the trap this creates: --reload replaces the runtime configuration with the permanent one, so any runtime-only rules are discarded. Either issue each command twice (once with and once without --permanent), or make the runtime changes first and copy them over with --runtime-to-permanent.
12. How to add a service permanently?
$ sudo firewall-cmd --permanent --add-service=ftp
Output:
success
$ sudo firewall-cmd --reload
Output:
success
13. How to migrate runtime settings to permanent?
$ sudo firewall-cmd --runtime-to-permanent
Output:
success
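The runtime/permanent split is where most firewalld mistakes happen: a rule added at runtime and then wiped by a reload, or a --permanent rule that never became active. The helper below is an added example (not code from the original article or from the firewalld project) that applies a service or port rule to both configurations of a zone in one call, skips rules that are already present so it can be run repeatedly from a provisioning script, and verifies both scopes afterwards. It uses firewall-cmd's --query-service and --query-port options, which are real options not shown in the article (they exit 0 when the rule is present and 1 when it is absent). The FIREWALL_CMD variable and the function names fw_query and fw_allow are this example's own; FIREWALL_CMD exists so that a test double can stand in for the real binary.

```shell
#!/bin/sh
# Added example, not from the original article: apply a firewalld rule to the
# runtime AND the permanent configuration in one call, then verify it.
# Adding only at runtime and later running `firewall-cmd --reload` silently
# discards the rule; adding only with --permanent leaves it inactive until a
# reload. Doing both, and checking both, avoids either surprise.
#
# FIREWALL_CMD is an assumption of this script: it lets a wrapper or a test
# double stand in for the real firewall-cmd binary.
: "${FIREWALL_CMD:=firewall-cmd}"

# fw_query ZONE KIND VALUE [--permanent]
#   Wraps `firewall-cmd --query-service=NAME` / `--query-port=PORT/PROTO`,
#   which exit 0 when the rule is present and 1 when it is absent.
fw_query() {
    "$FIREWALL_CMD" $4 --zone="$1" --query-"$2"="$3" >/dev/null 2>&1
}

# fw_allow ZONE KIND VALUE
#   KIND is "service" (VALUE like ssh) or "port" (VALUE like 443/tcp).
#   Idempotent: a rule that is already present in a scope is left alone.
fw_allow() {
    zone=$1 kind=$2 value=$3
    case $kind in
        service|port) ;;
        *) echo "fw_allow: kind must be service or port, not '$kind'" >&2; return 2 ;;
    esac
    # First pass without --permanent (runtime), second pass with it.
    for scope in "" "--permanent"; do
        if fw_query "$zone" "$kind" "$value" $scope; then
            continue
        fi
        "$FIREWALL_CMD" $scope --zone="$zone" --add-"$kind"="$value" >/dev/null || {
            echo "fw_allow: failed to add $kind $value to zone $zone ${scope:-(runtime)}" >&2
            return 1
        }
    done
    # Verify: the rule must now be reported in both scopes.
    fw_query "$zone" "$kind" "$value" && fw_query "$zone" "$kind" "$value" --permanent
}

# Example use: the samba service from Step 3 plus an extra port in the
# public zone. Run as `sh fw_allow.sh --demo` on a firewalld host.
if [ "${1:-}" = "--demo" ]; then
    fw_allow public service samba
    fw_allow public port 443/tcp
fi
```

Because the helper never calls --reload, runtime rules added earlier by other means survive it; and because it checks both scopes at the end, a silent failure of the permanent write (for example a typo in a hand-edited zone file that makes firewalld fall back to the shipped copy) shows up as a non-zero exit instead of being discovered after the next reboot.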
Step 5: Ports
firewalld also lets us open ports directly. A port rule does not depend on a service definition being installed, or on the application itself being present: any port/protocol pair can be opened or closed in a zone.
14. How to open the ports used by samba in the public zone?
$ sudo firewall-cmd --zone=public --add-port=137/udp
$ sudo firewall-cmd --zone=public --add-port=138/udp
$ sudo firewall-cmd --zone=public --add-port=139/tcp
$ sudo firewall-cmd --zone=public --add-port=445/tcp
Each command prints:
success
These four ports are exactly what the predefined samba service opens, so --add-service=samba is the more readable equivalent; raw port rules are for software that has no service definition. List the ports opened in the default zone:
$ sudo firewall-cmd --list-ports
Output:
137/udp 138/udp 139/tcp 445/tcp
Step 6: Timeout
firewalld has another useful feature: a timeout on runtime rules. It lets an administrator add a rule that removes itself after a given time. For example, a user wants to download a single file from the server over FTP. This is a one-off, so a permanent rule is not needed, and the download will take a few minutes at most (depending on the file size). We can permit the FTP service for five minutes, after which firewalld removes the rule automatically.
15. How to allow a service for a limited time?
$ sudo firewall-cmd --zone=public --add-service=ftp --timeout=5m
The timeout applies to runtime rules only; --timeout cannot be combined with --permanent. When the timer expires, new FTP connections are refused again; a transfer that is already in progress is not cut off by the rule's removal, because established connections are accepted by the zone's conntrack rule.
That's it! In the next article we will see how to configure the firewalld service step by step using its advanced features, with examples.
Thank you for taking the time to read this! I hope this article helps you understand the basic usage of the firewall-cmd command. Drop me your feedback and comments, and if you like the article, share it so that it may help others as well.
A few of the firewalld references were collected from this site.
Thank you!