The Geek Diary

CentOS / RHEL 7 : Beginners guide to firewalld

by admin

Introduction

– A packet filtering firewall reads incoming network packets and filters (allows or denies) each data packet based on the header information in the packet. The Linux kernel has built-in packet filtering functionality called Netfilter.
– Two services are available in RHEL 7 to create, maintain, and display the rules stored by Netfilter:
1. firewalld
2. iptables
– In RHEL 7, the default firewall service is firewalld.
– firewalld is a dynamic firewall manager which supports firewall (network) zones.
– The firewalld service has support for IPv4, IPv6, and for Ethernet bridges.
– The firewalld service also provides a D-BUS interface. Services or applications already using D-BUS can add or request changes to firewall rules directly through the D-BUS interface.

Advantages over iptables

firewalld has the following advantages over iptables :
1. Unlike the iptables command, the firewall-cmd command does not restart the firewall and disrupt established TCP connections.
2. firewalld supports dynamic zones.
3. firewalld supports D-Bus for better integration with services that depend on firewall configuration.

Configuration options

The firewalld service has two types of configuration options:
1. Runtime: Changes to firewall settings take effect immediately but are not permanent. Changes made in runtime configuration mode are lost when the firewalld service is restarted.
2. Permanent: Changes to firewall settings are written to configuration files. These changes are applied when the firewalld service restarts.

Configuration files

Configuration files for firewalld exist in two directories:
/usr/lib/firewalld: Contains default configuration files. Do not make changes to these files. An upgrade of the firewalld package overwrites this directory.
/etc/firewalld: Changes to the default configuration files are stored in this directory. A file in this directory overrides the default file of the same name in /usr/lib/firewalld.

firewalld zones

The firewalld service allows you to separate networks into different zones based on the level of trust you want to place on the devices and traffic within a specific network. For each zone you can define the following features:
Services: Predefined or custom services to trust. Trusted services are a combination of ports and protocols that are accessible from other systems and networks.
Ports: Additional ports or port ranges and associated protocols that are accessible from other systems and networks.
Masquerading: Translate IPv4 addresses to a single external address. With masquerading enabled, addresses of a private network are mapped to and hidden behind a public address.
Port Forwarding: Forward inbound network traffic from a specific port or port range to an alternative port on the local system, or to a port on another IPv4 address.
ICMP Filter: Block selected Internet Control Message Protocol messages.
Rich Rules: Extend existing firewalld rules to include additional source and destination addresses and logging and auditing actions.
Interfaces: Network interfaces bound to the zone. The zone for an interface is specified with the ZONE= option in its /etc/sysconfig/network-scripts/ifcfg file. If the option is missing, the interface is bound to the default zone.

Predefined firewalld Zones

The firewalld software package includes a set of predefined network zones in the following directory:

#  ls -lrt /usr/lib/firewalld/zones/
total 36
-rw-r----- 1 root root 342 Sep 15  2015 work.xml
-rw-r----- 1 root root 162 Sep 15  2015 trusted.xml
-rw-r----- 1 root root 315 Sep 15  2015 public.xml
-rw-r----- 1 root root 415 Sep 15  2015 internal.xml
-rw-r----- 1 root root 400 Sep 15  2015 home.xml
-rw-r----- 1 root root 304 Sep 15  2015 external.xml
-rw-r----- 1 root root 291 Sep 15  2015 drop.xml
-rw-r----- 1 root root 293 Sep 15  2015 dmz.xml
-rw-r----- 1 root root 299 Sep 15  2015 block.xml

The zone files contain preset settings, which can be applied to a network interface. For example:

# grep -i service /usr/lib/firewalld/zones/public.xml
<service name="ssh"/>
<service name="dhcpv6-client"/>

In this example, network interfaces bound to the public zone trust only two services, ssh and dhcpv6-client.
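The override rule from the "Configuration files" section and the zone XML shown above, as an added shell example (not from the original article): it resolves which zone file is in effect for a zone and lists the services that file trusts. ROOT is a hypothetical prefix so the demo runs against a constructed scratch tree instead of the real /etc and /usr/lib.

```shell
#!/bin/sh
# Added example, not from the original article. ROOT is a hypothetical prefix
# so the demo can run against a scratch tree instead of the live system.

# A file in ROOT/etc/firewalld/zones replaces the packaged default of the same
# name in ROOT/usr/lib/firewalld/zones wholesale; the two are not merged.
zone_file() {                      # usage: zone_file ROOT ZONE
  if [ -f "$1/etc/firewalld/zones/$2.xml" ]; then
    printf '%s\n' "$1/etc/firewalld/zones/$2.xml"
  else
    printf '%s\n' "$1/usr/lib/firewalld/zones/$2.xml"
  fi
}

# Services a zone file trusts, as one sorted space-separated line.
zone_services() {                  # usage: zone_services ZONEFILE
  sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Build a constructed scratch tree: the packaged public zone as the article
# shows it, plus a local override that additionally trusts http.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/lib/firewalld/zones" "$root/etc/firewalld/zones"
  cat > "$root/usr/lib/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
  cat > "$root/etc/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
</zone>
EOF
  f=$(zone_file "$root" public)
  printf 'in effect: %s -> %s\n' "${f#$root}" "$(zone_services "$f")"
  rm -rf "$root"
}

demo
```

Because the override replaces the packaged file rather than merging with it, a stale file in /etc/firewalld/zones keeps its old service list even after a package upgrade changes the default; auditing the file actually in effect is the check worth scripting.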

A brief explanation of each zone follows:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.

Setting the Default firewalld Zone

After an initial installation, the public zone is the default zone as specified in the configuration file, /etc/firewalld/firewalld.conf.

# grep -i defaultzone /etc/firewalld/firewalld.conf
DefaultZone=public

Network interfaces are bound to the default zone unless specified with ZONE=[zone] in the ifcfg file. The following command shows the interfaces that are bound to the public zone:

# firewall-cmd --get-active-zones
public
      interfaces: eth0 eth1

You can use the firewall-cmd command to change the default zone:

# firewall-cmd --set-default-zone=work 
success

You can also use the firewall-config GUI to change the default zone. From the menu bar, select Options->Change Default Zone, and then select a zone from a pop-up list.

firewalld Services

– A firewalld service is a combination of local ports and protocols and destination addresses.
– A firewalld service can also include Netfilter kernel modules that are automatically loaded when a service is enabled.
– The firewalld software package includes a set of predefined services in the following directory:

# ls /usr/lib/firewalld/services/

Each predefined service is a separate XML file in this directory, named after the service (for example ssh.xml and http.xml).

– Services can be enabled for a zone in Runtime mode.
– Service definitions can only be edited in Permanent mode.

Start firewalld

To start firewalld:

# systemctl start firewalld

To ensure firewalld starts at boot time:

# systemctl enable firewalld

To check if firewalld is running:

# systemctl status firewalld
# firewall-cmd --state

Three methods to configure the firewalld service:
– firewall-cmd : Command-line interface
– firewall-config : Graphical user interface
– Edit various XML configuration files.


The firewall-cmd Utility

The command-line tool firewall-cmd is part of the firewalld application, which is installed by default. To get help on the firewall-cmd command:

# firewall-cmd --help

The firewall-cmd command offers categories of options such as General, Status, Permanent, Zone, IcmpType, Service, Adapt and Query Zones, Direct, Lockdown, Lockdown Whitelist, and Panic. To list information for all zones:

# firewall-cmd --list-all-zones
public (default, active)
      interfaces: eth0 eth1
      sources:
      services: dhcpv6-client ssh
      ports:
  ...

To permit access by HTTP clients for the public zone:

# firewall-cmd --zone=public --add-service=http 
success

To list services that are allowed for the public zone:

# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh

Using this command only changes the Runtime configuration and does not update the configuration files.
The configuration changes made in Runtime configuration mode are lost when the firewalld service is restarted:

# systemctl restart firewalld
# firewall-cmd --zone=public --list-services
dhcpv6-client ssh

To make changes permanent, use the --permanent option. Example:

# firewall-cmd --permanent --zone=public --add-service=http 
success

Changes made in Permanent configuration mode are not implemented immediately. However, changes made in Permanent configuration are written to configuration files. Restarting the firewalld service reads the configuration files and implements the changes. Example:

# systemctl restart firewalld
# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh
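The runtime/permanent split described above is where firewall configuration silently drifts: a rule added without --permanent disappears on the next restart, and a rule written only to the permanent configuration is not enforced yet. The following added shell example (not from the original article) compares the two service lists for a zone, exactly as firewall-cmd --list-services prints them, and reports each kind of drift; audit_zone is a hypothetical wrapper name, and the lists in demo are the ones from the article's own session.

```shell
#!/bin/sh
# Added example, not from the original article. Lists are space-separated
# strings as printed by: firewall-cmd [--permanent] --zone=ZONE --list-services

# Words of list A that do not occur in list B, in A's order.
only_in_first() {                  # usage: only_in_first "LIST_A" "LIST_B"
  out=
  for s in $1; do
    case " $2 " in
      *" $s "*) ;;                 # present in both lists: not drift
      *) out="$out${out:+ }$s" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Services enforced now but lost on the next restart.
runtime_only()   { only_in_first "$1" "$2"; }   # args: RUNTIME PERMANENT
# Services written to /etc/firewalld but not enforced until a reload/restart.
permanent_only() { only_in_first "$2" "$1"; }   # args: RUNTIME PERMANENT

# Live check (hypothetical wrapper; needs root and a running firewalld).
audit_zone() {                     # usage: audit_zone ZONE
  zone=$1
  rt=$(firewall-cmd --zone="$zone" --list-services)
  pm=$(firewall-cmd --permanent --zone="$zone" --list-services)
  printf 'zone=%s runtime-only=[%s] permanent-only=[%s]\n' \
    "$zone" "$(runtime_only "$rt" "$pm")" "$(permanent_only "$rt" "$pm")"
}

# Offline demonstration with the article's own lists: after
# `--add-service=http` without --permanent, http exists only at runtime.
demo() {
  runtime_only "dhcpv6-client http ssh" "dhcpv6-client ssh"
}

demo
```

To bring the two configurations back in line, firewall-cmd --reload applies the permanent configuration without restarting the service, and firewall-cmd --runtime-to-permanent (where the installed firewalld version provides it) saves the current runtime state instead.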

© 2022 · The Geek Diary