Set Up a Firewall with FirewallD on CentOS 7

In this article, we show you how to set up a firewall with FirewallD on CentOS 7.

What is Firewalld?

FirewallD is a firewall management solution for many Linux distributions, including Ubuntu, Debian, CentOS, RHEL, and Fedora, and all versions of them. In this article, we use CentOS 7.

Requirements for setting up a Firewall on CentOS 7

You need to log in as a non-root user to set up a firewall. You can check our article about the initial server setup with CentOS 7.

Set Up a Firewall with FirewallD on CentOS 7

Before setting up a firewall with FirewallD on CentOS 7, let's look at FirewallD zones first.

FirewallD uses zones and services instead of iptables chains and rules. A zone is a set of rules that specifies what traffic should be allowed, depending on the level of trust you have in the network your computer is connected to. Each network interface is assigned a zone, which dictates the behavior the firewall should allow.

FirewallD zones

Here is a list of predefined zones for Firewalld:

1. Drop: This zone has the least level of trust and is used to drop all incoming traffic without sending any acknowledgment to the sender.

2. Block: This zone is very similar to the Drop zone, but the incoming traffic is rejected and the sender gets a message.

3. Public: This allows traffic from certain public networks.

4. External: This zone is used when your system acts as a gateway or router.

5. Internal: The set of rules that apply to the computers in your private internal network.

6. DMZ: This zone is an isolated patch of computers in your internal network that may not access other internal resources.

7. Work: This zone is used for work machines. The trust level is high.

8. Home: Most computers in this zone trust each other. The trust level is higher than at work.

9. Trusted: This zone has the highest trust level. All computers in the network are trusted.

Installing FirewallD on CentOS 7

You can set up a firewall on CentOS 7 by following these steps.

Install FirewallD on CentOS 7 with the following command:

sudo yum install firewalld

Then enable it and reboot the system with the following commands:

sudo systemctl enable firewalld
sudo reboot

You can verify that the service is running with the following command:

sudo firewall-cmd --state

Firewall rules on CentOS 7

After setting up a firewall with FirewallD on CentOS 7, you can inspect the firewall rules.

You can see which zones are active, and which interfaces are assigned to them, with the following command:

firewall-cmd --get-active-zones

You can see the default zone’s configuration with:

sudo firewall-cmd --list-all

Get a list of available zones with:

firewall-cmd --get-zones

Now you can see the configuration of a specific zone, for example home, with the following command:

sudo firewall-cmd --zone=home --list-all

Select zones for your interfaces of Firewall

When you have configured your network interfaces, each interface is put in the default zone when the firewall starts.

You can change the zone of an interface, for example move eth0 to the home zone, with the following command:

sudo firewall-cmd --zone=home --change-interface=eth0

Check that this was successful with the following command:

firewall-cmd --get-active-zones

Adjust a default zone for the Firewall

When setting up a firewall on CentOS 7, instead of selecting a zone for each interface, you can adjust the default zone.
It's better to set a default zone and use that for your configuration, with the following command:

sudo firewall-cmd --set-default-zone=home

Add service in your zone

First, you can get a list of available services with the following command:

firewall-cmd --get-services

Enable a service from the list, for example the HTTP service, with:

sudo firewall-cmd --zone=public --add-service=http

You can see it with:

sudo firewall-cmd --zone=public --list-services

Make your public zone change permanent, so that it survives a reload or reboot, with:

sudo firewall-cmd --zone=public --permanent --add-service=http

You can see it with:

sudo firewall-cmd --zone=public --permanent --list-services

Open a port for your zone

You can add a port to your zone.
For example, if your application runs on port 8000 and uses TCP:

sudo firewall-cmd --zone=public --add-port=8000/tcp

List it with:

sudo firewall-cmd --zone=public --list-ports

If your application uses ports 3500-3700 over UDP, run the following command:

sudo firewall-cmd --zone=public --add-port=3500-3700/udp

Make them permanent with:

sudo firewall-cmd --zone=public --permanent --add-port=8000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=3500-3700/udp
sudo firewall-cmd --zone=public --permanent --list-ports
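
A check for the runtime versus permanent split used in the two sections above, as an added example that is not part of the original article: it lists services and ports that exist only in the running configuration. The script name drift.sh and the function names are assumptions; the sample lists are constructed.

```bash
#!/bin/sh
# Added example (not from the article): find firewalld entries that exist only
# in the runtime configuration and would be lost on reload or reboot.

# runtime_only RUNTIME_LIST PERMANENT_LIST
# Prints the space-separated items of the first list that are missing in the second.
runtime_only() {
    ro_perm=" $(printf '%s' "$2" | tr -s '[:space:]' ' ') "
    ro_out=""
    for ro_item in $1; do
        case "$ro_perm" in
            *" $ro_item "*) ;;                        # also permanent
            *) ro_out="${ro_out:+$ro_out }$ro_item" ;;
        esac
    done
    printf '%s\n' "$ro_out"
}

# check_zone ZONE: compare services and ports of one zone; returns 1 on drift.
# Needs firewall-cmd and root privileges (run the script with sudo).
check_zone() {
    cz_rc=0
    for cz_kind in services ports; do
        cz_rt=$(firewall-cmd --zone="$1" --list-"$cz_kind")
        cz_pm=$(firewall-cmd --zone="$1" --permanent --list-"$cz_kind")
        cz_extra=$(runtime_only "$cz_rt" "$cz_pm")
        if [ -n "$cz_extra" ]; then
            echo "zone $1: $cz_kind not permanent: $cz_extra"
            cz_rc=1
        fi
    done
    return "$cz_rc"
}

# Constructed sample: http was added at runtime only.
runtime_only "dhcpv6-client http ssh" "dhcpv6-client ssh"

# Query the live firewall only when asked to: sudo sh drift.sh --live public
# (drift.sh is a hypothetical file name for this script)
if [ "${1:-}" = "--live" ]; then
    check_zone "${2:-public}"
fi
```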

Define a service

At this point, you have learned how to set up a firewall with FirewallD and about firewall rules on CentOS 7. Let's see how to define a service.

If you open ports by number, it can be difficult to remember later which service each port was opened for.
In this situation, you can define a service to solve that.

For example, you can copy the SSH service definition to use as the basis for the 'example' service with the following command:

sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml

You can edit it with the vi editor:

sudo vi /etc/firewalld/services/example.xml

Change the short name for the service, add a description for it, and put your ports and protocols in it. When you are finished, save and close the file.

Reload the firewall:

sudo firewall-cmd --reload

Now you can see it in your available services:

firewall-cmd --get-services
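
What the edited example.xml can look like for the application ports opened earlier (8000/tcp and 3500-3700/udp), generated by a small script; this is an added example, not part of the original article. The short name, the description text and the scratch output directory are assumptions, and the text values are assumed to contain no XML special characters.

```bash
#!/bin/sh
# Added example (not from the article): build a firewalld service definition
# like the edited example.xml. Short name and description are illustrative.

# render_service SHORT DESCRIPTION PORTSPEC...
# PORTSPEC is port/proto or first-last/proto, with proto tcp or udp.
render_service() {
    rs_short="$1"; rs_desc="$2"; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$rs_short"
    printf '  <description>%s</description>\n' "$rs_desc"
    for rs_spec in "$@"; do
        rs_port="${rs_spec%/*}"; rs_proto="${rs_spec#*/}"
        case "$rs_proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$rs_spec'" >&2; return 1 ;;
        esac
        case "$rs_port" in
            ''|*[!0-9-]*) echo "bad port in '$rs_spec'" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$rs_proto" "$rs_port"
    done
    printf '</service>\n'
}

# Write to a scratch directory first; after review, copy the file to
# /etc/firewalld/services/example.xml and reload the firewall.
out_dir="${OUT_DIR:-$(mktemp -d)}"
render_service "Example" "Example application ports" 8000/tcp 3500-3700/udp \
    > "$out_dir/example.xml"
echo "wrote $out_dir/example.xml"
```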

Create your own zone

At this point, you have set up a firewall on CentOS 7 and learned about its rules. You can also create your own zones. For example, say you want to create a zone for your web server, named publicweb.

Use the following command:

sudo firewall-cmd --permanent --new-zone=publicweb

Then reload the firewall:

sudo firewall-cmd --reload
firewall-cmd --get-zones

Add services to your zone, for example:

sudo firewall-cmd --zone=publicweb --add-service=ssh

Change your interfaces with:

sudo firewall-cmd --zone=publicweb --change-interface=eth0

You can make the configuration permanent with:

sudo firewall-cmd --zone=publicweb --permanent --add-service=ssh

Restart your network and reload your firewall:

sudo systemctl restart network
sudo systemctl reload firewalld

You can set your zone as your default zone:

sudo firewall-cmd --set-default-zone=publicweb

Conclusion

At this point, you have learned how to set up a firewall with FirewallD on CentOS 7, and you know about FirewallD zones and how to create your own zone.

Hope you enjoy it.
