Firewalld is a firewall management tool used to allow or deny connections to a Linux system. It provides a set of rules that control inbound traffic.
Firewalld acts as a front end for the Linux kernel's Netfilter framework.
The permanent configuration is loaded from XML files in '/usr/lib/firewalld' (defaults shipped with the package) or '/etc/firewalld' (local changes, which take precedence).
As of CentOS 7, firewalld (Dynamic Firewall Manager) is the default firewall tool on CentOS servers. We advise keeping firewalld active and enabled at all times.
In this article, we look at how to install and use firewalld on a CentOS system.
How to Install firewalld in CentOS / RHEL?
Firewalld ships with the basic installation of Red Hat or CentOS. If it is not installed, you can install it as follows.
On RHEL 7.X or CentOS 7.X, install it with:
$ sudo yum install firewalld -y
On RHEL 8.X or CentOS 8.X, install it with:
$ sudo dnf install firewalld -y
To start the service:
$ sudo systemctl start firewalld
To enable the firewalld service so it starts at boot:
$ sudo systemctl enable firewalld
Check the status of firewalld:
$ systemctl status firewalld
Firewalld comes with several predefined zones, each representing a level of trust.
A zone is a managed group of rules, and the rules within a zone are not fixed: you configure them.
For example, you can use the 'public' zone for publicly hosted ports, while the 'home' zone allows ssh connections.
To list the zones in firewalld, use the following command:
$ sudo firewall-cmd --get-zones
To see which zones are currently active (bound to an interface or source):
$ sudo firewall-cmd --get-active-zones
Now, let's add some ports to allow traffic into our system.
To add a TCP port, type the following.
Remember to add the --permanent option; otherwise, your rule will not persist across a reload or restart of firewalld:
$ sudo firewall-cmd --add-port=443/tcp --permanent
Similarly, you can also allow a UDP port:
$ sudo firewall-cmd --add-port=161/udp --permanent
You can also allow services such as DNS or HTTP. This opens the default port of the service:
$ sudo firewall-cmd --add-service=http --permanent
After adding ports or services, reload the firewall for the changes to take effect, then list the active rules to verify them:
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all
Note: when you don't specify a zone, the rule is added to the default zone, which is 'public' on a fresh install.
To remove a port from firewalld you can use:
$ sudo firewall-cmd --remove-port=443/tcp --permanent
To remove a service from firewalld you can use:
$ sudo firewall-cmd --remove-service=http --permanent
Remember to reload the firewall after you add or remove ports or services; a --permanent change alone only updates the saved configuration, not the running one.
Rich rules in Linux
Rich rules provide more granular options for firewall rules. They are used to configure port forwarding, rate limiting, logging, etc.
For example, to accept ssh connections from a single IP, say 192.1.11.11, add a rich rule specifying the IP version, source address, port and protocol:
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.1.11.11/32" port protocol="tcp" port="22" accept'
You can also drop port 22 traffic from every source address of an entire network, as below:
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.1.11.0/24" port protocol="tcp" port="22" drop'
Note that rich rules without an explicit priority are ordered by action (log rules first, then drop/reject, then accept), so this drop rule for the /24 is evaluated before the accept rule for the single host above and blocks that host as well; on firewalld 0.7 and later, give the accept rule a lower priority value (for example priority="-10") if the host exception must win.
To allow new IPv4 connections from 192.168.0.0/24 to the tftp service and log them via syslog at most once per minute, run:
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
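Because a drop rule for a network can silently shadow an accept rule for a host inside it, here is an added Python check (not part of the original page and not firewalld's own tooling) that parses `firewall-cmd --list-all` output and reports accept rules hidden behind an earlier drop/reject on the same port. The sample output is constructed and mirrors the two rich rules above; the ordering logic follows firewalld's documented rich-rule order (log, deny, accept within equal priority).

```python
import re
import ipaddress

# Constructed `firewall-cmd --list-all` output for a host where the commands
# above were applied (not captured from a real system).
SAMPLE_LIST_ALL = """\
public (active)
  services: dhcpv6-client http ssh
  ports: 443/tcp 161/udp
  rich rules:
\trule family="ipv4" source address="192.1.11.11/32" port port="22" protocol="tcp" accept
\trule family="ipv4" source address="192.1.11.0/24" port port="22" protocol="tcp" drop
"""
ATTR = re.compile(r'(\w+)="([^"]*)"')
ACTION = re.compile(r"\b(accept|drop|reject)\b")

def parse_rich_rule(rule):
    """Keep only the fields that decide where a rich rule lands in the ordering."""
    attrs, action = dict(ATTR.findall(rule)), ACTION.search(rule)
    return {"text": rule.strip(), "source": attrs.get("address"), "port": attrs.get("port"),
            "protocol": attrs.get("protocol"), "priority": int(attrs.get("priority", 0)),
            "action": action.group(1) if action else None}   # firewalld default priority is 0

def parse_list_all(text):
    """Extract services, ports and rich rules from `firewall-cmd --list-all` output."""
    zone = {"services": [], "ports": [], "rich_rules": []}
    for line in text.splitlines():
        if line.startswith("\t"):                    # rich rules are the tab-indented lines
            zone["rich_rules"].append(parse_rich_rule(line))
            continue
        key, _, value = line.strip().partition(":")
        if key in ("services", "ports"):
            zone[key] = value.split()
    return zone

def shadowed_accepts(rules):
    """(accept, deny) pairs where the deny rule runs first and covers the accept's source."""
    found = []
    denies = [r for r in rules if r["action"] in ("drop", "reject")]
    for acc in (r for r in rules if r["action"] == "accept" and r["source"]):
        acc_net = ipaddress.ip_network(acc["source"], strict=False)
        for deny in denies:
            deny_net = ipaddress.ip_network(deny["source"] or "0.0.0.0/0", strict=False)
            # Lower priority value runs first; at equal priority the order is log -> deny -> accept.
            if ((acc["port"], acc["protocol"]) == (deny["port"], deny["protocol"])
                    and deny["priority"] <= acc["priority"]
                    and acc_net.version == deny_net.version
                    and acc_net.subnet_of(deny_net)):
                found.append((acc["text"], deny["text"]))
    return found
```

Run it against real output with `firewall-cmd --list-all | python3 -c 'import sys, check; print(check.shadowed_accepts(check.parse_list_all(sys.stdin.read())["rich_rules"]))'` (assuming the block is saved as check.py); an empty list means no accept rule is shadowed.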
How to Uninstall firewalld from CentOS?
If you want to remove the firewalld daemon from CentOS / RHEL, first stop the running service:
$ sudo systemctl stop firewalld
On RHEL 7.X or CentOS 7.X:
$ sudo yum remove firewalld -y
On RHEL 8.X or CentOS 8.X:
$ sudo dnf remove firewalld -y