Firewalld is a firewall management tool used to allow or deny connections to a Linux system. It applies a set of rules, grouped into zones, that control inbound traffic; by default only inbound traffic is filtered and outbound connections are allowed.

Firewalld acts as a front end for the Linux kernel's Netfilter framework, driving it through the iptables backend on CentOS 7 and the nftables backend on CentOS 8.

The permanent configuration is loaded from XML files: the defaults shipped with the package live in '/usr/lib/firewalld', and any zone or service file placed under '/etc/firewalld' overrides the default of the same name. Make your changes under '/etc/firewalld' only; files under '/usr/lib/firewalld' are replaced on package updates.

As of CentOS 7, firewalld (Dynamic Firewall Manager) is the default firewall tool on CentOS servers. We advise keeping firewalld active and enabled at all times. 

Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to secure their Servers via Linux Firewalld.

In this context, we shall look into how to install and use firewalld in CentOS system.

How to Install firewalld in CentOS / RHEL ?

Firewalld ships with the base installation of Red Hat Enterprise Linux and CentOS. If it is missing, install it as follows.

On RHEL 7.X or CentOS 7.X install it with:

$ sudo yum install firewalld -y

On RHEL 8.X or CentOS 8.X install it with:

$ sudo dnf install firewalld -y

To start the service,

$ sudo systemctl start firewalld

To enable the firewalld service so that it starts at boot,

$ sudo systemctl enable firewalld

Check the status of firewalld,

$ systemctl status firewalld

Firewalld ships with a set of predefined zones, each representing a level of trust in the network it is bound to (for example 'drop', 'block', 'public', 'external', 'dmz', 'work', 'home', 'internal' and 'trusted').

A zone is a named group of rules: the services, ports and rich rules allowed for traffic arriving on the interfaces, or from the source addresses, assigned to that zone.

The predefined zones come with default rule sets, which you can extend or trim.

For example, 'public' allows only the ssh and dhcpv6-client services by default and is the zone to which you add the ports of your public-facing services, while 'home' is meant for trusted networks and additionally allows mdns and samba-client.

To list zones in firewalld use following command:

$ sudo firewall-cmd --get-zones

To see which zones are active, that is, bound to an interface or a source, use:

$ sudo firewall-cmd --get-active-zones

Now, let's open some ports to allow traffic into the system.

To open a TCP port, run the following.

Remember the --permanent option: without it the rule is applied to the running firewall immediately but is lost on the next reload or restart of firewalld; with it the rule is written to the XML configuration but does not take effect until the firewall is reloaded:

$ sudo firewall-cmd --add-port=443/tcp --permanent

Similarly, you can also allow UDP port:

$ sudo firewall-cmd --add-port=161/udp --permanent

You can also allow a named service such as dns or http instead of a raw port. Each service is defined by an XML file under /usr/lib/firewalld/services (or an override under /etc/firewalld/services) that lists its default ports, and allowing the service opens exactly those ports.

For example,

$ sudo firewall-cmd --add-service=http --permanent

After adding a port or service with --permanent, reload the firewall so the permanent configuration is applied to the running firewall:

$ sudo firewall-cmd --reload

Verify with the following, which lists the runtime rules of the default zone:

$ sudo firewall-cmd --list-all

Note: When you do not name a zone with --zone, the rule is added to the default zone, which is 'public' on a fresh installation.

To remove port from firewalld you can use:

$ sudo firewall-cmd --remove-port=443/tcp --permanent

To remove service from firewalld you can use:

$ sudo firewall-cmd --remove-service=http --permanent

Remember to reload the firewall after adding or removing ports or services with --permanent; until then the running firewall still has the old rules.
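As an added example (not part of the original article), the following Python script reads the zone XML format in which firewalld stores the permanent configuration described above and compares the allowed services and ports against an allowlist, so that an opening added with --permanent and then forgotten is caught. The sample XML is constructed for the example to match the commands above; the allowlist contents and the audit_zone_file helper are assumptions for illustration.

```python
"""Audit a firewalld zone's permanent configuration against an allowlist.

Added example: parses the zone XML format firewalld keeps under
/etc/firewalld/zones (overrides) and /usr/lib/firewalld/zones (defaults)
and reports every service or port that is open but not expected.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (not from a real host): what /etc/firewalld/zones/public.xml
# looks like after http, 443/tcp and 161/udp were added as in the text,
# plus a port range someone opened and forgot about.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port protocol="tcp" port="443"/>
  <port protocol="udp" port="161"/>
  <port protocol="tcp" port="8080-8090"/>
</zone>
"""


def parse_zone(xml_text):
    """Return (services, ports) declared in a firewalld zone XML document.

    services: set of service names, e.g. {"ssh", "http"}
    ports:    set of "port/protocol" strings, e.g. {"443/tcp", "8080-8090/tcp"}
    """
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"not a firewalld zone file (root element is <{root.tag}>)")
    services = {s.get("name") for s in root.findall("service")}
    ports = {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}
    return services, ports


def audit_zone(xml_text, allowed_services, allowed_ports):
    """Return (unexpected_services, unexpected_ports): openings not on the allowlist."""
    services, ports = parse_zone(xml_text)
    return sorted(services - set(allowed_services)), sorted(ports - set(allowed_ports))


def audit_zone_file(path, allowed_services, allowed_ports):
    """Audit a zone file on disk, e.g. /etc/firewalld/zones/public.xml (assumed path)."""
    return audit_zone(Path(path).read_text(), allowed_services, allowed_ports)


if __name__ == "__main__":
    # Baseline for a web server: ssh for administration, http/https for clients.
    unexpected_services, unexpected_ports = audit_zone(
        SAMPLE_ZONE_XML,
        allowed_services=["ssh", "http", "dhcpv6-client"],
        allowed_ports=["443/tcp"],
    )
    print("unexpected services:", unexpected_services)
    print("unexpected ports:", unexpected_ports)  # ['161/udp', '8080-8090/tcp']
```

Run it periodically against /etc/firewalld/zones/public.xml, falling back to /usr/lib/firewalld/zones/public.xml when no override file exists. It checks only the permanent configuration: the runtime state shown by firewall-cmd --list-all can differ until the next --reload, and firewall-cmd --get-default-zone tells you which zone file the zone-less commands above actually modify.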

Rich rules in firewalld

Rich rules give finer-grained control than plain port and service openings: they can match on source or destination address and are used to configure port forwarding, rate limiting, logging, masquerading and more.

For example, to accept SSH connections from a single IP address only, add a rich rule that specifies the IP family, the source address, the port and the protocol (the source address is left blank in the examples below; fill in the host or network you want to match). Note that the 'public' zone allows the ssh service from any source by default, so this rule only restricts access if you also remove the ssh service from the zone with --remove-service, as shown above:

$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" port protocol="tcp" port="22" accept'

You can also drop SSH connections from an entire network by giving the network in CIDR notation as the source address:

$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" port protocol="tcp" port="22" drop'

To allow new IPv4 connections from a given address to the tftp service and log them to syslog at most once per minute:

$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
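As an added example, not code from firewalld or from the original article, the following Python builder produces rich rules of the three forms shown above and validates the pieces that are easy to get wrong on the command line: it derives family from the source address (so an IPv6 source never lands in an ipv4 rule), rejects an empty source, an out-of-range port or a malformed log limit, and returns the quoted firewall-cmd invocation ready to paste. The addresses are taken from documentation ranges (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32) and the function and parameter names are chosen for the example.

```python
"""Build and sanity-check firewalld rich rules before handing them to firewall-cmd.

Added example, not firewalld's own code. firewall-cmd takes a rich rule as a
single quoted string, so an empty source, a family that does not match the
address, or a port out of range are only noticed when the command fails.
"""
import ipaddress
import re
import shlex

_LOG_LEVELS = {"emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"}
_LIMIT_RE = re.compile(r"^\d+/[smhd]$")  # firewalld limit syntax: rate/{s,m,h,d}


def rich_rule(source, action, port=None, protocol="tcp", service=None,
              log_prefix=None, log_level="info", log_limit=None):
    """Return a firewalld rich rule string for traffic from `source`.

    source  : IPv4/IPv6 host or CIDR network, e.g. "203.0.113.10" or "198.51.100.0/24"
    action  : "accept", "drop" or "reject"
    port    : integer port or "low-high" range, used together with `protocol`
    service : firewalld service name, used instead of port/protocol
    log_*   : optional log element (prefix, syslog level, rate limit such as "1/m")
    """
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError as exc:
        raise ValueError(f"invalid source address {source!r}: {exc}") from None
    family = "ipv4" if net.version == 4 else "ipv6"
    # Emit a bare host address for a single host and CIDR notation for a network.
    addr = str(net.network_address) if net.num_addresses == 1 else str(net)

    if action not in ("accept", "drop", "reject"):
        raise ValueError(f"unsupported action {action!r}")
    if (port is None) == (service is None):
        raise ValueError("give exactly one of port or service")

    parts = [f'rule family="{family}"', f'source address="{addr}"']
    if service is not None:
        if not re.fullmatch(r"[A-Za-z0-9_-]+", service):
            raise ValueError(f"invalid service name {service!r}")
        parts.append(f'service name="{service}"')
    else:
        if protocol not in ("tcp", "udp", "sctp", "dccp"):
            raise ValueError(f"unsupported protocol {protocol!r}")
        lo, _, hi = str(port).partition("-")
        for p in (lo, hi or lo):
            if not p.isdigit() or not 1 <= int(p) <= 65535:
                raise ValueError(f"port out of range: {port!r}")
        parts.append(f'port protocol="{protocol}" port="{port}"')
    if log_prefix is not None:
        if log_level not in _LOG_LEVELS:
            raise ValueError(f"unknown log level {log_level!r}")
        log = f'log prefix="{log_prefix}" level="{log_level}"'
        if log_limit is not None:
            if not _LIMIT_RE.match(log_limit):
                raise ValueError(f"bad limit {log_limit!r}, expected e.g. 1/m")
            log += f' limit value="{log_limit}"'
        parts.append(log)
    parts.append(action)
    return " ".join(parts)


def firewall_cmd(rule, zone="public", permanent=True):
    """Return the shell-quoted firewall-cmd command line that installs `rule` in `zone`."""
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    argv += [f"--zone={zone}", f"--add-rich-rule={rule}"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Accept SSH from one admin host, drop it from a whole network, and accept
    # tftp from an IPv6 host while logging at most one new connection a minute.
    for r in (
        rich_rule("203.0.113.10", "accept", port=22),
        rich_rule("198.51.100.0/24", "drop", port=22),
        rich_rule("2001:db8::10", "accept", service="tftp",
                  log_prefix="tftp", log_limit="1/m"),
    ):
        print(firewall_cmd(r))
```

The accept rule for a single host only narrows SSH access once the ssh service has been removed from the 'public' zone, since the zone still allows that service from any source; the drop rule for a network takes effect on its own, because rich-rule drops are evaluated before the zone's service allowances. Reload the firewall after installing the rules, as for ports and services.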

How to Uninstall firewalld from CentOS ?

If you want to remove the firewalld daemon from CentOS / RHEL, first stop the running service. Be aware that stopping it flushes its rules and leaves the host without any packet filtering unless you configure nftables or iptables directly afterwards:

$ sudo systemctl stop firewalld

On RHEL 7.X or Centos 7.X:

$ sudo yum remove firewalld -y

On RHEL 8.X or Centos 8.X:

$ sudo dnf remove firewalld -y

[Need urgent assistance in fixing missing packages on CentOS system? Contact Our Support Experts Now. ]