This article covers how to install and use firewalld on CentOS in order to increase the security of your Linux system. Note that a host-based firewall such as firewalld is recommended by compliance standards like PCI DSS.
FirewallD is a complete firewall solution that manages the system's iptables rules and provides a D-Bus interface for operating on them. Starting with CentOS 7, FirewallD replaces iptables as the default firewall management tool.
Firewalld services are predefined rule sets that apply within a zone and define the settings needed to allow incoming traffic for a specific service (for example, the http service opens TCP port 80).
How to install Firewalld on CentOS?
Firewalld is installed by default on CentOS 7, but if it is not installed on your system, you can install the package by running the command:
$ sudo yum install firewalld
The firewalld service is disabled by default. You can check the firewall status with:
$ sudo firewall-cmd --state
If you have just installed it or never activated it before, the command prints not running. Otherwise, you will see running.
To start the FirewallD service and enable it at boot, type:
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
To open the HTTP and HTTPS ports, add permanent service rules to the dmz zone:
$ sudo firewall-cmd --permanent --zone=dmz --add-service=http
$ sudo firewall-cmd --permanent --zone=dmz --add-service=https
Rules added with --permanent only change the stored configuration, not the running firewall. Make the changes effective immediately by reloading the firewall:
$ sudo firewall-cmd --reload
Zones provided by FirewallD:
1. drop: All incoming connections are dropped without any notification. Only outgoing connections are allowed.
2. block: All incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only outgoing connections are allowed.
3. public: For use in untrusted public areas. You do not trust other computers on the network, but you can allow selected incoming connections.
4. external: For use on external networks with NAT masquerading enabled when your system acts as a gateway or router. Only selected incoming connections are allowed.
5. internal: For use on internal networks when your system acts as a gateway or router. Other systems on the network are generally trusted. Only selected incoming connections are allowed.
6. dmz: Used for computers located in your demilitarized zone that have limited access to the rest of your network. Only selected incoming connections are allowed.
7. work: Used for work machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
8. home: Used for home machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
9. trusted: All network connections are accepted. Trust all of the computers in the network.
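As an added example that is not part of the article, the POSIX shell script below turns the commands from the installation steps above into an idempotent baseline and uses the zone names from the list above: it binds an interface to a chosen zone, checks with --query-service before adding http and https so it can be re-run safely, and reloads so the permanent rules become active. The FIREWALL_CMD variable, the function names and the eth0/dmz defaults are assumptions of this example; the firewall-cmd options themselves are the standard ones.

```shell
#!/bin/sh
# Added example (not the article's own script): idempotent firewalld baseline.
# Assumption: FIREWALL_CMD names the firewall-cmd binary; it can be pointed at a
# logging stub (a shell function) to dry-run the script without touching a host.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw: run firewall-cmd (or the override) with the given arguments.
fw() {
    "$FIREWALL_CMD" "$@"
}

# ensure_service ZONE SERVICE: add SERVICE to ZONE's permanent config unless it
# is already there. --query-service exits 0 when the service is present.
ensure_service() {
    zone="$1"
    svc="$2"
    if fw --permanent --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        return 0
    fi
    fw --permanent --zone="$zone" --add-service="$svc"
}

# ensure_no_service ZONE SERVICE: remove SERVICE from ZONE if it is present.
ensure_no_service() {
    zone="$1"
    svc="$2"
    if fw --permanent --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        fw --permanent --zone="$zone" --remove-service="$svc"
    fi
}

# bind_interface ZONE IFACE: put IFACE into ZONE in the permanent config.
# Note: for NetworkManager-managed interfaces firewall-cmd also records the
# zone in the connection profile, so the binding survives reconnects.
bind_interface() {
    fw --permanent --zone="$1" --change-interface="$2"
}

# apply_web_baseline ZONE IFACE: web services only on IFACE via ZONE.
apply_web_baseline() {
    zone="${1:-dmz}"     # assumed zone: dmz (selected incoming connections only)
    iface="${2:-eth0}"   # assumed interface name
    bind_interface "$zone" "$iface"
    ensure_service "$zone" http
    ensure_service "$zone" https
    # --permanent edits only the stored config; reload activates it at runtime.
    fw --reload
    # Show what the zone now allows so the operator can verify the result.
    fw --zone="$zone" --list-services
}

# Only act when invoked as:  sh baseline.sh apply [ZONE] [IFACE]
if [ "${1:-}" = "apply" ]; then
    apply_web_baseline "${2:-dmz}" "${3:-eth0}"
fi
```

Running the script twice leaves the permanent configuration unchanged the second time, because each service is only added when --query-service reports it absent; the final --list-services output is the check an operator would compare against the intended baseline.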