firewalld

August 25, 2024 | seedling, permanent

tags
Security

Firewall #

digitalocean, ref

Firewalld is a firewall management solution available for many Linux distributions which acts as a frontend for the iptables packet filtering system provided by the Linux kernel. In this guide, we will cover how to set up a firewall for your server and show you the basics of managing the firewall with the firewall-cmd administrative tool (if you’d rather use iptables with CentOS, follow this guide).

Zones #

The firewalld daemon manages groups of rules using entities called “zones”. Zones are basically sets of rules dictating what traffic should be allowed depending on the level of trust you have in the networks your computer is connected to. Network interfaces are assigned a zone to dictate the behavior that the firewall should allow.

drop #

The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.

block #

Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.

public #

Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.

external #

External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.

internal #

The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.

dmz #

Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.

work #

Used for work machines. Trust most of the computers in the network. A few more services might be allowed.

home #

A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.

trusted #

Trust all of the machines in the network. The most open of the available options and should be used sparingly.

Install and Enable Your Firewall to Start at Boot #

sudo yum install firewalld
sudo systemctl enable firewalld
sudo reboot
sudo firewall-cmd --state

exploring defaults #

firewall-cmd --get-default-zone

firewall-cmd --get-active-zones
sudo firewall-cmd --list-all

get zones #

firewall-cmd --get-zones

add and remove ports #

# Check available zones and configurations
sudo firewall-cmd --get-zones
sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --zone=internal --list-all

# Add port 8000 to the appropriate zone (e.g., internal)
sudo firewall-cmd --zone=internal --add-port=8000/tcp
sudo firewall-cmd --zone=internal --add-port=8000/tcp --permanent

# Reload firewall to apply changes
sudo firewall-cmd --reload

# Verify the port configuration
sudo firewall-cmd --zone=internal --list-ports
sudo firewall-cmd --zone=internal --query-port=8000/tcp

# Optionally, set the internal zone as default
sudo firewall-cmd --set-default-zone=internal
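An added example, not from the DigitalOcean guide or this note: a port added without --permanent disappears at the next reload, and one added only with --permanent is not active until the reload, so it is worth checking the two views of a zone against each other. This Python script parses the text that `firewall-cmd --zone=ZONE --list-all` prints (the samples below are constructed and assumed to follow that output format) and reports rules that exist only at runtime or only in the saved configuration.

```python
"""Spot drift between a firewalld zone's runtime and permanent rules."""

# Constructed sample, assumed to match what `firewall-cmd --zone=internal --list-all` prints.
RUNTIME = """\
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 8000/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
# Constructed `--list-all --permanent` output: 8000/tcp was added without --permanent.
PERMANENT = RUNTIME.replace("(active)", "").replace("ports: 8000/tcp", "ports:")

# Single-line, space-separated fields. Rich rules and forward-ports span
# several lines and are deliberately not handled by this parser.
SET_FIELDS = ("services", "ports", "protocols", "source-ports", "icmp-blocks")

def parse_list_all(text):
    """Return {field: set(entries)} for the SET_FIELDS of a --list-all dump."""
    rules = {}
    for line in text.splitlines()[1:]:          # line 0 is "zone (active)"
        key, _, value = line.strip().partition(":")
        if key in SET_FIELDS:
            rules[key] = set(value.split())
    return rules

def drift(runtime_text, permanent_text):
    """runtime_only: active now, lost on --reload/reboot. permanent_only: saved, inactive until --reload."""
    rt, pm = parse_list_all(runtime_text), parse_list_all(permanent_text)
    out = {"runtime_only": {}, "permanent_only": {}}
    for key in SET_FIELDS:
        r, p = rt.get(key, set()), pm.get(key, set())
        if r - p:
            out["runtime_only"][key] = r - p
        if p - r:
            out["permanent_only"][key] = p - r
    return out

# On a real host feed in subprocess output of the two commands instead of the samples.
print(drift(RUNTIME, PERMANENT))
```

Run it after every change to a zone; a non-empty runtime_only set means the rule will silently vanish at the next `firewall-cmd --reload` or reboot.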