FirewallD is a firewall management solution available on many Linux distributions. It serves as a frontend controller for iptables, which applies the persistent network traffic rules provided by the Linux kernel. In this article, we show you how to set up a firewall on the server and cover the basics of controlling it with the firewall-cmd administrative tool. FirewallD differs in two main ways from controlling iptables directly.
- Rather than chains and rules, FirewallD uses zones and services.
- It can manage rulesets dynamically and apply updates without breaking existing sessions and connections.
Note: FirewallD is a layer on top of iptables that makes controlling iptables easier; it does not replace iptables, it only manages its rules. While iptables commands are still available alongside FirewallD, only FirewallD commands should be used with FirewallD.
Managing and Maintaining FirewallD
In CentOS 7, FirewallD is included by default but is inactive. It is managed in the same way as other systemd units.
Start and enable the FirewallD service.
sudo systemctl start firewalld
sudo systemctl enable firewalld
Stop and disable the FirewallD service.
sudo systemctl stop firewalld
sudo systemctl disable firewalld
To check whether the firewall is running or not, use the following command.
sudo firewall-cmd --state
View the status of the FirewallD daemon
sudo systemctl status firewalld
Reload the FirewallD configuration.
sudo firewall-cmd --reload
Configuration of FirewallD
FirewallD is configured with XML files. Apart from a few particular configurations, you won't have to deal with them directly, and firewall-cmd should be used instead. The FirewallD configuration files are located in the two directories described below.
1. The first path contains default configurations such as common services and default zones.
2. The second path contains the system configuration files. These files override the default configuration.
Basic Configuration Sets
FirewallD has two configuration sets: runtime and permanent. Runtime configuration changes are not retained on reboot or when FirewallD is restarted, while permanent changes are not applied to the running system. By default, firewall-cmd commands refer to the runtime configuration; adding the --permanent flag creates a permanent configuration.
You can add and activate a permanent rule using either of two methods.
Add the rule to both the permanent and runtime sets.
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=http
Add the rule to the permanent set and reload FirewallD.
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload
Firewall zones are predefined rulesets for different trust levels that you might assign to a given location or situation, for example home or public. Each zone is a different type that allows particular network services and incoming traffic types while rejecting everything else. Once you enable FirewallD for the first time, public is the default zone.
View the default zone
sudo firewall-cmd --get-default-zone
Change the default zone
sudo firewall-cmd --set-default-zone=internal
View the zones used by your network interfaces
sudo firewall-cmd --get-active-zones
Get all configurations for a particular zone
sudo firewall-cmd --zone=public --list-all
Get all configurations for all zones
sudo firewall-cmd --list-all-zones
FirewallD can allow traffic based on predefined rules for particular network services. You can also create your own custom service rules and add them to any zone.
View the default available services
sudo firewall-cmd --get-services
Enable or disable the HTTP service
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
Allowing or Denying an Arbitrary Port/Protocol
E.g., allow or deny TCP traffic on port 55001.
sudo firewall-cmd --zone=public --add-port=55001/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=55001/tcp --permanent
E.g., add the rule below to forward traffic from port 80 to port 55001 on the same server.
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=55001
Activate masquerading in the zone.
sudo firewall-cmd --zone=public --add-masquerade
Add a forward rule for traffic from local port 80 to port 8080 on a remote server at the IP address 192.321.21.1.
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.321.21.1
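As an added example (not from the original article), the Python script below parses the output of firewall-cmd --zone=public --list-all described earlier and flags the settings a defender would review: open services and ports outside an allowlist, masquerading, and forward rules. The sample output is constructed to match the firewall-cmd output format, and the allowlists are assumptions.

```python
# Added example: audit a zone from `firewall-cmd --zone=<zone> --list-all` output.
# SAMPLE_LIST_ALL is constructed sample output (not captured from a real host);
# it mirrors the field names firewall-cmd prints for a zone.
import re

SAMPLE_LIST_ALL = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http ssh
  ports: 55001/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
\tport=80:proto=tcp:toport=55001:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules: 
"""

def parse_list_all(text):
    """Return {'zone': name, 'active': bool, <field>: [entries]} from --list-all output."""
    lines = text.splitlines()
    header = lines[0].strip()                      # e.g. "public (active)"
    zone = {"zone": header.split()[0], "active": "(active)" in header}
    key = None
    for line in lines[1:]:
        if line.startswith("\t") and key:
            # Tab-indented continuation lines (forward-ports, rich rules) hold one entry each.
            zone[key].append(line.strip())
            continue
        key, _, value = line.strip().partition(":")  # split only on the first colon
        zone[key] = value.split()                    # empty field -> []
    return zone

def audit_zone(zone, allowed_services=("ssh",), allowed_ports=()):
    """Return a list of findings for anything exposed beyond the allowlists (assumed policy)."""
    findings = []
    for svc in zone.get("services", []):
        if svc not in allowed_services:
            findings.append(f"service {svc} open in zone {zone['zone']}")
    for port in zone.get("ports", []):
        if port not in allowed_ports:
            findings.append(f"port {port} open in zone {zone['zone']}")
    if zone.get("masquerade") == ["yes"]:
        findings.append("masquerade enabled: zone performs NAT for forwarded traffic")
    for fwd in zone.get("forward-ports", []):
        # An empty toaddr= means the forward stays on this host; otherwise traffic leaves it.
        m = re.search(r"toaddr=(\S*)", fwd)
        target = m.group(1) if m and m.group(1) else "localhost"
        findings.append(f"forward rule {fwd} sends traffic to {target}")
    return findings
```

Feed it the real output with, for example, subprocess.run(["firewall-cmd", "--zone=public", "--list-all"], capture_output=True, text=True).stdout on a host where FirewallD is running.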