Introduction to FirewallD and firewall-cmd command on CentOS

FirewallD is a firewall management solution available on many Linux distributions. It acts as a frontend controller for iptables, which implements the persistent network traffic rules provided by the Linux kernel. In this article, we show you how to set up a firewall on the server and cover the basics of controlling it with the firewall-cmd administrative tool. FirewallD differs in two main ways from controlling iptables directly.

  1. Instead of chains and rules, FirewallD uses zones and services.
  2. It manages rulesets dynamically and applies updates without breaking existing sessions and connections.

Note: FirewallD is a layer on top of iptables that makes iptables easier to control. It does not replace iptables; it only manages its rules. While iptables commands are still available alongside FirewallD, use only FirewallD commands while FirewallD is managing the firewall, so the two do not fight over the same rules.

Managing and Maintaining FirewallD

In CentOS 7, FirewallD is included by default but is inactive. It is managed like any other systemd unit.

Start and enable the FirewallD service.


sudo systemctl start firewalld
sudo systemctl enable firewalld

Stop and disable the FirewallD service.


sudo systemctl stop firewalld
sudo systemctl disable firewalld

To check whether the firewall is running or not, use the following command.


sudo firewall-cmd --state

View the status of the FirewallD daemon.


sudo systemctl status firewalld

Reload the FirewallD configuration.


sudo firewall-cmd --reload

Configuration of FirewallD

FirewallD is configured with XML files. For most configurations you will not need to edit these files directly; firewall-cmd should be used instead. The FirewallD configuration files live in the two directories below.

1. This path contains the default configuration, such as the common services and the default zones:
/usr/lib/firewalld

2. This path contains the system's own configuration files. Files here override the defaults above:
/etc/firewalld

Basic Configuration Sets

FirewallD has two configuration sets: runtime and permanent. Runtime changes are lost on reboot or when FirewallD is restarted, while permanent changes are not applied to the running system on their own. By default, firewall-cmd commands act on the runtime configuration; adding the --permanent flag writes to the permanent configuration instead.

There are two ways to add and activate a permanent rule.

Add the rule to both the permanent and the runtime sets.


sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=http

Add the rule to the permanent set and then reload FirewallD.


sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload

Firewall Zones

Firewall zones are predefined rulesets for different levels of trust that you might assign to a given location or situation, for example home or public. Each zone allows a different set of network services and incoming traffic types while rejecting everything else. When FirewallD is enabled for the first time, public is the default zone.

View the default zone.


sudo firewall-cmd --get-default-zone

Change the default zone.


sudo firewall-cmd --set-default-zone=internal

View the active zones and the network interfaces assigned to them.


sudo firewall-cmd --get-active-zones

Get the full configuration of a particular zone.


sudo firewall-cmd --zone=public --list-all

Get the full configuration of all zones.


sudo firewall-cmd --list-all-zones

FirewallD Services

FirewallD can allow traffic based on predefined rules for specific network services. You can also create your own custom service definitions and add them to any zone.

View the predefined services that are available.


sudo firewall-cmd --get-services

Enable or disable the HTTP service in the permanent configuration.


sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent

Allowing or Denying an Arbitrary Port/Protocol

For example, allow or deny TCP traffic on port 55001.


sudo firewall-cmd --zone=public --add-port=55001/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=55001/tcp --permanent

Port Forwarding

For example, the command below forwards traffic arriving on port 80 to port 55001 on the same server.


sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=55001

Enable masquerading in the zone; this is required when forwarding traffic to another host.


sudo firewall-cmd --zone=public --add-masquerade

Add a forward rule that sends traffic from local port 80 to port 8080 on a remote server at the IP address 192.321.21.1.


sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.321.21.1
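The following helper script is an added example, not part of the original article, tying together the permanent-plus-runtime method, the port rules, and the --list-all output shown above: it validates a port/protocol spec, applies it to both configuration sets, and audits a zone dump for anything open that is not on an expected list. The FIREWALL_CMD variable and the sample dump are assumptions made for this example so it can run on a host without firewalld.

```shell
#!/bin/sh
# Added helper, not from the article: apply a port rule to both the permanent
# and runtime sets, and audit a zone's --list-all output for exposure.

# FIREWALL_CMD can be pointed at a stub so the helpers run on a host
# without firewalld (assumption for this example).
: "${FIREWALL_CMD:=sudo firewall-cmd}"

# Accept only "<1-65535>/tcp" or "<1-65535>/udp" before passing it on.
valid_port_spec() {
    port=${1%/*}; proto=${1##*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# First method from the article: add the rule to the permanent set and to
# the running firewall, so it applies now and survives a reload.
allow_port() {   # allow_port <zone> <port/proto>
    valid_port_spec "$2" || { echo "bad port spec: $2" >&2; return 1; }
    $FIREWALL_CMD --zone="$1" --add-port="$2" --permanent &&
    $FIREWALL_CMD --zone="$1" --add-port="$2"
}

# Constructed sample of `firewall-cmd --zone=public --list-all` output.
SAMPLE_LIST_ALL='public (active)
  interfaces: eth0
  services: ssh dhcpv6-client http
  ports: 55001/tcp
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=55001:toaddr=
'

# Print one field of a --list-all dump (e.g. services, ports, masquerade).
zone_field() {   # zone_field <list-all output> <field>
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# Print every service or port open in the zone that is not on the expected
# list; return 1 if any is found, so an audit or deploy script can fail on it.
unexpected_exposure() {   # unexpected_exposure <list-all output> <expected...>
    out=$1; shift; rc=0
    for item in $(zone_field "$out" services) $(zone_field "$out" ports); do
        case " $* " in *" $item "*) ;; *) echo "$item"; rc=1 ;; esac
    done
    return $rc
}
```

On a real host, replace the sample dump with "$(sudo firewall-cmd --zone=public --list-all)" and leave FIREWALL_CMD unset so the commands reach firewalld.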

Mraj