Home » Linux » How to Configure a Firewall with FirewallD in CentOS 7

How to Configure a Firewall with FirewallD in CentOS 7

In this article, we show you how to configure a firewall with FirewallD in CentOS 7 and some of the basic FirewallD concepts. For system security, the main thing is a firewall so that you need to configure properly that is one of the most important for overall system security. FirewallD is the solution for a firewall that controls the system’s iptables rules to the proper interface for operating on them. FirewallD is a wrapper for iptables to enable more accessible management of iptables rule it is not an iptables replacement.

Basic FirewallD Concepts

In the FirewallD applies the concepts of zones and services, preferably of iptables chain and rules. Here you can configure your zones and services that help to control what traffic is allowed or refused from the system. The FirewallD is configured and maintained using the firewall-cmd command.

Firewall services

FirewallD services are predefined rules that you can use within a zone and specify the important settings to allow incoming traffic for a particular service.

FirewallD Configuration Sets

FirewallD uses two configuration sets. One is Runtime and another one is Permanent configuration. The runtime configuration is the real running configuration and it is not defined on reboots. Once the FirewallD service begins it loads the permanent configuration which transforms the runtime configuration. While doing modifications to the FirewallD configuration using the firewall-cmd utility the modifications are implemented to the runtime configuration if you like to change to permanent you want to use the –permanent flag.

Discussing FirewallD Zones

FirewallD Zones are predefined collections of rules defining what traffic should be permitted based on the faith of networks your workstation is connected to. You can able to add network interfaces and sources to a zone. By default, there are some available zones. A zone can hold services & ports. Below are the zones given by FirewallD required according to the faith level of the zone from untrusted to trusted.

Drop Zone: All incoming connections are lost without any warning. Only outgoing connections are enabled. If we use the drop rule means there is no answer, only outgoing network connections will be available.

Block Zone: All incoming connections will refuse the incoming network connections are denied with an icmp-host-prohibited. Simply outgoing connections are allowed.

Public Zone: Allow the preferred connections you can set rules in the public zone. That controls allow the particular port to initiate in our server and other connections will be dropped.

External Zone: Here zone will act as a gateway or router options with masquerading is allowed other connections will be dropped and will not trust only specified connection will be allowed.

Internal Zone: The use of private networks when your system acts as a gateway or router. Common systems on the network are usually trusted.

DMZ Zone: If we need to allow access to some of the services to the public, you can define in the demilitarized zone. This only selected incoming connections are allowed.

Work Zone: You can specify only internal networks. Other networks are usually trusted. Particularly incoming connections are allowed.

Home Zone: This is generally used for home network zone, Other computers on the network are usually trusted. Particularly selected incoming connections are allowed.

Trusted Zone: Use these network connections all the traffic are allowed.

Install and Enable FirewallD

Install FirewallD

By default on CentOS 7 Firewall in installed. If you not having in your system you can use the below command to install the package.

Check the firewall status

In the system, the FirewallD services are disabled by default. Here using the below command you check the status of your firewall.

Enabling FirewallD

To start and enable the FirewallD service on boot type.

Managing with FirewallD Zones

Once you completed enabling the FirewallD services for the start time, the public zone is set as a default zone.

To see a list of all available zones

All network interfaces are assigned the default zone. The below command is useful to check what zones are used by your network interfaces.

Here you can display the zone configuration settings using below command.

You can check enormous configurations for all the available zones using below command.

Modifying the Zone of an Interface

Here you can simply modify the Interface Zone by using the using –zone flag in sequence with the –change-interface flag. Here using the below command that allows the eth1 interface to the work zone.

Confirm the modification by typing

Replacing the Default Zone

You can change the default zone by using –set-default-zone flag.

Confirm the modification zone

Initiating a Service or Port

Using below command it allows incoming HTTP traffic port 80 for the public zone.

To check the services added successfully use the below command.

After reboot your server if you like to keep open the port 80, you need to use the below command but this time with the –permanent flag.

To verify changes use the below command.

If you like to remove the service, For example: below command will remove the HTTP service from the public zone.

To add any port for the public zone, use the following command this will help to activate the public port. For example, the following command will activate port 80 for the public zone.

To check the port

To you like remove the public port using the below command but the port 80 is main for the web if your requirement based on that means you can use the below code.

FirewallD Forwarding Port

If you like to forward your traffic from exiting to another port, for that first you need to enable masquerading for the desired zone using the following command.

FirewallD Forwarding traffic from one port to another port in the existing server

If you like to forward the port on the same server from one port 80 to port 8080 the following command will help to do that.

Forward traffic from the current server to another server

From the port 80 to port 80 on another server with IP address

For Forwarding traffic to another server with different port

Below command forward the traffic from the port 80 to port 8080 on another server with the IP

Was this article helpful?

Yes No

How can we improve it?


We appreciate your helpul feedback!

Your answer will be used to improve our content. The more feedback you give us, the better our pages can be.

Follow us on social media:

Facebook Pinterest


Creative Designer & Developer specialist by the spirit and a loving blogger by thoughts.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top