How to Setup and Install FirewallD on CentOS 7

Posted on January 20th, 2020

Many Linux distributions ship firewalld as their firewall management solution; it acts as a front-end controller for iptables. firewalld, driven through the firewall-cmd tool, supports both IPv4 and IPv6 networks. Its daemon manages different sets of rules through entities called "zones". A zone is a set of rules that directs what traffic should be allowed into a network, depending on how much that network is trusted. Rules set in firewalld are either permanent or immediate. Newly added or edited rules change firewalld's behavior right away, but unless they are added with the --permanent flag, they are lost at the next boot and the old rules come back. The prerequisites for enabling firewalld on CentOS 7 are a user with sudo privileges and command-line access.

Install FirewallD and Enable to Start at Boot

By default, firewalld is pre-installed on CentOS 7. To check whether firewalld is running on the system, run the following command.

$ sudo systemctl status firewalld

If firewalld is not installed on the system, you can install it using the following command.

$ sudo yum install firewalld

If you want the firewalld service to start at boot, enable the service after installing firewalld and then reboot.

$ sudo systemctl enable firewalld

$ sudo reboot

After the reboot, the firewall is enabled and your network interfaces are assigned to zones. The rules associated with each zone are applied to the interfaces in that zone.

To check that the service is running and reachable, run the following command. You should see the output running if the firewall is up with the default configuration.

$ sudo firewall-cmd --state

If the output reports that the service is masked, unmask the symlink using the following command.

$ sudo systemctl unmask --now firewalld

Firewall Zones

A firewall establishes 'zones', and each network zone has its own set of rules. These rules determine what traffic should be accepted or rejected in a network. This approach is more flexible than working with iptables directly: you can assign different zones to specific networks.

To list all the available zones in the network, you can run the following command.

$ sudo firewall-cmd --get-zones

If you have just installed firewalld, then you should get an output similar to the one shown below.

Output:

block drop dmz external home internal public trusted work

The above output displays the pre-configured zones. If you want to check the default zone, run the following command.

$ sudo firewall-cmd --get-default-zone

Some of the pre-configured zones and zone descriptions are listed below:

drop:

If you want the lowest level of trust, use the drop zone. This zone drops all incoming connections without a reply and only allows outgoing connections.

block:

This zone is similar to the drop zone, but all incoming requests are rejected with an icmp-host-prohibited or icmp6-host-prohibited message.

public:

The public zone allows only selected incoming connections on a case-by-case basis. This zone does not trust other computers and represents public networks.

external:

External networks use the firewall as your gateway. The external zone can be configured for NAT masquerading, which keeps your internal network private but reachable.

internal:

The internal zone is the opposite of the external zone, and it is used for the internal portion of a gateway.

dmz:

This zone is used by computers that don't have access to the rest of your network. The dmz zone allows only certain incoming connections.

work:

Work machines use the work zone, which trusts almost all computers in the network.

home:

A home computer uses the home zone, which trusts most of the other computers in the network.

trusted:

This zone trusts all of the machines in the network and should be used sparingly.

To check which zones are currently active, run the following command.

$ sudo firewall-cmd --get-active-zones

Firewall Zone Rules

To list all the rules associated with the default zone, run the following command.

$ sudo firewall-cmd --list-all

To list the rules associated with a particular zone, run the following command.

$ sudo firewall-cmd --zone=<zone_type> --list-all

For example,

$ sudo firewall-cmd --zone=home --list-all

How to Change Zone of an Interface

Using the command below, you can reassign a network interface to a zone. The --zone flag specifies the zone, and the --change-interface flag specifies the network interface.

$ sudo firewall-cmd --zone=<zone_type> --change-interface=<network_interface>

For example,

$ sudo firewall-cmd --zone=external --change-interface=eth0

With the example above, firewalld applies the external zone to all traffic arriving through the network interface eth0. After changing the zone of an interface, you can verify the change using the following command.

$ sudo firewall-cmd --get-active-zones

Changing the zone of an interface can affect active services. For example, if you are working over SSH and move the network interface into a zone that does not allow the SSH service, your connection may drop and you will no longer be able to log in to the server.
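As an added example (not from the original post), the following bash script turns that warning into a pre-flight check: it parses the text printed by firewall-cmd --zone=<zone> --list-all on CentOS 7 and refuses to move an interface into a zone whose rules do not allow the ssh service. The function names, the variable names and the sample listings are my own constructions.

```shell
#!/bin/bash
# Added example, not part of the original post. Guards the command
#   firewall-cmd --zone=<zone> --change-interface=<iface>
# so that an interface is never moved into a zone that does not allow ssh
# (the lockout scenario described above).

# zone_allows_ssh LISTING
# Returns 0 if the zone accepts ssh: either its target is ACCEPT (the trusted
# zone) or "ssh" appears on the "services:" line. Returns 1 otherwise.
zone_allows_ssh() {
    listing="$1"
    if printf '%s\n' "$listing" | grep -qE '^[[:space:]]*target:[[:space:]]*ACCEPT[[:space:]]*$'; then
        return 0
    fi
    services=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    for svc in $services; do
        [ "$svc" = "ssh" ] && return 0
    done
    return 1
}

# change_interface_zone ZONE IFACE
# Reads the zone's rules from firewall-cmd and only reassigns the interface
# when the zone allows ssh; otherwise it refuses with exit status 1.
change_interface_zone() {
    zone="$1"; iface="$2"
    listing=$(sudo firewall-cmd --zone="$zone" --list-all) || return 2
    if ! zone_allows_ssh "$listing"; then
        echo "refusing: zone '$zone' does not allow ssh; this SSH session would be cut off" >&2
        return 1
    fi
    sudo firewall-cmd --zone="$zone" --change-interface="$iface"
}

# Constructed sample listings (not captured from a real host), trimmed to the
# lines this script looks at, in the layout firewall-cmd --list-all prints.
SAMPLE_HOME='home
  target: default
  services: ssh mdns samba-client dhcpv6-client
  ports:
'
SAMPLE_DROP='drop
  target: DROP
  services:
'
SAMPLE_TRUSTED='trusted
  target: ACCEPT
  services:
'
```

On a real host you would call change_interface_zone external eth0; the sample listings only exist so zone_allows_ssh can be exercised offline.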

Change the Default FirewallD Zone

If you want to change the default zone, use the --set-default-zone flag to specify the new default zone type, as in the following command.

$ sudo firewall-cmd --set-default-zone=<zone_type>

For example:

$ sudo firewall-cmd --set-default-zone=work

After changing the default zone, you can verify the same by running the following command.

$ sudo firewall-cmd --get-default-zone

Disable FirewallD on CentOS 7

You can disable firewalld permanently or temporarily. If you want to stop firewalld temporarily, run the following command.

$ sudo systemctl stop firewalld

The above command stops the firewalld service until the next reboot. You can check the status of firewalld using the command below; after stopping it, the output should show "Active: inactive (dead)".

$ sudo systemctl status firewalld

If you want to disable the firewalld service permanently, follow the steps below:

1) First, stop the firewall service by running the following command.

$ sudo systemctl stop firewalld

2) After stopping the service, check its status. The output of the status command should state that the service is inactive.

$ sudo systemctl status firewalld

3) Then, prevent the service from starting at system reboot using the following command.

$ sudo systemctl disable firewalld

4) firewalld is now disabled, but another active service could still start it. To prevent other services from activating firewalld, run the following command, which masks the firewalld unit.

$ sudo systemctl mask --now firewalld

The above command creates a symbolic link for the firewalld service (/etc/systemd/system/firewalld.service) that points to /dev/null, so the unit can no longer be started.

So this is how you set up and install FirewallD on CentOS 7. If you need any further help, please reach out to our support department.