How to Configure ‘FirewallD’ in RHEL/CentOS 7 and Fedora 21

Step 5: Assigning Services to Zones

14. Here we are going to see how to manage the firewall using the ‘firewall-cmd‘ command. To know the current state of the firewall and all active zones, type the following commands.

# firewall-cmd --state
# firewall-cmd --get-active-zones

15. The interface enp0s3 belongs to the public zone; public is the default zone, defined in the /etc/firewalld/firewalld.conf file as DefaultZone=public.

To list all the services firewalld has defined and that can be assigned to this default zone.

# firewall-cmd --get-services

Step 6: Adding Services to Zones

16. In the above examples we saw how to create our own service by defining the rtmp service; here we will see how to add that rtmp service to the zone as well.

# firewall-cmd --add-service=rtmp

17. To remove the added service from the zone, type.

# firewall-cmd --zone=public --remove-service=rtmp

The steps above change only the runtime configuration, which is lost as soon as firewalld is reloaded or restarted. To make the change permanent, run the command again with the --permanent option and then reload the rules.

# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload

18. Define rules for a network source range and open any port you need. For example, to allow the network range ‘192.168.0.0/24’ and open port ‘1935’, use the following commands.

# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp

Make sure to reload firewalld service after adding or removing any services or ports.

# firewall-cmd --reload 
# firewall-cmd --list-all

Step 7: Adding Rich Rules for Network Range

19. If you want to allow services such as http, https, vnc-server and PostgreSQL only from a network range, use the following rich rules. First add each rule at runtime, then make it permanent, reload the rules and check the status.

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' 
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent

Now the network range 192.168.0.0/24 can use the above services on my server. The option --permanent could be given with every rule from the start, but it is safer to define the rule at runtime first, check that the client can reach the service, and only then make it permanent.

20. After adding the above rules, don’t forget to reload the firewall rules and list them using:

# firewall-cmd --reload
# firewall-cmd --list-all
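The following script is an added example and is not part of the original article. It builds the rich rules from step 19 and, given output in the shape of `firewall-cmd --list-all` and `firewall-cmd --permanent --list-all`, reports the rules that exist only at runtime, which is exactly what a reload silently drops when the --permanent step is forgotten. The two outputs embedded below are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: verify that the step 19 rich rules
# are present and that runtime and permanent configurations agree.

# Build the rich rule string used in step 19 for one service and one source range.
rich_rule() {   # rich_rule <cidr> <service>
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# Print the rich rules of a --list-all output, one per line, indentation stripped.
rich_rules_of() {   # rich_rules_of <list-all-output>
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*rich rules:/ { in_rules = 1; next }
        in_rules && /^[[:space:]]*[a-z-]+:/ { in_rules = 0 }
        in_rules { sub(/^[[:space:]]+/, ""); if ($0 != "") print }'
}

# Exit 0 when the exact rich rule is present in the given output.
has_rule() {    # has_rule <list-all-output> <rule>
    rich_rules_of "$1" | grep -Fqx -- "$2"
}

# Print every rich rule that exists at runtime but not in the permanent
# configuration: these are the rules a reload or reboot will drop.
runtime_only() {    # runtime_only <runtime-output> <permanent-output>
    rich_rules_of "$1" | while IFS= read -r rule; do
        has_rule "$2" "$rule" || printf '%s\n' "$rule"
    done
}

# Constructed sample: the vnc-server rule was added without --permanent.
RUNTIME='public (active)
  target: default
  interfaces: enp0s3
  sources: 192.168.0.0/24
  services: dhcpv6-client ssh rtmp
  ports: 1935/tcp
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="http" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
PERMANENT='public
  target: default
  interfaces: enp0s3
  sources: 192.168.0.0/24
  services: dhcpv6-client ssh rtmp
  ports: 1935/tcp
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'

runtime_only "$RUNTIME" "$PERMANENT"   # on a live host, feed it the two real outputs
```

On a real system run it as `runtime_only "$(firewall-cmd --list-all)" "$(firewall-cmd --permanent --list-all)"`; an empty result means every runtime rich rule will survive the next reload.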

To know more about firewalld, read its manual page.

# man firewalld

That’s it, we have seen how to set up netfilter rules using firewalld in RHEL/CentOS 7 and Fedora 21.

Conclusion

Netfilter is the packet-filtering framework used by the firewall on every Linux distribution. In all earlier RHEL and CentOS editions we managed it with iptables, but version 7 introduced firewalld as the front end, and firewalld is easier to understand and use. Hope you have enjoyed the write-up.


Babin Lonston

I'm working as a System Administrator for the last 10 years, with 4 years of experience with Linux distributions, and have fallen in love with text-based operating systems.


19 Responses

  1. Marian says:

    Hello again,

    This is the type of errors present on DNS co-related with my previous message

    63023 ServFail 0/0/0 (40)
    62993 ServFail 0/0/0 (40)
    62993 ServFail 0/0/0 (40)
    

    co-related with

    udp port 19316 unreachable, length 78
    udp port 16456 unreachable, length 78
    udp port 10163 unreachable, length 81
    

    Marian
