How to Configure ‘FirewallD’ in RHEL/CentOS 7 and Fedora 21

Netfilter, as we all know, is the firewall framework in Linux. Firewalld is a dynamic daemon that manages the firewall with support for network zones. In earlier versions, RHEL and CentOS 6, we used the iptables service as the front end to the packet-filtering framework. In RHEL/CentOS 7 and Fedora 21 the iptables service is being replaced by firewalld.

Configure and Use FirewallD

It’s recommended to start using Firewalld instead of iptables, as the iptables service may be discontinued in future. However, iptables is still supported and can be installed with the YUM command. We can’t keep both Firewalld and iptables running on the same system, as that would lead to conflicts.

In iptables we configured the INPUT, OUTPUT and FORWARD chains, but Firewalld works with the concept of zones. By default, several zones are available in firewalld, which will be discussed in this article.

The basic zones are the public zone and the private zone. To make these zones work, we add an interface to the specified zone and then add the services that zone should allow to firewalld.

By default, many services are available. One of the best features of firewalld is that it comes with pre-defined services, and we can use these as templates for our own services by simply copying them.

Firewalld works great with IPv4, IPv6 and Ethernet bridges too. We can keep separate run-time and permanent configurations in firewalld. Let’s get started with how to work with zones, create our own services, and much more exciting usage of firewalld.

Our Testing Environment

Operating System : CentOS Linux release 7.0.1406 (Core)
IP Address       : 192.168.0.55
Host-name        : server1.tecmintlocal.com

Our Setup Details

Step 1: Installing Firewalld Package

1. The firewalld package is installed by default in RHEL/CentOS 7 and Fedora 21. If not, you can install it using the following YUM command.

# yum install firewalld -y
Install Firewalld in CentOS 7

2. After the firewalld package has been installed, verify whether the iptables service is running. If it is, stop and mask it (so it can no longer be started) with the commands below.

# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables
Disable Iptables in CentOS 7

Step 2: Discussing Firewalld Components

3. Before heading into firewalld configuration, I would like to discuss each zone. By default several zones are available. We assign an interface to a zone, and the zone defines how far connections arriving on that interface are trusted or denied. A zone can contain services and ports. Here we describe each zone available in Firewalld.

  1. Drop Zone: Any incoming packet is dropped when we use the drop zone. This is the same as adding an iptables rule with -j DROP. Dropped packets get no reply; only outgoing network connections are possible.
  2. Block Zone: Incoming network connections are rejected with an icmp-host-prohibited message. Only connections established from within the server are allowed.
  3. Public Zone: We define rules in the public zone to accept selected connections. Only the specified ports are opened on our server; other incoming connections are dropped.
  4. External Zone: This zone acts as a router with masquerading enabled. Only the specified connections are accepted; other incoming connections are dropped.
  5. DMZ Zone: If we need to allow public access to some services, we can define them in the DMZ zone. Here too, only selected incoming connections are accepted.
  6. Work Zone: In this zone we define only internal networks, i.e. traffic from private networks is allowed.
  7. Home Zone: This zone is meant for home networks, where we mostly trust the other computers on the network not to harm ours. It too allows only selected incoming connections.
  8. Internal Zone: This one is similar to the work zone, with only selected connections allowed.
  9. Trusted Zone: If we set the trusted zone, all traffic is accepted.

Now that you have a better idea about zones, let’s find the available zones, the default zone, and list all zones with the following commands.

# firewall-cmd --get-zones
Find Available Firewalld Zones

# firewall-cmd --get-default-zone
Firewalld Default Zone

# firewall-cmd --list-all-zones

Note: The output of the above command won’t fit on a single page, as it lists every zone: block, dmz, drop, external, home, internal, public, trusted and work. If a zone has any rich rules, enabled services or ports, they are listed with that zone’s information as well.
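Because that listing is long, it helps to reduce it to the zones that actually apply to traffic, i.e. those with an interface or a source address bound, and to see what each of them exposes. The script below is an added example, not part of the original article: the zone text is a constructed sample that mimics the layout of firewall-cmd --list-all-zones output on CentOS 7, and audit_zones is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the article): reduce `firewall-cmd --list-all-zones`
# output to the zones that have an interface or a source bound and show the
# services and ports each one exposes. SAMPLE is constructed to look like
# that output so the script runs offline; on a real host use:
#   firewall-cmd --list-all-zones | audit_zones
SAMPLE='block
  target: %%REJECT%%
  interfaces:
  sources:
  services:
  ports:

public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 8080/tcp

work
  target: default
  interfaces:
  sources: 192.0.2.0/24
  services: ssh
  ports:
'
# Read zone blocks from stdin; print one line per zone that has an interface
# or a source assigned. Zones bound to nothing are skipped.
audit_zones() {
  awk '
    function flush() {
      if (zone != "" && (ifs != "" || srcs != ""))
        printf "%s interfaces=[%s] sources=[%s] services=[%s] ports=[%s]\n", zone, ifs, srcs, svcs, ports
    }
    { sub(/[ \t]+$/, "") }                        # drop trailing blanks
    /^[a-z]/ { flush(); zone = $1; ifs = srcs = svcs = ports = ""; next }
    /^ *interfaces:/ { sub(/^ *interfaces: */, ""); ifs   = $0; next }
    /^ *sources:/    { sub(/^ *sources: */, "");    srcs  = $0; next }
    /^ *services:/   { sub(/^ *services: */, "");   svcs  = $0; next }
    /^ *ports:/      { sub(/^ *ports: */, "");      ports = $0; next }
    END { flush() }
  '
}
# Run the audit over the constructed sample.
audit_sample() {
  printf '%s' "$SAMPLE" | audit_zones
}
audit_sample
```

A zone that is neither the default zone nor bound to an interface or source is reported nowhere, which is exactly the case for block and drop in the sample above.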

Babin Lonston

I'm working as a System Administrator for the last 10 years, with 4 years of experience with Linux distributions, and fell in love with text-based operating systems.

19 Responses

  1. Marian says:

    Hello,

    I have a question since I cannot find this information in any way…

    Let’s assume the network setup is in place and I just want to change the firewall zone ordering [this is because with the standard zone ordering all the DNS requests are failing, since the ‘block‘ zone is the first one in the list]. More precisely:

    Is it possible to reorder from this default ordering to a new zone ordering using only firewall-cmd commands? Is there any other way to implement it if it is not possible with firewall-cmd commands?

    I really appreciate an answer.

    Thank you very much!
    Marian

  2. RobbieTheK says:

    We are running the old NIS with ypserv & ypbind. We have these rules, but it appears we are missing something else, as this fails with: ypinit -s IP

    Can’t enumerate maps from IP. Please check that it is running. Any other suggestions?

    # firewall-cmd --list-all
    public
      target: default
      icmp-block-inversion: no
      interfaces: 
      sources: 
      services: ssh mdns dhcpv6-client nfs mountd smtp https http rpc-bind dns samba samba-client
      ports: 944/tcp 945/tcp 945/udp 946/udp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    
  3. ARUN GK says:

    Dear Sir,

    I have the below doubts about firewalld (RHEL7/CentOS7).

    1). How to flush all firewall rules in firewalld using a single command?
    2). How to block all outgoing connections from the server using Firewalld?

    • Ravi Saive says:

      @Arun,

      FirewallD is based on zones, so it’s not possible to flush everything in one go. You should remove one by one as explained here – https://fedoraproject.org/wiki/Firewalld

      • ARUN GK says:

        Thanks Sir…

        2). How to block all outgoing connections from the server using Firewalld?

        • Ravi Saive says:

          @Arun,

          By default everything is blocked on firewalld; you need to open each port or service to allow access to the server. For example, to enable only outgoing port 80, use:

          # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
          # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP

          It will only enable port 80; everything else is blocked.

          • ARUN GK says:

            Sir, Thanks for the information.

            Actually I want to block all outgoing port connections, i.e. inside-to-outside connections.

            By default (active state of Firewalld) there is no blocking in the firewall from inside to outside; I checked it on my RHEL 7 server and confirmed. So I want to block outgoing ports with firewalld. Please explain, Sir…

    • Babin Lonston says:

      @Arun,

      firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -j DROP

      Thanks & Regards,
      Babin Lonston

  4. Ben says:

    Another alternative to iptables is to use a service like HeatShield, which will let you set up a strong and powerful firewall to prevent unauthorized access to services running on your servers, such as SSH and MySQL. HeatShield also includes brute force blocking to prevent malicious SSH login attempts into your server.

  5. Bun Hin says:

    Hi Babin,
    I would like to translate the iptables rules below, which allow incoming NFS connections (in this example only from the 172.16.10.0/24 network), into firewalld rules. How do I get the correct or equivalent rules in firewalld?

    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
    -A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT

    From reading your tutorial, I assume I should put the ports in the nfs.xml file and add a rich rule in the public zone? But I’m not sure.

    Could you please share how to do it correctly.

    Thank you,
    Bun

  6. DR says:

    Very good article, thanks.

  7. Zoran says:

    Hi,

    Thanks for this! Would it be possible to add a “bittorrent/p2p” service to firewalld and try blocking it?

  8. seighalani says:

    thanks a lot for your kind of help

  9. henry says:

    It’s easier to understand and use firewalld.

  10. Eduardo Hernacki says:

    Hello!

    When using firewalld, you should also disable and mask the “ip6tables” and “ebtables” services.
