How to Configure and Set Up Firewalld on CentOS 7

Firewalld is a tool that manages firewall settings on CentOS 7. It is dynamic, meaning you can make changes without restarting the service or dropping existing connections. Firewalld uses “zones” to define trust levels for different network connections. It also supports IPv4, IPv6, Ethernet bridges, and IP sets.

Below, we’ll walk you through how to configure and set up Firewalld.

Why Use Firewalld?

  • Immediate Changes: You can apply changes instantly without restarting the service.

  • Easy Integration: Firewalld provides tools such as firewall-cmd (command line), firewall-config (graphical), and firewall-applet (system tray) for adjusting settings.

  • Supported OS: Firewalld is the default firewall tool for:

    • RHEL 7, CentOS 7

    • Fedora 18 and newer

Steps to Set Up Firewalld

  • Step 1: Install Firewalld

    1. Firewalld is usually pre-installed on CentOS 7. If not, install it:

    yum install firewalld -y

    2. Check whether the iptables service is running. If it is, stop it and mask it so it cannot be started alongside Firewalld:

    systemctl status iptables
    systemctl stop iptables
    systemctl mask iptables

  • Step 2: Learn About Firewalld Zones

    Firewalld uses zones to manage trust levels for network connections:

    • Drop Zone: Silently drops all incoming connections without a reply; only outgoing connections are allowed.

    • Block Zone: Rejects incoming connections and sends a rejection message back to the sender.

    • Public Zone: For untrusted networks; only explicitly allowed connections are accepted.

    • External Zone: Acts as a router with masquerading enabled.

    • DMZ Zone: Allows public access to specific services.

    • Work Zone: For internal networks with limited access.

    • Home Zone: Trusts other devices on the network.

    • Internal Zone: Like the home zone but for internal gateway traffic.

    • Trusted Zone: Accepts all traffic.

    List available zones:

    firewall-cmd --get-zones

    Check the default zone:

    firewall-cmd --get-default-zone

  • Step 3: Set the Default Zone

    1. Set the default zone to internal (or another zone):

    firewall-cmd --set-default-zone=internal

    2. Verify the default zone:

    firewall-cmd --get-default-zone

    3. Find out the zone for a specific interface (e.g., enp0s3):

    firewall-cmd --get-zone-of-interface=enp0s3

    4. List supported ICMP types:

    firewall-cmd --get-icmptypes

  • Step 4: Create Your Own Services

    Firewalld allows custom services. To create one:

    1. Get a list of current services:

    firewall-cmd --get-services

    2. Navigate to the services directory:

    cd /usr/lib/firewalld/services/

    3. Copy an existing service file into /etc/firewalld/services/ under the new name (e.g., rtmp.xml for RTMP on port 1935); files in that directory take precedence over the defaults in /usr/lib/firewalld/services/ and survive package updates:

    cp ssh.xml /etc/firewalld/services/rtmp.xml

    4. Edit the new file so its port and protocol entries describe RTMP (port 1935) instead of SSH.

    5. Reload Firewalld:

    firewall-cmd --reload

    6. Confirm the new service:

    firewall-cmd --get-services
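    The article says to edit the copied file but does not show what a service definition looks like. The following shell script is an added example, not part of the original article: it writes a complete firewalld service file (the same XML layout as the files in /usr/lib/firewalld/services/) after validating the name, port and protocol, so a typo cannot silently open the wrong port, and it reads the port back so you can confirm the file before reloading. The RTMP port 1935/tcp comes from the article; the description text and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): create a firewalld service
# definition such as /etc/firewalld/services/rtmp.xml from Step 4.
# Assumed: the destination directory may be passed as a sixth argument
# (defaults to the article's /etc/firewalld/services path).

# write_service_xml NAME SHORT DESCRIPTION PORT PROTOCOL [DIR]
# Creates DIR/NAME.xml; returns 1 on invalid input without writing anything.
write_service_xml() {
    name=$1; short=$2; desc=$3; port=$4; proto=$5
    dir=${6:-/etc/firewalld/services}

    # The service name becomes a file name: allow only safe characters.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: $name" >&2; return 1 ;;
    esac
    # Keep the XML well-formed: no markup characters in the text fields.
    case "$short$desc" in
        *"<"*|*">"*|*"&"*) echo "XML metacharacters not allowed" >&2; return 1 ;;
    esac
    # The port must be a plain integer in 1..65535.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    # Protocols firewalld accepts in a <port protocol="..."> entry.
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac

    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$short</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# service_port NAME [DIR] prints the "port/protocol" the definition opens,
# so the file can be checked before firewall-cmd --reload picks it up.
service_port() {
    dir=${2:-/etc/firewalld/services}
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$dir/$1.xml"
}

# Usage as root on the server (writes /etc/firewalld/services/rtmp.xml):
#   write_service_xml rtmp RTMP "Real-Time Messaging Protocol" 1935 tcp
#   service_port rtmp                      # prints 1935/tcp
#   firewall-cmd --reload
#   firewall-cmd --get-services | tr ' ' '\n' | grep -x rtmp
```

    Because the file is written to /etc/firewalld/services/ rather than /usr/lib/firewalld/services/, it overrides nothing shipped by the package and is kept across updates; `firewall-cmd --get-services` lists it only after the reload in step 5.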

  • Step 5: Assign Services to Zones

    1. Check the current state and active zones:

    firewall-cmd --state
    firewall-cmd --get-active-zones

    2. Add your custom service to a zone:

    firewall-cmd --zone=public --add-service=rtmp

    The change above applies to the running configuration only and is lost on reload or restart. To make it permanent:

    firewall-cmd --zone=public --add-service=rtmp --permanent
    firewall-cmd --reload

    3. Bind a source IP range to the default zone (so traffic from that range is handled by this zone's rules) and open a specific port:

    firewall-cmd --permanent --add-source=172.139.0.0/24
    firewall-cmd --permanent --add-port=2396/tcp
    firewall-cmd --reload

    4. List all settings of the default zone (add --zone=NAME to inspect another zone):

    firewall-cmd --list-all
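    After Step 5 it is worth checking that a zone opens only what you intended. The script below is an added example, not part of the original article: it audits the text that `firewall-cmd --list-all` prints against an allow-list of services and ports, reports anything unexpected, and notes any source range bound to the zone. The sample listing is constructed for this example in the shape of real CentOS 7 output (it is not captured from a server); the rtmp service, port 2396/tcp, source 172.139.0.0/24 and interface enp0s3 come from the article, while the dhcpv6-client service and the stray port 8080/tcp are assumptions added to show a finding.

```shell
#!/bin/sh
# Added example (not from the original article): audit the output of
# "firewall-cmd --list-all" against an allow-list of services and ports.

# Constructed sample listing, shaped like real CentOS 7 output; 8080/tcp is
# the deliberately unexpected entry the audit should flag.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 172.139.0.0/24
  services: dhcpv6-client ssh rtmp
  ports: 2396/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# field NAME reads the "NAME: value value ..." line from the listing on
# stdin and prints its values one per line (nothing if the line is empty).
field() {
    sed -n "s/^ *$1: *//p" | tr ' ' '\n' | sed '/^$/d'
}

# audit_zone ALLOWED_SERVICES ALLOWED_PORTS < listing
# Prints each service or port in the listing that is not on the allow-list
# and returns 1 if any was found, 0 if the zone matches expectations.
audit_zone() {
    allowed_services=$1; allowed_ports=$2
    listing=$(cat)
    found=0
    for svc in $(printf '%s\n' "$listing" | field services); do
        case " $allowed_services " in
            *" $svc "*) ;;
            *) echo "unexpected service: $svc"; found=1 ;;
        esac
    done
    for port in $(printf '%s\n' "$listing" | field ports); do
        case " $allowed_ports " in
            *" $port "*) ;;
            *) echo "unexpected port: $port"; found=1 ;;
        esac
    done
    # A bound source range means this zone's rules apply to that range;
    # report it so the zone's reachability from it is not a surprise.
    for src in $(printf '%s\n' "$listing" | field sources); do
        echo "note: source $src is bound to this zone"
    done
    return $found
}

# On a live server, audit the public zone against what you meant to open:
#   firewall-cmd --zone=public --list-all | audit_zone "dhcpv6-client ssh rtmp" "2396/tcp"
# Against the constructed sample this reports "unexpected port: 8080/tcp"
# and exits with status 1.
```

    Run the audit after every `--reload`, or from a scheduled job, and treat a non-zero exit as a configuration drift alert; the allow-list is the record of what the zone is supposed to expose.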

Final Notes

To learn more about Firewalld, use the manual:

man firewalld