In this guide, we will explain the basics of the Firewalld tool. The Firewalld tool is used by default on CentOS 7.x and 8.x, but the tool can also be installed on other distributions of Linux.
With firewalld it is advised to use the firewall-cmd command. By default, this command only applies changes to your current running firewall. Upon reboot, any changes made will be lost. It is advised to use the option –permanent. This option will make sure that any changes made will be permanent.
[root@worldstream ~]# firewall-cmd --reload
In order to start the firewalld service the following command can be used:
[root@worldstream ~]# systemctl start firewalld
If you wish to make sure the firewalld service is also activated on boot the following command can be used:
[root@worldstream ~]# systemctl enable firewalld
In order to check if the firewalld service is running correctly you are able to use one of the following two commands:
[root@worldstream ~]# firewall-cmd --state [root@worldstream ~]# systemctl status firewalld
Firewalld has a various list of pre-defined zones. In these zones, certain rules are pre-configured rules which represent a certain security level. When firewalld is enabled on the server by default Public will be the default zone. In order to show the current configuration for the Public zone which is the default zone the following command can be used:
[root@worldstream ~]# firewall-cmd --zone=public --list-all
The output of the command will look like the output below. By default, the service ssh is already allowed by firewalld.
[root@worldstream ~]# firewall-cmd --zone=public --list-all public (active) target: default icmp-block-inversion: no interfaces: enp2s0 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
With the following command you are able to show all zones that are configured and available for use:
[root@worldstream ~]# firewall-cmd --list-all-zones
This section explains how you are able to allow certain services with firewalld. In the below situation we will use the default zone Public and we will allow certain services. There are two file locations that are used in this process. Located at /usr/lib/firewalld/services you will find the pre-configured rule sets for certain services. At /etc/firewalld/services you will be able to create your own rule sets for services.
The following command can be used to show a list of available services:
[root@worldstream ~]# firewall-cmd --get-services
Below you will see various examples where services are added to the default public zone:
[root@worldstream ~]# firewall-cmd --zone=public --add-service=mysql --permanent [root@worldstream ~]# firewall-cmd --zone=public --add-service=http --permanent [root@worldstream ~]# firewall-cmd --zone=public --add-service=tftp-client --permanent
In the above commands you are able to change the –add-service to –remove-service. This will make sure that the rules for this service are removed.
How to secure your own connection to the server
In order to make sure that your own connection is allowed in firewalld the service ssh will need to be enabled. On the default zone Public ssh is enabled by default. However if ssh is not allowed, the following command can be used in order to allow ssh:
[root@worldstream ~]# firewall-cmd --zone=public --add-service=ssh --permanent
The second and last step is to add your public IP address you use at home or work. The following command can be used to add the IP to the Public zone:
[root@worldstream ~]# firewall-cmd --zone=public --add-source=[Your public IP addres]
If you are facing any difficulties with the configuration of firewalld feel free to contact us at my.ws.