The firewalld daemon is a firewall service that provides a dynamically managed firewall with support for network/firewall zones, which define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, Ethernet bridges and IP sets, keeps runtime and permanent configuration separate, and exposes an interface (over D-Bus) through which services and applications can add firewall rules directly. On CentOS 7 it manages the system's iptables rules for you, so do not edit those by hand while firewalld is running.
In this guide, we will cover how to set up a firewall for your CentOS 7 server and show you the basics of managing the firewall with the command-line client, firewall-cmd.
Firewalld can be installed on CentOS from the official CentOS repository using the yum package manager. Type the command below to install:
sudo yum install firewalld
After installation, enable firewalld so that it starts at boot. Enabling alone does not start the service in the current session, so either reboot afterwards or start it right away with systemctl start firewalld:
sudo systemctl enable firewalld
The firewall state is reported as one of two values, running or not running. To check it, type the command below (the exit status is non-zero when the firewall is not running, which makes the check usable in scripts):
sudo firewall-cmd --state
Before we start configuring the firewall with the firewall-cmd utility, there are a few basic concepts the tool uses that we need to get familiar with.
A firewall zone defines the level of trust for the interfaces and source addresses bound to it. Each zone is a named set of rules, managed by the firewalld daemon, that says what traffic is accepted from the networks the zone represents. You configure the zones and then assign each network interface (or source address range) to the zone that matches how much you trust the network behind it.
Firewalld ships with several predefined zones. From most trusted to least trusted they are: trusted, internal, home, work, dmz, external, public, block and drop. Zone names are case-sensitive and lowercase on the command line.
More information about the predefined zones can be found in the firewalld.zones(5) man page.
Firewalld keeps two configurations: runtime and permanent. A rule added or changed without the --permanent flag goes into the runtime configuration only; it takes effect immediately but is discarded when firewalld is reloaded or restarted, or when the system reboots.
A rule added with --permanent is written to the permanent configuration (under /etc/firewalld) and survives reboots, but it does not take effect in the running firewall until you reload (sudo firewall-cmd --reload). This also lets you build up a whole set of permanent rules over time and apply them at once with a single reload.
The split is useful for testing: try a rule in the runtime configuration first, and if it breaks something (for example locks you out of a service), a reload or a reboot restores the last known-good permanent configuration. Once a runtime rule is confirmed to work, repeat the command with --permanent.
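The gap between the two configurations is easy to miss: a port opened at runtime during troubleshooting silently disappears at the next reload, and a permanent rule that was never reloaded is not protecting anything yet. The following script is an added example written for this guide, not part of firewalld. It normalises the output of firewall-cmd --list-all for a zone and reports entries that exist in only one of the two configurations. The two sample listings inside it are constructed, and the FIREWALL_CMD override and the --audit flag are conventions of this script, not firewall-cmd options.

```shell
#!/bin/sh
# fw-drift.sh: report differences between a zone's runtime and permanent
# configuration. Added example for this guide (not part of firewalld).
# FIREWALL_CMD (override for testing) and --audit are this script's own
# conventions, not firewall-cmd options.

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Turn a --list-all listing into one "key=value" line per setting, sorted.
# Multi-value lines ("services: ssh https") become one line per value, and
# continuation lines (rich rules, printed one per line under "rich rules:")
# are attached to the key above them. The first line is the zone header.
normalize_listing() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }
        /^[[:space:]]+[a-z -]+:/ {
            key = $0; sub(/^[[:space:]]+/, "", key); sub(/:.*/, "", key)
            vals = $0; sub(/^[^:]*:[[:space:]]*/, "", vals)
            n = split(vals, v, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (v[i] != "") print key "=" v[i]
            next
        }
        /^[[:space:]]+[^[:space:]]/ {
            line = $0; sub(/^[[:space:]]+/, "", line); print key "=" line
        }
    ' | sort
}

# Print entries found in only one of the two listings, tagged with the side
# they come from. Exit status is 1 when any drift was found, so the function
# can gate a deployment step or a cron alert.
listing_drift() {
    drift=$(
        {
            normalize_listing "$1" | sed 's/^/R /'
            normalize_listing "$2" | sed 's/^/P /'
        } | awk '
            { e = substr($0, 3) }
            $1 == "R" { r[e] = 1; next }
            { p[e] = 1 }
            END {
                for (k in r) if (!(k in p)) print "runtime-only " k
                for (k in p) if (!(k in r)) print "permanent-only " k
            }' | sort
    )
    [ -n "$drift" ] && printf '%s\n' "$drift"
    [ -z "$drift" ]
}

# Live check of every zone; needs firewall-cmd on PATH and usually root.
audit_all_zones() {
    for z in $("$FIREWALL_CMD" --get-zones); do
        rt=$("$FIREWALL_CMD" --zone="$z" --list-all)
        pm=$("$FIREWALL_CMD" --permanent --zone="$z" --list-all)
        listing_drift "$rt" "$pm" | sed "s/^/$z: /"
    done
}

# Constructed sample listings shaped like --list-all output on CentOS 7:
# https, a port and a rich rule were added at runtime only.
SAMPLE_RUNTIME='office (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh https
  ports: 8069/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept'

SAMPLE_PERMANENT='office
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

if [ "${1:-}" = "--audit" ]; then
    audit_all_zones
else
    listing_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "(drift found in the constructed sample)"
fi
```

Run it as fw-drift.sh --audit on the server before a reload or a reboot; anything reported as runtime-only will vanish at that point, and anything permanent-only is not yet enforced. Interfaces can legitimately differ between the two sides when the binding lives in a NetworkManager connection profile. Where the runtime state is the one you want to keep, firewalld versions that support it can copy it across in one step with sudo firewall-cmd --runtime-to-permanent instead of repeating every command with --permanent.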
To get a list of the available zones, type the following command:
sudo firewall-cmd --get-zones
To view which zone is currently selected as the default, type the following command:
sudo firewall-cmd --get-default-zone
You can change the default zone with the --set-default-zone= parameter. The default zone applies to every interface that has not been explicitly assigned to another zone, so changing it affects all such interfaces at once:
sudo firewall-cmd --set-default-zone=work
We have now changed our default zone from public to work. Note that --set-default-zone changes both the runtime and the permanent setting, so no --permanent flag is needed.
To view the active zones (the zones that currently have an interface or source bound to them and are therefore controlling traffic), type the following command:
sudo firewall-cmd --get-active-zones
To view the default zone's configuration, type the following command:
sudo firewall-cmd --list-all
To view all of the zone definitions, type the command:
sudo firewall-cmd --list-all-zones
You can also move an interface to another zone. Be aware that when you change the zone of an interface, you also change which services are reachable through it, because the new zone's rules apply immediately. Here we move eth0 into the "work" zone:
sudo firewall-cmd --zone=work --change-interface=eth0
Without --permanent this binding lasts only until the next reload or reboot. On CentOS 7 the zone of an interface is also recorded in its connection profile (ZONE= in the ifcfg file for NetworkManager or the network service), so keep the two in agreement.
To verify that our change was successful, we can check the active zones again with the command:
sudo firewall-cmd --get-active-zones
Adding a Service to your Zones
With the firewall-cmd utility you can create a new, empty service using --new-service, which only works together with the --permanent option:
sudo firewall-cmd --permanent --new-service=myservice
myservice here is the name of the service you want to add. An empty service allows nothing; you then add its ports with --permanent --service=myservice --add-port=PORT/PROTOCOL and reload the firewall before the service can be used with --add-service.
You can get a list of the available services with the --get-services option by typing the command below:
sudo firewall-cmd --get-services
For instance, if we are running a web server serving HTTPS traffic, we can allow this traffic for interfaces in our "work" zone for this session by typing:
sudo firewall-cmd --zone=work --add-service=https
If --zone= is omitted, the command applies to the default zone.
To verify that the operation was successful, list the services of the zone we changed:
sudo firewall-cmd --zone=work --list-services
Once https appears in the list, the next step is to add it to the permanent configuration so that it is still allowed after a reload or reboot. We can make our "work" zone change permanent by typing:
sudo firewall-cmd --zone=work --permanent --add-service=https
To verify that this was successful, add the --permanent flag to the --list-services operation by typing:
sudo firewall-cmd --zone=work --permanent --list-services
Opening a Port for your Zones
When no predefined service matches, you can add support for your application by opening the ports it uses in the appropriate zone(s): specify the port or port range and the protocol, tcp or udp. Open only the ports the application actually listens on, and prefer defining a service (previous section) when the same ports are needed in more than one zone or on more than one host, so the intent stays readable in --list-all.
For instance, the Odoo server listens on TCP port 8069. We could add this to the "work" zone for this session using the --add-port= parameter:
sudo firewall-cmd --zone=work --add-port=8069/tcp
We can verify that this was successful using the --list-ports operation by typing:
sudo firewall-cmd --zone=work --list-ports
To keep this port open across reloads and reboots, add it to the permanent configuration as well:
sudo firewall-cmd --zone=work --permanent --add-port=8069/tcp
You can also open a sequential range of ports by separating the first and last port with a dash. For instance, if our application uses TCP ports 8060 to 8069, we could open these on "work" for this session by typing:
sudo firewall-cmd --zone=work --add-port=8060-8069/tcp
A range is made permanent in the same way, with --permanent. To see what the permanent configuration holds, type:
sudo firewall-cmd --zone=work --permanent --list-ports
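The --new-service command in the previous section only creates an empty service; ports must then be added to it and the permanent configuration reloaded before --add-service can use it. The script below is an added example written for this guide, not firewalld's own code. It covers that whole sequence, including the port-range case from this section, validating each port specification before anything is written and refusing to overwrite an existing service. The application name, the ports and the FIREWALL_CMD override (used so the script can be exercised without root) are assumptions of the example.

```shell
#!/bin/sh
# define-service.sh: package an application's ports as a firewalld service
# so zones can refer to it by name instead of carrying raw --add-port
# entries. Added example for this guide (not part of firewalld). The
# FIREWALL_CMD override is this script's own convention for testing.
#   usage: define-service.sh NAME "Short description" PORT[-PORT]/PROTO...
#   e.g.   define-service.sh odoo "Odoo ERP" 8069/tcp 8072/tcp

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}
fw() { "$FIREWALL_CMD" "$@"; }

# Accept "port/proto" or "low-high/proto" with proto tcp or udp, ports in
# 1-65535 and low <= high. Anything else is rejected before the firewall is
# touched, so a typo cannot open an unintended range.
valid_port_spec() {
    spec=$1
    case $spec in
        */tcp|*/udp) ;;
        *) echo "bad port spec '$spec': protocol must be tcp or udp" >&2; return 1 ;;
    esac
    range=${spec%/*}
    low=${range%-*}
    high=${range#*-}
    for p in "$low" "$high"; do
        case $p in
            ''|*[!0-9]*) echo "bad port spec '$spec': port is not a number" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port spec '$spec': port outside 1-65535" >&2; return 1
        fi
    done
    if [ "$low" -gt "$high" ]; then
        echo "bad port spec '$spec': range is reversed" >&2; return 1
    fi
}

# The permanent service list also contains services created but not yet
# loaded with --reload, so it is the right place to check for a clash.
service_exists() { fw --permanent --get-services | tr ' ' '\n' | grep -qxF -- "$1"; }

define_service() {
    name=$1; short=$2; shift 2
    [ $# -gt 0 ] || { echo "define_service: no ports given" >&2; return 1; }
    for spec in "$@"; do valid_port_spec "$spec" || return 1; done
    if service_exists "$name"; then
        echo "service '$name' exists; change it with --permanent --service=$name" >&2
        return 1
    fi
    fw --permanent --new-service="$name" || return 1
    fw --permanent --service="$name" --set-short="$short" || return 1
    for spec in "$@"; do
        fw --permanent --service="$name" --add-port="$spec" || return 1
    done
    # Permanent changes are not live until a reload; after it the service
    # can be used like a built-in one: firewall-cmd --zone=work --add-service=NAME
    fw --reload
}

if [ $# -ge 3 ]; then
    define_service "$@"
fi
```

After the reload, the new service shows up in sudo firewall-cmd --get-services and can be added to a zone with --add-service exactly like https above; the definition itself is stored as an XML file under /etc/firewalld/services/, which is what you would put under version control.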
For more on services and ports, see the firewall-cmd(1) and firewalld.service(5) man pages.
Creating Your Own Zones
Firewalld also lets you define your own zones with names that describe their function. In the next example we create a zone for our web server, called "office". Zones can only be created in the permanent configuration (--new-zone requires --permanent), after which a reload brings the new zone into the running firewall. Type the command below:
sudo firewall-cmd --permanent --new-zone=office
Verify by typing:
sudo firewall-cmd --permanent --get-zones
Reload the firewall to bring these new zones into the running instance:
sudo firewall-cmd --reload
After creating the zone, we can assign the appropriate services and ports to it. For the "office" zone we add the SSH and HTTPS services and check that they were added. Add SSH first: a new zone allows nothing by default, and moving a remote server's interface into it without SSH will lock you out.
sudo firewall-cmd --zone=office --add-service=ssh
sudo firewall-cmd --zone=office --add-service=https
sudo firewall-cmd --zone=office --list-all
We can then move our interface over to the new zone to test it (runtime only, so a reload undoes it if something goes wrong):
sudo firewall-cmd --zone=office --change-interface=eth0
Having tested the zone at runtime, we:
Make the rules permanent:
sudo firewall-cmd --zone=office --permanent --add-service=ssh
sudo firewall-cmd --zone=office --permanent --add-service=https
The interface binding made with --change-interface above was runtime only. Make it permanent as well (the same command with --permanent) or set ZONE=office in the interface's ifcfg file; otherwise eth0 falls back to the default zone at the next reload. Then restart the network and reload the firewall service:
sudo systemctl restart network
sudo systemctl reload firewalld
Validate that the correct zones were assigned:
sudo firewall-cmd --get-active-zones
Validate that the appropriate services are available in the zone:
sudo firewall-cmd --zone=office --list-services
We have successfully set up our own zone.
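The step-by-step sequence above leaves two things to chance: the interface is moved to the new zone only at runtime, and nothing checks that SSH is allowed in the zone before the interface is moved. The script below is an added example written for this guide, not firewalld's own code. It does the whole job in the permanent configuration, in an order that cannot lock you out of a remote server, and verifies the result from the live firewall instead of trusting the commands. The zone name, interface, service list and the FIREWALL_CMD override (used so the script can be exercised without root) are assumptions of the example. On an interface managed by NetworkManager the zone binding is kept in the connection profile (connection.zone), so check there as well if the verification step reports an unexpected zone.

```shell
#!/bin/sh
# new-zone.sh: create a custom zone, allow only the listed services in it,
# bind an interface to it permanently and verify. Added example for this
# guide (not part of firewalld); the FIREWALL_CMD override is this script's
# own convention for testing.
#   usage: new-zone.sh ZONE INTERFACE SERVICE...
#   e.g.   new-zone.sh office eth0 ssh https

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}
fw() { "$FIREWALL_CMD" "$@"; }

zone_exists() { fw --permanent --get-zones | tr ' ' '\n' | grep -qxF -- "$1"; }

# A new zone starts with target "default", which rejects everything that is
# not explicitly allowed, so a zone without ssh cuts off remote access.
allows_ssh() {
    for svc in "$@"; do [ "$svc" = ssh ] && return 0; done
    return 1
}

provision_zone() {
    zone=$1; iface=$2; shift 2
    if ! allows_ssh "$@"; then
        echo "refusing: zone '$zone' would not allow ssh on $iface" >&2
        return 1
    fi
    if ! zone_exists "$zone"; then
        # Zones can only be created in the permanent configuration; the
        # reload makes the empty zone known to the running firewall.
        fw --permanent --new-zone="$zone" || return 1
        fw --reload || return 1
    fi
    for svc in "$@"; do
        fw --permanent --zone="$zone" --add-service="$svc" || return 1
    done
    # Bind the interface in the permanent configuration. Without --permanent
    # (as in the guide's runtime step) the binding would revert at the next
    # reload and the interface would fall back to the default zone.
    fw --permanent --zone="$zone" --change-interface="$iface" || return 1
    # One reload applies the services and the binding together, so the
    # interface is never in the zone before its services are.
    fw --reload || return 1
    # Verify from the live firewall rather than trusting the commands.
    live=$(fw --get-zone-of-interface="$iface")
    if [ "$live" != "$zone" ]; then
        echo "verification failed: $iface is in zone '$live', not '$zone'" >&2
        return 1
    fi
    fw --zone="$zone" --list-all
}

if [ $# -ge 3 ]; then
    provision_zone "$@"
fi
```

Because the ssh check happens before any command reaches the firewall, a typo such as new-zone.sh office eth0 http changes nothing; and because verification reads --get-zone-of-interface, a binding silently overridden by a connection profile shows up as a failure instead of a surprise at the next reboot.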
Cloudwafer provides simple, fast and yet reliable high-performance Cloud, Custom Dedicated, and Enterprise Infrastructure hosting services. Whatever your business needs, we've got you covered! Check out our mouthwatering Cloud server offers here.