The firewalld daemon is a firewall service that provides a dynamically managed firewall with support for network/firewall zones, which define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, Ethernet bridges and IP sets, keeps runtime and permanent configuration separate, and provides a D-Bus interface through which services or applications can add firewall rules directly.

In this guide, we will cover how to set up a firewall for your CentOS 7 server and show you the basics of managing the firewall with the command-line client, firewall-cmd.

Installing firewalld

Firewalld can be installed on CentOS from the official CentOS repository using the yum package manager. Type the command below to install:
sudo yum install firewalld

After installation, enable firewalld to start at boot and start it right away (a reboot is not required):
sudo systemctl enable firewalld
sudo systemctl start firewalld

The status check has only two possible outputs: running or not running. To check the status, type the command below:

sudo firewall-cmd --state

Before we begin using the firewall-cmd utility to manage the firewall, there are a few basic concepts the tool uses that we need to get familiar with.

Firewall Zones
A firewall zone defines the trust level of the interface used for a connection. A zone is a named group of rules, managed by the firewalld daemon, that dictates which traffic is allowed depending on how much you trust the network the interface is connected to. We can alter the properties of our zones (the services, ports and other entities they permit) and then assign each network interface to whichever zone is most appropriate for it.

Firewalld provides several predefined zones. Ordered from most trusted to least trusted they are: trusted, internal, home, work, dmz, external, public, block, drop.
More information about firewalld zones can be found in the man page (man firewalld.zones) and in the official firewalld documentation.

Rule Permanence
In firewalld, a rule is either runtime (immediate) or permanent. When a rule is added or modified without the --permanent flag it is a runtime rule: it takes effect at once but lives only in the running daemon, and it is lost whenever firewalld is reloaded or restarted, including at reboot.

A rule added with the --permanent flag is written to the on-disk configuration under /etc/firewalld and is loaded again every time the daemon starts, so it survives a reboot. It does not, however, touch the running firewall until a reload is issued. The --permanent flag can therefore also be used to build out an entire set of rules over time that will be applied at once when the reload command is issued.

This distinction lets you test rules in the active firewall first: if a runtime change breaks something (locking yourself out of SSH is the classic case), a reload or a reboot reverts it. Once a runtime rule is known to be good, repeat it with --permanent, or copy the whole runtime state into the permanent configuration with the --runtime-to-permanent operation.
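As an added example (not code from the original tutorial or from the firewalld project), the script below turns that runtime-first workflow into a repeatable procedure: it reports drift between the runtime and permanent configuration of a zone, then applies a rule to the runtime configuration only, runs a health check, and either commits the runtime state with --runtime-to-permanent or reverts it with --reload. The FWCMD wrapper, the zone, the rule, the bastion host 203.0.113.10 and this server's address 198.51.100.5 are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply a rule to the
# running firewall only, run a health check, then either commit the change
# to the permanent configuration or throw it away with a reload.
# FWCMD, the zone, the rule and the health-check command are assumptions;
# adapt them to your host. FWCMD is expanded unquoted on purpose so that
# "sudo firewall-cmd" splits into two words.
set -eu

FWCMD="${FWCMD:-sudo firewall-cmd}"

# Print the whole-word items of the first space-separated list that are
# missing from the second ("http" is not matched by "https").
set_diff() {
    missing=""
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) missing="${missing:+$missing }$item" ;;
        esac
    done
    printf '%s' "$missing"
}

# Report services and ports that exist in only one of the runtime or the
# permanent configuration of a zone. Runtime-only entries disappear at the
# next reload; permanent-only entries are not enforced until one.
zone_drift() {
    zone="$1"
    for kind in services ports; do
        runtime=$($FWCMD --zone="$zone" --list-"$kind")
        permanent=$($FWCMD --zone="$zone" --permanent --list-"$kind")
        r_only=$(set_diff "$runtime" "$permanent")
        p_only=$(set_diff "$permanent" "$runtime")
        if [ -n "$r_only" ]; then
            echo "$zone $kind runtime-only (lost on reload): $r_only"
        fi
        if [ -n "$p_only" ]; then
            echo "$zone $kind permanent-only (inactive until reload): $p_only"
        fi
    done
}

# Add a rule to the runtime configuration, run the health check, and only
# then copy the runtime state into the permanent configuration. If the
# check fails, --reload discards every runtime-only change, this one
# included. --runtime-to-permanent commits all runtime changes, not just
# this rule, so run zone_drift first if you are unsure what is pending.
try_then_commit() {
    zone="$1"; rule="$2"; check="$3"
    $FWCMD --zone="$zone" "$rule"
    if sh -c "$check"; then
        $FWCMD --runtime-to-permanent
        echo "committed: $rule in zone $zone"
    else
        $FWCMD --reload
        echo "health check failed; runtime change reverted" >&2
        return 1
    fi
}

# Usage: sh safe-rule.sh run   (nothing is changed without the "run" argument)
# The health check asks an assumed bastion host (203.0.113.10) to probe this
# server's assumed address (198.51.100.5) on port 443 from outside, so the
# zone rules are actually exercised; a loopback curl would bypass them.
if [ "${1:-}" = "run" ]; then
    zone_drift work
    try_then_commit work --add-service=https \
        'ssh -o BatchMode=yes admin@203.0.113.10 nc -z -w 5 198.51.100.5 443'
fi
```

Run zone_drift before committing on any host that has been administered by hand for a while: a stray runtime-only rule that someone added during an incident will otherwise be swept into the permanent configuration together with the rule you meant to keep.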

Zones Configurations
To get a list of the available zone types, type the following command:
sudo firewall-cmd --get-zones

To view which zone is currently selected as the default, type the following command:
sudo firewall-cmd --get-default-zone

You can change the default zone with the --set-default-zone= parameter with the command below:
sudo firewall-cmd --set-default-zone=work

We have successfully changed our default zone from public to work. Unlike most operations, --set-default-zone is applied to both the runtime and the permanent configuration, so the new default survives a reload.

To view the active zones (the zones that currently have interfaces or sources assigned to them and are therefore controlling traffic), type the following command:
sudo firewall-cmd --get-active-zones

To view the default zone's configuration, type the following command:
sudo firewall-cmd --list-all

To view all of the zone definitions, type the command:
sudo firewall-cmd --list-all-zones

You can also change the zone of an interface. Note that whenever you move an interface to a different zone, you are also changing which services and ports are reachable through it. In the example below we move the eth0 interface into the "work" zone:
sudo firewall-cmd --zone=work --change-interface=eth0

To verify that our change was successful, we can check the active zones again with the command:
sudo firewall-cmd --get-active-zones

Adding a Service to your Zones
Using the firewall-cmd utility on the command line, you can create a new, empty service definition with --new-service. It must be combined with --permanent because service definitions exist only in the permanent configuration (as XML files under /etc/firewalld/services):
sudo firewall-cmd --permanent --new-service=myservice

myservice here is the name of the service you want to create. A freshly created service allows nothing: it needs ports added to it (with --permanent --service=myservice and --add-port=) and a reload before it can be added to a zone like the predefined services below.

You can get a list of the available services with the --get-services option by typing the command below:
sudo firewall-cmd --get-services

For instance, if we are running a web server serving HTTPS traffic, we can allow this traffic for interfaces in our "work" zone for this session by typing:
sudo firewall-cmd --zone=work --add-service=https

Note that you can omit --zone= only if you wish to modify the default zone; for any other zone it is required.

To verify that the operation was successful, list the services of the zone you changed:
sudo firewall-cmd --zone=work --list-services

Once the runtime addition is verified, the next phase is to modify the permanent firewall rules so that the added service is still allowed after a reload or reboot. We can make our "work" zone change permanent by typing:
sudo firewall-cmd --zone=work --permanent --add-service=https

To verify that this was successful, add the --permanent flag to the --list-services operation by typing:
sudo firewall-cmd --zone=work --permanent --list-services

Opening a Port for your Zones
In cases where no predefined service matches what you run, you can add support for your application by opening the ports it uses in the appropriate zone(s). This is as easy as specifying the port or port range and the associated protocol for the ports you need to open. The protocol can be either tcp or udp.

For instance, the Odoo server listens on TCP port 8069. We can add this to the "work" zone for this session using the --add-port= parameter:
sudo firewall-cmd --zone=work --add-port=8069/tcp

We can verify that this was successful using the --list-ports operation by typing:
sudo firewall-cmd --zone=work --list-ports

To make this port addition permanent, that is, present even after a reload or reboot, type the command below:
sudo firewall-cmd --zone=work --permanent --add-port=8069/tcp

You can also add a sequential range of ports by separating the beginning and ending port in the range with a dash. For instance, if our application uses TCP ports 8060 to 8069, we could open these up on "work" for this session by typing:
sudo firewall-cmd --zone=work --add-port=8060-8069/tcp

To check, run sudo firewall-cmd --zone=work --list-ports. A range added without --permanent will not show up under --permanent --list-ports and disappears at the next reload, so repeat the command with --permanent once you are happy with it.
To read more on adding services to firewalld, check the official firewalld documentation (see the reference at the end of this guide).

Creating Your Own Zones
Firewalld also allows you to define your own zones with names that describe their function. For example, we are going to create a zone for our web server called "office". New zones can only be created in the permanent configuration, so --permanent is mandatory here; a reload afterwards brings the zone into your running session. Type the command below:
sudo firewall-cmd --permanent --new-zone=office

Verify by typing:
sudo firewall-cmd --permanent --get-zones

Reload the firewall to bring the new zone into the running instance, then confirm it is now listed without --permanent:
sudo firewall-cmd --reload
sudo firewall-cmd --get-zones

After successfully creating our zone, we can begin allocating the appropriate services and ports to our zone. In this case, for the "office" zone, we are going to add the SSH and HTTPS services, and check that it has been added.
sudo firewall-cmd --zone=office --add-service=ssh
sudo firewall-cmd --zone=office --add-service=https
sudo firewall-cmd --zone=office --list-all

We could then change our interfaces over to these new zones to test them out:
sudo firewall-cmd --zone=office --change-interface=eth0

Next we:

  • Make the rules permanent:
    sudo firewall-cmd --zone=office --permanent --add-service=ssh
    sudo firewall-cmd --zone=office --permanent --add-service=https

    Repeat the --change-interface step with --permanent as well; without it the interface binding is a runtime change, and the reload below would move eth0 back to the default zone.

  • Reload the firewall service (restarting the network is only needed when the interface's zone is set through the ZONE= option in its ifcfg file rather than with firewall-cmd):
    sudo systemctl restart network
    sudo systemctl reload firewalld

  • Validate that the correct zone is assigned to the interface:
    sudo firewall-cmd --get-active-zones

  • Validate that the appropriate services are allowed in the new zone:
    sudo firewall-cmd --zone=office --list-services

We have successfully set up our own zone.
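As an added example that is not part of the original tutorial, the script below carries the custom-service and custom-zone procedure above through in one pass: it validates each port specification before use, builds a service definition with --new-service, creates the zone, binds the interface with --permanent so the binding survives the reload, reloads once, and then checks with --get-zone-of-interface that the interface really ended up in the new zone. The service name odoo-app, its ports, the zone name office, the interface eth0 and the FWCMD wrapper are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: create a custom service
# definition and a custom zone in the permanent configuration, bind an
# interface to the zone permanently, then reload once so everything becomes
# active together. The service name (odoo-app), its ports, the zone name
# (office) and the interface (eth0) are assumptions; adapt them to your host.
# FWCMD is expanded unquoted on purpose so "sudo firewall-cmd" splits.
set -eu

FWCMD="${FWCMD:-sudo firewall-cmd}"

# Accept "port/proto" or "first-last/proto" with proto tcp or udp and both
# ports within 1-65535, first <= last. Anything else is rejected, so a
# mistyped range such as 8060-8070/tcp for a documented 8060-8069 range is
# caught by the script before it reaches the firewall.
valid_port_spec() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    ports="${spec%/*}"
    case "$ports" in
        *-*-*) return 1 ;;
    esac
    first="${ports%%-*}"
    last="${ports##*-}"
    for p in "$first" "$last"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$first" -le "$last" ]
}

# Create an empty service, then give it a description and its ports. All of
# this is --permanent: service definitions exist only on disk (as XML under
# /etc/firewalld/services) and are unusable until a --reload.
define_service() {
    name="$1"; shift
    $FWCMD --permanent --new-service="$name"
    $FWCMD --permanent --service="$name" --set-description="Odoo application server"
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
        $FWCMD --permanent --service="$name" --add-port="$spec"
    done
}

# Create a zone, allow only the listed services in it, and bind the interface
# with --permanent so the binding survives a reload. --change-interface
# without --permanent is a runtime change that the reload below would undo.
define_zone() {
    zone="$1"; iface="$2"; shift 2
    $FWCMD --permanent --new-zone="$zone"
    for svc in "$@"; do
        $FWCMD --permanent --zone="$zone" --add-service="$svc"
    done
    $FWCMD --permanent --zone="$zone" --change-interface="$iface"
}

# Reload once so the service, the zone and the interface binding become
# active together, then check that the interface really landed in the zone
# (NetworkManager can place it elsewhere if its connection profile carries a
# zone of its own) and show what the zone exposes.
apply_and_verify() {
    zone="$1"; iface="$2"
    $FWCMD --reload
    actual=$($FWCMD --get-zone-of-interface="$iface" || true)
    if [ "$actual" != "$zone" ]; then
        echo "$iface is in zone '$actual', not '$zone'" >&2
        return 1
    fi
    $FWCMD --get-active-zones
    $FWCMD --zone="$zone" --list-all
}

# Usage: sh custom-zone.sh run   (nothing is changed without the "run" argument)
if [ "${1:-}" = "run" ]; then
    define_service odoo-app 8069/tcp 8072/tcp
    define_zone office eth0 ssh https odoo-app
    apply_and_verify office eth0
fi
```

Everything before the single --reload is staged on disk only, which is the point: the running firewall never sees a half-built zone with SSH missing. If NetworkManager manages eth0, set the zone on its connection profile instead (nmcli connection modify <profile> connection.zone office), because the profile's zone overrides the interface binding stored in the zone file, and the --get-zone-of-interface check above is what tells you which one won.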


Reference: Firewalld