Introduction

In this guide we explain the basics of the firewalld tool. Firewalld is the default firewall management tool on CentOS 7.x and 8.x, but it can also be installed on other Linux distributions.

Basic commands

With firewalld, the firewall-cmd command is the recommended way to manage rules. By default this command only changes the currently running firewall, and those changes are lost on reboot. It is therefore advised to add the option --permanent, which writes the change to the saved configuration. A permanent change does not take effect in the running firewall until the configuration is reloaded with the following command:

# sudo firewall-cmd --reload

In order to start the firewalld service the following command can be used:

# sudo systemctl start firewalld

If you wish to make sure the firewalld service is also activated on boot the following command can be used:

# sudo systemctl enable firewalld

In order to check if the firewalld service is running correctly you are able to use one of the following two commands:

# sudo firewall-cmd --state
# sudo systemctl status firewalld

Firewalld ships with a number of pre-defined zones. Each zone comes with a set of pre-configured rules that represent a certain level of trust. When firewalld is enabled on the server, Public is the default zone. To show the current configuration of the default Public zone, use the following command:

# sudo firewall-cmd --zone=public --list-all

The output of the command will look like the listing below. By default the ssh service is already allowed by firewalld.

[root@Dedifix ~]# sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
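A listing like the one above is what you compare against the policy you intended. The following script is an added example, not part of the original article: it parses the output of firewall-cmd --zone=<zone> --list-all, pulls out one field (services, sources, ports, and so on), and reports any allowed service that is not on an expected list. It reads the listing from standard input, so it can be fed live output or a saved copy; the sample listing embedded below is constructed for the demonstration and has one extra service (mysql) that the audit should flag.

```shell
#!/bin/sh
# Added example (not from the original article): audit a firewalld zone
# listing against an expected set of services.

# Print the value of one field of a "firewall-cmd --list-all" listing.
# Usage: zone_field <field-name> < listing   (e.g. zone_field services)
zone_field() {
    awk -v key="$1" 'sub("^[ \t]*" key ":[ \t]*", "") { print }'
}

# Return 0 if every allowed service is in the expected list, 1 otherwise,
# printing each unexpected service on stdout.
# Usage: audit_services "<space-separated expected services>" < listing
audit_services() {
    expected=" $1 "
    rc=0
    for svc in $(zone_field services); do
        case "$expected" in
            *" $svc "*) ;;
            *) echo "unexpected service in zone: $svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample listing, modelled on the article's output, with one
# extra service (mysql) that the audit is expected to report.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: dhcpv6-client ssh mysql
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Stand-alone run: the policy only allows dhcpv6-client and ssh, so the
# audit reports mysql and returns 1.
printf '%s\n' "$SAMPLE_LISTING" | audit_services "dhcpv6-client ssh" \
    || echo "audit: zone differs from expected policy"
# On a live host the same check reads the real listing:
#   sudo firewall-cmd --zone=public --list-all | audit_services "dhcpv6-client ssh"
```

The exit status makes the function usable from a cron job or a configuration check: a non-zero return means a service was opened that the expected list does not cover.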

With the following command you are able to show all zones that are configured and available for use:

# sudo firewall-cmd --list-all-zones

Allowing services

This section explains how to allow certain services with firewalld. In the examples below we use the default zone Public and allow a number of services. Two directories are involved in this process: /usr/lib/firewalld/services contains the pre-configured service definitions shipped with firewalld, and /etc/firewalld/services is where you create your own service definitions.

The following command can be used to show a list of available services:

# sudo firewall-cmd --get-services

Below you will see various examples where services are added to the default public zone:

# sudo firewall-cmd --zone=public --add-service=mysql --permanent
# sudo firewall-cmd --zone=public --add-service=http --permanent
# sudo firewall-cmd --zone=public --add-service=tftp-client --permanent

In the above commands you can replace --add-service with --remove-service, which removes the rules for that service again.
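A service that firewalld does not know about needs its own definition under /etc/firewalld/services before --add-service can refer to it. The script below is an added example, not part of the original article: it writes a service file in the XML layout firewalld uses for its service definitions, refuses a port or protocol that is not valid, and prints the ports a file opens so it can be reviewed before it is loaded. The service name myapp, port 8443 and the temporary directory are assumptions for the demonstration; on a real host the file goes into /etc/firewalld/services/ instead.

```shell
#!/bin/sh
# Added example (not from the original article): create and review a custom
# firewalld service definition.

# Usage: write_service_xml <dir> <name> <port> <protocol> <description>
# Creates <dir>/<name>.xml. Returns 1 on an invalid port or protocol so a
# typo cannot silently open the wrong port; no file is written in that case.
write_service_xml() {
    dir=$1; name=$2; port=$3; proto=$4; desc=$5
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] \
        || { echo "port out of range: $port" >&2; return 1; }
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Print the port/protocol pairs a service file opens (one per line), so the
# file can be reviewed before firewalld loads it.
# Usage: service_ports <file>
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$1"
}

# Stand-alone run writes into a temporary directory rather than
# /etc/firewalld/services so it can be tried without root.
demo_dir=$(mktemp -d)
write_service_xml "$demo_dir" myapp 8443 tcp "Hypothetical application on 8443/tcp"
service_ports "$demo_dir/myapp.xml"    # prints 8443/tcp
# On a real host, copy the file to /etc/firewalld/services/, then:
#   sudo firewall-cmd --reload
#   sudo firewall-cmd --zone=public --add-service=myapp --permanent
#   sudo firewall-cmd --reload
```

The first reload makes firewalld read the new service file; the second applies the permanent zone change to the running firewall, as described in the basic commands section.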

How to secure your own connection to the server

To make sure that your own connection is allowed by firewalld, the ssh service needs to be enabled. In the default zone Public, ssh is enabled by default. If ssh is not allowed, the following command can be used to allow it:

# sudo firewall-cmd --zone=public --add-service=ssh --permanent

The second and last step is to add the public IP address you use at home or work. The following command can be used to add the IP to the Public zone:

# sudo firewall-cmd --zone=public --add-source=[Your public IP address]

In case firewalld is not the firewall tool you wish to use make sure to check out our articles on iptables and ufw.
