Enterprises attach great importance to network security because their business depends on it, so a well-managed host firewall is a valuable tool.
In this article we look at the basic principles of firewalld, the firewall service introduced with CentOS 7. The filtering itself is done by Netfilter, the packet-filtering framework built into the Linux kernel, which inspects every packet passing through the system; firewalld is a management front end that programs those kernel rules through iptables, ip6tables and ebtables (newer releases can also use nftables).
This means packets can be inspected, modified, rejected or dropped programmatically, whether they are incoming, outgoing or forwarded, before they reach their destination. Starting with CentOS 7, firewalld is the default tool for managing the host-based firewall. The daemon comes from the firewalld package, which is part of a default CentOS 7 installation; if it is missing from your system, install it as shown below.
Advantages of firewalld over plain iptables:
- Changes made to the runtime configuration take effect immediately, without reloading or restarting the firewalld service
- Firewall management is simplified by grouping network traffic into zones, each with its own trust level
- A system can hold several firewall configurations (zones) and switch between them as the network environment changes
- A D-Bus interface lets other applications query and maintain firewall settings
On CentOS 7 the classic iptables service is still available (from the iptables-services package). To use it, stop and disable firewalld first: running firewalld and the iptables service at the same time leads to conflicts, because both write to the same kernel rule tables and each overwrites the other's rules.
Use firewalld to manage the firewall unless there is a specific reason to stay with classic iptables.
firewalld is built around a flexible filtering model. Incoming traffic is classified into zones, either by the network interface it arrives on or by its source address.
Each zone defines how traffic arriving in it is handled: which services and ports are accepted and what happens to everything else. Unless you change it, the default zone is public, and every interface that has not been assigned to another zone is attached to it.
The predefined zone definitions are stored in two locations: the system-provided ones under /usr/lib/firewalld/zones/ and user-provided ones under /etc/firewalld/zones/. The first time a system zone is changed permanently, firewalld writes a copy of it to /etc/firewalld/zones/, and from then on that copy takes precedence over the system file.
This article introduces the basics of the firewalld service in detail and shows how to use the firewall-cmd command on RHEL/CentOS 7.
Prerequisites:
- Operating system: CentOS 7 or later
- Package: firewalld
- User account: root user or user account with sudo permission
- Run administrative commands through sudo rather than as the root user
There are three ways to configure the firewall:
- Editing the configuration files under /etc/firewalld directly
- The graphical firewall-config tool
- The firewall-cmd command-line client in a terminal
Note: this article covers only the firewall-cmd command.
Install and enable the firewalld service
First, update the installed packages to their current versions.
$ sudo yum update -y
firewalld is part of a default CentOS 7 installation. If it is missing from your system, install it with the following command:
$ sudo yum install firewalld -y
Start and enable the service using the following command
$ sudo systemctl start firewalld.service
$ sudo systemctl enable firewalld.service
Verify the status of the firewall service using the following command:
$ sudo firewall-cmd --state
$ sudo systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2020-04-18 22:39:56 IST; 2h 52min ago
 Main PID: 759 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Apr 18 22:39:56 localhost.localdomain systemd: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.
firewalld ships with several predefined zones and services for different purposes, mainly to make firewall management easier.
With these zones and services, incoming traffic to the system is blocked in every zone except trusted unless a rule in the zone explicitly allows it; in the public zone, for example, only the ssh and dhcpv6-client services are allowed by default.
1. How to view all available zones in firewalld?
$ sudo firewall-cmd --get-zones
The output lists the predefined zones that ship with firewalld.
2. How to find out which zone is the default?
$ sudo firewall-cmd --get-default-zone
Output: public
The output shows that the public zone is the default zone. It can be changed to suit your requirements; example 6 below shows how.
3. How to list the active zones and the network interfaces attached to them?
$ sudo firewall-cmd --get-active-zones
Output:
public
  interfaces: enp1s0
The output shows that the public zone is active and bound to the enp1s0 network interface. An interface that has not been explicitly assigned to a zone is automatically placed in the default zone.
4. How to check which rules are in effect in the active public zone?
$ sudo firewall-cmd --list-all --zone=public
The output shows that the public zone is active and is the default zone, that the network interface enp1s0 is bound to it, and that the dhcpv6-client and ssh services are allowed through the firewall in this zone.
5. How to view the full configuration of every zone?
$ sudo firewall-cmd --list-all-zones
As in the previous example, the detailed configuration of each zone is printed, one block per zone. Run it yourself; the output is long.
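As an added example (not part of the original article), the following shell function condenses that long output into a one-line-per-active-zone summary of what each bound interface is exposed to, which is usually the question behind running the command. The function names are my own, and the sample output embedded in it is constructed to mimic the format firewalld 0.6 prints on CentOS 7.

```sh
#!/bin/sh
# Condense `firewall-cmd --list-all-zones` output into one line per active zone.
# Added example, not from the original article; the sample output below is
# constructed so the function can be exercised offline.

# exposure_report: reads --list-all-zones output on stdin and prints one line
# per zone whose header is marked "(active)", with its interfaces, services and
# ports. Inactive zones are skipped because nothing is bound to them.
exposure_report() {
  awk '
    function flush() {
      if (active)
        printf "%s interfaces=[%s] services=[%s] ports=[%s]\n", zone, iface, svc, ports
    }
    # zone header lines start in column 1, e.g. "public (active)" or "trusted"
    /^[^ \t]/ { flush(); zone = $1; active = ($2 == "(active)"); iface = svc = ports = ""; next }
    # property lines are indented; anchor on the exact key so that
    # "source-ports:" and "forward-ports:" are not mistaken for "ports:"
    /^[ \t]+interfaces:/ { sub(/^[ \t]+interfaces:[ \t]*/, ""); iface = $0 }
    /^[ \t]+services:/   { sub(/^[ \t]+services:[ \t]*/, "");   svc   = $0 }
    /^[ \t]+ports:/      { sub(/^[ \t]+ports:[ \t]*/, "");      ports = $0 }
    END { flush() }
  '
}

# Constructed sample in the layout firewalld 0.6 (CentOS 7) uses.
SAMPLE_LIST_ALL_ZONES='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client ssh
  ports: 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal (active)
  target: default
  interfaces: enp1s1
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  source-ports:

trusted
  target: ACCEPT
  interfaces:
  services:
  ports:'

# demo_report: runs the report over the constructed sample.
demo_report() {
  printf '%s\n' "$SAMPLE_LIST_ALL_ZONES" | exposure_report
}

# On a real host: sudo firewall-cmd --list-all-zones | exposure_report
```

On the sample, the report prints two lines (public and internal) and omits trusted, which has no interface bound to it. Feeding it the real command output shows at a glance which services and ports are reachable through each interface.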
6. How to change the default zone?
Before switching, check the current default zone.
$ sudo firewall-cmd --get-default-zone
The output shows that public is the default zone. Now change the default from public to work.
$ sudo firewall-cmd --set-default-zone=work
The command prints success. Verify it:
$ sudo firewall-cmd --get-default-zone
Output: work
Note that changing the default zone is both a runtime and a permanent change, and every interface that was in the old default zone only implicitly follows the new default zone, so check --get-active-zones afterwards.
7. How to move a network interface from one zone to another?
If the system has two network interfaces, say enp1s0 and enp1s1, both belong to the default zone unless assigned elsewhere. Move an interface to another zone with the following command. Without --permanent the binding lasts only until the next reload; with --permanent it is kept, and for interfaces managed by NetworkManager the zone is stored in the connection profile (ZONE= in the ifcfg file).
$ sudo firewall-cmd --zone=internal --change-interface=enp1s1
You can verify with the following command:
$ sudo firewall-cmd --get-active-zones
8. How to create a custom firewalld zone?
As noted above, the system-provided zone files live in /usr/lib/firewalld/zones and user-provided ones in /etc/firewalld/zones.
Create a custom zone file that allows the ssh and http services (ports 22 and 80). Note that there is no predefined service called apache; the web server service is named http (see the service list later in this article), and a zone that refers to an undefined service is reported as invalid when firewalld loads it.
The file must be saved under /etc/firewalld/zones in .xml format. The file name without the .xml suffix is the zone name, and zone names are limited to 17 characters.
$ sudo vi /etc/firewalld/zones/linuxtecksecure.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>linuxtecksecure</short>
  <description>For the enterprise domain.</description>
  <service name="http"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="22"/>
</zone>
The <port> entries duplicate what the http and ssh services already open; they are shown here only to illustrate the port syntax and can be left out.
Save and exit.
Reload firewall service:
$ sudo firewall-cmd --reload
Now check the available zones again:
$ sudo firewall-cmd --get-zones
Output: block dmz drop external home internal linuxtecksecure public trusted work
The new linuxtecksecure zone now exists and allows only the http and ssh services. After creating a zone file, the firewalld service must be reloaded before the zone becomes available.
Remember: after any change to an existing zone file, reload the firewalld service; until you do, the change has no effect on the running firewall.
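Hand-writing zone XML is error-prone, so as an added example (not part of the original article, and not a firewalld tool) here is a small shell function that generates a zone file like the one above from a service list and a port list and refuses names and port specs firewalld would reject. The function names are my own; the target directory is a parameter so the file can be generated in a scratch directory and reviewed before it is copied into /etc/firewalld/zones.

```sh
#!/bin/sh
# Generate a firewalld zone file from a service list and a port list.
# Added example, not from the original article and not part of firewalld.

# xml_escape: escape the three characters that would break an XML text node.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_zone_file DIR NAME DESCRIPTION "svc1 svc2 ..." "80/tcp 443/tcp ..."
# Writes DIR/NAME.xml. Fails without writing anything when NAME is empty,
# longer than 17 characters (firewalld's zone-name limit) or contains
# characters outside [A-Za-z0-9_-], or when a port spec is not
# NUMBER[-NUMBER]/tcp or NUMBER[-NUMBER]/udp.
write_zone_file() {
  dir=$1 name=$2 desc=$3 services=$4 ports=$5
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "write_zone_file: invalid zone name '$name'" >&2; return 1 ;;
  esac
  if [ ${#name} -gt 17 ]; then
    echo "write_zone_file: zone name '$name' exceeds 17 characters" >&2
    return 1
  fi
  for p in $ports; do
    case ${p%/*} in
      ''|*[!0-9-]*) echo "write_zone_file: bad port in '$p'" >&2; return 1 ;;
    esac
    case ${p#*/} in
      tcp|udp) ;;
      *) echo "write_zone_file: bad protocol in '$p'" >&2; return 1 ;;
    esac
  done
  {
    echo '<?xml version="1.0" encoding="utf-8"?>'
    echo '<zone>'
    echo "  <short>$name</short>"
    echo "  <description>$(xml_escape "$desc")</description>"
    for s in $services; do echo "  <service name=\"$s\"/>"; done
    for p in $ports; do echo "  <port protocol=\"${p#*/}\" port=\"${p%/*}\"/>"; done
    echo '</zone>'
  } > "$dir/$name.xml"
}

# Usage on a real host, assuming this file is saved as zonefile.sh (hypothetical
# name); reload afterwards so firewalld picks the new zone up:
#   sudo sh -c '. ./zonefile.sh; write_zone_file /etc/firewalld/zones linuxtecksecure "For the enterprise domain." "http ssh" ""'
#   sudo firewall-cmd --reload
```

Service names are not validated here because the set of valid services depends on the installed firewalld version; compare them against `firewall-cmd --get-services` before reloading.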
firewalld has a second building block called services. A service is a named bundle of ports (and optionally protocols and helper modules) that a zone can reference instead of listing ports by hand. Several predefined services appear in the default zone definitions:
- dhcpv6-client: the DHCPv6 client, udp port 546
- ssh: the SSH server, tcp port 22
- samba-client: Windows file and printer sharing (client side), udp ports 137 and 138
- ipp-client: the IPP print client, udp port 631
- mdns: multicast DNS for link-local service discovery, udp port 5353
1. How to list all available services in firewalld?
$ sudo firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
2. How to list the services enabled in a specific zone?
$ sudo firewall-cmd --zone=work --list-services
Output: dhcpv6-client ssh
The output shows that only two services are enabled in the work zone.
3. How to add an existing service to the default area?
$ sudo firewall-cmd --add-service=samba
In this example, I have added an existing service named samba to the default zone, which you can verify with the following command:
$ sudo firewall-cmd --zone=public --list-services
Output: dhcpv6-client samba ssh
Similarly, a service can be added to a zone other than the default one by naming the zone:
$ sudo firewall-cmd --zone=internal --add-service=ftp
The two firewalld configurations: runtime and permanent
firewalld keeps two separate configurations: the permanent configuration (the files on disk) and the runtime configuration (the rules currently loaded in the kernel).
When firewalld starts, it loads the permanent configuration into the runtime configuration.
Any rule you add or change without further options goes to the runtime configuration only: it takes effect immediately but is not written to the permanent configuration, so it is lost at the next reload or restart.
To make a rule permanent, add the --permanent option. A --permanent change is written to disk but is not applied to the running firewall until the service is reloaded (or restarted).
1. How to permanently add a service?
$ sudo firewall-cmd --permanent --add-service=ftp
$ sudo firewall-cmd --reload
Remember: whenever you use the --permanent flag, reload the firewalld service afterwards so that the change becomes active.
2. How to migrate the runtime settings to the permanent configuration?
$ sudo firewall-cmd --runtime-to-permanent
A common workflow is to test rules in the runtime configuration first. Once they work, either repeat them with --permanent or use the command above to copy the entire runtime configuration into the permanent one in a single step. If the runtime rules turn out to be wrong, a reload (or restart) of the firewalld service discards them and returns the firewall to the permanent configuration.
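That test-then-commit workflow can be scripted so that a rule which fails its check never reaches the permanent configuration. The following is an added example, not from the original article: it opens a service at runtime, runs a check command, and then either commits the runtime state with --runtime-to-permanent or rolls it back with --reload. The FIREWALL_CMD variable, the function names and the host names in the usage comment are assumptions introduced here; FIREWALL_CMD exists so the logic can be exercised with a stub instead of a real firewalld.

```sh
#!/bin/sh
# Apply a runtime-only firewalld change, verify it, then commit or roll back.
# Added example, not from the original article. FIREWALL_CMD is an assumption
# introduced here: it names the command (or shell function) that stands in for
# firewall-cmd so the logic can run without root or a real firewalld.
fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# add_verified_service ZONE SERVICE CHECK_CMD [ARGS...]
# 1. opens SERVICE in ZONE in the runtime configuration only;
# 2. runs CHECK_CMD, which should exercise the path from outside the host
#    (a check run on the host itself goes over lo and never touches ZONE);
# 3. on success copies the runtime state into the permanent configuration;
#    on failure reloads, which discards every runtime-only change and
#    restores the permanent configuration.
# Note that --runtime-to-permanent and --reload act on the whole runtime
# configuration, not only on this rule.
# Returns 0 when committed, 1 when rolled back, 2 when firewall-cmd failed.
add_verified_service() {
  zone=$1 svc=$2
  shift 2
  fw --zone="$zone" --add-service="$svc" >/dev/null || return 2
  if "$@"; then
    fw --runtime-to-permanent >/dev/null || return 2
    echo "committed: $svc allowed in zone $zone"
    return 0
  fi
  fw --reload >/dev/null
  echo "check failed: $svc removed from zone $zone again" >&2
  return 1
}

# Example on a real host, run on the server: the check asks a client machine
# (hypothetical host 'client'; the server's hypothetical address is
# 203.0.113.10) to connect to the FTP control port through the firewall.
#   add_verified_service public ftp ssh client nc -z -w 5 203.0.113.10 21
```

For a rule that should only ever be temporary, --timeout (covered later in this article) is simpler, since firewalld removes it by itself; the pattern above is for rules that are meant to become permanent once proven.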
firewalld also lets you work with network ports directly. This allows ports to be opened and closed in the firewall even when no service definition exists for the software using them.
1. How to open the ports used by Samba in the public zone?
$ sudo firewall-cmd --zone=public --add-port=137/udp
$ sudo firewall-cmd --zone=public --add-port=138/udp
$ sudo firewall-cmd --zone=public --add-port=139/tcp
$ sudo firewall-cmd --zone=public --add-port=445/tcp
These commands open the ports Samba uses. Because samba is a predefined service, --add-service=samba (as in the services section above) opens the same ports with one command; adding ports individually is mainly useful for software that has no service definition.
$ sudo firewall-cmd --list-ports
Output: 137/udp 138/udp 139/tcp 445/tcp
After testing, if you want to keep these rules, either repeat the commands with the --permanent flag and reload the service, or use --runtime-to-permanent, which needs no reload because the rules are already active.
firewalld also has a useful timeout feature. It lets administrators add temporary rules to the runtime configuration, for example when a user needs to download a file from the server over FTP.
Since this is a one-off operation, no permanent rule is required.
Downloading the file may take only 2-5 minutes, depending on its size.
In this example the FTP service is allowed for 5 minutes, after which the rule is removed automatically.
$ sudo firewall-cmd --zone=public --add-service=ftp --timeout=5m
The timeout can be given in seconds (s), minutes (m) or hours (h). Timed rules are runtime-only, so --timeout cannot be combined with --permanent. Removing the rule stops new connections; a transfer already in progress continues, because firewalld accepts packets belonging to established connections before the zone rules are evaluated.
Thank you for taking the time to read! I hope this article helps you understand the basic usage of the firewall-cmd command through examples. If you liked it, please share it with others.