An Introduction to Firewalld in Redhat 7/CentOS 7


Firewalld in CentOS 7 || Redhat 7

A firewall controls incoming and outgoing traffic. Below is what is used in RHEL 6 and RHEL 7:

RHEL 6 and previous versions --> iptables
RHEL 7 --> firewalld and iptables

The firewall service changed in RHEL 7: the default firewall service is now firewalld. The iptables service can still be used instead, by disabling or uninstalling firewalld.

Firewalld advantages: with iptables, suppose 10 rules are loaded and the firewall is active. When an 11th rule is created and applied, the iptables service flushes the existing 10 rules and then reapplies all 11. In other words, it removes the old configuration and applies the new configuration.

Firewalld, by contrast, applies only the difference: it adds the 11th rule without flushing the rules that are already in place, so active connections are not reset by the change. This is the main advantage of firewalld.

These packages are installed by default in RHEL 7; verify them and start the service with:

# rpm -q firewalld
# rpm -q firewall-config
# systemctl start firewalld.service
# systemctl enable firewalld.service --> Enable does the same thing as chkconfig on (start at boot)
# firewall-config --> To open the graphical utility to configure the firewall
# firewall-cmd --get-active-zones --> To check the active zones
# firewall-cmd --get-services --> To list the predefined services firewalld knows about
# rpm -qc firewalld --> To list the firewalld config files
# cat /etc/firewalld/firewalld.conf --> Main config file; it holds settings such as the default zone
# firewall-cmd --zone=public --list-all --> To list all active services, ports and rich rules of the public zone
# firewall-cmd --permanent --zone=public --add-port=80/tcp --> To add a port

Note: without --permanent the change is made only to the runtime configuration; it is not persistent and is lost after a reboot (or a firewall reload). A --permanent change, in turn, only takes effect after a reload.

# firewall-cmd --reload --> To reload the firewall so permanent changes take effect
# firewall-cmd --zone=public --list-ports --> To list the ports of the public zone (shows 80/tcp)
# firewall-cmd --permanent --zone=public --remove-port=80/tcp --> To remove the added port from the public zone
# firewall-cmd --reload
# firewall-cmd --zone=public --list-ports
# firewall-cmd --zone=public --list-services --> To list the services of the public zone
# firewall-cmd --zone=public --add-service=ftp --> To add a service to the public zone
# firewall-cmd --zone=public --remove-service=ftp --> To remove a service from the public zone
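Since the list commands above are how you confirm what a zone actually exposes, here is an added example (not from the original article) that parses the output of firewall-cmd --zone=public --list-all and reports any service or port that is open but not on an approved allowlist. The sample output embedded in the script is constructed; on a real RHEL 7 host you would pipe the live command into audit_zone instead.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a firewalld zone for
# services and ports that are open but not on an approved allowlist.

# Constructed sample of `firewall-cmd --zone=public --list-all` output.
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client ftp
  ports: 80/tcp 8080/tcp
  masquerade: no
  forward-ports:
  rich rules:
'

# Print the value of a "key: v1 v2 ..." line from --list-all output on stdin.
list_all_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Print each item of field $1 (zone text on stdin) missing from allowlist $2.
unexpected_items() {
    allow=" $2 "
    for item in $(list_all_field "$1"); do
        case "$allow" in
            *" $item "*) ;;                  # approved entry
            *) printf '%s\n' "$item" ;;      # not on the allowlist
        esac
    done
}

# Audit a zone: $1 = allowed services, $2 = allowed ports (space separated),
# zone text on stdin. Prints "OK", or "DRIFT: ..." and returns 1.
audit_zone() {
    zone_text=$(cat)
    bad_services=$(printf '%s\n' "$zone_text" | unexpected_items services "$1")
    bad_ports=$(printf '%s\n' "$zone_text" | unexpected_items ports "$2")
    if [ -z "$bad_services" ] && [ -z "$bad_ports" ]; then
        echo "OK"; return 0
    fi
    printf 'DRIFT: services[%s] ports[%s]\n' "$(echo $bad_services)" "$(echo $bad_ports)"
    return 1
}

# On a RHEL 7 host (as root) run it against the live zone instead:
#   firewall-cmd --zone=public --list-all | audit_zone "ssh dhcpv6-client" "80/tcp"
printf '%s' "$SAMPLE_LIST_ALL" | audit_zone "ssh dhcpv6-client" "80/tcp" || true
```

Run from cron or a config-management check, a non-zero exit means the runtime zone has drifted from what was approved (for example a runtime-only --add-service that nobody made permanent, or one that was never meant to be there).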

If you need to block all incoming and outgoing connections at once, use panic mode:

# firewall-cmd --panic-on --> Drops every packet; the host can no longer ping anything (or be reached)
# firewall-cmd --query-panic --> Shows whether panic mode is active
# firewall-cmd --panic-off --> To turn panic mode off
# firewall-cmd --get-default-zone --> Shows the default zone

If the --zone=public option is omitted, the command applies the configuration to the default zone.

# firewall-cmd --set-default-zone=internal --> To set the default zone
# firewall-cmd --add-port={80/tcp,4000/tcp,8008/tcp} --> To add multiple ports (shell brace expansion)
# firewall-cmd --add-port=5000-5010/tcp --> To add a range of ports
# firewall-cmd --add-service={mysql,http,https} --> To add multiple services
The same entries can be removed with --remove-port / --remove-service instead of the --add-* option.
# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80 --> Traffic arriving on 8080 is redirected to 80
# firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=192.168.x.x --> Redirecting traffic to a different host
Note: forwarding to a different host only works when masquerading is enabled on the zone (firewall-cmd --add-masquerade).

Rich Rules:

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.x.x" accept'
--> Accepts all traffic from the given IP.
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.x.y" drop'
--> Drops all traffic from the given IP.
# firewall-cmd --list-rich-rules --> To list rich rules
# firewall-cmd --get-zone-of-interface eth0 --> To check the zone of the interface
# firewall-cmd --zone=public --list-interfaces --> To check the interfaces assigned to a particular zone
# firewall-cmd --zone=internal --change-interface=eth0 --> To move the interface to another zone

That's it for this article; hope you enjoyed it. Please share it if you found it useful.
