What Is firewall-cmd And How To Use It

Properly configuring the firewall is one of the most important tasks of any Linux system administrator. Firewalld is a complete firewall solution and an alternative to the iptables service that can be used for dynamically managing a system's firewall. It is used to protect your server from unwanted traffic. Firewalld is the default firewall management tool in the RHEL, CentOS and Fedora operating systems. firewall-cmd is the command-line client that ships with firewalld and is used for managing the firewall. Firewalld provides a dynamically managed firewall and has support for IPv4 and IPv6 firewall settings, ethernet bridges and IP sets.

In this tutorial, we will show you how to use firewalld using the firewall-cmd utility on CentOS 7.

Requirements

  • A server running CentOS 7.
  • A root password is configured on your server.

Let's check whether firewall-cmd exists on CentOS. Type firewall-cmd:

firewall-cmd
-bash: firewall-cmd: command not found

If you get the above error, firewalld is not installed and we need to install it. Install firewalld with yum using the following command:

yum -y install firewalld

Working with Firewalld Zones

Firewalld is a zone-based firewall; each zone can be associated with one or more network interfaces. You can configure each zone to allow or deny services with a different level of security.

By default, firewalld comes with a set of preconfigured zones. You can list all available zones with the following command:

firewall-cmd --get-zones

You should see the following output:

block dmz drop external home internal public trusted work

You can also see all zones by running the following ls command:

ls /usr/lib/firewalld/zones/

You should see the following output:

block.xml drop.xml     home.xml     public.xml  work.xml
dmz.xml   external.xml internal.xml trusted.xml

A detailed explanation of each zone follows:

  • block : This zone rejects all incoming network connections with an icmp-host-prohibited message.
  • dmz : This zone is publicly accessible, with limited access to your internal network.
  • drop : This zone drops all incoming network connections; only outgoing network connections are allowed.
  • external : This zone is used for the internal portion of a gateway, especially for routers.
  • home : This zone is useful for home computers such as laptops and desktops.
  • internal : This zone is used for internal networks when other systems on this network are trusted.
  • public : This zone is used in untrusted public areas.
  • trusted : This zone is used for dedicated servers connected to a WAN. Note that the trusted zone accepts all incoming network connections.
  • work : This zone is used for work machines where other systems on this network are trusted.

You can list your default zone with the following command:

firewall-cmd --get-default-zone

You should see the following output:

public

You can see more details about the public zone with the following command:

firewall-cmd --zone=public --list-all

You should see the following output:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

You can see the active zones and their associated interfaces with the following command:

firewall-cmd --get-active-zones

You should get the following output:

public
interfaces: enp0s3

If you want to change your default zone from public to external, run the following command:

firewall-cmd --set-default-zone=external

You can get a list of all available services using the following command:

firewall-cmd --get-services

Output:

 RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mongodb mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

You can list all services added to the public zone using the following command:

firewall-cmd --zone=public --list-services

Output:

dhcpv6-client ssh
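Listing a zone is only useful if you compare the result against what the host is supposed to expose. The script below is an added example and not part of the original tutorial: it parses the text that firewall-cmd --zone=ZONE --list-all prints and reports every service or port that is not in an approved baseline. The sample output, the baseline and the function names (list_all_field, unexpected_items, audit_zone) are all constructed for this example; only the POSIX shell and awk are needed, so it runs on a machine without firewalld.

```shell
# Added example, not part of the original tutorial: audit what a zone exposes
# by parsing `firewall-cmd --zone=ZONE --list-all` output and comparing the
# services and ports against an approved baseline.

# Constructed sample output, modelled on the public zone shown above but with
# two additions an administrator may not have expected: http and 8080/tcp.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources: 
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# list_all_field OUTPUT FIELD -> prints the values of FIELD (for example
# "services" or "ports"); prints an empty line when the field is blank.
list_all_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '
        { sub(/^[ \t]+/, "") }                 # drop the indentation
        index($0, f) == 1 { sub("^" f "[ \t]*", ""); print; exit }'
}

# unexpected_items ACTUAL BASELINE -> prints each item of ACTUAL that is not
# listed in BASELINE (both space-separated); prints nothing when all match.
unexpected_items() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                    # approved by the baseline
            *) printf '%s\n' "$item" ;;        # not in the baseline
        esac
    done
}

# audit_zone OUTPUT ALLOWED_SERVICES ALLOWED_PORTS -> prints one line per
# unexpected service or port; returns 1 if any was found, 0 otherwise.
audit_zone() {
    found=0
    for svc in $(unexpected_items "$(list_all_field "$1" services)" "$2"); do
        printf 'unexpected service: %s\n' "$svc"
        found=1
    done
    for port in $(unexpected_items "$(list_all_field "$1" ports)" "$3"); do
        printf 'unexpected port: %s\n' "$port"
        found=1
    done
    return $found
}

# On a live host replace SAMPLE_LIST_ALL with $(firewall-cmd --zone=public --list-all).
# The baseline below allows only SSH and the DHCPv6 client and no raw ports.
if audit_zone "$SAMPLE_LIST_ALL" "dhcpv6-client ssh" ""; then
    echo "public zone matches the baseline"
else
    echo "public zone exposes more than the baseline allows"
fi
```

Run it from cron or a configuration-management check and treat a non-zero exit as drift to investigate: a service that appears in the zone but not in the baseline is either an undocumented change or something to add to the baseline deliberately.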

After modifying zones or rules with the --permanent option, you will need to reload the firewalld daemon so the permanent configuration takes effect in the running firewall:

firewall-cmd --reload

Manage Firewalld Service

You can manage the firewalld service using the systemctl command.

To start the firewalld service, run the following command:

systemctl start firewalld

To stop the firewalld service, run the following command:

systemctl stop firewalld

To enable the firewalld service to auto-start at boot time, run the following command:

systemctl enable firewalld

To disable the firewalld service, run the following command:

systemctl disable firewalld

To get the status of the firewalld service, run the following command:

systemctl status firewalld

You should see the following output:

firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
  Active: active (running) since Fri 2019-12-13 22:51:27 EST; 1h 38min ago
    Docs: man:firewalld(1)
 Main PID: 2697 (firewalld)
  CGroup: /system.slice/firewalld.service
          └─2697 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Dec 13 22:51:23 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 13 22:51:27 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

To reload the firewall rules, run the following command:

firewall-cmd --reload

Allow Ports and Services in Firewalld

You can allow ports and services in firewalld using the firewall-cmd utility.

firewall-cmd add service

For example, you can allow http and https services permanently using the following command:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent

Next, reload firewalld so the permanent configuration takes effect, using the following command:

firewall-cmd --reload

You can now verify it with the following command:

firewall-cmd --list-services --permanent

You should see the following output:

dhcpv6-client ssh http https

firewall-cmd add port

To allow ports 21 and 25 in firewalld, run the following command:

firewall-cmd --zone=public --add-port=21/tcp --permanent
firewall-cmd --zone=public --add-port=25/tcp --permanent

Next, reload firewalld so the permanent configuration takes effect, using the following command:

firewall-cmd --reload

Next, verify the added ports with the following command:

firewall-cmd --list-ports --permanent

You should see the following output:

21/tcp 25/tcp

Deny Ports and Services in Firewalld

You can deny ports and services in firewalld using the firewall-cmd utility.

For example, you can deny http and https services permanently using the following commands:

firewall-cmd --zone=public --remove-service=http --permanent
firewall-cmd --zone=public --remove-service=https --permanent

firewall-cmd remove port

To remove ports 21 and 25 in firewalld, run the following command:

firewall-cmd --zone=public --remove-port=21/tcp --permanent
firewall-cmd --zone=public --remove-port=25/tcp --permanent

Next, reload firewalld so the permanent configuration takes effect, using the following command:

firewall-cmd --reload
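The add and remove commands above all carry --permanent and are followed by a reload, because firewalld keeps two configurations: a change made without --permanent is active immediately but is lost at the next reload or reboot, while a change made with --permanent is saved but stays inactive until firewall-cmd --reload. The script below is an added example, not part of the original tutorial, that detects drift between the two. The four sample outputs and the function names (only_in, drift_report, check_all) are constructed for this example; on a real host the variables would be filled from firewall-cmd --zone=public --list-services and --list-ports, each run with and without --permanent.

```shell
# Added example, not part of the original tutorial: detect drift between the
# runtime and the permanent configuration of a zone.
#   runtime only   -> active now, but disappears at the next reload/reboot
#   permanent only -> saved, but inactive until `firewall-cmd --reload`

# Constructed sample: http was added at runtime only; https and 25/tcp were
# added with --permanent but the daemon has not been reloaded yet.
RUNTIME_SERVICES='dhcpv6-client http ssh'
PERMANENT_SERVICES='dhcpv6-client https ssh'
RUNTIME_PORTS='21/tcp'
PERMANENT_PORTS='21/tcp 25/tcp'

# only_in A B -> prints the items of A (space-separated) that are absent from B
only_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# drift_report KIND RUNTIME PERMANENT -> one line per item present on only one
# side, labelled with the consequence; returns 1 on drift, 0 if both agree.
drift_report() {
    kind="$1"; rt="$2"; pm="$3"; drift=0
    for item in $(only_in "$rt" "$pm"); do
        printf '%s %s: runtime only, lost on next reload\n' "$kind" "$item"
        drift=1
    done
    for item in $(only_in "$pm" "$rt"); do
        printf '%s %s: permanent only, inactive until reload\n' "$kind" "$item"
        drift=1
    done
    return $drift
}

# check_all -> runs both reports; returns 0 only when nothing drifted.
# On a live host fill the variables first, for example:
#   RUNTIME_SERVICES=$(firewall-cmd --zone=public --list-services)
#   PERMANENT_SERVICES=$(firewall-cmd --zone=public --list-services --permanent)
check_all() {
    status=0
    drift_report service "$RUNTIME_SERVICES" "$PERMANENT_SERVICES" || status=1
    drift_report port "$RUNTIME_PORTS" "$PERMANENT_PORTS" || status=1
    return $status
}

if check_all; then
    echo "runtime and permanent configuration agree"
else
    echo "fix: re-add runtime-only items with --permanent, then run firewall-cmd --reload"
fi
```

A runtime-only entry is the more dangerous direction from an audit point of view: the host is accepting traffic that no saved configuration documents, and the opening silently closes (or, if it was a hardening change, silently reopens) at the next reload.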

Firewalld advanced rules

To forward TCP port 22 to 8088 on the same server, run the following commands:

firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=8088 --permanent
firewall-cmd --reload

You can forward http traffic from your server to the server hosted on IP 192.168.0.104 with the following commands. Forwarding to another host requires masquerading to be enabled in the zone, so it is added with --permanent as well; otherwise the reload would discard it:

firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=80:toaddr=192.168.0.104 --permanent
firewall-cmd --reload

If you want to allow access to FTP port 21 only from IP 192.168.0.100, run the following commands:

firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.0.100" port port=21 protocol=tcp accept'
firewall-cmd --reload
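A forward-port specification is easy to get subtly wrong, and firewall-cmd only reports syntax errors, not whether the zone is actually in a state where the forward will work. The script below is an added example, not part of the original tutorial: it parses a specification of the form --add-forward-port accepts (port=PORT:proto=PROTO:toport=PORT[:toaddr=ADDR]) and refuses a forward to another host when the zone's --list-all output reports masquerade: no, which is the dependency the tutorial satisfies with --add-masquerade. The two zone outputs and the function names (fwd_get, zone_masquerade, validate_forward) are constructed for this example, and it assumes toaddr is an IPv4 address.

```shell
# Added example, not part of the original tutorial: validate a forward-port
# specification before applying it. Forwarding to another host (toaddr) needs
# masquerading enabled in the zone; a local redirect (toport only) does not.
# Assumption: toaddr is IPv4. An IPv6 address contains colons and would need
# a different splitter than the one used in fwd_get.

# Constructed `--list-all` outputs for a zone without and with masquerading.
ZONE_NO_MASQ='public (active)
  target: default
  interfaces: enp0s3
  services: dhcpv6-client ssh
  masquerade: no
  forward-ports: '
ZONE_MASQ='public (active)
  target: default
  interfaces: enp0s3
  services: dhcpv6-client ssh
  masquerade: yes
  forward-ports: '

# fwd_get SPEC KEY -> value of KEY in the colon-separated SPEC, empty if absent
fwd_get() {
    printf '%s\n' "$1" | tr ':' '\n' | awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# zone_masquerade LIST_ALL_OUTPUT -> "yes" or "no" from the masquerade: line
zone_masquerade() {
    printf '%s\n' "$1" | awk '/^[ \t]*masquerade:/ { print $2; exit }'
}

# validate_forward SPEC LIST_ALL_OUTPUT -> returns 0 when the spec can be
# applied in that zone; otherwise prints the reason and returns 1.
validate_forward() {
    spec="$1"; zone_out="$2"
    port=$(fwd_get "$spec" port)
    proto=$(fwd_get "$spec" proto)
    toport=$(fwd_get "$spec" toport)
    toaddr=$(fwd_get "$spec" toaddr)
    # port must be a number or a range such as 8000-8010
    case "$port" in
        ''|*[!0-9-]*) echo "invalid or missing port: '$port'"; return 1 ;;
    esac
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) echo "unsupported protocol: '$proto'"; return 1 ;;
    esac
    if [ -z "$toport" ] && [ -z "$toaddr" ]; then
        echo "spec needs toport and/or toaddr"; return 1
    fi
    if [ -n "$toaddr" ] && [ "$(zone_masquerade "$zone_out")" != yes ]; then
        echo "toaddr=$toaddr needs masquerading, but the zone reports masquerade: no"
        return 1
    fi
    return 0
}

# Local redirect (the tutorial's 22 -> 8088) is fine without masquerading.
validate_forward 'port=22:proto=tcp:toport=8088' "$ZONE_NO_MASQ" && echo "local forward ok"
# Forward to another host is rejected until masquerading is enabled in the zone.
validate_forward 'port=80:proto=tcp:toport=80:toaddr=192.168.0.104' "$ZONE_NO_MASQ" \
    || echo "run firewall-cmd --zone=public --add-masquerade --permanent first"
```

On a live host, pass $(firewall-cmd --zone=public --list-all) as the second argument and only run --add-forward-port when validate_forward returns 0; the check costs nothing and catches the case where a forward is saved but never passes traffic.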

Conclusion

In the above tutorial, we learned what firewalld is, how to work with firewalld zones and how to manage the firewall with the firewall-cmd utility. I hope you now have enough knowledge to manage the firewall with firewall-cmd easily. Feel free to ask me if you have any questions.
