How to Setup Firewall on CentOS using FirewallD

Introduction

Setting up a firewall on your server can be one of the best defences against cyberattacks. It provides network security by blocking unwanted access to the server. It filters incoming and outgoing network traffic based on a set of user-defined rules.

A firewall provides an essential layer of security to the server. When combined with other measures, it can prevent attackers from accessing your servers in malicious ways. In general, the purpose of a firewall is to reduce or eliminate the occurrence of unwanted network communications while allowing all legitimate communication to flow freely. It mainly improves the security rules management by allowing configuration changes without stopping the current connections.

In this tutorial, we’re going to show you how to setup firewalld (firewall daemon) on CentOS. While there are many other firewall-related packages, we are going to use firewalld, a firewall management solution available for many Linux distributions. This allows you to configure maintainable rules and rule-sets that take into consideration your network environment.

Tutorial

Step 1 – Install firewalld

The firewalld is installed by default on some Linux distributions. However, you may need to install firewalld yourself if it is not installed on your server.

You may verify the status of the firewalld in your server using the command below:

systemctl status firewalld

If it is not installed on your server, you can install the package by using this command:

yum install firewalld

Step 2 – Enable and Reboot firewalld

After installing the firewalld, enable the service and reboot your server.

sudo systemctl enable firewalld

sudo reboot

After the server restarted, the firewall should be brought up, your network interfaces should be put into the zones you configured or fall back to the configured default zone, and any rules associated with the zone/s will be applied to the associated interfaces.

Step 3 – Verify If the firewalld is Running or Not

We can verify that the service is running and reachable by typing this command:

sudo firewall-cmd --state

The output of the command should be “running”. This indicates that our firewall is up and running with the default configuration.

Step 4 – Configure Zones

A firewall zone defines the trust level of the interface used for a connection. They are a group of rules managed by the firewalld daemon using entities.

Below are the predefined zones provided by FirewallD ordered according to the trust level (from least trusted to most trusted) of the zone:

• drop: The lowest level of trust. All incoming connections are dropped without any notification and outgoing connections are only allowed.
• block: Almost same like drop that only outgoing connections are allowed but in block, all incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6n.
• public: This represents untrusted public areas. You do not trust other computers on the network but you can allow selected incoming connections depending on the case.
• external: This is for use on external networks with NAT masquerading enabled when your system acts as a gateway or router. Only selected incoming connections are allowed.
• internal: For use on internal networks when your system acts as a gateway or router. Other systems on the network are generally trusted. Only selected incoming connections are allowed.
• dmz: Used for computers located in your demilitarized zone that will have limited access to the rest of your network. Only certain incoming connections are allowed.
• work: Used for work machines and trust most computers in the network. Only selected incoming connections are allowed.
• home: Used for home which generally implies that other computers on the network are generally trusted. Only selected incoming connections are allowed.
• trusted: This is the most open among the available options since all network connections are accepted. All of the computers in the network are trusted.

To get a list of the available zone types:

sudo firewall-cmd --get-zones

To view which zone is currently selected as the default:

sudo firewall-cmd --get-default-zone

To view the active zone (the zone that is controlling the traffic for our interfaces):

sudo firewall-cmd --get-active-zones

To view the default zone’s configuration, type the following command:

sudo firewall-cmd --list-all

Create Your Own Zones

Firewalld also allows you to define your own zones that are more descriptive of their function.

It is also important to add the new zone to the permanent firewall configuration which allows you to reload to bring the configuration into your running session. Type the command below:

sudo firewall-cmd --permanent --new-zone=office

Verify by typing:

sudo firewall-cmd --permanent --get-zones

Reload the firewall to bring these new zones into the running instance:

sudo firewall-cmd --reload

Step 5 – Allocate Service to a Zone

After successfully creating our zone, we can begin allocating the appropriate services and ports to our zone.

You can get a list of the available services with the --get-services option by typing the command below:

sudo firewall-cmd --get-services

To Add a New Service to a Zone

You can add a new and empty service using the --new-service altogether with the --permanent option:

sudo firewall-cmd --permanent --new-service=<service that you want to add>

To Add a Service to a Zone

For instance, if you are running a web server serving HTTPS traffic, we can allow this traffic for interfaces in our "public" zone and make it "permanent" by typing:

firewall-cmd --zone=public --permanent --add-service=https

Other sample services you can add in the firewall:

firewall-cmd --zone=public --permanent --add-service=http 

firewall-cmd --zone=public --permanent --add-service=mysql

To verify that the operation was successful, input the following command:

sudo firewall-cmd --zone=public --list-services

Step 6 – Configure Appropriate Ports

To list all ports allowed in firewall:

sudo firewall-cmd --zone=public --list-ports

Opening Ports in Firewall

To open up ports, specify the port or port range, and the associated protocol for the ports you need to open in the zone. See commands below:

sudo firewall-cmd --zone=public --add-port=14000/udp

sudo firewall-cmd --zone=public --add-port=6001/tcp

We can verify that this was successful using the --list-ports operation by typing:

sudo firewall-cmd --zone=work --list-ports

To make this port addition permanent and present even after reloading, type the command below:

sudo firewall-cmd --zone=public --permanent --add-port=14000/udp 

sudo firewall-cmd --zone=public --permanent --add-port=6001/tcp 

To verify the added ports, run the command below:

sudo firewall-cmd --zone=work --permanent --list-ports

History

• 14^th May, 2019: Initial version