Introduction

In this guide, we will explain the basics of the Firewalld tool. The Firewalld tool is used by default on CentOS 7.x and 8.x, but the tool can also be installed on other distributions of Linux.

Basic commands

With firewalld it is advised to use the firewall-cmd command. By default, this command only applies changes to your current running firewall. Upon reboot, any changes made will be lost. It is advised to use the option –permanent. This option will make sure that any changes made will be permanent.

[root@worldstream ~]# firewall-cmd --reload

In order to start the firewalld service the following command can be used:

[root@worldstream ~]# systemctl start firewalld

If you wish to make sure the firewalld service is also activated on boot the following command can be used:

[root@worldstream ~]# systemctl enable firewalld

In order to check if the firewalld service is running correctly you are able to use one of the following two commands:

[root@worldstream ~]# firewall-cmd --state
[root@worldstream ~]# systemctl status firewalld

Firewalld has a various list of pre-defined zones. In these zones, certain rules are pre-configured rules which represent a certain security level. When firewalld is enabled on the server by default Public will be the default zone. In order to show the current configuration for the Public zone which is the default zone the following command can be used:

[root@worldstream ~]# firewall-cmd --zone=public --list-all

The output of the command will look like the output below. By default, the service ssh is already allowed by firewalld.

[root@worldstream ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

With the following command you are able to show all zones that are configured and available for use:

[root@worldstream ~]# firewall-cmd --list-all-zones

Allowing services

This section explains how you are able to allow certain services with firewalld. In the below situation we will use the default zone Public and we will allow certain services. There are two file locations that are used in this process. Located at /usr/lib/firewalld/services you will find the pre-configured rule sets for certain services. At /etc/firewalld/services you will be able to create your own rule sets for services.

The following command can be used to show a list of available services:

[root@worldstream ~]# firewall-cmd --get-services

Below you will see various examples where services are added to the default public zone:

[root@worldstream ~]# firewall-cmd --zone=public --add-service=mysql --permanent
[root@worldstream ~]# firewall-cmd --zone=public --add-service=http --permanent
[root@worldstream ~]# firewall-cmd --zone=public --add-service=tftp-client --permanent

In the above commands you are able to change the –add-service to –remove-service. This will make sure that the rules for this service are removed.

How to secure your own connection to the server

In order to make sure that your own connection is allowed in firewalld the service ssh will need to be enabled. On the default zone Public ssh is enabled by default. However if ssh is not allowed, the following command can be used in order to allow ssh:

[root@worldstream ~]# firewall-cmd --zone=public --add-service=ssh --permanent

The second and last step is to add your public IP address you use at home or work. The following command can be used to add the IP to the Public zone:

[root@worldstream ~]# firewall-cmd --zone=public --add-source=[Your public IP addres]

In case firewalld is not the firewall tool you wish to use make sure to check out our articles on iptables and ufw.

If you are facing any difficulties with the configuration of firewalld feel free to contact us at my.ws.