Blog Post

What is FirewallD (Linux Firewall)?

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.

Open Specific Port

Opening a port in firewalld is fairly straightforward, in the below example we allow traffic in from any source IP address to TCP port 80. First we modify the persistent configuration, then we reload firewall-cmd to load this change into the running configuration.

[root@centos7 ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@centos7 ~]# firewall-cmd --reload
success

If the –permanent flag is not specified, this will only change the running configuration but will not be saved. We can check the ports that are opened in the current default zone with ‘–list-ports’.

[root@centos7 ~]# firewall-cmd --list-ports
80/tcp

Should we wish to remove a port, we can use ‘–remove-port=’ instead. We can also open a range of ports in the same way.

[root@centos7 ~]# firewall-cmd --permanent --add-port=5900-7000/tcp
success

Open Predefined Service

Rather than manually specifying a port number to allow through the firewall, we can make use of a bunch of predefined services which may be easier. For example instead of opening TCP port 80, we can use the ‘http’ service.

[root@centos7 ~]# firewall-cmd --permanent --add-service=http
success
[root@centos7 ~]# firewall-cmd --reload
success

Now if we list the services that are accepted through the firewall, we will see http listed along with ssh and dhcpv6-client, which are allowed through by default.

[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client http ssh

This is a predefined service and can be found as an XML file in the /usr/lib/firewalld/services/ directory. Here’s what the http service we just used looks like.

[root@centos7 ~]# cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="80"/>
</service>

We can create custom services by copying one of these into the /etc/firewalld/services/ directory and then customizing it. The services in the /usr/lib/firewalld/services/ directory should NOT be modified, changes should be copied into /etc/firewalld/services/ followed by a reload of firewall-cmd to pick up the changes.

Disable firewalld

To disable firewalld, execute the following command as root or using sudo:

systemctl disable firewalld

Enable firewalld

To enable firewalld, execute the following command as root or using sudo:

systemctl enable firewalld

Stop firewalld

To stop (or deactivate) firewalld,execute the following command as root or using sudo:

systemctl stop firewalld

Start firewalld

To start (or activate) firewalld, execute the following command as root or using sudo:

systemctl start firewalld

Status of firewalld

To check the status of firewalld, execute the following command as root or using sudo:

systemctl status firewalld


Posted in Hosting Tips & Trickson Sep 19, 2017