Upload: vcp-muthukrishna

Post on 07-Apr-2017



How To Configure FirewallD on RHEL 7 or CentOS 7


Table of Contents

Overview
  Applies To
Firewall Rules – Configuration Methods
  Online Configurator
  Offline Configurator
Firewall Service Daemon Management – Commands
  Service Start
  Service Stop
  Service Restart
  Service Status
  Service Disable
  Service Enable
  Service Mask
  Service Unmask
Configure Firewall Rules
  Add Rule by Service Name
  Add Rule by Port
  Add Rule for Port Range
  Remove Rule by Service Name
  Remove Rule by Port
  Remove Rule for Port Range
  List Services – Firewall configurable
  List Zones – Firewall configurable
  List ICMP – Firewall configurable
  List All Rules Configured
  Reload Firewall Rules
  Add Rich Rule – HTTP Accept
  Add Rich Rule – HTTP Reject
  Remove Rich Rule – HTTP Reject
  Firewall Rule – Add ICMP Block
  Firewall Rule – Remove ICMP Block
  Query ICMP Block
  List ICMP Types
Converting Runtime to Permanent Rules
Firewall Zones
Predefined Configurations
Sample Firewalld Configuration Definition File


Overview

A firewall provides basic security for the server. It denies traffic to every port on the server except the ports and services that have been explicitly granted or approved for communication.

One of the major features of the firewall is blocking unwanted traffic. This can be done on the fly, without rebooting the server and without disrupting current connections.

Firewalld uses zones and services instead of chains and rules.

Rulesets can be managed dynamically: rules can be modified without breaking existing sessions and connections.

Applies To

CentOS 7, RHEL 7

Firewall Rules – Configuration Methods

Online Configurator

To configure firewall rules while the firewall is running (active state), execute the firewall-cmd command with the appropriate options.

Mode     Command        When to use
Online   firewall-cmd   Executed while the firewall is in the running state

Offline Configurator

To configure firewall rules while the firewall is not running (inactive state), execute the firewall-offline-cmd command with the appropriate options.

Mode      Command                When to use
Offline   firewall-offline-cmd   Executed while the firewall is turned off


Firewall Service Daemon Management – Commands

The firewalld service daemon controls the firewall state.

Service Start

To start the firewall daemon on the server, run the command:

systemctl start firewalld

Service Stop

To stop the firewall daemon on the server, run the command:

systemctl stop firewalld


Service Restart

To restart the firewall daemon on the server, run the command:

systemctl restart firewalld

Service Status

To check the current status of the firewall daemon, run the command:

systemctl status firewalld

Service Disable

To disable the firewall daemon so that it does not start automatically at system boot, run the command:

systemctl disable firewalld


Service Enable

To enable the firewall daemon to start automatically at OS boot, run the command:

systemctl enable firewalld

Service Mask

Masking the firewall daemon goes beyond disabling it: a masked service cannot be started manually either. To mask the firewalld service, run the command:

systemctl mask firewalld

Service Unmask

To unmask the firewall daemon and revoke the masking of the service, run the command:

systemctl unmask firewalld


Daemon Action                 Purpose
systemctl start firewalld     Start the daemon service
systemctl stop firewalld      Stop the daemon service
systemctl status firewalld    Check the status of the daemon service
systemctl enable firewalld    Enable the daemon service at OS startup
systemctl disable firewalld   Disable the daemon service at OS startup
systemctl mask firewalld      Mask the daemon service to prohibit all kinds of activation
systemctl unmask firewalld    Unmask the daemon service so that it can be activated again

Configure Firewall Rules

Before you start configuring firewall rules, be clear about which service, port or protocol you want to add to, or revoke from, the rules.

Add Rule by Service Name

To add a permanent rule by service name, run the command below:

Firewall Rule                                   Purpose
firewall-cmd --permanent --add-service=ssh      Open SSH service (port 22) access
firewall-cmd --permanent --add-service=smtp     Open SMTP service (port 25) access
firewall-cmd --permanent --add-service=http     Open HTTP service (port 80) access
firewall-cmd --permanent --add-service=https    Open HTTPS service (port 443) access


Add Rule by Port

To add a permanent rule by port and protocol type, run the command below:

Firewall Rule                                   Purpose
firewall-cmd --permanent --add-port=2222/tcp    Open TCP port 2222

Add Rule for Port Range

To add a permanent rule for a port range and protocol type, run the command below:

Firewall Rule                                        Purpose
firewall-cmd --permanent --add-port=5901-5905/tcp    Open the VNC port range 5901-5905 over TCP


Remove Rule by Service Name

To remove an existing permanent rule by service name, run the command below:

Firewall Rule                                      Purpose
firewall-cmd --permanent --remove-service=smtp     Revoke SMTP service access (port 25)

Remove Rule by Port

To remove an existing permanent rule by port and protocol type, run the command below:

Firewall Rule                                      Purpose
firewall-cmd --permanent --remove-port=2222/tcp    Revoke access to TCP port 2222


Remove Rule for Port Range

To remove an existing permanent rule for a port range and protocol type, run the command below:

Firewall Rule                                           Purpose
firewall-cmd --permanent --remove-port=5901-5905/tcp    Revoke VNC access for the port range 5901-5905 over TCP

List Services – Firewall configurable

To list the services that can be configured by name on the server, run the command below:

Firewall Rule                 Purpose
firewall-cmd --get-services   List the services that can be configured by service name


List Zones – Firewall configurable

To list the zones that can be configured on the server, run the command below:

Firewall Rule              Purpose
firewall-cmd --get-zones   List the zones that can be configured on the server

List ICMP – Firewall configurable

To list the ICMP types that can be configured on the server, run the command below:

Firewall Rule                  Purpose
firewall-cmd --get-icmptypes   List the ICMP types that can be configured on the server

List All Rules Configured

To list all the permanent firewall rules configured on the server, run the command below:

Firewall Rule                          Purpose
firewall-cmd --permanent --list-all    List the permanent rules (of the default zone unless --zone is given)


Reload Firewall Rules

Reload the firewall rules without changing the state of the firewall.

Firewall Rule           Purpose
firewall-cmd --reload   Reload the firewall and keep state information

Note: Reloading the firewall rules is mandatory after changing permanent rules (those added with --permanent); the modified rules are not active until the firewall is reloaded.
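The add-by-port, reload and verify steps above as one script, added here as an example and not part of the original guide: the port specification is checked before it reaches firewall-cmd, the permanent rule is applied, the firewall is reloaded and the port is queried. Function names and the zone "public" are assumptions; only apply_port_rules invokes firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original guide: check a port specification
# before it reaches firewall-cmd, plan the permanent add + reload + query
# sequence from the sections above, and optionally run it. Function names and
# the zone "public" are assumptions; only apply_port_rules calls firewall-cmd.

# validate_port_spec SPEC: 0 when SPEC is PORT/PROTO or LOW-HIGH/PROTO with
# PROTO tcp or udp, every port in 1-65535 and LOW <= HIGH; 1 otherwise.
validate_port_spec() {
    spec=$1
    case $spec in
        */tcp|*/udp) ;;
        *) return 1 ;;                 # missing or unsupported protocol
    esac
    ports=${spec%/*}
    case $ports in
        *-*) low=${ports%-*}; high=${ports#*-} ;;
        *)   low=$ports; high=$ports ;;
    esac
    for p in "$low" "$high"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

# plan_port_rules ZONE SPEC...: print the commands that open each SPEC
# permanently in ZONE, reload so the permanent rules take effect, then query
# each port so a rule that did not land is reported by a non-zero exit.
plan_port_rules() {
    zone=$1; shift
    for spec in "$@"; do
        validate_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
        echo "firewall-cmd --permanent --zone=$zone --add-port=$spec"
    done
    echo "firewall-cmd --reload"
    for spec in "$@"; do
        echo "firewall-cmd --zone=$zone --query-port=$spec"
    done
}

# apply_port_rules ZONE SPEC...: run the plan; 'sh -e' stops at the first
# failing command, including a query that says the port is still closed.
apply_port_rules() {
    plan=$(plan_port_rules "$@") || return 1
    printf '%s\n' "$plan" | sh -e
}

# Example: open TCP port 2222 and the VNC range 5901-5905 from the guide.
# apply_port_rules public 2222/tcp 5901-5905/tcp
```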

Add Rich Rule – HTTP Accept

Rich firewall rules are configured when additional complexity is needed. For example, you may want to open HTTP access only to a specific IP range, because the application is hosted for a specific department's use.

Firewall Rule:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" service name="http" accept'

Purpose: Add a rich rule that accepts HTTP access from the source IP range

The rule text is wrapped in single quotes so that the double-quoted values inside it reach firewalld unchanged.


Add Rich Rule – HTTP Reject

Configure a firewall rule to reject HTTP access from a specific IP range, where the application is hosted for a specific department's use.

Firewall Rule:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" service name="http" reject'

Purpose: Add a rich rule that rejects HTTP traffic from the source IP range

Remove Rich Rule – HTTP Reject

To remove the existing rich rule for that IP range, pass the same rule text to --remove-rich-rule:

Firewall Rule:
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.3.0/24" service name="http" reject'

Purpose: Remove the rich rule rejecting HTTP traffic from the source IP range
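The HTTP Accept and HTTP Reject rich rules above, built and applied by a script; this is an added example, not code from the original guide. It validates the source prefix and the action, and goes one step beyond the guide by also allowing the drop action. Function names are assumptions; only department_http_policy invokes firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original guide: build the HTTP Accept / HTTP
# Reject rich rules above with the quoting firewalld expects, after checking
# the source prefix and the action. Function names are assumptions; only
# department_http_policy calls firewall-cmd.

# valid_ipv4_cidr ADDR[/PREFIX]: dotted quad, optional prefix length 0-32.
valid_ipv4_cidr() {
    case $1 in
        */*) addr=${1%/*}; prefix=${1#*/} ;;
        *)   addr=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    n=0; old_ifs=$IFS; IFS=.
    for octet in $addr; do
        n=$((n + 1))
        case $octet in '') IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# rich_rule SOURCE SERVICE ACTION: the rule text, each value double-quoted
# as the rich language expects; ACTION limited to accept, reject or drop.
rich_rule() {
    src=$1; svc=$2; action=$3
    valid_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    case $action in
        accept|reject|drop) ;;
        *) echo "bad action: $action" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" service name="%s" %s\n' \
        "$src" "$svc" "$action"
}

# rich_rule_cmd add|remove ZONE SOURCE SERVICE ACTION: the firewall-cmd line,
# with the rule in single quotes so its double quotes reach firewalld intact.
rich_rule_cmd() {
    op=$1; zone=$2; shift 2
    rule=$(rich_rule "$@") || return 1
    printf "firewall-cmd --permanent --zone=%s --%s-rich-rule='%s'\n" \
        "$zone" "$op" "$rule"
}

# department_http_policy ZONE ALLOWED_CIDR REJECTED_CIDR: accept HTTP from
# the department subnet, reject it from the other one, then reload.
department_http_policy() {
    zone=$1; allowed=$2; rejected=$3
    cmd1=$(rich_rule_cmd add "$zone" "$allowed" http accept) || return 1
    cmd2=$(rich_rule_cmd add "$zone" "$rejected" http reject) || return 1
    printf '%s\n%s\nfirewall-cmd --reload\n' "$cmd1" "$cmd2" | sh -e
}

# department_http_policy public 192.168.2.0/24 192.168.3.0/24
```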


Firewall Rule – Add ICMP Block

To add a firewall rule that blocks ICMP echo-reply traffic, run the commands below (the second lists the blocks now in place):

firewall-cmd --add-icmp-block=echo-reply

firewall-cmd --list-icmp-blocks

Without --permanent this is a runtime rule; see Converting Runtime to Permanent Rules to keep it across a reload.

Firewall Rule – Remove ICMP Block

To revoke the firewall rule blocking ICMP echo-reply traffic, run the commands below:

firewall-cmd --zone=public --remove-icmp-block=echo-reply

firewall-cmd --list-icmp-blocks

Query ICMP Block

To query whether a specific ICMP block type is enabled, run the command below (it prints yes or no and exits with status 0 only when the block is enabled):

firewall-cmd --zone=public --query-icmp-block=echo-reply


List ICMP Types

To list the ICMP types that the firewall can filter, run the command below:

firewall-cmd --get-icmptypes

Converting Runtime to Permanent Rules

To convert all existing runtime firewall rules to permanent rules, run the commands below:

firewall-cmd --runtime-to-permanent

firewall-cmd --reload

Examples of runtime and permanent firewall rules:

Rule Type        Command
Runtime Rule     firewall-cmd --add-service=ssh
Permanent Rule   firewall-cmd --permanent --add-service=ssh

Firewall Zones

A firewall zone defines the level of trust for the network connections, interfaces and source addresses bound to it.

A zone combines services, ports, masquerading, ICMP filters and rich rules. To list the zones, run the commands below:

Firewall Rule                     Purpose
firewall-cmd --get-zones          List the available zones that can be configured on the server
firewall-cmd --get-active-zones   List the zones currently in use on the server, with the interfaces and sources bound to them


Predefined Configurations

Predefined firewalld services are stored in the /usr/lib/firewalld/services directory.

Predefined firewalld zones are stored in the /usr/lib/firewalld/zones directory.

Predefined firewalld icmptypes are stored in the /usr/lib/firewalld/icmptypes directory.

Sample Firewalld Configuration Definition File

Shown below is the sample configuration file for the DNS service.

cat /usr/lib/firewalld/services/dns.xml
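A custom service definition in the same XML layout as the predefined files above, added here as an example and not taken from the original guide or from dns.xml. It assumes the local definition directory /etc/firewalld/services, which firewalld reads in preference to the packaged directory; the service name, description and port are constructed, and only install_service invokes firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original guide: emit a custom service
# definition in the XML layout used by the predefined files under
# /usr/lib/firewalld/services, then install it under /etc/firewalld/services,
# the directory firewalld reads for local definitions (which take precedence
# over the packaged ones). Service name, description and ports are
# constructed for illustration; only install_service calls firewall-cmd.

# service_xml NAME DESCRIPTION PORT/PROTO...: print the definition; each
# port entry must be PORT/tcp or PORT/udp. DESCRIPTION must not contain
# XML special characters (no escaping is done here).
service_xml() {
    name=$1; desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for spec in "$@"; do
        case $spec in
            */tcp|*/udp) ;;
            *) echo "bad port spec: $spec" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# install_service NAME DESCRIPTION PORT/PROTO...: write NAME.xml into the
# local service directory (overridable through FIREWALLD_SERVICE_DIR),
# reload firewalld so it reads the new file, and confirm that the service
# is now offered by --get-services.
install_service() {
    name=$1
    dir=${FIREWALLD_SERVICE_DIR:-/etc/firewalld/services}
    xml=$(service_xml "$@") || return 1
    umask 022
    printf '%s\n' "$xml" > "$dir/$name.xml" || return 1
    firewall-cmd --reload >/dev/null || return 1
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$name"
}

# Example: a constructed admin interface on 8443/tcp; once installed it can
# be opened like any predefined service:
#   firewall-cmd --permanent --add-service=webapp-admin && firewall-cmd --reload
# install_service webapp-admin "Web application admin interface" 8443/tcp
```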