Configuring a Basic Firewall with firewalld RHEL7

In this CentOS 7 / Red Hat Enterprise Linux 7 tutorial we take a look at firewalld, the new way of configuring a basic firewall, and at its command-line tool firewall-cmd.

Netfilter

The Linux kernel has some powerful subsystems on board that allow kernel modules to interact with the rest of the system. One of those subsystems is the network filtering subsystem called netfilter. This netfilter subsystem is the main component for building a firewall on a CentOS 7 or Red Hat Enterprise Linux 7 system. The netfilter subsystem allows kernel modules to interact with every single network packet that the system receives or sends.

Firewalld

The firewalld system daemon is the new way of communicating with netfilter/iptables. This system daemon is used to configure and monitor the firewall rules on the system. firewalld divides all network traffic into zones, and rules decide which zone a packet is sent to. An example of such a rule is the source IP address of a packet.

There are a number of ways to interact with firewalld:

  • The command-line tool firewall-cmd
  • The graphical tool called firewall-config
  • Or by editing the configuration files under /etc/firewalld

Note: you need to restart or reload the firewalld daemon to make changes active.

Order of Checking

A packet is first checked on its source address: if that source address is bound to a specific zone, the rules of that zone are used. If there is no match on the source address, the incoming interface is checked for a configured zone, and the rules of that zone are used. If no zone matches, the default zone is used, which by default is the public zone. Of course the default zone can be changed to another zone if needed. More information about zones can be found in the manual using: man 5 firewalld.zone


# man 5 firewalld.zone
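The zone selection order described above (source address first, then incoming interface, then the default zone) is easy to get wrong when a host has both source and interface bindings. The following Python model is an added example, not code from the tutorial or from firewalld itself; the zone bindings in ZONE_SOURCES and ZONE_INTERFACES are constructed for illustration (on a real system they come from the zone files under /etc/firewalld/zones). It also accepts IPv6 sources, which the section does not show.

```python
"""Model of firewalld's zone selection order: source, then interface, then
default zone. Added example; bindings below are constructed."""
import ipaddress

# Constructed bindings, as if created with `firewall-cmd --add-source` and
# `firewall-cmd --add-interface` for each zone. Not taken from any real host.
ZONE_SOURCES = {
    "trusted": ["10.0.0.0/8"],
    "drop": ["203.0.113.0/24"],          # TEST-NET-3, constructed
    "block": ["2001:db8:bad::/48"],      # documentation prefix, constructed
}
ZONE_INTERFACES = {
    "internal": ["enp0s25"],
    "dmz": ["enp0s26"],
}
DEFAULT_ZONE = "public"


def zone_for_packet(src_ip, iface, default_zone=DEFAULT_ZONE,
                    sources=ZONE_SOURCES, interfaces=ZONE_INTERFACES):
    """Return (zone, reason) for a packet following firewalld's check order.

    1. a source binding covering src_ip wins over everything else,
    2. otherwise the zone the incoming interface is bound to,
    3. otherwise the default zone.
    """
    addr = ipaddress.ip_address(src_ip)
    for zone, nets in sources.items():
        for net in nets:
            # `in` is False when address and network versions differ,
            # so IPv4 packets never match an IPv6 binding and vice versa.
            if addr in ipaddress.ip_network(net, strict=False):
                return zone, f"source {src_ip} matches {net}"
    for zone, names in interfaces.items():
        if iface in names:
            return zone, f"interface {iface} is bound to the zone"
    return default_zone, "no source or interface binding, default zone"


def explain(packets, **kwargs):
    """Map each (src_ip, iface) pair to the zone that would handle it."""
    return {p: zone_for_packet(*p, **kwargs)[0] for p in packets}


if __name__ == "__main__":
    samples = [
        ("10.0.0.5", "enp0s25"),        # source wins over interface
        ("192.168.1.20", "enp0s25"),    # only the interface matches
        ("192.168.1.20", "eth9"),       # nothing matches: default zone
        ("2001:db8:bad::1", "enp0s26"),
    ]
    for pkt, zone in explain(samples).items():
        print(f"{pkt[0]:>18} via {pkt[1]:<8} -> {zone}")
```

The order matters for a defender: binding a trusted source to a permissive zone overrides any stricter zone the interface is in, so review source bindings before interface bindings when auditing a host.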

Firewall-cmd

As said before, the tool firewall-cmd can be used to interact with firewalld from the command line. You should note that unless you give the option --permanent you are changing the running configuration of firewalld only! Below you'll find some commonly used firewall-cmd examples and their output:


// Show the help
# firewall-cmd --help

Print predefined zones:


# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# 

List everything added for or enabled in all zones


# firewall-cmd --list-all-zones
(The output is too long, try it yourself!)

Print currently active zones


# firewall-cmd --get-active-zones 
public
  interfaces: enp0s25
#

Apply the configuration file and drop the runtime configuration


# firewall-cmd --reload
success
#

Add a service for a zone. The default zone is used unless you use --zone


// firewall-cmd --add-service=
# firewall-cmd --add-service=http
success
#

Remove a service from a zone. The default zone is used unless you use --zone


# firewall-cmd --remove-service=http
success
#

Bind a source to a zone. The default zone is used unless you use --zone


// firewall-cmd --add-source=
# firewall-cmd --add-source=127.0.0.1
success
# 

And remove a source


# firewall-cmd --remove-source=127.0.0.1
success
#

Bind an interface to a zone. The default zone is used unless you use --zone


// firewall-cmd --add-interface=
# firewall-cmd --add-interface=enp0s25 
Warning: ZONE_ALREADY_SET
#

Note: in this case we get a warning because there is only one NIC on the system and it is already bound to this zone.

Change the default zone, in this case to dmz


# firewall-cmd --set-default-zone=dmz
success
// And back to public
# firewall-cmd --set-default-zone=public
success
#

Take a look at the help of the firewall-cmd for the many other options you can use.

Configuration /etc/firewalld/ Directory

In the /etc/firewalld/ directory you’ll find the firewalld configuration files. The main configuration file is called: firewalld.conf.

Below you'll find the output of ls -l on the /etc/firewalld directory:


-rw-------. 1 root root 1026 Aug  4 19:52 firewalld.conf
drwxr-x---. 2 root root    6 Jun 10 09:19 icmptypes
-rw-r-----. 1 root root  267 Jun 10 09:19 lockdown-whitelist.xml
drwxr-x---. 2 root root    6 Jun 10 09:19 services
drwxr-x---. 2 root root   23 Jul 24 21:32 zones

As you can see there are also some other directories under this directory. With iptables everything is configured in the /etc/sysconfig/iptables file, but firewalld uses a set of XML files. For instance, in the zones directory you'll find a file public.xml with the following content:


<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the 
  other computers on networks to not harm your computer. 
  Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>

Now if you add a service, for instance http, it will be added to this file. (Note: you of course need to add the option --permanent to see it in the file.)


# firewall-cmd --add-service=http --permanent
success
# cat ./zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other 
  computers on networks to not harm your computer. 
  Only selected incoming connections are accepted. </description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
</zone>

To remove the service:


# firewall-cmd --remove-service=http --permanent
success
#
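Because --permanent changes end up in the zone files shown above, the file itself is a good place to audit what is exposed and what a change added. The following Python snippet is an added example, not part of the tutorial or of firewalld: it parses a zone file into its services, ports, sources and interfaces and diffs two snapshots of public.xml. The two XML strings are constructed copies of the before and after versions shown above, with one <source> element and a shortened description added to show those parts of the format (element names follow firewalld.zone(5)).

```python
"""Parse firewalld zone XML and diff two snapshots of a zone file.
Added example; the XML below is constructed, based on the tutorial's public.xml."""
import xml.etree.ElementTree as ET

# Constructed: public.xml before `firewall-cmd --add-service=http --permanent`.
PUBLIC_BEFORE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
"""

# Constructed: the same file after adding http, plus a source binding
# (as `--add-source=192.0.2.0/24 --permanent` would write; TEST-NET-2).
PUBLIC_AFTER = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <service name="ssh"/>
  <source address="192.0.2.0/24"/>
</zone>
"""

LIST_KEYS = ("services", "ports", "sources", "interfaces")


def parse_zone(xml_text):
    """Return a dict describing a firewalld zone file."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")   # honour the encoding declaration
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"not a firewalld zone file: root element is <{root.tag}>")
    return {
        "short": root.findtext("short", default=""),
        # `target` is optional in firewalld.zone(5); absent means "default".
        "target": root.get("target", "default"),
        "services": sorted(e.get("name") for e in root.findall("service")),
        "ports": sorted(f"{e.get('port')}/{e.get('protocol')}"
                        for e in root.findall("port")),
        "sources": sorted(e.get("address") for e in root.findall("source")),
        "interfaces": sorted(e.get("name") for e in root.findall("interface")),
    }


def diff_zone(before, after):
    """Report what a permanent change added to or removed from a zone."""
    changes = {}
    for key in LIST_KEYS:
        added = sorted(set(after[key]) - set(before[key]))
        removed = sorted(set(before[key]) - set(after[key]))
        if added or removed:
            changes[key] = {"added": added, "removed": removed}
    return changes


if __name__ == "__main__":
    old, new = parse_zone(PUBLIC_BEFORE), parse_zone(PUBLIC_AFTER)
    print("services now allowed in", new["short"] + ":", ", ".join(new["services"]))
    for key, delta in diff_zone(old, new).items():
        print(f"{key}: +{delta['added']} -{delta['removed']}")
```

Reading the file rather than the runtime state is deliberate: it shows what survives a firewall-cmd --reload, which is exactly the distinction between a runtime and a --permanent change made earlier in the tutorial.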

That’s all for this tutorial. By now you should know the basics of the new firewalld and firewall-cmd. Try to make some changes yourself and see what happens (also in the config files).


There is currently one response to “Configuring a Basic Firewall with firewalld RHEL7”


  1. coding on January 24th, 2015:

    Great tutorial on how to use the new firewall features of rhel7! Thx
