How to Enable and Use firewalld on CentOS 7

Introduction

Disabling the firewall in CentOS is sometimes necessary for testing purposes. For security reasons, running a firewall on a production server is a must. We cannot stress enough the importance of a properly configured firewall management tool.

In this tutorial, learn how to enable and use firewalld on CentOS 7.

Prerequisites

• A user with sudo privileges
• Access to a command line (Ctrl-Alt-T)
• A CentOS 7 machine

How To Check firewalld Status

Start by booting up your CentOS 7 server and checking whether firewalld is running. To do so, open the terminal (CTRL-ALT-T) and run the following command:

sudo systemctl status firewalld

There are several outputs you may receive.

Active: active (running)

If the output reads Active: active (running), the firewall is active. If you’re unsure whether the firewall manager started after a system reboot, consider issuing the following command:

sudo systemctl enable firewalld

That command configures the system to start the firewall after each server reboot.

Active: inactive (dead)

If the output reads Active: inactive (dead), the firewall is not running. Proceed to the How to Enable and Start firewalld section of the article.

Loaded: masked (/dev/null; bad)

The output might indicate that the service is inactive and masked. See the image below for further details.

Here, the firewalld service is being masked with a symlink. Admins may mask the service so other software packages wouldn’t activate it automatically. You MUST unmask the service before enabling it.

To unmask the firewalld service, run the following command:

sudo systemctl unmask --now firewalld

The output should indicate that the symlink has been removed.

You may now proceed to the How to Enable and Start firewalld section of the article.

How to Enable and Start firewalld

To enable the firewall on CentOS 7, run the following command as sudo:

sudo systemctl enable firewalld

After enabling the firewall, start the firewalld service:

sudo systemctl start firewalld

When the system executes the command, there is no output. Therefore, it is wise to verify whether the firewall has been activated successfully.

Check firewall status with:

sudo systemctl status firewalld

The output should indicate that firewalld is active and running.

Firewall Zones

Firewalld establishes ‘zones’ and categorizes all incoming traffic into said zones. Each network zone has its own set of rules based on which it accepts or declines incoming traffic.

In other words, zones govern over which packet is allowed and which is declined to function. This approach provides more flexibility compared to iptables as you can set different zones for the specific networks your device is connected to.

To view a full list of all available zones, type:

sudo firewall-cmd  --get-zones

For a fresh install, most likely you’ll get the following output:

Output
block dmz drop external home internal public trusted work

Those are the pre-configured zones. To verify which zone is set as the default one, run the following command:

sudo firewall-cmd --get-default-zone

Firewalld has provided a list of all pre-configured zones and zone descriptions. The list below is ordered according to the level of trust, from the least trusted to the most trusted.

drop: The lowest level of trust. All incoming connections are dropped without reply, and only outgoing connections are possible.

block: Similar to the one above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.

public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.

external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.

internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy, and some additional services are available.

dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.

work: Used for work machines. Trusts most of the computers in the network. A few more services might be allowed.

home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.

trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.

Verify Active Firewall Zone

To verify which zone is active, type:

sudo firewall-cmd --get-active-zones

The output indicates the active zone as well as the network interfaces governed by it. If you don’t configure it otherwise, the default zone is the only active zone.

Firewall Zone Rules

To see which rules are associated with the default zone, run the following command:

sudo firewall-cmd --list-all

Let’s consider all the listed elements and define them:

target: Default indicates that the zone is a default zone. It may also indicate that a zone is active. In the example above, the public zone is not active, as it does not have any network interface associated with it.

icmp-block-inversion: This is an optional element which inverts icmp-block handling.

interfaces: All network interfaces governed by this zone.

sources: Sources for this zone (IP addresses).

services: Displays allowed services. In the example above, it’s ssh dhcpv6-client. For a full list of services available through firewalld, run the firewall-cmd --get-services command.

ports: A list of ports allowed through the firewall. It is very useful for allowing services that are not defined in firewalld.

masquerade: If none, then IP masquerading is disabled. When enabled, it allows IP forwarding. This effectively means that your server would act as a router.

forward-ports: Shows a list of all forwarded ports.

source-ports: Lists all source ports and protocols relating to this zone.

icmp-blocks: Displays blocked icmp traffic.

rich rules: A list of all advanced rules associated to the zone.
To get a list of rules associated to a specific zone, add the --zone= parameter to the --list-all command. For example,

sudo firewall-cmd --zone=work --list-all

The command above will generate a list of rules associated to the work zone.

How to Change the Zone of an Interface

It is easy to reassign another zone to a network interface. Use the --zone flag to specify the zone and then add the --change-interface flag to specify the network interface.

sudo firewall-cmd --zone=home --change-interface=eth1

Verify whether the changes took effect:

firewall-cmd --get-active-zones

Firewalld should have applied the home zone on all traffic coming through the eth1 network interface.

Change the Default firewalld Zone

You can easily change the default zone. Use the --set-default-zone flag to indicate which zone you want to set as the default one. In the example below, we will set the work zone as the default one.

sudo firewall-cmd --set-default-zone=work

Upon changing the default zone, you should receive an output indicating that the change was successful. For further details, see the image above.

You may also verify the modification by running this command:

sudo firewall-cmd --get-default-zone

The output should display that the work zone is indeed the default one.

Conclusion

By following this tutorial, you should have been able to successfully check firewalld status, as well as enable and start the firewall on CentOS 7.

We also covered basic firewall concepts, such as zones. You also learned how to manipulate the usage of default firewalld zones as well as how to unmask the service. All important first steps to understanding how firewalld works on CentOS 7.