
Configuring the network firewall with FirewallD
Now you'll learn how to configure the networking firewall using FirewallD. Starting with CentOS 7, FirewallD replaces iptables as the default firewall configuration utility (although iptables is still used behind the scenes by FirewallD). Based on which zones and services you configure, you can increase the network security of your server by controlling what traffic is allowed or disallowed to and from the system.
Getting ready
This recipe requires a CentOS system with a working network connection. You'll also need administrative privileges provided by logging in with the root account.
How to do it...
This collection of commands will show you how to perform several basic configuration tasks using FirewallD's command-line client, firewall-cmd:
- To identify the currently active zones and which Ethernet devices are assigned to them, use the --get-active-zones flag:
  firewall-cmd --get-active-zones
- To temporarily change which zone a device is assigned to, use the --zone argument to specify the target zone and --change-interface to specify the Ethernet device:
  firewall-cmd --zone=public --change-interface=enp0s3
- To permanently assign a device to a zone, add a ZONE entry to the device's configuration file. This change will not take effect until the service has been restarted:
  vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
  ZONE="public"
- To identify the current configuration for a zone, use the --zone argument to specify the target zone and include --list-all:
  firewall-cmd --zone=public --list-all
- To allow traffic through the firewall, use the --add-service or --add-port arguments. Traffic for common services and protocols such as HTTP and SMTP can be allowed by name. The following adds the http service, which opens port 80 (the port used by Apache and other HTTP servers):
  firewall-cmd --zone=public --permanent --add-service=http
  Traffic can always be allowed directly given the port and network protocol. The following opens port 8080 to TCP traffic, another port commonly used to serve web content:
  firewall-cmd --zone=public --permanent --add-port=8080/tcp
- To disallow traffic that is currently allowed through the firewall, use the --remove-service or --remove-port arguments:
  firewall-cmd --zone=public --permanent --remove-service=http
  firewall-cmd --zone=public --permanent --remove-port=8080/tcp
- To reload the firewall after making a change, use --reload:
  firewall-cmd --reload
How it works...
The default installation of FirewallD makes several preconfigured zones available, for example, public, dmz, work, home, and trusted. Different interfaces can be assigned to different zones and have different rules applied. To see all of the available zones and their configuration, we can invoke firewall-cmd with the --list-all-zones flag:
firewall-cmd --list-all-zones
Most updates made to the firewall rules will take effect immediately but are temporary. We saw this earlier when we had to update the device's configuration file and restart the service to make a zone change permanent. This lets us experiment with different settings before finalizing the configuration. When configuring services and ports, the --permanent flag is used to make the changes permanent. If you don't provide the flag, the changes will take effect immediately but will only be temporary (they will not persist across a system reboot or a restart of the firewall service):
firewall-cmd --zone=public --permanent --remove-service=http
Named services are preconfigured port settings that are common to a specific network service and are available for our convenience. For example, SSH traffic commonly consists of TCP packets destined for port 22, so the ssh service reflects this. In the examples, we used the http service, which configured port 80, the standard port used to serve web pages. While assigning the port directly has the same effect, services provide convenient, human-readable names and should be used when possible. To get a list of all available services, use --get-services:
firewall-cmd --get-services
[Figure: firewall-cmd is a command-line client for configuring firewall rules]
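As an added check that is not part of the book's recipe, the script below audits a zone for the runtime-versus-permanent drift described above: it parses captured firewall-cmd --zone=public --list-all output (the two dumps embedded here are constructed samples, and the allowlists are assumed values) and reports entries that exist only at runtime, which vanish on reload, as well as entries that no allowlist sanctions.

```shell
# Added example, not the book's code: audit one FirewallD zone by comparing the
# runtime view (firewall-cmd --zone=public --list-all) with the permanent view
# (same command plus --permanent) and with an allowlist of what should be open.
# Both dumps below are CONSTRUCTED samples so the script runs offline; on a real
# host capture them with  RUNTIME=$(firewall-cmd --zone=public --list-all)  and
# PERMANENT=$(firewall-cmd --zone=public --list-all --permanent).
RUNTIME='public (active)
  target: default
  interfaces: enp0s3
  services: dhcpv6-client http ssh
  ports: 8080/tcp 2222/tcp
  masquerade: no'
PERMANENT='public
  target: default
  interfaces: enp0s3
  services: dhcpv6-client ssh
  ports: 8080/tcp
  masquerade: no'

# Print the value of one field ("services", "ports", ...) from a --list-all dump.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print each word of $1 that is absent from the space-separated list $2.
not_in_list() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# Entries open only at runtime: they disappear on --reload or on reboot.
runtime_only() {
    not_in_list "$(zone_field "$RUNTIME" "$1")" "$(zone_field "$PERMANENT" "$1")"
}

# Entries open at runtime that the allowlist given in $2 does not sanction.
unexpected() {
    not_in_list "$(zone_field "$RUNTIME" "$1")" "$2"
}

for field in services ports; do
    printf 'runtime-only %s: %s\n' "$field" "$(runtime_only "$field" | tr '\n' ' ')"
done
printf 'unexpected services: %s\n' "$(unexpected services 'dhcpv6-client ssh' | tr '\n' ' ')"
printf 'unexpected ports: %s\n' "$(unexpected ports '8080/tcp' | tr '\n' ' ')"
```

Run it from cron or a configuration-management check so that a port opened "just to test" without --permanent, or one that was never meant to be open at all, is noticed before it is forgotten.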
Note
Named services are defined as XML files under /usr/lib/firewalld/services. If you want to allow access for some traffic but a service isn't defined, and you would prefer to perform the configuration using a service instead of the port and protocol for the sake of readability, you can create a new service file in this directory. Copy an existing file as your starting point and modify it to suit your needs.
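An added example, not from the book, showing the shape of such a service file: a small shell generator that emits the XML from a name, a description and a list of PORT/PROTO specs (the webapp name, description and ports are made-up values). The demo writes to a temporary directory rather than /usr/lib/firewalld/services so it runs without root.

```shell
# Added example, not the book's code: emit a FirewallD named-service definition
# in the XML format of the files under /usr/lib/firewalld/services, so a custom
# port set can be opened with --add-service=NAME instead of raw --add-port.
# Usage: service_xml NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
service_xml() {
    name=$1; desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for spec in "$@"; do
        # Each spec uses the PORT/PROTO form that --add-port accepts (e.g. 8080/tcp).
        case $spec in
            [0-9]*/tcp|[0-9]*/udp) printf '  <port protocol="%s" port="%s"/>\n' \
                                       "${spec#*/}" "${spec%/*}" ;;
            *) echo "service_xml: bad port spec '$spec'" >&2; return 1 ;;
        esac
    done
    printf '</service>\n'
}

# Write NAME.xml into DIR. On a real host DIR is the services directory the book
# names; afterwards run "firewall-cmd --reload" and the new name is listed by
# "firewall-cmd --get-services".
write_service() {
    dir=$1; shift
    service_xml "$@" > "$dir/$1.xml"
}

# Demo into a temporary directory so this runs without root privileges.
demo_dir=$(mktemp -d)
write_service "$demo_dir" webapp "Internal web application" 8080/tcp 8443/tcp
cat "$demo_dir/webapp.xml"
```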
See also
For more information on working with FirewallD, refer to the following resources:
- RHEL 7 Migration Planning Guide: Security and Access Control (https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Migration_Planning_Guide/sect-Red_Hat_Enterprise_Linux-Migration_Planning_Guide-Security_and_Access_Control.html)
- FirewallD (http://fedoraproject.org/wiki/FirewallD)
- How To Set Up a Firewall Using FirewallD on CentOS 7 (https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7)