How to manage FirewallD (on CentOS 7 and all the other distros)


A firewall is a security system used to control network traffic going in and out of computers. Today we might take it for granted, but the firewall remains one of the most important security devices in our systems. Historically, the Linux firewall par excellence has always been IPtables; its rules, however, are quite difficult to master, hence the need for something new and more manageable. FirewallD is a relatively new system firewall employed by a growing number of distributions, mainly Red Hat-based ones, to secure, log and manage network access. On top of that, it aims to ease firewall management.

FirewallD and IPtables, which is better?

One of the most common concerns about FirewallD is how it compares with the other big player in the field: Iptables. The answer is pretty simple: they don’t.

Both firewalls are built to perform the same actions in different ways, but under the hood FirewallD interfaces with IPtables, and both of them ultimately rely on Netfilter in the Linux kernel. So there’s really no reason to prefer one or the other if we exclude manageability.

Writing an IPtables rule is a difficult task for many Linux administrators, and mastering IPtables rules takes more than just skimming a manual. FirewallD, on the other hand, is easy to use and comes with many different improvements over IPtables. Getting started with FirewallD takes a matter of minutes; for easy tasks there’s no need to know any complicated rule-set.

Getting to know FirewallD

Although FirewallD was born to simplify firewall management compared to raw IPtables rules, it might look intimidating at first:

  • Services
  • Ports
  • Zones
  • Interfaces
  • Sources
  • and more…

You will soon realize there is more to it than meets the eye. That is because FirewallD is modular and enables complex configurations using a predefined set of commands. But fear not: to get started you will only need a few commands. Near the end of the guide you will find advanced topics such as zones, interfaces and sources.

FirewallD management: starting

FirewallD, as you might guess from the last character, is a daemon: a persistent service that runs on Linux. In order to manage it using the commands described in this guide you will need to start FirewallD. In most distributions this is handled by systemD; if you’re using a different manager, please refer to your distribution’s documentation. If you’re using systemD (e.g. on CentOS 7) you can simply do:

# systemctl start firewalld

This will start the firewall. To verify that it is running you can do:

# firewall-cmd --state

Now that it is started you will be able to use firewall-cmd to manage it.

Reloading the firewall

The most common operation you will perform, excluding rule management, is reloading the firewall:

# firewall-cmd --reload

Stopping the firewall

Again, this operation is usually managed by systemD; if you’re using a different manager, please refer to your distribution’s documentation.

# systemctl stop firewalld

Enabling the firewall (start at boot)

Again, this operation is usually managed by systemD; if you’re using a different manager, please refer to your distribution’s documentation.

# systemctl enable firewalld

Into the CLI firewall jungle: firewall-cmd

Although FirewallD can be managed using graphical tools, it is mostly managed using the CLI through the firewall-cmd command. By using firewall-cmd you can tweak everything related to the firewall, from ports to zones.

A note on persistence
Most of the rules set using firewall-cmd are active immediately and do not survive a reboot.

In order to preserve a rule across reboots, you can add the --permanent flag:

# firewall-cmd --add-service=http --permanent

However, a rule applied using the --permanent flag will not be active immediately and will not appear in the current (runtime) firewall configuration. In order to “activate” it you can either repeat the same command without --permanent or do:

# firewall-cmd --reload

This command will reload the firewall and load the rules set with the --permanent flag. It also discards any runtime-only rules that were never saved with --permanent.
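
To spot the mismatch described in this note before a reload or reboot exposes it, the following added example (not part of the original guide) compares a runtime service list with a permanent one and reports what would be lost and what is still pending. The function names only_in and drift_report and the sample lists are made up for illustration.

```shell
#!/bin/sh
# Added example: compare firewalld's runtime and permanent configuration.
# Each argument is a space-separated list as printed by, for instance,
#   firewall-cmd --list-services              (runtime)
#   firewall-cmd --permanent --list-services  (permanent)

# only_in A B: entries of list A missing from list B, sorted, on one line.
only_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                 # whole-word match: http != https
            *) printf '%s\n' "$item" ;;
        esac
    done | sort | tr '\n' ' ' | sed 's/ *$//'
}

# drift_report RUNTIME PERMANENT: returns 0 when in sync, 1 on drift.
drift_report() {
    lost=$(only_in "$1" "$2")       # active now, gone after reload or reboot
    pending=$(only_in "$2" "$1")    # saved, not enforced until --reload
    if [ -z "$lost$pending" ]; then
        echo "in sync"
        return 0
    fi
    if [ -n "$lost" ]; then echo "runtime-only (lost on reload): $lost"; fi
    if [ -n "$pending" ]; then echo "permanent-only (needs --reload): $pending"; fi
    return 1
}

# Constructed sample: http was added without --permanent, samba only with it.
drift_report "dhcpv6-client ssh http" "dhcpv6-client ssh samba" || true
```

On a live system, pass the output of the two firewall-cmd commands named in the header comment; the same comparison works for --list-ports.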

Using services

The most common entity you’ll be dealing with when using FirewallD is the service. Services are convenient wrappers around ports. Remembering http rather than port 80 is better, isn’t it? Well, maybe most of you know that http uses port 80/tcp; but what about samba? Kerberos? There are countless programs using countless ports; for the most common ones FirewallD has services to quickly enable/disable network access.

Adding services

In order to open the ports associated with http you can simply do:

# firewall-cmd --add-service=http

Easy right? But what about complex services like samba?

# firewall-cmd --add-service=samba

Although samba uses many ports, one simple command will take care of this for you.

Removing services

What about removing services? Not a big deal:

# firewall-cmd --remove-service=samba

Listing active (enabled) services

In order to take a look at enabled services simply do:

# firewall-cmd --list-services
dhcpv6-client ssh

In this example ssh and the DHCPv6 client are enabled.

Listing available services (available, but not necessarily enabled)

If you’re wondering which services are installed (but not necessarily enabled), you can use the following command to get a comprehensive list of services:

# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

All the listed services can be used with the preceding commands.

Managing ports

If the application you’re trying to enable is not defined in a service, you can use ports just like any other firewall. Ports are defined using a number and a protocol.

Opening ports

To open a port you can simply do:

# firewall-cmd --add-port=80/tcp

This will open port 80 using TCP.

Closing ports

The procedure to close a port is similar:

# firewall-cmd --remove-port=80/tcp

Listing open ports

To list open ports simply do:

# firewall-cmd --list-ports

The ports listed by this command will not include service-related ports.

Port forwarding

Port forwarding isn’t a common setting for a firewall; it is far more popular in routers. Nevertheless, it comes in handy sometimes (especially if your Linux machine is a router). Port forwarding allows an administrator to redirect traffic arriving at one port to another port.

Adding forwarded ports

# firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022

Unlike the other common operations, port forwarding is a bit counterintuitive. Let’s break down the command:

  • --add-forward-port= is the actual command; ignore the = sign to avoid confusion.
  • port=22: is the port you want to forward from; the colon is just a separator within the command.
  • proto=tcp: is the protocol of the port from which the packets will be forwarded; again, notice the colon that delimits the end of the proto statement.
  • toport=2022 is the port to which all the traffic will be sent; notice the absence of the colon, since this is the last statement.

Removing forwarded ports

Removing a forwarded port is just as difficult as adding one: you have to rewrite the whole statement using a different command:

# firewall-cmd --remove-forward-port=port=22:proto=tcp:toport=2022

The only thing that changes is --add-forward-port=, which becomes --remove-forward-port=.
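
As an added example (not from the original guide), this script parses the port/proto/toport syntax broken down above and warns when a privileged port is redirected to a local unprivileged one, as in the 22 to 2022 rule. The function names valid_port and audit_forward are hypothetical, the sample specs are constructed, and only single ports (no ranges) are handled.

```shell
#!/bin/sh
# Added example: validate a forward-port spec and flag risky local redirects.
# Single ports only (no ranges); toaddr is accepted but not validated.

valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# audit_forward SPEC: prints one verdict line.
# Returns 0 = ok, 1 = warning, 2 = malformed.
audit_forward() {
    spec=$1 port='' proto='' toport='' toaddr=''
    # toaddr may be an IPv6 address containing colons, so peel it off first.
    case $spec in
        *:toaddr=*) toaddr=${spec##*:toaddr=}; spec=${spec%%:toaddr=*} ;;
    esac
    old_ifs=$IFS; IFS=:; set -f
    set -- $spec                    # split the remaining key=value fields
    set +f; IFS=$old_ifs
    for kv in "$@"; do
        case $kv in
            port=*)   port=${kv#port=} ;;
            proto=*)  proto=${kv#proto=} ;;
            toport=*) toport=${kv#toport=} ;;
            *) echo "malformed: unknown field '$kv'"; return 2 ;;
        esac
    done
    valid_port "$port" || { echo "malformed: bad port '$port'"; return 2; }
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "malformed: bad proto '$proto'"; return 2 ;;
    esac
    if [ -z "$toport" ] && [ -n "$toaddr" ]; then toport=$port; fi
    valid_port "$toport" || { echo "malformed: bad toport '$toport'"; return 2; }
    # Binding a port below 1024 needs privileges. Redirecting it to a local
    # port >= 1024 lets any local user listen there if the service is down.
    if [ -z "$toaddr" ] && [ "$port" -lt 1024 ] && [ "$toport" -ge 1024 ]; then
        echo "warn $port/$proto -> $toport: unprivileged users can bind the target"
        return 1
    fi
    echo "ok $port/$proto -> $toport${toaddr:+ on $toaddr}"
}

# Constructed samples: the page's rule, a mistyped protocol, a harmless redirect.
for s in port=22:proto=tcp:toport=2022 port=22:proto=tpc:toport=2022 \
         port=8080:proto=tcp:toport=9090:toaddr=; do
    audit_forward "$s" || true
done
```

To review existing rules, feed it one spec per line from firewall-cmd --list-forward-ports.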

FirewallD zones, sources and interfaces (advanced)

One peculiar entity in FirewallD is the zone. Generally speaking, zones are sets of services, ports, interfaces, sources and rules. All the rules, ports and services defined using the previously described commands used the default zone: public.

Understanding zones

Zones are a fundamental concept within the firewall. To understand how they work, imagine a real-world scenario:

You’re in your home. Of course your home is private and only a few people can access it, hence it is internal. Then you suddenly have to go outside to buy milk.
You head out into the streets, which are a public place, so you have to follow different rules compared to your own home.
Finally you reach the supermarket, which is another zone with different rules: since they had many robberies, no one can enter and you can’t buy milk.

Zones are abstractions made to simplify the management of multiple networks. When a packet enters the machine it is sorted into a particular zone, and only then are the rules associated with that zone applied.

Managing zones

To find your way around zones, you first need to know which zones are defined in your system:

# firewall-cmd --get-zones

This will list all the zones defined in your system. But what’s important here is to know which rules are defined within the zones:

# firewall-cmd --list-all-zones

The previous command will list everything in all the zones available, but that’s a bit too much information. What’s most important is to know what rules, interfaces and sources are defined within a given zone. To do so you can simply do:

# firewall-cmd --list-all --zone=public

Where public is the zone you want to inspect.

The --zone flag can be applied to most of the commands previously described (services, ports, forwarded ports) in order to apply rules to a certain zone only.

Understanding interfaces

Whenever a packet enters the machine, it must be sorted into a zone. Interfaces are a convenient way to sort all packets passing through a network interface into a zone. Interfaces use the same names as the network cards (e.g. eth0).

Adding an interface to a zone

Let’s say you want to move your eth0 interface to the trusted zone (which allows all traffic by default):

# firewall-cmd --change-zone=eth0 --zone=trusted

Now the traffic coming in from eth0 will be accepted by default without any filtering. Remember that you must use --permanent to make this change persist after a reboot.

Listing interfaces assigned to a zone

Although the --list-all command previously described will include interfaces, you can get only the interfaces by issuing:

# firewall-cmd --list-interfaces --zone=public

This will print all the interfaces assigned to the public zone.

Listing the zone to which an interface is assigned

In order to know which zone a given interface is assigned to you can do:

# firewall-cmd --get-zone-of-interface=eth0

Where eth0 is the name of the interface you want to know about.

Understanding sources

Interfaces are a good way to direct all the traffic through a set of rules but, most of the time, that will be too broad. Sources represent IP addresses that can be used to filter or allow packets through the zone. It is important to understand that sources, just like interfaces, are just a means of deciding which zone a packet will be sorted into. Neither sources nor interfaces decide whether to filter or allow a packet.

Adding a source to a zone

In order to add an IP to a zone simply do:

# firewall-cmd --add-source=<IP> --zone=trusted

This will place all the packets coming from <IP> into the trusted zone.

Listing sources of a zone

Although the --list-all command previously described will include sources, you can get only the sources by issuing:

# firewall-cmd --list-sources --zone=public

This will print all the sources assigned to the public zone.

Removing sources from a zone

In order to remove an IP from a zone simply do:

# firewall-cmd --remove-source=<IP> --zone=trusted

From now on all the packets coming from <IP> will no longer be placed in the trusted zone, although that may still happen depending on interfaces.
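
The way sources and interfaces sort a packet into a zone can be modelled in a few lines. This added example (not part of the original guide) applies firewalld's lookup order to IPv4 addresses: source binding first, then interface binding, then the default zone. The function names and the key=zone binding format are assumptions made for the example, and overlapping sources are resolved by first match in the order given, which is a simplification.

```shell
#!/bin/sh
# Added example: which zone does an incoming IPv4 packet land in?
# Lookup order modelled: source binding, then interface binding, then default.

ip_to_int() {                       # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -f
    set -- $1
    set +f; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                         # in_cidr IP NET[/LEN]
    net=${2%/*}; len=32
    case $2 in */*) len=${2#*/} ;; esac
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# zone_for SRC_IP IFACE DEFAULT_ZONE "SOURCE_BINDINGS" "INTERFACE_BINDINGS"
# Bindings are space-separated key=zone words (hypothetical format).
zone_for() {
    for b in $4; do
        if in_cidr "$1" "${b%%=*}"; then echo "${b#*=}"; return 0; fi
    done
    for b in $5; do
        if [ "${b%%=*}" = "$2" ]; then echo "${b#*=}"; return 0; fi
    done
    echo "$3"
}

# Constructed bindings: two sources and two interfaces.
SOURCES="10.0.0.0/8=internal 192.168.1.50=trusted"
IFACES="eth0=public eth1=dmz"
zone_for 192.168.1.50 eth0 public "$SOURCES" "$IFACES"   # source beats eth0
zone_for 203.0.113.7  eth1 public "$SOURCES" "$IFACES"   # no source: use eth1
zone_for 203.0.113.7  eth2 public "$SOURCES" "$IFACES"   # nothing bound: default
# With the source removed, an interface binding can still select "trusted".
zone_for 192.168.1.50 eth0 public "" "eth0=trusted"
```

The last call shows why removing a source is not enough on its own: check --get-zone-of-interface as well before assuming traffic has left the trusted zone.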

Image courtesy of mark | marksei
