Everything you need to know about Firewalld

Tags: Security

Published on: September 13, 2019 by Albert Reilly

Everything you need to know about Firewalld


What is a firewall?

In real life, we can say a firewall is a barrier that’s put in place to limit the damage a fire can cause.

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting outward communication and to provide important logging and auditing functions.

Types of firewalls

Types of firewalls include packet-filtering firewalls, stateful inspection firewalls, proxy firewalls and next-generation firewalls (NGFWs).

  • Packet-filtering firewall :

When a packet passes through the firewall, its source and destination address, protocol and destination port number are checked. The packet is dropped if it does not comply with the firewall’s ruleset. It examines packets in isolation and does not know the packet’s context.

For example, if a firewall is configured with a rule to block Telnet access, then the firewall will drop packets destined for Transmission Control Protocol (TCP) port number 23, the port where a Telnet server application would be listening.

  • Stateful inspection firewall :

Dynamic packet-filtering firewalls maintain a table that keeps track of all open connections. When new packets arrive, the firewall compares information in the packet header to the state table and determines whether it is part of an established connection, if it is, then the packet is allowed through without further analysis. If the packet doesn’t match an existing connection, it is evaluated according to the rule set for new connections.

  • Proxy firewall :

Provide application layer filtering and can examine the payload of a packet and distinguish among valid requests, data and malicious code disguised as a valid request or data.

For example, it can allow or deny a specific incoming Telnet command from a particular user, whereas other firewalls can only control general incoming requests from a particular host.

  • A Next-Generation Firewall :

Uses a multi-layered approach and combine the capabilities of traditional enterprise firewalls including network address translation (NAT), Uniform Resource Locator (URL) blocking and virtual private networks (VPNs) with quality of service (QoS) functionality and features not traditionally found in firewall products. These products support intent-based networking by including Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, deep packet inspection(DPI) and reputation-based malware detection, as well as application awareness.

A properly configured firewall is one of the most important aspects of overall system security. Firewalld is a complete firewall solution that manages the system’s iptables rules. Starting with CentOS 7, firewalld replaces iptables as the default firewall management tool.

Basic Firewalld Concepts

Firewalld uses the concepts of zones and services, instead of iptables chain and rules. You can control what traffic is allowed or disallowed to and from the system based on the zones and services you’ll configure. Firewalld can be configured and managed using the firewall-cmd command line utility.

Installing and enabling Firewalld

Firewalld is installed by default on CentOS 7, but if it is not installed on your system, you can install the package by typing:

# yum install firewalld

Firewalld service is disabled by default. If you just installed or never activated before, the command will print not running otherwise you will see running. You can check the firewall status with:

# firewall-cmd --state

To start the firewalld service and enable it on boot type:

# systemctl start firewalld
# systemctl enable firewalld

Firewalld Zones

Zones are predefined sets of rules specifying what traffic should be allowed based on the level of trust on the networks your computer is connected to. You can assign network interfaces and sources to a zone.

Below are the zones provided by firewalld ordered according to the trust level of the zone from untrusted to trusted:

  • drop: All incoming connections are dropped without any notification. Only outgoing connections are allowed.
  • block: All incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6n. Only outgoing connections are allowed.
  • public: For use in untrusted public areas. You do not trust other computers on the network but you can allow selected incoming connections.
  • external: For use on external networks with NAT masquerading enabled when your system acts as a gateway or router. Only selected incoming connections are allowed.
  • internal: For use on internal networks when your system acts as a gateway or router. Other systems on the network are generally trusted. Only selected incoming connections are allowed.
  • dmz: Used for computers located in your demilitarized zone that will have limited access to the rest of your network. Only selected incoming connections are allowed.
  • work: Used for work machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
  • home: Used for home machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
  • trusted: All network connections are accepted. Trust all of the computers in the network.

View Default Zone

After enabling the firewalld service for the first time, the public zone is set as a default zone. To view the default zone, type in:

# firewall-cmd --get-default-zone

List Available Zones

To list all the available zones, use:

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Zones used by Network Interfaces

By default, all network interfaces are assigned the default zone. To check what zones are used by your network interfaces, type:

# firewall-cmd --get-active-zones
interfaces: eth0 eth1

Print Zone Configuration Settings

To print the zone configuration settings:

# firewall-cmd --zone=public --list-all
public (active)
   target: default
   icmp-block-inversion: no
   interfaces: eth1 eth2
   services: ssh dhcpv6-client
   masquerade: no
   rich rules:

We can see that the public zone is active and set as default, used by both eth1 and eth2 interfaces and connections related to the DHCP client and SSH are allowed.

Configurations of all Available Zones

To check the configurations of all available zones type:

# firewall-cmd --list-all-zones

Change the Interface Zone

You can easily change the Interface Zone by using the using --zone in combination with the --change-interface. The following command will assign the eth1 interface to the work zone:

# firewall-cmd --zone=work --change-interface=eth1

Verify the changes by typing:

# firewall-cmd --get-active-zones

   interfaces: eth1
   interfaces: eth0

Change Default Zone

To change the default zone use --set-default-zone followed by the name of the zone you want to make default.

# firewall-cmd --set-default-zone=home

Verify the changes with:

# firewall-cmd --get-default-zone

Firewalld services

Firewalld services are predefined rules that apply within a zone and define the necessary settings to allow incoming traffic for a specific service.

Firewalld uses two separated configuration sets, runtime, and permanent configuration.

The runtime configuration is the actual running configuration and it is not persistent on reboots. When the firewalld service starts it loads the permanent configuration which becomes the runtime configuration.

By default, when making changes to the firewalld configuration using the firewall-cmd utility the changes are applied to the runtime configuration, to make the changes permanent you need to use the –permanent flag.

With firewalld you can allow traffic for specific ports based on the services. To get a list of all default available services type:

# firewall-cmd --get-services

You can find more information about each service by opening the associated .xml file within the /usr/lib/firewalld/services directory. For example, the HTTP service is defined like this:

# cat /usr/lib/firewalld/services/http.xml

<?xml version="1.0" encoding="utf-8"?>
<short>WWW (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="80"/>

Allow Services

To allow incoming HTTP traffic for interfaces in the public zone, only for the current session, type:

# firewall-cmd --zone=public --add-service=http

If you are modifying the default zone you can leave out the --zone flag.

You can verify the service was added successfully use the --list-services flag:

# firewall-cmd --zone=public --list-services

ssh dhcpv6-client http

Allow Services Permanently

If you want to keep the port 80 open after a reboot you’ll need to type the same command once again but this time with the --permanent flag:

# firewall-cmd --permanent --zone=public --add-service=http

Use the --list-services along with the --permanent flag to verify your changes:

# firewall-cmd --permanent --zone=public --list-services
ssh dhcpv6-client http

Removing Services

For removing a service use --remove-service instead of the --add-service flag. To remove the http service from the public zone permanent configuration use:

# firewall-cmd --zone=public --remove-service=http --permanent

Open a Port

If you are running an application for which there is no appropriate service available, you have two options – either open up the appropriate ports or define a new firewalld service.

To open port a port, say 2086 in the public zone for the current session which uses TCP, use the --add-port= flag.

# firewall-cmd --zone=public --add-port=2086/tcp

Protocols can be either TCP or UDP. To keep the port 2086 open after a reboot, add the rule to the permanent settings by running the same command using the --permanent flag.

List Added Ports

To verify that the port was added successfully use the --list-ports flag.

# firewall-cmd --zone=public --list-ports

Remove Added Ports

The syntax for removing a port is similar to adding a port. Just use --remove-port instead of the --add-port flag.

# firewall-cmd --zone=public --remove-port=2086/tcp

Creating new Firewalld Service

The default services are stored in the /usr/lib/firewalld/services directory. The easiest way to create a new service is to copy an existing service file to the /etc/firewalld/services directory which is the location for user-created services and modify the file settings.

/usr/lib/firewalld holds default configurations like default zones and common services. Avoid updating them because those files will be overwritten by each firewalld package update. /etc/firewalld holds system configuration files. These files will overwrite a default configuration.

# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/newservice.xml

Open the newly created newservice.xml file and change the short name and description for the service within the <short> and <description> tags. The most important tag you need to change is the port tag which defines the port number and protocol you want to open.

In the following example, we are opening ports 2086 UDP and 2085 TCP.

# vi /etc/firewalld/services/newservice.xml

<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
<description>This service is to open the ports 2086 and 2085</description>
<port protocol="udp" port="2086"/>
<port protocol="tcp" port="2085"/>

Save the file and reload the Firewalld service:

# firewall-cmd --reload

You can now use the newservice service in your zones same as any other service.

Forwarding Port

For forwarding traffic from one port to another port or address, first, enable masquerading for the desired zone using the --add-masquerade switch.

# firewall-cmd --zone=external --add-masquerade

To forward traffic from one port to another on the same server, for example, forward the traffic from port 80 to port 8080 on the same server, use:

# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080

To forward traffic to another server, for example, forward the traffic from port 80 to port 80 on a server with IP, use:

# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=

To forward traffic to another server on a different port, for example forwarding the traffic from port 80 to port 8080 on a server with IP

# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=

If you want to make the forward permanent just append the --permanent flag.

In this article, we have gone through how to configure and manage the Firewalld service on a CentOS system and some basic concepts of firewalld.

Secure your server

Category : Firewalls, Linux

Albert Reilly

Albert Reilly

Albert likes to explore and learn new things. He is hardworking, enthusiastic and is getting expertise in Linux administration, Networking and Security areas. He understands client requirements and is able to act accordingly. He has been working for 2 years with us.

You may also read:


Add new commentSIGN IN

Let's Connect


Your Cart

Cart is empty.

Send this to a friend