CentOS 7 FirewallD Initial Setup
Published: 2014-07-26
I fired up my first CentOS 7 instance and there are a lot of new things that I’ve been avoiding learning. Namely, FirewallD. According to the wiki page:
firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces
tl;dr; it’s kind of an abstraction layer for your firewall stuff. For instance, you may notice after configuring some rules with firewall-cmd that when you run iptables -L, you see a bunch of rules that reflect your changes, without having to write iptables rules.
Anyway, this post is just going to cover a few quick commands to implement a very basic firewall for those new to FirewallD. Follow the bouncing ball.
As mentioned in the quote from the wiki page, FirewallD has a concept of zones.
$ sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work
$ sudo firewall-cmd --get-active-zones
public
  interfaces: eth0
FirewallD also knows about services. As you can see below, FirewallD knows about lots of services, but I only have three of them enabled/open.
$ sudo firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp
$ sudo firewall-cmd --zone=public --list-services
dhcpv6-client http ssh
Enabling a service is easy. Make sure to include the --permanent flag to make this persistent across reboots.
$ sudo firewall-cmd --permanent --zone=public --add-service=http
And of course, make sure this sucker’s going to be running on boot (WELCOME TO SYSTEMD HAVE A NICE DAY).
$ sudo systemctl enable firewalld
I always recommend a reboot to make sure your server comes up clean without your help.
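Here is the whole sequence from above pulled together into a small POSIX shell script. This is an added example, not code from the original post: it sets the default zone, opens only the services you list, and then runs firewall-cmd --reload, because a --permanent change only touches the on-disk config and does not change the running firewall until a reload (or the reboot the post recommends). The FIREWALL_CMD variable is an assumption of this example so the script can be dry-run or tested against a stub; on a real host leave it at the default of "sudo firewall-cmd". The verify function compares the zone's --list-services output against the set you expected, so you catch a service that is still open that you did not mean to leave open.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify a minimal
# FirewallD baseline on CentOS 7.
#
# FIREWALL_CMD is an assumed hook for this example only: it lets the script be
# pointed at a stub for testing. On a real host keep the default below.
FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"

# baseline_apply ZONE SERVICE...
#   Make ZONE the default zone, open each SERVICE permanently in it, then
#   reload so the permanent config also becomes the running (runtime) config.
baseline_apply() {
  zone="$1"; shift
  $FIREWALL_CMD --set-default-zone="$zone" || return 1
  for svc in "$@"; do
    # --permanent writes /etc/firewalld/zones/<zone>.xml; it is not live yet
    $FIREWALL_CMD --permanent --zone="$zone" --add-service="$svc" || return 1
  done
  # Without this, the new services stay closed until the next reboot
  $FIREWALL_CMD --reload || return 1
}

# baseline_verify ZONE "SERVICE SERVICE..."
#   Succeed only if ZONE currently opens exactly the listed services
#   (order-independent). Anything extra, such as a service enabled by
#   default that you did not ask for, makes this fail.
baseline_verify() {
  zone="$1"; expected="$2"
  actual=$($FIREWALL_CMD --zone="$zone" --list-services) || return 1
  actual_sorted=$(printf '%s\n' $actual | sort | tr '\n' ' ' | sed 's/ $//')
  expected_sorted=$(printf '%s\n' $expected | sort | tr '\n' ' ' | sed 's/ $//')
  [ "$actual_sorted" = "$expected_sorted" ]
}

# Usage on a real box (runs only when invoked directly with arguments):
#   sh firewalld-baseline.sh public http ssh
if [ "$#" -gt 0 ]; then
  zone="$1"; shift
  baseline_apply "$zone" "$@" || exit 1
  baseline_verify "$zone" "$*" || {
    echo "zone $zone opens more (or less) than: $*" >&2
    $FIREWALL_CMD --zone="$zone" --list-services >&2
    exit 1
  }
fi
```

If the verify step fails, the listing it prints tells you which service to remove with firewall-cmd --permanent --zone=public --remove-service=NAME, followed by another --reload. The dhcpv6-client service that the post shows as open by default is a common candidate to review on a host that is not using DHCPv6.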