Red Hat CentOS Linux Firewalld

A firewall is a network security system, either hardware- or software-based, that uses rules to control incoming and outgoing network traffic.

Stateful firewalls

In order to recognize a packet’s connection state, a firewall needs to record all connections passing through it to ensure it has enough information to assess whether a packet is the start of a new connection, a part of an existing connection, or not part of any connection. This is what’s called “stateful packet inspection”.

Application-layer firewalls

As attacks against Web servers became more common, so too did the need for a firewall that could protect servers and the applications running on them, not merely the network resources behind them. Application-layer firewall technology enables firewalls to inspect and filter packets on any OSI layer up to the application layer, providing the ability to block specific content from protocols like HTTP, FTP, DNS, ...

Proxy firewalls

These also operate at the application layer, acting as an intermediary for requests from one network to another for a specific network application. A proxy prevents direct connections between the two sides of the firewall; both sides are forced to conduct the session through the proxy, which can block or allow traffic based on its rule set. A proxy service must be run for each type of Internet application the firewall will support, such as an HTTP proxy for Web services.

In Linux, the firewall is implemented by a kernel module called netfilter, which is managed through iptables rules. There are many interfaces and services for setting iptables rules, such as the iptables service, the firewalld service, ...

01. What is Firewalld:

FirewallD is a frontend controller for iptables used to implement persistent network traffic rules. It provides command-line and graphical interfaces and is available in the repositories of most Linux distributions. Working with FirewallD has two main differences compared to directly controlling iptables:

  1. FirewallD uses zones and services instead of chains and rules.
  2. It manages rulesets dynamically, allowing updates without breaking existing sessions and connections.

FirewallD is a wrapper for iptables that allows easier management of iptables rules; it is not an iptables replacement. While iptables commands are still available to FirewallD, it’s recommended to use only FirewallD commands with FirewallD.

02. Installing and running firewalld:

It is included by default with CentOS and Red Hat, but it may be inactive. Controlling it is the same as with other systemd units. If it is not installed, or you want to install it on your favorite Linux distribution such as Ubuntu, you can do so.

Install it on yum-based distributions (such as CentOS, Fedora, Red Hat, ...):

yum -y install firewalld

Install it on apt-based distributions (such as Ubuntu, Linux Mint, ...):

apt-get install firewalld -y

Enable and run firewalld

systemctl enable firewalld
systemctl start firewalld
systemctl status firewalld

03. Managing Firewalld:

You can manage firewalld rules using a command-line tool called firewall-cmd, which is our primary focus and may be the only option, especially on servers. There is also a GUI tool called firewall-config, which has a nice, simple GUI to manage everything.

firewall-config may not be installed by default; install it if required (available for yum and apt, depending on your distribution).

yum -y install firewall-config
apt-get install firewall-config -y

From now on, we will use the firewall-cmd command-line tool; once you understand it, the firewall-config GUI will be easy to use.

Firewalld Modes:

Runtime mode: rules apply immediately without any reload, but they are not persistent; they will be lost once you reload or restart the firewalld service or reboot the system. It is good for testing purposes.

Permanent mode: rules will not take effect until you reload or restart the firewalld service. They are persistent and will survive a reboot. Use the --permanent option with your command to make a rule permanent, then reload using --reload. It is your choice for production purposes.

04. Firewall-cmd basics:

Firewall-cmd is an easy command-line tool for managing firewalld rules. It uses action-based options (like --verb-object): for example, to get all available services use (--get-services), to add a service use (--add-service=), ...

To show all available services

[root@localhost ~]# firewall-cmd --get-services 
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[root@localhost ~]#

To show all zones and active zone with its interfaces

[root@localhost ~]# firewall-cmd --get-zones 
block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --get-active-zones 
public
  interfaces: eth0
[root@localhost ~]#

*You can press the Tab key twice for autocompletion to list all options, for example to show all --list- options:

[root@localhost ~]# firewall-cmd --list-
--list-all                          --list-lockdown-whitelist-uids
--list-all-zones                    --list-lockdown-whitelist-users
--list-forward-ports                --list-ports
--list-icmp-blocks                  --list-rich-rules
--list-interfaces                   --list-services
--list-lockdown-whitelist-commands  --list-sources
--list-lockdown-whitelist-contexts

It is self-explanatory, but the most used is --list-all, which shows the whole current configuration:

[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

As we see, we are in the public zone on interface eth0, and nothing is allowed except two services, dhcpv6-client and ssh. We will talk about the other rules soon.

To add a service or port (portNumber/protocol: 70/tcp, 88/udp, ...)
*Remember runtime and permanent.

[root@localhost ~]# firewall-cmd --add-service=http
success
[root@localhost ~]# firewall-cmd --add-port=55/tcp
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client http ssh
  ports: 55/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@localhost ~]# 

Now, what happens if the system is rebooted, the firewalld service is restarted, or the --reload option is used to reread the configuration? We will lose our new rules.

[root@localhost ~]# firewall-cmd --reload 
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@localhost ~]#

Did you notice? The service and port that we added previously are gone.
To make them persistent use --permanent; they will not take effect until we reload.

[root@localhost ~]# firewall-cmd --add-service=http --permanent 
success
[root@localhost ~]# firewall-cmd --add-port=55/tcp --permanent 
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@localhost ~]# firewall-cmd --reload 
success
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client http ssh
  ports: 55/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:
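
As an added example (not part of the original article), here is a small shell check for drift between the runtime and permanent configurations demonstrated above. The function names set_diff, fw_drift and fw_drift_live are hypothetical, and the sample lists are constructed from the session output in this article.

```shell
#!/bin/sh
# Added example (not from the original article): find firewalld drift between
# the runtime and permanent configurations of the default zone.

# set_diff LIST_A LIST_B: print each word of LIST_A that is absent from LIST_B.
set_diff() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                    # present in both lists
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# fw_drift KIND RUNTIME_LIST PERMANENT_LIST
#   runtime-only   : active now, lost on --reload, restart or reboot
#   permanent-only : saved, but not enforced until the next --reload
fw_drift() {
    for entry in $(set_diff "$2" "$3"); do
        printf 'runtime-only %s %s\n' "$1" "$entry"
    done
    for entry in $(set_diff "$3" "$2"); do
        printf 'permanent-only %s %s\n' "$1" "$entry"
    done
}

# fw_drift_live: compare the live firewall (needs root and a running firewalld).
fw_drift_live() {
    for kind in services ports; do
        fw_drift "$kind" \
            "$(firewall-cmd "--list-$kind")" \
            "$(firewall-cmd --permanent "--list-$kind")"
    done
}

# Constructed sample mirroring the article's session: http and 55/tcp were
# added without --permanent, so only the runtime configuration has them.
fw_drift services "dhcpv6-client http ssh" "dhcpv6-client ssh"
fw_drift ports "55/tcp" ""
```

On a real host, call fw_drift_live as root; no output means the runtime and permanent configurations match.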

Those were some basics about the firewall and opening services or ports. Please read these tutorials to learn more about Zones and services, Port-Forwarding and NAT, and Rich rules.

That is enough for now. I hope it was simple; thanks for joining me.
Enjoy!

 

 
