A firewall protects your system from unwanted traffic coming from outside networks. Free and commercial firewall tools are plentiful, including iptables, UFW, Juniper, pfSense and SonicWall.
Among them, FirewallD is a free firewall tool for the CentOS/RHEL/Fedora operating systems. It is a frontend controller for iptables and provides a command-line interface for implementing firewall rules. Compared to iptables, FirewallD uses zones and services instead of chains and rules, and it manages rulesets dynamically. FirewallD provides the firewall-cmd command-line tool to manage both the runtime and the permanent configuration.
Step 1: Install Firewalld
By default, FirewallD comes pre-installed on CentOS. If it is not installed, install it by running the following command:
dnf install firewalld -y
Once installed, start the FirewallD service and enable it to start at system reboot with the following command:
systemctl start firewalld
systemctl enable firewalld
You can also verify FirewallD’s status using the following command:
firewall-cmd --state
Output:
running
Step 2: Basic FirewallD Usage
FirewallD manages a set of rules using zones. Each zone has its own configuration to accept or deny packets depending on the level of trust you have in the networks your computer is connected to.
You can list all available zones using the following command:
firewall-cmd --get-zones
You should see the following list:
block dmz drop external home internal public trusted work
To get a list of all active zones, run the following command:
firewall-cmd --get-active-zones
You should see the following list:
public
  interfaces: eth0 eth1
You can show the default zone, which is applied to network connections and interfaces that have no zone assigned, using the following command:
firewall-cmd --get-default-zone
Output:
public
To change the default zone from public to home, run the following command:
firewall-cmd --set-default-zone=home --permanent
To display more information about a zone, run the following command:
firewall-cmd --info-zone public
You should get the following output:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
You can also list all available services by running the following command:
firewall-cmd --get-services
You should get the following output:
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
Step 3: Allow and Deny Ports with Firewalld
FirewallD provides the firewall-cmd command-line tool to add and remove ports on your system.
For example, to allow TCP ports 80 and 22 in the public zone, run the following command:
firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=22/tcp
Next, reload FirewallD so that the permanent configuration takes effect at runtime:
firewall-cmd --reload
Now, verify the added ports with the following command:
firewall-cmd --info-zone public
You should see the following output:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
You can also deny traffic by removing a port from the zone with the --remove-port option.
For example, to remove port 80 from the public zone, run the following command (then reload as before so the change takes effect):
firewall-cmd --zone=public --permanent --remove-port=80/tcp
Step 4: Allow and Deny Services with FirewallD
You can also allow and deny traffic by service name instead of by port with FirewallD.
For example, to allow the FTP service in the public zone, run the following commands:
firewall-cmd --zone=public --permanent --add-service=ftp
firewall-cmd --reload
You can deny or remove the FTP service from the public zone using the following commands:
firewall-cmd --zone=public --permanent --remove-service=ftp
firewall-cmd --reload
Step 5: Set Up IP Masquerading with FirewallD
IP masquerading is a method that allows the computers on a network with private IP addresses to communicate with the Internet using your server's public address. It is very useful when you want another computer to reach the Internet without buying additional IPs from your ISP.
Before setting up IP masquerading, check if masquerading is active or not with the following command:
firewall-cmd --zone=public --query-masquerade
You should see that IP masquerading is disabled in the public zone as shown below:
no
Now, enable IP masquerading with the following commands. Note that --permanent is required here: without it, the change is runtime-only and the reload that follows would discard it.
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload
You can also disable IP masquerading using the --remove-masquerade option (again with --permanent, so the reload does not revert the change):
firewall-cmd --zone=public --permanent --remove-masquerade
firewall-cmd --reload
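As an added example (not part of the original guide), the following bash script parses the --info-zone output format shown in Steps 2 and 3 and flags exposures a defender would want to review: cleartext services such as the FTP service from Step 4 allowed in the untrusted public zone, a port opened on top of a service that already covers it, and masquerading enabled in Step 5. The zone_field and audit_zone function names, the CLEARTEXT_SERVICES list and the embedded sample output are this example's own assumptions; the sample is constructed to match the page's layout, not captured from a real host.

```bash
#!/usr/bin/env bash
# Constructed sample in the layout of `firewall-cmd --info-zone public`
# (services list extended with ftp for the demonstration).
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh ftp
  ports: 80/tcp 22/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field OUTPUT FIELD -> prints the space-separated values of FIELD.
# The ^ anchor keeps "ports" from matching "source-ports"/"forward-ports".
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Services that carry credentials in cleartext; allowing them in an
# untrusted zone such as public is usually a misconfiguration.
CLEARTEXT_SERVICES="ftp telnet rsh pop3 imap"

# audit_zone OUTPUT -> prints one finding per line, returns 1 if any found.
audit_zone() {
    local out="$1" found=0 svc p
    for svc in $(zone_field "$out" services); do
        case " $CLEARTEXT_SERVICES " in
            *" $svc "*) echo "cleartext service exposed: $svc"; found=1 ;;
        esac
    done
    # 22/tcp is already covered by the ssh service; an explicit port
    # opening on top of it is redundant and easy to forget to remove.
    for p in $(zone_field "$out" ports); do
        [ "$p" = "22/tcp" ] && { echo "redundant port opening: $p (ssh service already allowed)"; found=1; }
    done
    [ "$(zone_field "$out" masquerade)" = "yes" ] && { echo "masquerade enabled in zone"; found=1; }
    return $found
}

# On a real host run: audit_zone "$(firewall-cmd --info-zone=public)"
if [ "${1:-}" = "--demo" ]; then audit_zone "$SAMPLE_ZONE"; fi
```

Run with --demo to audit the embedded sample; feed it the live output of firewall-cmd --info-zone=public for each active zone to review a real host.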
Conclusion
In the above guide, you learned how to use FirewallD to block unwanted traffic in your system. You should now be able to limit all unnecessary connections and protect your server from attackers. Try FirewallD on an Atlantic.Net VPS!