An Introduction to Firewalld

Reading Time: 5 minutes

In some ways, firewalld on systemd systems is easier to manage and configure than iptables. There are, for the most part, no long series of chains, jumps, accepts and denies that you need to memorize in order to get firewalld up and running in a basic configuration. The rules are simple and straightforward, but there is no reason you cannot still have all the power that iptables afforded.

firewalld uses the command line utility firewall-cmd to configure and manipulate rules. Before we get to configuring we need to make sure that the service is running. Using the systemctl command, you can enable, disable, start, stop, and restart the firewalld service. For most of these commands, there is no meaningful output from systemctl, to verify each of these, you should always check the status of firewalld.

 

Systemctl and Firewalld

Enable firewalld

This makes sure that firewalld will be started automatically with the server.

systemctl enable firewalld

Start firewalld

After the firewalld service is enabled, you’ll need to start it manually the first time. This is how you would manually start firewalld if it were not already running.

systemctl start firewalld

Stop firewalld

When troubleshooting rules and connection issues, you may need to stop the fireawlld service momentarily. You can stop the service with the following command.

systemctl stop firewalld

Restart firewalld

If for some reason you need to restart the service you can do that with the systemctl restart command.

systemctl restart firewalld

Firewalld status

Checking the status of the service gives us the most meaningful and informative output. Here you can see whether the service is enabled, running, failed, or anything else.

systemctl status firewalld

In this example output, you can see that the service is enabled, active and running on the server. If it was not running, or in a failed state this would be displayed.

[root@centos-7 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2019-01-22 22:50:32 EST; 1h 0min ago
Main PID: 808 (firewalld)
CGroup: /system.slice/firewalld.service
└─808 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

 

Managing Firewalld and Configuring Rules

Now that we have firewalld running we can get down to set the configuration. We can open ports, allow services, whitelist IPs for access and more. In all of these examples, we include the –permanent flag. This is important to make sure a rule is saved even after you restart firewalld, or reboot the server. Once you’re done adding new rules, you need to reload the firewall to make the new rules active.

Add a Port for TCP or UDP

You do have to specify TCP or UDP and to open a port for both you will need to add rules for each protocol.

firewall-cmd --permanent --add-port=22/TCP
firewall-cmd --permanent --add-port=53/UDP

Remove a Port for TCP or UDP

Using a slight variation on the above structure, you can remove a currently open port, effectively closing off that port.

firewall-cmd --permanent --remove-port=444/tcp

Add a Service

These services assume the default ports configured within the /etc/services configuration file, if you wish to use a service on a non-standard port you will have to open the specific port, as in the example above.

firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http

Remove a Service

As above, you specify the remove-service option, and you can close off the port that is defined for that service.

firewall-cmd --permanent --remove-service=mysql

Whitelist an IP Address

To whitelist or allow access from an IP or range of IPs, you can tell the firewall to add a trusted source.

firewall-cmd --permanent --add-source=192.168.1.100

You can also allow a range of IPs using what is called CIDR notation. CIDR is outside the scope of this article but is a shorthand that can be used for noting ranges of IP addresses.

firewall-cmd --permanent --add-source=192.168.1.0/24

Remove a Whitelisted IP Address

To remove a whitelisted IP or IP range, you can use the –remove-source option.

firewall-cmd --permanent --remove-source=192.168.1.100

Block an IP Address

As the firewall-cmd tool is mostly used for opening or allowing access, rich rules are needed to block an IP. Rich rules are similar in form to the way iptables rules are written.

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"

You can again use CIDR notation also block a range of IP addresses.

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' reject"

Whitelist and IP Address for a Specific Port (More Rich Rules)

We have to reach back to iptables and create another rich rule, however we are using the accept statement at the end to allow the IP access, rather than reject its access.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

Removing a Rich Rule

To remove a rich rule, use the option —remove-rich-rule, but you have to fully specify the rule being removed, so it is best to copy and paste the full rule, rather than try to type it all out from memory.

firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'

Saving Firewall Rules

After you have completed all the additions and subtractions of rules you need to reload the firewall rules to make them active. To do this, you again use the firewall-cmd tool but using the option –reload.

firewall-cmd --reload

Viewing Firewall Rules

After reloading the rules, you can confirm if the new rules are in place correctly with the following.

firewall-cmd --list-all

Here is an example output from the –list-all option, you can see that this server has a number of ports, and services open in the firewall along with a rich rule (that forwards one port to another).

[root@centos-7 ~]# firewall-cmd --list-all
public (default, active)
interfaces: enp1s0
sources: 192.168.1.0/24
services: dhcpv6-client dns http https mysql nfs samba smtp ssh
ports: 443/tcp 80/tcp 5900-5902/tcp 83/tcp 444/tcp 3260/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" forward-port port="5423" protocol="tcp" to-port="80"

 

 Bonus #1 :: Firewalld GUI Configuration 

While this article focuses mainly on the use of the command line utility firewall-cmd, there are graphical tools for working with firewalld rules. You can find these under Applications > Sundry menu on CentOS 7.x and RedHat 7.x servers that have graphical access to. To install this application, from command line, you can run the command:

sudo yum install firewall-config

From within the Firewall utility, you can more easily create and add more complex “Rich Rules” that would otherwise be much more tedious to do at the command line. Note that even in the graphical utility, you still need to specify that you are making a persistent rule with the permanent option.

 

 Bonus #2 :: Firewalld Direct Rules 

The direct rules are a special separate zone of rules and are intended to be a more “direct” way of interacting with the firewall. You can edit the rules in the /etc/firewalld/direct.xml file and reload the firewall to make those rules active. The rules look just like rich rules, or the older iptables style rules, but are written in an XML format.

The direct interface is mainly used by services or applications to add specific firewall rules. Below is an example of a block of rules from the firewalld manual pages. This particular example illustrates matching a set of source IP addresses against a rule chain called “blacklist.” This “blacklist” chain then says to log when the IPs are matched, and finally to drop the connections from those IPs.

<?xml version="1.0" encoding="utf-8"?>
<direct>
<chain ipv="ipv4" table="raw" chain="blacklist"/>
<rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule>
<rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j blacklist</rule>
<rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule>
<rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule>
</direct>

You can also interact with these rules through the command line utility firewall-cmd, but you will need to include the –direct flag to indicate that you are working with the direct rule set.

Further Reading:

https://fedoraproject.org/wiki/Firewalld

https://firewalld.org/documentation/man-pages/firewalld

 

Author Bio

About the Author: Mark Cunningham

Mark currently works as an Enterprise System Administrator, whose long-term goal is to actually turn his job into a series of tiny shell scripts. He also enjoys making things outside of cyberspace. You might find him woodworking, machining, or on a photography outing when not working on servers all day.

Here's 75 % off, Launch a New VPS Today. Find out why 30,000 customers have chosen our Best-in-Class Performance & 24x7 Heroic Support