Basic Firewalld Firewall Management

This article provides basic information about how to use your firewalld software firewall. This firewall is the default firewall solution for RHEL® 7 and CentOS® 7 based Linux® distributions.

📘

If you need to make changes to your firewall on a RackConnect® server, you need to do this through your Dedicated Firewall Manager.

Prerequisites

You need to have the following prerequisites:

  • Basic understanding of Secure Shell (SSH®)
  • Sudo or administrative access to your server
  • A non-RackConnect Cloud Server running RHEL 7 or CentOS 7

What is firewalld?

The firewalld service is the default and most common software firewall solution used in RHEL and CentOS 7. It is a wrapper on iptables that uses different syntax to apply new rules.

How does firewalld work?

The firewalld service uses zones to control the firewall access. Zones are preconstructed rule sets for various trust levels. You likely have a zone for a given location or scenario, such as home, public, or trusted. Different zones enable different network services and incoming traffic types while denying everything else. After you enable firewalld for the first time, public is the default zone.

Here are some examples of zones:

ZoneWhat it does
publicThis is the external zone or Internet-facing zone. You don't trust connections originating from the outside world and allow only specific services.
internalThis is traditionally the inside of the network behind the firewall.
dmzThis zone is for use on computers located in a DMZ (demilitarized zone). Only certain incoming connections can access the restricted internal network.
dropTraffic destined for the drop zone is dropped without any reply. Use this as a black hole for malicious IPs.
trustedtrusted accepts all connections. Use this zone sparingly.

Enabling and checking the status of firewalld

Before getting started, you need to make sure that firewalld is running on your server. You can check with the following command:

   firewall-cmd --state

If the service is started, you should receive output indicating the service is running.

If the service is not running, you can start the service by running the following command:

   systemctl start firewalld

You can also enable firewalld to start on boot by running the following command:

   systemctl enable firewalld

Zones in firewalld

Before you add rules, you need to review your default settings in firewalld.

To check the default zone in firewalld, you can run the following command:

   firewall-cmd --get-default-zone

By default, this zone is set to public. You can see other zones by using the following command:

   firewall-cmd --get-zones

This command lists the available zones in firewalld.

As noted previously, the different zones in firewalld have different functionality. You can specify the zone and ethernet controller connections to get more control over the access to your server, but for Rackspace purposes, you use the default configuration and modify the public zone.

Basic firewalld rule anatomy

When you write a firewalld rule, you need a few basic items in the rule.

  1. Specify the command.

  2. Specify the zone and change.

  3. Set persistence.

Putting all that together, you get something like the following example:

   firewall-cmd --zone=public --add-source=127.0.0.1 --permanent

This command enables access from the IP 127.0.0.1 to the public zone. There are other available flags, but this is the basic construction of a firewalld rule.

Permanent flag and rich rules

The permanent flag can set rule persistence and enable fine-tuning of rules by using rich rules.

Permanent flag

Using the permanent flag doesn't activate the rule in the running configuration. To ensure the rule persists, you need to add the rule a second time with the permanent flag.

Permanent flag example:

   firewall-cmd --add-source=12.345.67.89 --zone=trusted --permanent

Rich rules

Rich rules offer more control by having custom granular options. Rich rules can configure logging, masquerading, port forwarding, and rate limiting.

Rich rules example:

   firewall-cmd --add-rich-rule='rule family=ipv4 source address="123.45.69.78" port port="11" protocol=tcp accept' --permanent

📘

A mixture of rich rules and regular rules can lead to a messy configuration. Using only rich rules for certain rules, such as SSH access, can help keep your setup clean.

Example commands

Finally, here are a few examples of firewalld commands.

CommandWhat it does
firewall-cmd --add-source=12.345.67.89 --zone=trustedThis command accepts traffic from the specified IP to the trusted zone.
firewall-cmd --zone=drop --add-source=12.345.67.89/24This command drops traffic from the specified IP range.
firewall-cmd --zone=public --add-service=sshThis command allows traffic via SSH on the public zone.
firewall-cmd --zone=public --list-allThis command lists out all of the specifications set for the zone, such as sources, services, rich rules, and so on.
firewall-cmd --add-rich-rule='rule family=ipv4 source address="123.456.789.123" port port="22" protocol=tcp accept' --permanentThis command adds a rich rule to allow access from the specified IP on port 22 over TCP on the public zone.

Further reading

This document only scratches the surface of the possibilities with firewalld. You can review the man page for firewalld or review the official documentation for firewalld at https://firewalld.org/documentation/man-pages/firewall-cmd.html.