Basic firewalld firewall management
Last updated on: 2020-06-10
Authored by: Chris Silva
This article provides basic information about how to use the firewalld software firewall, which is the default firewall solution for RHEL® 7 and CentOS® 7 based Linux® distributions.
Note: If you need to make changes to your firewall on a RackConnect® server, you need to do this through your Dedicated Firewall Manager.
You need to have the following prerequisites:
- Basic understanding of Secure Shell (SSH®)
- Sudo or administrative access to your server
- A non-RackConnect Cloud Server running RHEL 7 or CentOS 7
What is firewalld?
The firewalld service is the default and most common software firewall solution used in RHEL 7 and CentOS 7. It is a wrapper around iptables that uses its own syntax to apply rules.
How does firewalld work?
The firewalld service uses zones to control firewall access. Zones are preconstructed rule sets for various trust levels. You typically have a zone for a given location or scenario, such as trusted. Each zone enables a different set of network services and incoming traffic types while denying everything else. After you enable firewalld for the first time, public is the default zone.
Here are some examples of zones:
|Zone|What it does|
|---|---|
| |This is the external zone or Internet-facing zone. You don't trust connections originating from the outside world and allow only specific services.|
| |This is traditionally the inside of the network behind the firewall.|
|dmz|This zone is for use on computers located in a DMZ (demilitarized zone). Only certain incoming connections can access the restricted internal network.|
| |Traffic destined for the|
Enabling and checking the status of firewalld
Before getting started, you need to make sure that firewalld is running on your server. You can check with the following command:
systemctl status firewalld
If the service is started, you should receive output indicating that the service is running.
If the service is not running, you can start the service by running the following command:
systemctl start firewalld
You can also enable firewalld to start on boot by running the following command:
systemctl enable firewalld
Before you add rules, you need to review your default settings in firewalld.
To check the default zone in firewalld, you can run the following command:
firewall-cmd --get-default-zone
By default, this zone is set to public. You can see the other zones by using the following command:
firewall-cmd --get-zones
This command lists the available zones in firewalld.
As noted previously, the different zones in firewalld have different functionality. You can specify the zone and ethernet controller connections to get more control over the access to your server, but for Rackspace purposes, you use the default configuration and modify the
firewalld rule anatomy
When you write a firewalld rule, you need a few basic items in the rule:
- Specify the command, firewall-cmd.
- Specify the zone and the change.
Putting all that together, you get something like the following example:
firewall-cmd --zone=public --add-source=127.0.0.1 --permanent
This command enables access from the IP 127.0.0.1 to the public zone. There are other available flags, but this is the basic construction of a firewalld rule.
Permanent flag and rich rules
The permanent flag controls rule persistence, and rich rules enable fine-tuning of rules.
A rule added with the permanent flag is written to the saved configuration but is not activated in the running configuration. A rule added without the flag takes effect immediately but is lost when firewalld reloads or the server reboots. To have a rule both active now and persistent, add it a second time with the permanent flag.
Permanent flag example (192.0.2.10 is a placeholder; substitute the address you want to trust):
firewall-cmd --add-source=192.0.2.10 --zone=trusted --permanent
Rich rules offer more control through granular options. Rich rules can configure logging, masquerading, port forwarding, and rate limiting.
Rich rules example:
firewall-cmd --add-rich-rule='rule family=ipv4 source address="220.127.116.11" port port="11" protocol=tcp accept' --permanent
Note: A mixture of rich rules and regular rules can lead to a messy configuration. Using only rich rules for certain rules, such as SSH access, can help keep your setup clean.
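As an added example, not part of the original article and not firewalld's own tooling, the following POSIX shell helpers put the permanent-flag rule and the rich-rule example above into practice. fw_set applies a change to the running configuration and then repeats it with --permanent; fw_compare and fw_drift report any line that appears in only one of a zone's two --list-all views, which is the symptom of a rule that was added one way but not the other. The helpers assume firewall-cmd is on the PATH; the function names, the FW_DRY_RUN variable, and the addresses 203.0.113.5 and 192.0.2.10 are assumptions and placeholders that do not come from the page.

```shell
#!/bin/sh
# Added example, not from the original article: apply a firewalld change to
# both the running and the permanent configuration, and detect drift between
# the two. Assumes firewall-cmd is on PATH. With FW_DRY_RUN=1 the commands are
# printed instead of executed, so the logic can be exercised off-box.

# Run firewall-cmd, or echo the invocation in dry-run mode.
fw_cmd() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# fw_set ZONE OPTION[=VALUE]...: change the runtime configuration first (takes
# effect now), then repeat the same change with --permanent so it survives
# firewall-cmd --reload and reboots. Either step failing returns non-zero.
fw_set() {
    zone=$1
    shift
    fw_cmd --zone="$zone" "$@" && fw_cmd --zone="$zone" "$@" --permanent
}

# fw_compare RUNTIME_TEXT PERMANENT_TEXT: given the --list-all output of one
# zone from both views, print each line that exists in only one of them.
# The first line is skipped because only the runtime header carries "(active)".
# Returns 0 when the views agree and 1 when there is drift.
fw_compare() {
    rt=$(printf '%s\n' "$1" | tail -n +2)
    pm=$(printf '%s\n' "$2" | tail -n +2)
    drift=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! printf '%s\n' "$pm" | grep -Fxq -- "$line"; then
            echo "runtime only:   $line"
            drift=1
        fi
    done <<EOF
$rt
EOF
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! printf '%s\n' "$rt" | grep -Fxq -- "$line"; then
            echo "permanent only: $line"
            drift=1
        fi
    done <<EOF
$pm
EOF
    return $drift
}

# fw_drift ZONE: fetch both views of ZONE from firewall-cmd and compare them.
fw_drift() {
    fw_compare "$(fw_cmd --zone="$1" --list-all)" \
               "$(fw_cmd --zone="$1" --list-all --permanent)"
}

# Typical use on a server (203.0.113.5 is a placeholder for the admin host).
# The narrower rich rule is added before the broad ssh service is removed, so
# the current session is never without an allowing rule:
#   fw_set public --add-rich-rule='rule family=ipv4 source address="203.0.113.5" port port="22" protocol=tcp accept'
#   fw_set public --remove-service=ssh
#   fw_drift public && echo "runtime and permanent configuration match"
```

fw_drift is the check worth running after any manual change: a clean result means a reload or reboot will leave the firewall as it is now. On firewalld versions that support it, firewall-cmd --runtime-to-permanent copies the whole runtime configuration into the permanent one in a single step and is an alternative to the second invocation inside fw_set.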
Finally, here are a few example firewall-cmd commands. In these examples, 192.0.2.10 and 192.0.2.0/24 are placeholder addresses:
|Command|What it does|
|---|---|
|firewall-cmd --zone=trusted --add-source=192.0.2.10|This command accepts traffic from the specified IP to the trusted zone.|
|firewall-cmd --zone=drop --add-source=192.0.2.0/24|This command drops traffic from the specified IP range.|
|firewall-cmd --zone=public --add-service=ssh|This command allows traffic via SSH on the public zone.|
|firewall-cmd --zone=public --list-all|This command lists all of the specifications set for the zone, such as sources, services, rich rules, and so on.|
|firewall-cmd --add-rich-rule='rule family=ipv4 source address="192.0.2.10" port port="22" protocol=tcp accept'|This command adds a rich rule to allow access from the specified IP on port 22 over TCP on the|
This document only scratches the surface of the possibilities with firewalld. You can review the man page for firewalld or review the official documentation for firewalld at https://firewalld.org/documentation/man-pages/firewall-cmd.html.