{"id":3652,"date":"2017-12-07T16:47:54","date_gmt":"2017-12-07T16:47:54","guid":{"rendered":"https:\/\/qbytes.cloud\/?p=3652"},"modified":"2017-12-07T16:47:54","modified_gmt":"2017-12-07T16:47:54","slug":"set-firewall-using-firewalld-centos-7","status":"publish","type":"post","link":"https:\/\/www.qbytes.cloud\/index.php\/2017\/12\/07\/set-firewall-using-firewalld-centos-7\/","title":{"rendered":"How To Set Up a Firewall Using Firewalld on CentOS 7"},"content":{"rendered":"


\nTurning on the Firewall<\/p>\n

\n# sudo systemctl start firewalld.service\n<\/pre>\n
We can verify that the service is running and reachable by typing:<\/p>\n
\n# firewall-cmd --state\noutput\nrunning\n<\/pre>\n
We can see which zone is currently selected as the default by typing:<\/p>\n
\n# firewall-cmd --get-default-zone\noutput\npublic\n<\/pre>\n
\nfirewall-cmd --get-active-zones\noutput\npublic\ninterfaces: eth0 eth1\n<\/pre>\n
We can print out the default zone’s configuration by typing:<\/p>\n
\n# firewall-cmd --list-all\noutput\npublic (default, active)\n  interfaces: eth0 eth1\n  sources: \n  services: dhcpv6-client ssh\n  ports: \n  masquerade: no\n  forward-ports: \n  icmp-blocks: \n  rich rules:\n<\/pre>\n
Exploring Alternative Zones. To get a list of the available zones, type:<\/p>\n
\n# firewall-cmd --get-zones\noutput\nblock dmz drop external home internal public trusted work\n<\/pre>\n
We can see the specific configuration associated with a zone by including the –zone= parameter in our –list-all command:<\/p>\n
\n# firewall-cmd --zone=home --list-all\noutput\nhome\n  interfaces: \n  sources: \n  services: dhcpv6-client ipp-client mdns samba-client ssh\n  ports: \n  masquerade: no\n  forward-ports: \n  icmp-blocks: \n  rich rules:\n<\/pre>\n
You can output all of the zone definitions by using the –list-all-zones option. You will probably want to pipe the output into a pager for easier viewing:<\/p>\n
\n# firewall-cmd --list-all-zones | less\n<\/pre>\n
Selecting Zones for your Interfaces
\nUnless you have configured your network interfaces otherwise, each interface will be put in the default zone when the firewall is booted.<\/p>\n
Changing the Zone of an Interface for the Current Session<\/p>\n
You can transition an interface between zones during a session by using the –zone= parameter in combination with the –change-interface= parameter. As with all commands that modify the firewall, you will need to use sudo.<\/p>\n
For instance, we can transition our eth0 interface to the “home” zone by typing this:<\/p>\n
\n# sudo firewall-cmd --zone=home --change-interface=eth0\noutput\nsuccess\n<\/pre>\n
\n# firewall-cmd --get-active-zones\noutput\nhome\n  interfaces: eth0\npublic\n  interfaces: eth1\n<\/pre>\n
If the firewall is completely restarted, the interface will revert to the default zone:<\/p>\n
\nsudo systemctl restart firewalld.service\nfirewall-cmd --get-active-zones\noutput\npublic\n  interfaces: eth0 eth1\n<\/pre>\n
Changing the Zone of your Interface Permanently<\/p>\n
\n# sudo nano \/etc\/sysconfig\/network-scripts\/ifcfg-eth0\n<\/pre>\n
At the bottom of the file, set the ZONE= variable to the zone you wish to associate with the interface. In our case, this would be the “home” interface:<\/p>\n
\n\/etc\/sysconfig\/network-scripts\/ifcfg-eth0\n. . .\n\nDNS1=2001:4860:4860::8844\nDNS2=2001:4860:4860::8888\nDNS3=8.8.8.8\nZONE=home\n<\/pre>\n
Save and close the file.<\/p>\n
To implement your changes, you’ll have to restart the network service, followed by the firewall service:<\/p>\n
\nsudo systemctl restart network.service\nsudo systemctl restart firewalld.service\n<\/pre>\n
After your firewall restarts, you can see that your eth0 interface is automatically placed in the “home” zone:<\/p>\n
\n# firewall-cmd --get-active-zones\noutput\nhome\n  interfaces: eth0\npublic\n  interfaces: eth1\n<\/pre>\n
Adjusting the Default Zone<\/p>\n
\n# sudo firewall-cmd --set-default-zone=home\noutput\nhome\n  interfaces: eth0 eth1<\/pre>\n
Setting Rules for your Applications<\/p>\n
Adding a Service to your Zones<\/p>\n
The easiest method is to add the services or ports you need to the zones you are using. Again, you can get a list of the available services with the –get-services option:<\/p>\n
\nfirewall-cmd --get-services\noutput\nRH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https\n<\/pre>\n
You can get more details about each of these services by looking at their associated .xml file within the \/usr\/lib\/firewalld\/services directory. For instance, the SSH service is defined like this:<\/p>\n
\n\/usr\/lib\/firewalld\/services\/ssh.xml\n<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>SSH<\/short>\n  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.<\/description>\n  <port protocol="tcp" port="22"\/>\n<\/service>\n<\/pre>\n
You can enable a service for a zone using the –add-service= parameter.<\/p>\n
For instance, if we are running a web server serving conventional HTTP traffic, we can allow this traffic for interfaces in our “public” zone for this session by typing:<\/p>\n
\nsudo firewall-cmd --zone=public --add-service=http\n<\/pre>\n
You can leave out the –zone= if you wish to modify the default zone. We can verify the operation was successful by using the –list-all or –list-services operations:<\/p>\n
\nfirewall-cmd --zone=public --list-services\noutput\ndhcpv6-client http ssh\n<\/pre>\n
 We can make our “public” zone change permanent by typing:<\/p>\n
\n# sudo firewall-cmd --zone=public --permanent --add-service=http\n<\/pre>\n
You can verify that this was successful by adding the –permanent flag to the –list-services operation. You need to use sudo for any –permanent operations:<\/p>\n
\nsudo firewall-cmd --zone=public --permanent --list-services\noutput\ndhcpv6-client http ssh\n<\/pre>\n
Your “public” zone will now allow HTTP web traffic on port 80. Add https:<\/p>\n
\nsudo firewall-cmd --zone=public --add-service=https\nsudo firewall-cmd --zone=public --permanent --add-service=https\n<\/pre>\n
Adding Other ports
\nWe can verify that this was successful using the –list-ports operation:<\/p>\n
\nfirewall-cmd --list-ports\noutput\n5000\/tcp\n<\/pre>\n
It is also possible to specify a sequential range of ports by separating the beginning and ending port in the range with a dash. For instance, if our application uses UDP ports 4990 to 4999, we could open these up on “public” by typing:<\/p>\n
\n# sudo firewall-cmd --zone=public --add-port=4990-4999\/udp\nAfter testing, we would likely want to add these to the permanent firewall. You can do that by typing:\nsudo firewall-cmd --zone=public --permanent --add-port=5000\/tcp\nsudo firewall-cmd --zone=public --permanent --add-port=4990-4999\/udp\nsudo firewall-cmd --zone=public --permanent --list-ports\noutput\nsuccess\nsuccess\n4990-4999\/udp 5000\/tcp\n<\/pre>\n
Creating Your Own Zones
\nWhile the predefined zones will probably be more than enough for most users, it can be helpful to define your own zones that are more descriptive of their function.<\/p>\n
For instance, we could create the two zones we discussed above by typing:<\/p>\n
\nsudo firewall-cmd --permanent --new-zone=publicweb\nsudo firewall-cmd --permanent --new-zone=privateDNS\nYou can verify that these are present in your permanent configuration by typing:\n<\/pre>\n
\n# sudo firewall-cmd --permanent --get-zones\noutput\n<\/pre>\n
block dmz drop external home internal privateDNS public publicweb trusted work
\nAs stated before, these won’t be available in the current instance of the firewall yet:<\/p>\n
\nfirewall-cmd --get-zones\noutput\nblock dmz drop external home internal public trusted work\n<\/pre>\n
Reload the firewall to bring these new zones into the active configuration:<\/p>\n
\nsudo firewall-cmd --reload\nfirewall-cmd --get-zones\noutput\nblock dmz drop external home internal privateDNS public publicweb trusted work\n<\/pre>\n
Now, you can begin assigning the appropriate services and ports to your zones. It’s usually a good idea to adjust the active instance and then transfer those changes to the permanent configuration after testing. For instance, for the “publicweb” zone, you might want to add the SSH, HTTP, and HTTPS services:<\/p>\n
\nsudo firewall-cmd --zone=publicweb --add-service=ssh\nsudo firewall-cmd --zone=publicweb --add-service=http\nsudo firewall-cmd --zone=publicweb --add-service=https\nfirewall-cmd --zone=publicweb --list-all\noutput\npublicweb\n  interfaces: \n  sources: \n  services: http https ssh\n  ports: \n  masquerade: no\n  forward-ports: \n  icmp-blocks: \n  rich rules:\n<\/pre>\n
Likewise, we can add the DNS service to our “privateDNS” zone:<\/p>\n
\nsudo firewall-cmd --zone=privateDNS --add-service=dns\nfirewall-cmd --zone=privateDNS --list-all\noutput\nprivateDNS\n  interfaces: \n  sources: \n  services: dns\n  ports: \n  masquerade: no\n  forward-ports: \n  icmp-blocks: \n  rich rules:\n<\/pre>\n
We could then change our interfaces over to these new zones to test them out:<\/p>\n
\nsudo firewall-cmd --zone=publicweb --change-interface=eth0\nsudo firewall-cmd --zone=privateDNS --change-interface=eth1\n<\/pre>\n
At this point, you have the opportunity to test your configuration. If these values work for you, you will want to add the same rules to the permanent configuration. You can do that by re-applying the rules with the –permanent flag:<\/p>\n
\nsudo firewall-cmd --zone=publicweb --permanent --add-service=ssh\nsudo firewall-cmd --zone=publicweb --permanent --add-service=http\nsudo firewall-cmd --zone=publicweb --permanent --add-service=https\nsudo firewall-cmd --zone=privateDNS --permanent --add-service=dns\n<\/pre>\n
You can then modify your network interfaces to automatically select the correct zones.<\/p>\n
We can associate the eth0 interface with the “publicweb” zone:<\/p>\n
\nsudo nano \/etc\/sysconfig\/network-scripts\/ifcfg-eth0\n[label \/etc\/sysconfig\/network-scripts\/ifcfg-eth0\n. . .\n<\/pre>\n
\nIPV6_AUTOCONF=no\nDNS1=2001:4860:4860::8844\nDNS2=2001:4860:4860::8888\nDNS3=8.8.8.8\nZONE=publicweb\n<\/pre>\n
And we can associate the eth1 interface with “privateDNS”:<\/p>\n
\nsudo nano \/etc\/sysconfig\/network-scripts\/ifcfg-eth1\n\/etc\/sysconfig\/network-scripts\/ifcfg-eth1\n. . .\n\nNETMASK=255.255.0.0\nDEFROUTE='no'\nNM_CONTROLLED='yes'\nZONE=privateDNS\nAfterwards, you can restart your network and firewall services:\n<\/pre>\n
\nsudo systemctl restart network\nsudo systemctl restart firewalld\n<\/pre>\n
Validate that the correct zones were assigned:<\/p>\n
\nfirewall-cmd --get-active-zones\noutput\nprivateDNS\n  interfaces: eth1\npublicweb\n  interfaces: eth0\n<\/pre>\n
And validate that the appropriate services are available for both of the zones:<\/p>\n
\nfirewall-cmd --zone=publicweb --list-services\noutput\nhttp htpps ssh\nfirewall-cmd --zone=privateDNS --list-services\noutput\ndns\n<\/pre>\n
You have successfully set up your own zones. If you want to make one of these zones the default for other interfaces, remember to configure that behavior with the –set-default-zone= parameter:<\/p>\n
\nsudo firewall-cmd --set-default-zone=publicweb\n<\/pre>\n
To configure your firewall to start at boot, type:<\/p>\n
\nsudo systemctl enable firewalld\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
Turning on the Firewall # sudo systemctl start firewalld.service We can verify that the service is running and reachable by typing: # firewall-cmd –state output running We can see which zone is currently selected as the default by typing: # firewall-cmd –get-default-zone output public firewall-cmd –get-active-zones output public interfaces: eth0 eth1 We can print out … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[],"class_list":["post-3652","post","type-post","status-publish","format-standard","hentry","category-kb"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=3652"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3652\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=3652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=3652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=3652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}