How To Set Up a Firewall Using FirewallD on CentOS 7

Firewalld is a firewall management solution available for many Linux distributions which acts as a frontend for the iptables packet filtering system provided by the Linux kernel.

Install and Enable Your Firewall to Start at Boot
firewalld is installed by default on some Linux distributions, including many images of CentOS 7. However, it may be necessary for you to install firewalld yourself:

sudo yum install firewalld

After you install firewalld, you can enable the service and reboot your server. Keep in mind that enabling firewalld causes the service to start at boot, so it is best practice to create your firewall rules and test them before configuring this behavior, to avoid problems such as rules you did not intend taking effect on the next boot.

sudo systemctl enable firewalld
sudo reboot

When the server restarts, your firewall should be brought up, your network interfaces should be put into the zones you configured (or fall back to the configured default zone), and any rules associated with the zone(s) will be applied to the associated interfaces.

We can verify that the service is running and reachable by typing:

sudo firewall-cmd --state

Adding a Service to your Zones
For instance, if we are running a web server serving conventional HTTP traffic, we can allow this traffic for interfaces in our “public” zone for this session by typing:

sudo firewall-cmd --zone=public --add-service=http

We can verify the operation was successful by using the --list-all or --list-services operations:

sudo firewall-cmd --zone=public --list-services

Opening a Port for your Zones
One way to add support for your specific application is to open up the ports that it uses in the appropriate zone(s). This is done by specifying the port or port range, and the associated protocol for the ports you need to open.

For instance, if our application runs on port 6900 and uses UDP, we could add this to the “public” zone for this session using the --add-port= parameter. Protocols can be either tcp or udp:

sudo firewall-cmd --zone=public --add-port=6900/udp
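As an added example that is not part of the original article, the POSIX sh helpers below tie the steps above together: a check that a port specification is well formed before it reaches firewall-cmd (a wrong protocol such as tcp instead of udp silently leaves the application unreachable), a parser for the output of `firewall-cmd --zone=public --list-all` so the zone can be audited after the change, and a hypothetical `ensure_port` wrapper that opens a port only if it is not already open. The zone name, the 6900/udp port and the `--list-all` text are constructed to match this article.

```shell
# Added example, not from the original article. Assumes the "public" zone
# and port 6900/udp used above; SAMPLE_LIST_ALL is constructed output.

# validate_port_spec SPEC: 0 if SPEC is PORT[-PORT]/tcp|udp with each
# port in 1..65535 and the range not inverted; 1 otherwise.
validate_port_spec() {
    spec=$1
    case "$spec" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    ports=${spec%/*}
    lo=${ports%-*}
    hi=${ports#*-}
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# zone_allows TEXT FIELD VALUE: 0 if VALUE is listed on the "FIELD:" line
# of TEXT, where TEXT is the output of `firewall-cmd --zone=Z --list-all`.
zone_allows() {
    items=$(printf '%s\n' "$1" | sed -n "s/^ *$2: *//p")
    for item in $items; do
        [ "$item" = "$3" ] && return 0
    done
    return 1
}

# ensure_port ZONE SPEC (hypothetical wrapper for a live host): open SPEC
# in ZONE only if it is not already open, in both the running and the
# permanent configuration so the rule survives a reload or reboot.
ensure_port() {
    validate_port_spec "$2" || { echo "bad port spec: $2" >&2; return 2; }
    if sudo firewall-cmd --zone="$1" --query-port="$2" >/dev/null 2>&1; then
        echo "$2 already open in zone $1"
    else
        sudo firewall-cmd --zone="$1" --add-port="$2" &&
        sudo firewall-cmd --zone="$1" --permanent --add-port="$2"
    fi
}

# Constructed --list-all output for the public zone after the article's
# commands (http service added, 6900/udp opened) have been applied.
SAMPLE_LIST_ALL='public (active)
  interfaces: eth0
  services: dhcpv6-client http ssh
  ports: 6900/udp
  masquerade: no'
```

Rules added without `--permanent` disappear at the next reload or reboot; after applying a permanent rule on a live host, compare the output of `--list-all` with and without `--permanent` to confirm the running and saved configurations agree.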