How to Configure and Set Up Firewalld on CentOS 7

Firewalld is the dynamic firewall manager on CentOS 7. It is a front end to the kernel's netfilter packet filter (the same machinery the iptables command drives), and "dynamic" means rules can be changed at runtime without restarting the service, so established connections survive instead of being dropped the way they are when the iptables service flushes and reloads its whole rule set. Firewalld groups network connections into "zones", each with its own trust level and rule set, and supports IPv4, IPv6, Ethernet bridges and IP sets.

Below, we walk through installing Firewalld, understanding its zones, and adding your own services and rules.

Why Use Firewalld?

  • Immediate changes: rules are applied to the running firewall at once, without a service restart and without flushing existing connection state.

  • Several front ends: firewall-cmd (command line), firewall-config (graphical) and firewall-applet (tray applet) all manage the same configuration through firewalld's D-Bus interface.

  • Supported OS: Firewalld is the default firewall tool on:

    • RHEL 7, CentOS 7

    • Fedora 18 and newer

Steps to Set Up Firewalld

  • Step 1: Install Firewalld

    1. Firewalld is usually pre-installed on CentOS 7. If it is not, install it:

    yum install firewalld -y

    2. Check whether the legacy iptables service is running. Both services program the same netfilter rules, so running them side by side means each one's flush overwrites the other's rules. Stop it and mask it; masking goes further than disabling, because it also prevents the unit from being started by hand or pulled in as a dependency of another unit:

    systemctl status iptables
    systemctl stop iptables
    systemctl mask iptables

    Before relying on it, make sure firewalld itself is enabled at boot and running; the firewall-cmd --state check in Step 5 confirms the latter.

  • Step 2: Learn About Firewalld Zones

    Firewalld uses zones to manage trust levels for network connections. An interface or a source address range is bound to exactly one zone, and that zone's rules decide what is accepted. From least to most trusted, the predefined zones are:

    • Drop Zone: All incoming packets are dropped silently, with no reply; only outgoing connections (and their replies) are possible.

    • Block Zone: Incoming connections are rejected with an ICMP message (icmp-host-prohibited for IPv4, icmp6-adm-prohibited for IPv6); only outgoing connections are possible.

    • Public Zone: For untrusted public networks; only explicitly allowed incoming connections are accepted (ssh and dhcpv6-client out of the box). This is the default zone on a fresh install.

    • External Zone: For the outside interface of a router, with masquerading (NAT) enabled; only explicitly allowed incoming connections are accepted.

    • DMZ Zone: For publicly reachable hosts that should have limited access to the internal network; only explicitly allowed incoming connections are accepted.

    • Work Zone: For work networks where other machines are mostly trusted; only explicitly allowed incoming connections are accepted.

    • Home Zone: For home networks where other machines are mostly trusted; only explicitly allowed incoming connections are accepted.

    • Internal Zone: For internal networks, typically the inside interface of a router; other machines are mostly trusted, and only explicitly allowed incoming connections are accepted.

    • Trusted Zone: All traffic is accepted. Use it only for interfaces where you genuinely trust every host that can reach them.

    Note that even the "mostly trusted" zones still reject anything not explicitly allowed; what differs between them is the set of services preconfigured in each. Put an interface in the least trusted zone that still lets the required services through.

    List available zones:

    firewall-cmd --get-zones

    Check the default zone:

    firewall-cmd --get-default-zone

  • Step 3: Set the Default Zone

    Interfaces with no explicit zone binding (no ZONE= entry in their ifcfg file and no assignment made with firewall-cmd) land in the default zone, so this choice decides how every unassigned interface is treated.

    1. Set the default zone, for example to internal. This change is written to the permanent configuration and takes effect immediately. Keep in mind that internal ships with more allowed services than public; on an internet-facing host, keep public (or drop) as the default and reserve the more trusting zones for specific interfaces or source ranges:

    firewall-cmd --set-default-zone=internal

    2. Verify the default zone:

    firewall-cmd --get-default-zone

    3. Find out which zone a specific interface (e.g., enp0s3) belongs to:

    firewall-cmd --get-zone-of-interface=enp0s3

    4. List the ICMP types firewalld knows about (the names you use when blocking or allowing specific ICMP messages in a zone):

    firewall-cmd --get-icmptypes

  • Step 4: Create Your Own Services

    A service is a named bundle of ports (and optionally protocols, kernel modules and destination addresses) defined in an XML file, so that a rule can say "allow rtmp" instead of "allow 1935/tcp". To create one:

    1. Get a list of current services:

    firewall-cmd --get-services

    2. The stock definitions live in the services directory:

    cd /usr/lib/firewalld/services/

    Do not edit files there: they belong to the firewalld package and are replaced on update. Custom definitions go in /etc/firewalld/services/, which firewalld reads first, so a file there with the same name as a stock one overrides it.

    3. Copy an existing service file as a template under the new name (e.g., rtmp for RTMP on TCP port 1935):

    cp ssh.xml /etc/firewalld/services/rtmp.xml

    4. Edit the copy so that its short name, description and port element describe RTMP (protocol tcp, port 1935) rather than SSH. The file name without .xml becomes the service name.

    5. Reload Firewalld so it picks up the new file:

    firewall-cmd --reload

    6. Confirm the new service appears in the list:

    firewall-cmd --get-services
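
What the edited file in step 4 should contain, as an added example that is not part of the original article: a small POSIX shell generator that writes a service definition with the same layout as the stock ssh.xml (short name, description, one port element per port). The function names and the SERVICE_DIR override are assumptions of this example; unset, it writes to the real /etc/firewalld/services/ directory and needs root.

```sh
#!/bin/sh
# Added example, not from the original article: generate the service
# definition that Step 4 tells you to "edit", instead of hand-patching a
# copy of ssh.xml. The XML layout mirrors the stock files under
# /usr/lib/firewalld/services/. SERVICE_DIR is an assumed override so the
# generator can be tried as an unprivileged user.
set -eu

# Escape the three characters that would break the XML if a description
# contained them.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Print a service definition on stdout.
#   $1 short name, $2 description, $3.. "port/protocol" entries
#   (1935/tcp, 1935-1940/udp, ...)
# Only the protocols firewalld accepts in a <port> element are allowed;
# anything else aborts before a file is written.
service_xml() {
    short=$1 desc=$2
    shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$short")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
        port=${spec%/*}
        proto=${spec#*/}
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "service_xml: unsupported protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            *[!0-9-]*|"") echo "service_xml: bad port in '$spec'" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# Write <name>.xml into the custom services directory and print its path.
# firewalld consults /etc/firewalld/services/ before /usr/lib/..., so a
# file here with a stock name overrides the stock definition.
install_service() {
    name=$1
    shift
    dir=${SERVICE_DIR:-/etc/firewalld/services}
    case "$name" in
        *[!A-Za-z0-9_-]*|"") echo "install_service: bad service name '$name'" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$dir/.$name.XXXXXX")
    if ! service_xml "$@" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"            # same mode as the stock definitions
    mv "$tmp" "$dir/$name.xml"   # atomic: firewalld never sees a half-written file
    echo "$dir/$name.xml"
}

# As root, then reload so firewalld reads the new file and check it parsed:
#   install_service rtmp RTMP "Real-Time Messaging Protocol" 1935/tcp
#   firewall-cmd --reload && firewall-cmd --info-service=rtmp
```

The file is written to a temporary name and renamed into place so that a reload racing with the write never parses a truncated definition, and the protocol and name checks mean a typo fails loudly here rather than as a parse error buried in the firewalld log.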

  • Step 5: Assign Services to Zones

    1. Check that firewalld is running, and which zones currently have an interface or source bound to them:

    firewall-cmd --state
    firewall-cmd --get-active-zones

    2. Add your custom service to a zone. Without --permanent the change applies to the running firewall only and disappears on the next reload or reboot:

    firewall-cmd --zone=public --add-service=rtmp

    To make it permanent, write it to the permanent configuration and reload. Note that --reload replaces the runtime rules with the permanent ones, so any runtime-only change you have not also made permanent is lost at this point:

    firewall-cmd --zone=public --add-service=rtmp --permanent
    firewall-cmd --reload

    3. Bind a source range to a zone and open a port. With no --zone given, both commands act on the default zone:

    firewall-cmd --permanent --add-source=172.139.0.0/24
    firewall-cmd --permanent --add-port=2396/tcp
    firewall-cmd --reload

    These two rules are independent: --add-source routes traffic from 172.139.0.0/24 into the default zone (on top of whatever interfaces are already bound to it), and --add-port opens 2396/tcp for everything that zone handles, not just for that range. If the intent is "only 172.139.0.0/24 may reach port 2396", put the source range in its own zone and open the port there, or use a rich rule that combines source and port in one condition.

    4. List all settings (interfaces, sources, services, ports, rich rules) of the default zone; add --zone=<name> to inspect another zone:

    firewall-cmd --list-all
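
The dedicated-zone approach described in step 3, as an added example that is not from the original article. The source range and port are the article's own; the zone name mgmt, the DRY_RUN switch and the helper names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article: restrict a port to one
# source range. Step 5's --add-source / --add-port pair opens 2396/tcp to
# the whole default zone; this gives the range its own zone (assumed name
# "mgmt") that allows nothing but that port. Set DRY_RUN=1 to print the
# firewall-cmd calls instead of running them (the real ones need root and a
# running firewalld).
set -eu

fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Accept only a dotted-quad IPv4 prefix with an explicit /0-32 mask.
# firewalld would accept a bare address too, but a typo such as
# "172.139.0.0" (mask forgotten) silently narrows the rule to one host.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Accept only "<port>/<tcp|udp>" or "<lo>-<hi>/<tcp|udp>".
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp)$'
}

# Create a zone holding only the source range and the one port.
# A zone created with --new-zone has the "default" target (reject anything
# no rule allows) and no services, so hosts in the range reach the port and
# nothing else. Hosts outside the range are unaffected and stay in their
# interface's zone. Source matches are evaluated before interface matches,
# so 172.139.0.0/24 also loses whatever the default zone allowed it before;
# add those services to the new zone if they are still wanted.
restrict_port_to_source() {
    zone=$1 src=$2 port=$3
    valid_cidr "$src" || { echo "refusing source '$src': expected a.b.c.d/n" >&2; return 1; }
    valid_port "$port" || { echo "refusing port '$port': expected N/tcp or N/udp" >&2; return 1; }
    fw --permanent --new-zone="$zone"
    fw --permanent --zone="$zone" --add-source="$src"
    fw --permanent --zone="$zone" --add-port="$port"
    fw --reload                         # permanent config becomes runtime
    fw --zone="$zone" --list-all        # verify: sources and ports, nothing else
}

# Usage (as root):  restrict_port_to_source mgmt 172.139.0.0/24 2396/tcp
```

Everything is written with --permanent and then activated by a single --reload, so a failure part-way through leaves the running firewall untouched. A rich rule (--add-rich-rule with a source address and a port) would achieve the same result inside the default zone without creating a zone, but the dedicated zone keeps the source-based exception visible in --get-active-zones and --list-all rather than buried in a rule string.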

Final Notes

To learn more, start with the manual pages: firewalld covers the daemon, firewalld.zone and firewalld.service describe the XML files behind zones and services, and firewall-cmd documents every option used above.

man firewalld