CentOS 7 FirewallD Initial Setup

Posted on Sat 26 July 2014 in misc

I fired up my first CentOS 7 instance and there are a lot of new things that I’ve been avoiding learning. Namely, FirewallD. According to the wiki page:

firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces

tl;dr: it's an abstraction layer over iptables. For instance, after you configure some rules with firewall-cmd, running iptables -L shows a bunch of chains and rules that reflect your changes, without your having written a single iptables rule yourself.

Anyway, this post is just going to cover a few quick commands to implement a very basic firewall for those new to FirewallD. Follow the bouncing ball.

As mentioned in the quote from the wiki page, FirewallD has a concept of zones.

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# firewall-cmd --get-active-zones
interfaces: eth0

FirewallD also knows about services. As you can see below, FirewallD knows about lots of services, but only three of them are enabled/open in my active zone (public).

# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh

Enabling a service is easy. Make sure to include the --permanent flag so the change survives reboots.

firewall-cmd --permanent --zone=public --add-service=http

And of course, make sure this sucker’s going to be running on boot (WELCOME TO SYSTEMD HAVE A NICE DAY).

systemctl enable firewalld
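To tie the zone and service commands above together, here is an added example (my own script, not code from the original post): it reconciles the public zone's saved service list with a small allow-list, reloads the running firewall, enables firewalld on boot, and then verifies the live zone against the allow-list. It assumes the host sits in the public zone, that the only services it should expose are ssh and http, and that it runs on the firewalld CLI shipped with CentOS 7; the two helper functions are plain text processing so they can be checked without firewalld present.

```shell
#!/bin/sh
# Added example for this post (not from the original author): a repeatable
# FirewallD baseline for a CentOS 7 host, plus two small helpers that check
# a zone's open services against an allow-list.
#
# Assumptions (labelled): the host is in the "public" zone, it should expose
# only ssh and http, and firewall-cmd is the one shipped with CentOS 7.

WANTED_SERVICES="ssh http"   # assumption: the only services this host serves

# missing_services "<listing>" wanted...
# Prints each wanted service that is absent from a space-separated
# "firewall-cmd --list-services" listing, one per line. Always returns 0 so
# it composes safely with "set -e"; callers test whether the output is empty.
missing_services() {
    listing=" $1 "
    shift
    for svc in "$@"; do
        case "$listing" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
    return 0
}

# unexpected_services "<listing>" wanted...
# Prints each open service that is NOT on the allow-list (for example the
# dhcpv6-client service that the stock public zone ships with).
unexpected_services() {
    listing="$1"
    shift
    wanted=" $* "
    for open in $listing; do
        case "$wanted" in
            *" $open "*) ;;
            *) echo "$open" ;;
        esac
    done
    return 0
}

# apply_baseline: reconcile the permanent public-zone config with the
# allow-list, load it into the running firewall, and verify the result.
apply_baseline() {
    # 1. Open every wanted service (--permanent edits the saved config only).
    for svc in $WANTED_SERVICES; do
        firewall-cmd --permanent --zone=public --add-service="$svc"
    done

    # 2. Close anything in the saved config that is not on the allow-list.
    saved=$(firewall-cmd --permanent --zone=public --list-services)
    for svc in $(unexpected_services "$saved" $WANTED_SERVICES); do
        firewall-cmd --permanent --zone=public --remove-service="$svc"
    done

    # 3. --reload pushes the permanent config into the running firewall;
    #    without it the --permanent changes only take effect on restart.
    firewall-cmd --reload
    systemctl enable firewalld

    # 4. Verify the runtime state, not just the saved one.
    live=$(firewall-cmd --zone=public --list-services)
    missing=$(missing_services "$live" $WANTED_SERVICES)
    extra=$(unexpected_services "$live" $WANTED_SERVICES)
    if [ -n "$missing" ] || [ -n "$extra" ]; then
        echo "public zone drifted: missing=[$missing] unexpected=[$extra]" >&2
        return 1
    fi
    echo "public zone open services: $live"
}

# The live firewall is only touched when explicitly asked
# ("sh baseline.sh apply"); running the file with no argument just defines
# the helpers so they can be sourced and tested.
if [ "${1:-}" = "apply" ]; then
    apply_baseline
fi
```

The point worth remembering from step 3 is that --permanent on its own writes only the saved configuration; the running firewall does not change until firewall-cmd --reload (or a restart of firewalld), so a verification step that reads the live zone, as step 4 does, catches the case where someone forgot the reload.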

I always recommend a reboot to make sure your server comes up clean without your help.