I fired up my first CentOS 7 instance and there are a lot of new things that I’ve been avoiding learning. Namely, FirewallD. According to the wiki page:
firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces
tl;dr: it’s an abstraction layer over the kernel packet filter. On CentOS 7 it drives iptables (and ip6tables) for you, so after configuring a few rules with firewall-cmd you may notice that iptables -L shows a bunch of rules reflecting your changes, without you having written a single iptables rule. The flip side is that firewalld owns those tables: rules you add by hand with iptables are invisible to firewalld and do not survive a firewall-cmd --reload or a service restart, so stick to one tool (firewall-cmd, or its --direct passthrough if you really need raw rules).
Anyway, this post is just going to cover a few quick commands to implement a very basic firewall for those new to FirewallD. Follow the bouncing ball.
As mentioned in the quote from the wiki page, FirewallD has a concept of zones. Each interface (or source address range) is assigned to a zone, and the zone’s rules decide what inbound traffic is accepted. Only the zone bound to your interface actually matters, and on a fresh install that is public:
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# firewall-cmd --get-active-zones
public
  interfaces: eth0
FirewallD also knows about services, which are just named bundles of ports and protocols (ssh is 22/tcp, http is 80/tcp, and so on; the definitions live in /usr/lib/firewalld/services/*.xml). As you can see below, FirewallD knows about lots of services, but only three of them are open in my public zone.
# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
# firewall-cmd --zone=public --list-services
dhcpv6-client http ssh
Opening a service is easy. Make sure to include the --permanent flag to make it persistent across reboots. One catch: --permanent only writes the saved configuration under /etc/firewalld; it does not touch the running firewall. Either run the same command a second time without --permanent, or follow it with firewall-cmd --reload, and then confirm with --list-services (with and without --permanent) that the runtime and saved views agree, otherwise the box will behave differently after its next reboot.
firewall-cmd --permanent --zone=public --add-service=http
And of course, make sure this sucker’s going to be running on boot (WELCOME TO SYSTEMD HAVE A NICE DAY). Note that enable only registers the unit to start at boot; firewall-cmd --state tells you whether it is actually running right now.
systemctl enable firewalld
I always recommend a reboot to make sure your server comes up clean without your help.
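The steps above (enable the service, open what you need, make it permanent, check it) collected into one idempotent script. This is an added example and not code from the original post; it assumes a CentOS 7 box with firewalld installed and eth0 in the public zone, as in the post, and it goes a little beyond the post by opening https as well and by checking that the runtime and permanent service lists agree. The variable and function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: apply a basic firewalld setup
# and verify the live firewall matches the saved one. Assumes CentOS 7 with
# firewalld installed and the interface in the public zone (as in the post).
# ZONE, SERVICES and the helper names below are this example's own.
set -e

ZONE=public
SERVICES="ssh http https"   # the post opens http; https is added here

# Sort and de-duplicate a space-separated service list so two lists can be
# compared regardless of order. Pure text, needs no firewalld to run.
normalize_services() {
    # $1 is deliberately unquoted so the shell splits it into one word per line
    printf '%s\n' $1 | sort -u | tr '\n' ' ' | sed 's/[[:space:]]*$//'
}

# Succeed (exit 0) when two service lists name the same set of services.
services_match() {
    [ "$(normalize_services "$1")" = "$(normalize_services "$2")" ]
}

# Open a service in both the permanent config (survives reboot/reload) and
# the runtime config (enforced right now). --permanent alone changes nothing
# in the kernel until a --reload, so doing both closes that gap. The
# --query-service checks keep this idempotent: re-running the script does
# not trip over ALREADY_ENABLED.
open_service() {
    firewall-cmd --permanent --zone="$ZONE" --query-service="$1" >/dev/null 2>&1 \
        || firewall-cmd --permanent --zone="$ZONE" --add-service="$1"
    firewall-cmd --zone="$ZONE" --query-service="$1" >/dev/null 2>&1 \
        || firewall-cmd --zone="$ZONE" --add-service="$1"
}

# Compare what is enforced now with what will come back after a reboot.
# A mismatch means something was added without --permanent, or with it but
# never reloaded; either way the host changes behaviour on its next boot.
check_drift() {
    runtime=$(firewall-cmd --zone="$ZONE" --list-services)
    permanent=$(firewall-cmd --permanent --zone="$ZONE" --list-services)
    if services_match "$runtime" "$permanent"; then
        echo "zone $ZONE: runtime and permanent agree: $runtime"
    else
        echo "zone $ZONE: DRIFT runtime=[$runtime] permanent=[$permanent]" >&2
        return 1
    fi
}

apply_basic_firewall() {
    systemctl enable firewalld
    systemctl start firewalld          # enable alone does not start it
    for svc in $SERVICES; do
        open_service "$svc"
    done
    check_drift
}

# Only touch the system when firewalld is actually present; the text
# helpers above can be exercised anywhere.
if command -v firewall-cmd >/dev/null 2>&1; then
    apply_basic_firewall
else
    echo "firewall-cmd not found; nothing applied" >&2
fi
```

Run it as root. A non-zero exit with a DRIFT line on stderr means the kernel is enforcing something other than what /etc/firewalld will restore at boot, which is exactly the situation a reboot test is meant to flush out; fix it by re-adding the missing service with (or without) --permanent as appropriate and re-running the script.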