Firewall in CentOS 7

Posted: July 8, 2015 in Linux

RHEL 7/CentOS 7 introduced firewalld as a replacement for the previous iptables service.

Firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It supports both IPv4 and IPv6 firewall settings. The firewall model with iptables was static, and every change required a complete firewall restart. This also meant unloading the firewall netfilter kernel modules and loading the modules needed for the new configuration. The firewalld daemon applies changes without restarting the whole firewall, so there is no need to reload all firewall kernel modules.


Network zones

A network zone defines the level of trust for network connections based on a source IP or network interface for incoming network traffic. A connection can only be part of one zone, but a zone can be used for many network connections. The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. There are 9 default zones:

drop: Incoming network packets are dropped; outgoing traffic is accepted.
block: Incoming connections are rejected with an icmp-host-prohibited message.
public: Allows only selected connections.
external: Allows selected inbound connection requests for computers with masquerading active.
dmz: For publicly accessible systems with limited access to the internal network. Accepts selected traffic.
work: Allows traffic from other computers on the internal network.
home: Allows traffic from other computers on the home network.
internal: Allows traffic from other computers on the internal, trusted network.
trusted: Allows all traffic.

The public zone is the default zone. Zone files, in XML format, are located in the /usr/lib/firewalld/zones folder.

User-defined zone configuration is stored in separate XML files in the /etc/firewalld/zones directory.

Each zone can have one or more interfaces assigned to it.

List the current default zone setting:

firewall-cmd --get-default-zone

List all active zones along with assigned interfaces:

firewall-cmd --get-active-zones
interfaces: eth0 eth1 eth2

Display details for all active zones:

firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
services: dhcpv6-client ssh
ports: 5901-5902/tcp
masquerade: no
rich rules:

Display a list of all available zones:

firewall-cmd --get-zones

block dmz drop external home internal public trusted work

Display details for all available zones:

firewall-cmd --list-all-zones

Display details for a specific zone:

firewall-cmd --list-all --zone external
services: ssh
masquerade: yes
rich rules:

Assign the eth0 network interface permanently to the internal zone:

firewall-cmd --permanent --zone=internal --change-interface=eth0


To know which zone is associated with the eth0 interface:

firewall-cmd --get-zone-of-interface=eth0




The configuration of the main services is stored in the /usr/lib/firewalld/services directory. New configuration can be stored in the /etc/firewalld/services directory. If files exist at both locations for the same service, the file in the /etc/firewalld/services folder takes precedence. A service file usually contains a port number, protocol, and an IP address.

For example, the following command will create a new service called myservice (a file myservice.xml will be created in the /etc/firewalld/services/ folder):

firewall-cmd --permanent --new-service myservice

Modify the testservice.xml file and include the following information:

vi /etc/firewalld/services/testservice.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <description>Custom testservice</description>
  <port protocol="tcp" port="1234"/>
</service>

I defined port 1234 for the myservice service.
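
A service definition has to be well-formed XML with a `<service>` root element and plain ASCII quotes around attribute values, which is easy to break when pasting from a web page. The check below is an added example, not part of the original post or of firewalld; `check_service`, the sample strings, and the accepted port and protocol rules are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}  # assumption: what this check accepts

def _valid_port(spec):
    """Accept a single port or a low-high range within 1-65535."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isascii() and p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)

def check_service(xml_text):
    """Return (ports, problems) for the text of a firewalld service file."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [], ["not well-formed XML: %s" % exc]
    if root.tag != "service":
        return [], ["root element is <%s>, expected <service>" % root.tag]
    ports, problems = [], []
    for el in root.findall("port"):
        port, proto = el.get("port", ""), el.get("protocol", "")
        if proto not in PROTOCOLS:
            problems.append("unknown protocol %r" % proto)
        elif not _valid_port(port):
            problems.append("bad port %r" % port)
        else:
            ports.append("%s/%s" % (port, proto))
    return ports, problems

# Constructed samples. GOOD is a complete definition for 1234/tcp; the other
# two reproduce typical paste damage: no root element, typographic quotes.
GOOD = ('<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        '  <description>Custom testservice</description>\n'
        '  <port protocol="tcp" port="1234"/>\n</service>\n')
NO_ROOT = ('<?xml version="1.0" encoding="utf-8"?>\n'
           '<description>Custom testservice</description>\n'
           '<port protocol="tcp" port="1234"/>\n')
CURLY = GOOD.replace('"tcp"', '\u201dtcp\u201d')

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("NO_ROOT", NO_ROOT), ("CURLY", CURLY)):
        print(name, check_service(text))
```

Running it against a file before `firewall-cmd --reload` catches a definition that would otherwise leave the intended port closed.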

Add the myservice to the public zone:

firewall-cmd --permanent --add-service myservice --zone public
firewall-cmd --reload

The firewall-cmd --reload command saves firewall changes.

The --permanent option makes changes remain between restarts.

List all services for the public zone; you should see the mytest service:

firewall-cmd --list-services --zone work
dhcpv6-client ipp-client ssh testservice


To get the list of services in the default zone, type:

firewall-cmd --list-services
dhcpv6-client ssh

To allow the http service in the internal zone, type:

firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --reload


Adding ports is the same as adding services.

To allow the 443/tcp port in the internal zone, type:

firewall-cmd --zone=internal --add-port=443/tcp --permanent

To remove a port, type --remove-port=443/tcp instead of --add-port.

To get the list of ports opened in the public zone, type:

firewall-cmd --zone=public --list-ports --permanent

Port forwarding

Forward inbound telnet traffic to port 2000 on the same computer:

firewall-cmd --zone external --add-forward-port port=23:proto=tcp:toport=2000 --permanent

Forward inbound ftp traffic to port range 2001 to 2005 on the same system:

firewall-cmd --zone external --permanent --add-forward-port port=21:proto=tcp:toport=2001-2005

Forward inbound ftp traffic to the same port number but to IP

firewall-cmd --zone external --permanent --add-forward-port port=21:proto=tcp:toaddr=

Forward inbound ftp traffic to

firewall-cmd --zone external --permanent --add-forward-port port=21:proto=tcp:toport=2010:toaddr=

Adding zone to network addressing

To add a source to the trusted zone, type:

firewall-cmd --permanent --zone=trusted --add-source=
firewall-cmd --reload

Instead of --add-source, type:

--remove-source to delete a previously assigned source.
--change-source to move the source to the new specified zone.


Rich Language


This adds a high-level language to firewalld that allows creating complex firewall rules without knowledge of iptables syntax.

Allow new IPv4 connections from address for service ftp and rate log 5 per minute using syslog with a log prefix “Log ftp traffic”:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="" service name="ftp" log prefix="Log ftp traffic" level="info" limit value="1/m" accept'


Allow all connections from

firewall-cmd --add-rich-rule='rule family="ipv4" source address="" accept'

Deny all connections from

firewall-cmd --add-rich-rule='rule family="ipv4" source address="" reject'

Drop all connections from

firewall-cmd --add-rich-rule='rule family="ipv4" source address="" drop'

Display rich rules:

firewall-cmd --list-rich-rules

Direct rules

If we don’t want to use predefined services but the iptables interface, then we will use direct rules.

Direct rules are mostly for services and applications to be able to add custom rules.
The rules are not saved and have to be resubmitted after a reload or restart.

This rule will allow machines from the network to access this computer on port 8200:

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 192.168.1/24 -p tcp --dport 8200 -j ACCEPT

Forward traffic from the eth0 to the em1 interface:

firewall-cmd --direct --passthrough ipv4 -I FORWARD -i eth0 -o em1 -j ACCEPT
firewall-cmd --direct --passthrough ipv4 -I FORWARD -i em1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT




Masquerading allows computers with a private (non-routable) IP address to connect to the internet by substituting their IP address with the public IP address of the default gateway/firewall.

Add masquerading to the external zone. This will enable NAT:

firewall-cmd --zone external --add-masquerade

Query on the external zone to confirm the setting:

firewall-cmd --query-masquerade --zone external
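
Permanent zone settings such as sources, forward ports, masquerading and rich rules are written to the zone's XML file under /etc/firewalld/zones, so that file can be reviewed for settings that widen exposure. The following is an added example, not from the original post or from firewalld; `audit_zone` is a hypothetical helper, and the zone file and its RFC 5737 addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed zone file using settings covered on this page; the addresses
# are placeholders from the RFC 5737 documentation ranges.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="eth0"/>
  <source address="198.51.100.0/24"/>
  <service name="ssh"/>
  <masquerade/>
  <forward-port port="23" protocol="tcp" to-port="2000"/>
  <forward-port port="21" protocol="tcp" to-port="2010" to-addr="192.0.2.10"/>
  <rule family="ipv4">
    <source address="203.0.113.7"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="203.0.113.0/24"/>
    <service name="ftp"/>
    <log prefix="Log ftp traffic" level="info"><limit value="1/m"/></log>
    <accept/>
  </rule>
</zone>
"""

def audit_zone(xml_text):
    """Return review findings for one zone file, grouped by setting type."""
    zone = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    if zone.get("target") == "ACCEPT":
        findings.append("target ACCEPT: all traffic matching this zone is allowed")
    if zone.find("masquerade") is not None:
        findings.append("masquerade enabled")
    for fp in zone.findall("forward-port"):
        findings.append("forward %s/%s -> %s port %s" % (
            fp.get("port"), fp.get("protocol"),
            fp.get("to-addr", "this host"), fp.get("to-port", fp.get("port"))))
    for src in zone.findall("source"):  # direct children only, not rule sources
        findings.append("source %s bound to zone" % src.get("address"))
    for rule in zone.findall("rule"):
        # Source match plus accept and nothing else: every port is open to it.
        if {child.tag for child in rule} == {"source", "accept"}:
            findings.append("rich rule accepts everything from %s"
                            % rule.find("source").get("address"))
    return findings

if __name__ == "__main__":
    for line in audit_zone(ZONE_XML):
        print(line)
```

The rate-limited ftp rule is not reported because it is scoped to one service; the bare source/accept rule is.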


Activate Panic Mode – Drop All Packets

To start dropping all incoming and outgoing packets, type:

firewall-cmd --panic-on
success

To allow traffic:

firewall-cmd --panic-off
success
