Firewalld - How to Dynamically Manage Firewall in RHEL/CentOS 7

FirewallD, introduced in Fedora 17 and shipped with RHEL/CentOS 7, is a dynamically managed firewall daemon that supports zones to define the trust level of network connections or interfaces. Because FirewallD runs as a daemon, rules can be added instantly without a complete restart of the firewall (iptables), which would break stateful filtering and drop established connections. Changes to the configuration can be made at any time and take effect immediately; there is no need to save or apply them. The firewalld daemon uses the iptables tool to talk to the kernel packet filter.


FirewallD uses network zones to define the level of trust for network connections. A connection can only be part of one zone, but a zone can be used for many network connections.

There are a number of predefined zones that can be used in general cases:

drop - incoming network packets are dropped with no reply; only outgoing network connections are possible.
block - incoming network connections are rejected with an icmp-host-prohibited message; only network connections initiated from this system are possible.
public - for use in areas where you do not trust the other computers not to harm your computer; only selected incoming connections are accepted.
external - for use on external networks with masquerading enabled, especially on routers; you do not trust the other computers not to harm your computer, and only selected incoming connections are accepted.
dmz - for computers in your demilitarized zone that are publicly accessible with limited access to your internal network; only selected incoming connections are accepted.
work/home/internal - you mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
trusted - all network connections are accepted.
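Since a zone only matters once an interface or source address is bound to it, a quick way to review a host is to look at which zones are actually in use and what they expose. The POSIX shell script below is an added example, not part of the original article: it parses the text that `firewall-cmd --list-all-zones` prints, lists every bound zone with its services and ports, and warns when the trusted zone (which accepts everything) is bound to anything. The zone listing embedded in the script is a constructed sample so that it runs on a machine without firewalld; on a real host the live command output is piped through the same functions.

```shell
#!/bin/sh
# Added example (not from the original article). Reads the text produced by
# `firewall-cmd --list-all-zones` and summarises which zones are really in
# use, i.e. bound to an interface or a source address, and what they expose.

# Constructed sample output so the script runs on a host without firewalld.
# Real output carries more fields (masquerade, forward-ports, ...) which the
# parser simply ignores.
SAMPLE_ZONES='public (active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
  ports: 8080/tcp
  masquerade: no
trusted (active)
  interfaces: eth1
  sources:
  services:
  ports:
  masquerade: no
dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no'

# audit_zones: stdin is --list-all-zones text; prints one line per zone that
# has an interface or source bound, as  zone|interfaces|sources|services|ports
audit_zones() {
    awk '
        function flush() {
            if (zone != "" && (ifs != "" || src != ""))
                print zone "|" ifs "|" src "|" svc "|" prt
        }
        # a zone header starts in column 0, e.g. "public (active)"
        /^[^ ]/ { flush(); zone = $1; ifs = src = svc = prt = ""; next }
        /^  interfaces:/ { sub(/^  interfaces: */, ""); ifs = $0; next }
        /^  sources:/    { sub(/^  sources: */, "");    src = $0; next }
        /^  services:/   { sub(/^  services: */, "");   svc = $0; next }
        /^  ports:/      { sub(/^  ports: */, "");      prt = $0; next }
        END { flush() }'
}

# risky_bindings: flags a bound "trusted" zone (it accepts every connection)
# and lists zones that open raw ports, the entries most worth reviewing.
risky_bindings() {
    audit_zones | awk -F'|' '
        $1 == "trusted" { print "WARN trusted zone bound to: " $2 ($3 != "" ? " " $3 : "") }
        $5 != ""        { print "INFO " $1 " opens ports: " $5 }'
}

# Use the live firewall when it is running, otherwise the constructed sample.
if firewall-cmd --state >/dev/null 2>&1; then
    firewall-cmd --list-all-zones | risky_bindings
else
    printf '%s\n' "$SAMPLE_ZONES" | risky_bindings
fi
```

On the sample this reports that public opens 8080/tcp and that eth1 sits in the trusted zone; the dmz zone is skipped because nothing is bound to it. The parser keys on the two-space indentation of the field lines, which is how firewall-cmd lays out the listing.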

Configuration tools

FirewallD can be configured with firewall-config, a graphical configuration tool; with firewall-cmd, a command line tool; or through the D-Bus interface.

You can start the graphical tool with the firewall-config command or from the system menu.

[screenshot: firewall-config]

Here you can see the list of zones described earlier; select one of them and make adjustments from the tabs:

Services - trusted services that can be accessed from all hosts.
Ports - trusted ports that will be open in this zone.
Masquerading - lets you set up a host or router that connects your local network to the internet.
Port Forwarding - add entries to forward traffic either from one port to another or from one host to another.
ICMP Filters - trusted ICMP services.
Rich Rules - use the rich language to add complex rules.
Interfaces - bind interfaces to the zone.
Sources - bind source addresses or areas to the zone.

You can also use the firewall-cmd command line tool to set up the firewall. The most important commands are (angle brackets mark the value you supply):

firewall-cmd --state
shows whether FirewallD is running

firewall-cmd --reload
reloads the firewall; the permanent configuration becomes the new runtime configuration

firewall-cmd --get-zones
lists all the defined zones

firewall-cmd --get-services
lists all the supported services

firewall-cmd --get-active-zones
lists the active zones and the interfaces bound to each

firewall-cmd [--zone=<zone>] --add-interface=<interface>
adds an interface to the zone (the default zone when --zone is omitted)

firewall-cmd [--zone=<zone>] --change-interface=<interface>
moves an interface to the zone

firewall-cmd [--zone=<zone>] --remove-interface=<interface>
removes an interface from the zone

firewall-cmd --panic-on
enables panic mode, blocking all network connections

firewall-cmd --panic-off
disables panic mode

firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
adds a service to a zone, optionally only for the given time

firewall-cmd [--zone=<zone>] --remove-service=<service>
removes a service from a zone

firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
adds a port or port range to a zone

firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
removes a port or port range from a zone

firewall-cmd [--zone=<zone>] --add-masquerade
enables masquerading for a zone

firewall-cmd [--zone=<zone>] --remove-masquerade
disables masquerading for a zone

firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol>[:toport=<port>[-<port>]][:toaddr=<address>]
adds port forwarding to a zone (at least one of toport and toaddr is required)

firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol>[:toport=<port>[-<port>]][:toaddr=<address>]
removes port forwarding from a zone

Without the --permanent option these commands change only the running firewall; the change disappears on the next reload or reboot. Run the command a second time with --permanent, or make the permanent change and then --reload, to keep it.
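Putting the commands together, a small script is the usual way to open exactly the services and ports a host needs and nothing else. The following is an added example, not a script from the original article: it adds each service and port to the permanent configuration of one zone, skips port specifications that do not match the `<port>[-<port>]/<protocol>` syntax --add-port expects, reloads, and lists the zone so the result can be checked. By default it only prints the firewall-cmd calls it would make (dry-run mode), which is also how it runs on a machine without firewalld; started with `--apply` on a host where firewalld is running it performs them. The zone, services and ports are constructed sample values that can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the original article): open the services and ports
# a host needs in one zone, persist the change, reload, and show the result.
# Runs in dry-run mode (prints the firewall-cmd calls) unless started with
# --apply on a host where firewalld is running. Zone, services and ports are
# constructed sample values; override them through the environment.

ZONE=${ZONE:-public}
SERVICES=${SERVICES:-"ssh https"}
PORTS=${PORTS:-"8443/tcp 5000-5010/udp"}
FW_DRY_RUN=${FW_DRY_RUN:-1}

# run_fw: call firewall-cmd, or just print the call in dry-run mode.
run_fw() {
    if [ "$FW_DRY_RUN" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# valid_port_spec: accept only what --add-port expects, <port>[-<port>]/<proto>
# with ports 1-65535 and a non-decreasing range, so a typo is caught before it
# reaches the firewall. Returns 0 when valid.
valid_port_spec() {
    echo "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp)$' || return 1
    range=${1%/*}
    lo=${range%-*}
    hi=${range#*-}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# ensure: add a service or port to the permanent configuration of $ZONE
# unless it is already there, so the script can be re-run without errors.
ensure() {
    kind=$1
    value=$2
    if [ "$FW_DRY_RUN" != 1 ] &&
       firewall-cmd --permanent --zone="$ZONE" "--query-$kind=$value" >/dev/null 2>&1; then
        echo "$kind $value already present in zone $ZONE"
        return 0
    fi
    run_fw --permanent --zone="$ZONE" "--add-$kind=$value"
}

# apply_zone: the full sequence. Changes are made with --permanent and then
# activated with --reload; --reload replaces the runtime configuration with
# the permanent one, so anything added earlier without --permanent is lost.
apply_zone() {
    for svc in $SERVICES; do
        ensure service "$svc"
    done
    for p in $PORTS; do
        if valid_port_spec "$p"; then
            ensure port "$p"
        else
            echo "skipping invalid port spec: $p" >&2
        fi
    done
    run_fw --reload
    run_fw --zone="$ZONE" --list-all
}

# Only touch the real firewall when explicitly asked and firewalld is up.
if [ "${1:-}" = "--apply" ] && firewall-cmd --state >/dev/null 2>&1; then
    FW_DRY_RUN=0
fi
apply_zone
```

Running it without arguments prints the four firewall-cmd calls it would make for the sample values, which is a convenient way to review a change before applying it; the final --list-all output is what to compare against the intended configuration afterwards.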

You can see examples of the commands in the screenshots below:

[screenshot: firewalld examples]

[screenshot: firewalld examples 2]

How to Disable FirewallD

If for any reason you wish to disable FirewallD or use iptables instead, you can do so with the following commands. Note that stopping firewalld removes its rules, so the host is unfiltered until another firewall service is started:

# systemctl disable firewalld
# systemctl stop firewalld

And if you also wish to install the iptables services to replace it (the two touch commands create the rule files the services load on start; they are empty, so the default policy accepts all traffic until you add rules and save them):

# yum install iptables-services
# touch /etc/sysconfig/iptables
# touch /etc/sysconfig/ip6tables
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables

[screenshot: disabling firewalld]