Fedora 17/RHEL/CentOS 7 introduces a new firewall daemon called FirewallD, a dynamically managed firewall that supports zones to define the trust level of network connections or interfaces. Because FirewallD runs as a daemon, rules can be added instantly without a complete restart of the firewall (iptables), which can break stateful firewalling and established connections. Changes to the configuration can be made at any time and take effect immediately; there is no need to save or apply them. The firewalld daemon uses the iptables tool to talk to the kernel packet filter.
Zones
FirewallD uses network zones to define the level of trust for network connections. A connection can only be part of one zone, but a zone can be used for many network connections.
There are a number of predefined zones that can be used in general cases:
drop - incoming network packets are dropped with no reply; only outgoing network connections are possible
block - incoming network connections are rejected with an icmp-host-prohibited message; only network connections initiated from within this system are possible
public - for use in areas where you do not trust the other computers not to harm your computer; only selected incoming connections are accepted
external - for use on external networks with masquerading enabled, especially for routers; you do not trust the other computers not to harm your computer, and only selected incoming connections are accepted
dmz - for computers in your demilitarized zone that are publicly accessible with limited access to your internal network; only selected incoming connections are accepted
work/home/internal - you mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted
trusted - all network connections are accepted
Configuration tools
FirewallD can be configured with firewall-config, a graphical configuration tool, with firewall-cmd, a command line tool, or over the D-BUS interface.
You can access the graphical tool via the firewall-config command or from the system menu.
Here you can see a list of the zones described earlier; you can select each one of them and make adjustments from the following tabs:
Services - trusted services that can be accessed from all hosts
Ports - trusted ports that will be open in this zone
Masquerading - allows you to set up a host or router that connects your local network to the internet
Port Forwarding - add entries to forward a port, either from one port to another or from one host to another
ICMP Filters - trusted ICMP services
Rich rules - use the rich language to add complex rules
Interfaces - bind interfaces to the zone
Sources - bind source addresses or address ranges to the zone
You can also use the firewall-cmd command line tool to set up the firewall; the most important commands are:
firewall-cmd --state
shows if FirewallD is running
firewall-cmd --reload
reloads the firewall rules from the saved configuration
firewall-cmd --get-zones
lists all the defined zones
firewall-cmd --get-services
lists all the supported services
firewall-cmd --get-active-zones
lists all the active zones
firewall-cmd [--zone=<zone>] --add-interface=<interface>
adds an interface to the zone
firewall-cmd [--zone=<zone>] --change-interface=<interface>
changes the zone an interface belongs to
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
removes an interface from the zone
firewall-cmd --panic-on
enables panic mode, blocking all network connections
firewall-cmd --panic-off
disables panic mode
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
adds a service to a zone (with --timeout, only for the given number of seconds)
firewall-cmd [--zone=<zone>] --remove-service=<service>
removes a service from a zone
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
adds a port or port range to a zone
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
removes a port or port range from a zone
firewall-cmd [--zone=<zone>] --add-masquerade
enables masquerading in a zone
firewall-cmd [--zone=<zone>] --remove-masquerade
disables masquerading in a zone
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
adds port forwarding to a zone
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
removes port forwarding from a zone
You can see an example of the commands below:
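As an added example (not from the original article), here is a small POSIX shell audit that parses the output of firewall-cmd --get-active-zones and firewall-cmd --zone=<zone> --list-all to report which zone each interface is bound to and which services or ports a zone exposes beyond an allow list. The sample output embedded in it is constructed, and --list-all is a firewall-cmd option not covered in the list above.

```shell
#!/bin/sh
# Added example (not from the original article): audit firewalld zone exposure by
# parsing `firewall-cmd --get-active-zones` and `firewall-cmd --zone=<zone> --list-all`
# output (RHEL/CentOS 7 layout assumed). The samples are constructed so the script
# runs without firewalld; on a live host pass the real command output instead.

# Constructed sample of `firewall-cmd --get-active-zones`
SAMPLE_ACTIVE='public
  interfaces: eth0
internal
  interfaces: eth1 eth2'
# Constructed sample of `firewall-cmd --zone=public --list-all`
SAMPLE_PUBLIC='public (active)
  interfaces: eth0
  services: dhcpv6-client ssh http telnet
  ports: 8080/tcp 3306/tcp
  masquerade: no'

# Print "interface zone" pairs: a zone name starts at column 1, its interface
# list is the indented "interfaces:" line that follows it.
interface_zones() {
    printf '%s\n' "$1" | awk '
        /^[^ ]/          { zone = $1; next }
        /^  interfaces:/ { for (i = 2; i <= NF; i++) print $i, zone }'
}

# Zone a given interface is bound to, e.g. zone_of eth1 "$SAMPLE_ACTIVE" -> internal
zone_of() {
    interface_zones "$2" | awk -v ifc="$1" '$1 == ifc { print $2 }'
}

# Tokens on the "<field>:" line of --list-all output that are missing from the
# space-separated allow list; shared by the service and port checks below.
unexpected_tokens() {
    printf '%s\n' "$3" | awk -v field="$1" -v allow=" $2 " '
        $1 == (field ":") { for (i = 2; i <= NF; i++)
                                if (index(allow, " " $i " ") == 0) print $i }'
}
unexpected_services() { unexpected_tokens services "$2" "$1"; }
unexpected_ports()    { unexpected_tokens ports    "$2" "$1"; }

# Report anything on the public zone beyond ssh, http, dhcpv6-client and 8080/tcp.
audit_public() {
    for s in $(unexpected_services "$SAMPLE_PUBLIC" "ssh http dhcpv6-client"); do
        echo "public (eth0 zone: $(zone_of eth0 "$SAMPLE_ACTIVE")): unexpected service $s"
    done
    for p in $(unexpected_ports "$SAMPLE_PUBLIC" "8080/tcp"); do
        echo "public: unexpected port $p"
    done
}
audit_public
```

On a live host, feed the functions the real output instead of the samples, for example unexpected_services "$(firewall-cmd --zone=public --list-all)" "ssh http dhcpv6-client".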
How to Disable FirewallD
If for any reason you wish to disable FirewallD or use iptables instead, you can do so with the following commands:
# systemctl disable firewalld
# systemctl stop firewalld
And if you also wish to install iptables to replace it:
# yum install iptables-services
# touch /etc/sysconfig/iptables
# touch /etc/sysconfig/ip6tables
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables