Firewalld – RHEL 7 & CentOS 7

There are a couple of excellent articles on Firewall D and I’ll attribute them as follows. Remember to check out the comments sections where available since there are some insightful contributions:


How To Set Up a Firewall Using FirewallD on CentOS 7

A few ways to configure Linux firewalld

RHEL7: How to get started with Firewalld.

What Is FirewallD and How It Works (firewall-cmd)

Firewalld configuration and usage

centos 7 – open firewall port

How to open a port in the firewall on CentOS or RHEL


Below are some of the neat things I gleaned from the above resources:

Firewalld is the default firewall on CentOS minimal install and its managed by the firewall-cmd administrative tool.

Firewalld daemon encapsulates  groups of rules into what are termed as Zones. These rules dictate what traffic should be allowed depending on the level of “Trust” in the network your computer is connected to.

Zones are activated by adding Network Interfaces to them. The default zone after a CentOS mimimal install is the public zone. Here you’ll find a nice description of the different zones. Remember, check the zones that are active then add rules, e.g enabling ports, on them instead of blindly opening ports in all the zones.

To allow traffic between network interfaces remember to enable ip_forwading.

Interfaces will always revert to the default zone if they do not have an alternative zone defined within their configuration. On CentOS, these configurations are defined within the /etc/sysconfig/network-scripts directory with files of the format ifcfg-interface. To define a zone for the interface, open up the file associated with the interface you’d like to modify.

Incase you’d rather switch back to Ip-tables, follow the instructions here.

NOTE: Firewalld relies on NetworkManager. This means that if you plan to stop NetworkManager for any reason (for example when building a KVM host), you will have to stop Firewalld and use Iptables instead!

MasqueradingIf your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal, the other external, and configure masquerading on the external zone. This way, all packets will get your firewall ip address as source address.

Services: There are a few basic building blocks in the zones — services are the most important. Firewalld uses its own set of services that are configured using XML files in the directories /usr/lib/firewalld/services (for the system default services) and /etc/firewalld/services for services that you, the administrator, create. If the same service is found in both locations then the services defined in /etc/firewalld/services takes precedence.

The firewall-cmd command is one of many methods to configure firewalld. Alternatively, you can edit the zone configuration file directly. This doesn’t give you any feedback on wrong syntax, but it’s a clean and straightforward configuration file that is easy to modify and distribute across multiple servers.