Managing firewalld with firewall-config

firewall-config Graphical User Interface for managing firewalld

firewall-config is the graphical tool that can be used instead of the command line to manage your firewall. Normally, this will be installed along with firewalld if you have installed a desktop environment such as Gnome.
(To configure your firewall from the command line see the section firewall-cmd.)

To check that the tool firewall-config is installed, simply issue the following command:

[root@centos07b ~]# yum install firewalld firewall-config
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Package firewalld-0.3.9-7.el7.noarch already installed and latest version
Package firewall-config-0.3.9-7.el7.noarch already installed and latest version
Nothing to do

From the above we can see that the necessary items are already installed. If they were not installed, you would be prompted to install the relevant packages and any dependencies.

firewall-config - Graphical Administration tool

To start the "firewall-config" tool, you can either, press the "Super key" to enter the Activities Overview, then type firewall and then press Enter. The "firewall-config" tool should now appear. alternatively, you can open a console and run the following command as the "root" user:

# firewall-config

Accessing firewall-config from the desktop

firewall-config Graphical Administration Tool

Notice the word "Connected" in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld. Note that the "ICMP Types", "Direct Configuration", and "Lockdown Whitelist" tabs are only visible after being selected from the drop down menu "View.

Changing Firewall Settings

To make changes immediately to the firewall's current configuration, make sure that the current view is set to "Runtime". If your changes only need to be applied at the next system reboot or re-load of your firewall, then select the "Permanent" option from the drop down list.

Runtime Mode: Changes take immediate effect when you set or clear the check box associated with the service.

Permanent Mode: Your selections will only take effect when you reload the firewall or the system is re-booted.

Reloading Firewall: The firewall can be reloaded/restarted from the icon below the File menu, or by clicking the Options menu and selecting "Reload Firewall".

Working with Zones

Adding an Interface to a Zone

Interfaces can be assigned or added to a selected zone by selecting Options from the main menu bar, then selecting Change Zones of Connections from the drop down menu. A connection list is then displayed. Next select the connection to be reassigned. You should now see the Select Zone for Connection window appear. Now select the new firewall zone from the drop down menu and click OK.

Zone Selection:

firewall-config changing zones for a connection

Setting the Default Zone

To specify the default zone that a new interface will be assigned to. Select Options from the main menu bar, then select Change Default Zone from the drop down menu. The Default Zone window should now appear. Now select the zone from the list that you want to become the default zone and click on OK.

Configuring Services

To enable or disable a service (custom or pre defined), select the network zone whose services you wish to configure, then select the Services tab. You can now select the check box for each type of service you want to trust or clear the check box to block a particular service. The example below shows that the service "ssh" is currently set to trusted.

firewall-config Configuring Services

Editing a Service

To edit a service, first change the mode to Permanent from the drop down selection menu labelled "Configuration:". Additional icons and menu buttons appear at the bottom of the Services window. Now select the service you wish to configure.

firewall-config Editing a Service

Changing Ports and Protocols for a service

The Ports and Protocols tab enables you to add, remove or amend the ports and protocols for a selected service. The modules tab is for configuring Netfilter helper modules. The Destination tab enables you to limit traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).

firewall-config Working with ports and protocols

Opening Ports

Traffic is allowed to pass through a firewall only if a port has been specified as open. To open a port using the firewall-config tool, you first need to select the zone you wish to work with. Next select the ports tab and click on the Add button. The port and protocol window should now appear. It is from here that you can specify a port number or a range of ports that are to be permitted. The protocol can be selected from the drop down list.

firewall-config Specify a port and protocol

Enabling IP Masquerading

The translation of an IPv4 address to a single external address can be achieved by using the IP Masquerading tab. Here you first select the network zone whose addresses are to be translated, then select the Masquerading tab and check the box to enable the translation of the IPv4 address to a single address.

firewall-config IP Masquerading

Port Forwarding

The forwarding of inbound network traffic is configured from the Port Forwarding tab. First IP Masquerading has to be enabled, then select the Port Forwarding tab. Select the protocol for the inbound traffic and the port range of ports from the upper section of the window. To forward locally (to a port on the same system), select the local forwarding check box. Next enter the local port or range of ports for the traffic to be sent to.

To forward traffic to another address, select the "Forward to another port" check box. Next enter the IP destination address and port or port range. The default is to send to the same port if the port field is left empty. Next click OK to apply the changes.

firewall-config Port Forwarding

Configuring an ICMP Filter

To enable or disable an ICMP filter, first select the the network zone whose messages are to be filtered. Next select the ICMP Filter tab and select the check box for each type of ICMP message that is to be filtered. To disable a filter, simply remove the check box entry.

Rich Rules

Rich rules adds a rich (high level) language to firewalld, this allows the creation of complex firewall rules without the knowledge of iptables syntax. For full details relating to the syntax of "rich rules" see the following wiki: Rich Rules