An introduction to using firewalld commands
What is Firewalld?
firewalld (Dynamic Firewall Manager) provides a dynamically managed firewall with support for network/firewall zones, which define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges, and keeps runtime and permanent configuration separate. It also provides an interface through which services or applications can add firewall rules directly.
firewall-config - Graphical Administration tool for firewalld
A graphical tool, firewall-config, is provided for configuring firewalld. To use it you must be running in graphical mode (the X Window System). When you start firewall-config you are immediately prompted for the root password.
The firewall-config tool has a drop-down menu labelled Configuration, which lets you switch between "Runtime" and "Permanent" mode. When Permanent mode is selected, an additional row of icons is displayed in the left-hand corner; these icons appear only in permanent configuration mode.
The firewall service provided by firewalld is dynamic rather than static. This means that changes can be made at any time and are implemented immediately. This allows for changes to be applied without any disruption to existing network connections.
firewall-cmd - Command Line Interface for firewalld
firewall-cmd is the command line interface for administering firewalld. It can make both permanent and non-permanent (runtime) changes, because the runtime configuration in firewalld is kept separate from the permanent configuration. Runtime changes take effect immediately but do not survive a reload or restart of the service; permanent changes are written to the configuration files and become active after a reload.
The "firewall-cmd" command can be run by the "root" user or another user with the relevant administration permissions.
The configuration files for firewalld can be found in the following locations:
/usr/lib/firewalld/ and /etc/firewalld/
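Because the two configurations are separate, a service opened at runtime but never saved with --permanent silently disappears at the next reload, and a service present only at runtime can also be a sign of an unexpected change. The following script is an added example (not code from the original article or from the firewalld project) that reports such runtime-only services for one zone; it assumes the "services:" line layout of firewall-cmd --list-all and uses constructed sample output.

```shell
#!/bin/sh
# Added example, not from the original article or the firewalld project.
# Compares the runtime and permanent configuration of one zone and reports
# services that are only present at runtime: those rules were never saved
# with --permanent and disappear on the next reload or restart of firewalld.
# Assumption: the "  services: ..." line layout of `firewall-cmd --list-all`.

# Print the value of one field (e.g. "services") from --list-all output ($1).
list_all_field() {
    printf '%s\n' "$1" |
    awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Print each word of the space-separated set $1 that is absent from set $2.
set_minus() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# Services listed in the runtime output ($1) but not in the permanent output ($2).
runtime_only_services() {
    set_minus "$(list_all_field "$1" services)" "$(list_all_field "$2" services)"
}

# Constructed sample output in the layout firewall-cmd prints; not captured from a real host.
RUNTIME_SAMPLE='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no'
PERMANENT_SAMPLE='public (default)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no'

# On a live host replace the samples with the real output, for example:
#   RUNTIME_SAMPLE=$(firewall-cmd --zone=public --list-all)
#   PERMANENT_SAMPLE=$(firewall-cmd --permanent --zone=public --list-all)
runtime_only_services "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
```

With the sample data the script prints only "http", the service that was added at runtime but never made permanent.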
Differences between firewalld and iptables
The main differences between firewalld and the iptables service are:
The iptables service stores its configuration files in /etc/sysconfig/iptables whereas firewalld stores its configurations in various XML files.
The path /etc/sysconfig/iptables no longer exists on new installations of RHEL 7, as firewalld is installed by default. Systems that have been upgraded from version 6.x will still have this path. As mentioned earlier, firewalld can make dynamic changes without disruption, whereas with iptables every rule change requires flushing the old rules and then re-reading the new rules from the file /etc/sysconfig/iptables.
Both of the above still use the iptables tool to talk to the kernel packet filter.
Below depicts how changes are made between the different models:
system-config-firewall >> iptables service >> iptables command >> kernel netfilter
firewall-config >> firewalld >> iptables command >> kernel netfilter
firewall-cmd >> iptables (command) >> kernel netfilter
Network Zones and firewalld
Under firewalld, zones are used to separate networks based on their level of trust. NetworkManager informs firewalld which zone an interface belongs to.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface.
Below is a list of the zones and a brief description:
drop
Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an "icmp-host-prohibited" message for IPv4 and an "icmp6-adm-prohibited" message for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz - demilitarized zone
For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to the NetworkManager, they are assigned to the "default zone". On installation, the "default zone" in firewalld is set to be the public zone.
A service is defined as a list of local ports/destinations together with a list of firewall helper modules that are loaded automatically when the service is enabled. Predefined services make it easier for an administrator to enable and disable access to a given service.
From the above image, you can see the predefined services under the Services tab.
To list predefined services using the command line, issue the following command as the root user:
[root@rhel07a /]# ls /usr/lib/firewalld/services/
amanda-client.xml ipp-client.xml mysql.xml rpc-bind.xml
bacula-client.xml ipp.xml nfs.xml samba-client.xml
bacula.xml ipsec.xml ntp.xml samba.xml
dhcpv6-client.xml kerberos.xml openvpn.xml smtp.xml
dhcpv6.xml kpasswd.xml pmcd.xml ssh.xml
dhcp.xml ldaps.xml pmproxy.xml telnet.xml
dns.xml ldap.xml pmwebapis.xml tftp-client.xml
ftp.xml libvirt-tls.xml pmwebapi.xml tftp.xml
high-availability.xml libvirt.xml pop3s.xml transmission-client.xml
https.xml mdns.xml postgresql.xml vnc-server.xml
http.xml mountd.xml proxy-dhcp.xml wbem-https.xml
imaps.xml ms-wbt.xml radius.xml
You should never attempt to edit the above files manually.
To list system or user-created services, list the contents of /etc/firewalld/services/ in the same way, as the root user.
Services can be added and removed using the graphical firewall-config tool or by manually editing the XML files in /etc/firewalld/services/.
If a service has been added or modified by an administrator, the corresponding XML file will be found in /etc/firewalld/services/; the unmodified predefined services stay in /usr/lib/firewalld/services/.
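Before enabling a predefined service it is worth knowing exactly which ports and helper modules its XML definition opens. The following script is an added example (not code from the original article or the firewalld project) that extracts that information from a service definition; the element names it relies on (<short>, <port protocol= port=/>, <module name=/>) are the layout of the files in /usr/lib/firewalld/services/, and the sample definition is constructed, not copied from a real file.

```shell
#!/bin/sh
# Added example, not from the original article or the firewalld project.
# Reads a firewalld service definition and prints what enabling it would open:
# the short name, every port/protocol pair and any kernel helper module.
# The element names (<short>, <port protocol= port=/>, <module name=/>) are the
# layout of the files in /usr/lib/firewalld/services/; the sample is constructed.

# Short name from <short>...</short> in the XML text $1.
service_short() {
    printf '%s\n' "$1" | sed -n 's/.*<short>\(.*\)<\/short>.*/\1/p'
}

# One "protocol/port" line per <port .../> element, whatever the attribute order.
service_ports() {
    printf '%s\n' "$1" | grep -o '<port [^>]*/>' | while IFS= read -r el; do
        proto=$(printf '%s' "$el" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s' "$el" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$proto" "$port"
    done
}

# Helper modules that firewalld loads when the service is enabled.
service_modules() {
    printf '%s\n' "$1" | grep -o '<module [^>]*/>' |
    sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Constructed sample modelled on a samba-style definition (not a copy of samba.xml).
SAMPLE_SERVICE='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba</short>
  <description>Constructed sample service definition.</description>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port port="445" protocol="tcp"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>'

echo "service:  $(service_short "$SAMPLE_SERVICE")"
echo "ports:    $(service_ports "$SAMPLE_SERVICE" | paste -sd ' ' -)"
echo "modules:  $(service_modules "$SAMPLE_SERVICE" | paste -sd ' ' -)"
# On a live host: service_ports "$(cat /usr/lib/firewalld/services/ssh.xml)"
```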
Is firewalld already installed?
To check whether firewalld is already installed on your system (RHEL-based distributions), simply issue the following command:
yum install firewalld
[root@centos07b ~]# yum install firewalld firewall-config
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: centos.serverspace.co.uk
 * epel: mirror.i3d.net
 * extras: centos.serverspace.co.uk
 * updates: centos.serverspace.co.uk
Package firewalld-0.3.9-7.el7.noarch already installed and latest version
Package firewall-config-0.3.9-7.el7.noarch already installed and latest version
Nothing to do
If firewalld is already installed, you will see output similar to the above (the repositories will differ depending on which OS you are using). Notice that we also added firewall-config to the command, which let us check at the same time that the configuration tool was installed.
If the above were not installed, you would then be prompted to install the relevant packages and any dependencies.
Checking the status of firewalld
You can use the following command to check the status of firewalld: systemctl status firewalld.service
[root@centos07b ~]# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Fri 2014-10-10 14:15:44 BST; 8min ago
 Main PID: 618 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─618 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 10 14:15:44 centos07b systemd: Started firewalld - dynamic firewall ...n.
Hint: Some lines were ellipsized, use -l to show in full.
You can also check that firewalld is running by issuing the firewall-cmd command as follows: firewall-cmd --state
[root@centos07b ~]# firewall-cmd --state
running
Enabling firewalld to automatically start at reboot
If you have manually installed firewalld using the above "yum" command, then you will probably need to configure firewalld to start automatically at system boot. This can be achieved by issuing the following command: systemctl enable firewalld.service
[root@centos07b ~]# systemctl enable firewalld.service
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
To confirm that the service is enabled, you can issue the following command: systemctl list-unit-files | grep firewalld
[root@centos07b ~]# systemctl list-unit-files | grep firewalld
firewalld.service enabled
Disabling and stopping firewalld
If you need to disable/stop firewalld, this can be achieved by issuing the following commands as the root user:
[root@centos07b ~]# systemctl stop firewalld.service
[root@centos07b ~]# systemctl disable firewalld.service
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
Manually starting firewalld
To manually start firewalld, issue the following command as the root user:
[root@centos07b ~]# systemctl start firewalld.service
Remember to enable the service for automatic starting at system reboot: systemctl enable firewalld.service