Common firewall operation examples:
Status: # systemctl status firewalld or firewall-cmd --state
Start: # systemctl start firewalld
Stop: # systemctl stop firewalld
Enable: # systemctl enable firewalld
Disable: # systemctl disable firewalld
#View current zones
# firewall-cmd --get-active-zones
#Show currently open ports
# firewall-cmd --zone=public --list-ports
#Add ports to the permanent zone
# firewall-cmd --permanent --zone=public --add-port=61080/tcp --add-port=61446/tcp
#Add a service to the permanent zone
# firewall-cmd --permanent --zone=public --add-service=samba
#Reload the configuration; after adding to the permanent zone, you must reload the configuration for it to take effect
# firewall-cmd --reload
#Show currently open ports
# firewall-cmd --zone=public --list-ports
#Show currently open services
# firewall-cmd --zone=public --list-services
# firewalld enable vrrp:
#Rich rules: reject SSH (port 22) from the 192.168.100.0/24 subnet, then accept all traffic from two specific hosts.
#Note: without a priority= field, firewalld orders rich rules by action (log, then reject/drop, then accept),
#so the two accept rules do not override the port-22 reject for hosts inside 192.168.100.0/24.
firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.100.0/24 port port="22" protocol="tcp" reject'
firewall-cmd --zone=public --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.100.237/32 accept'
firewall-cmd --zone=public --permanent --add-rich-rule 'rule family=ipv4 source address=192.168.100.238/32 accept'
firewall-cmd --reload
firewall-cmd --zone=public --list-rich-rules
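The commands above depend on the runtime/permanent split: a rule added without --permanent vanishes at the next --reload, and a rule added with --permanent is not enforced until that reload. The following POSIX shell helper is an added example (not code from the original page): it compares the two lists for a zone and reports each difference; fw_drift and fw_drift_zone are names chosen here, and the list contents in the comments are constructed.

```shell
#!/bin/sh
# Added example: report drift between a zone's runtime configuration and its
# permanent configuration. "runtime-only" items disappear on --reload;
# "permanent-only" items are not enforced until --reload.

# fw_drift RUNTIME PERMANENT
#   Each argument is a newline-separated list (ports, services or rich rules as
#   printed by firewall-cmd --list-*). Prints one line per difference, nothing
#   when the two lists hold the same items.
fw_drift() {
    runtime=$1
    permanent=$2
    printf '%s\n' "$runtime" | while IFS= read -r item; do
        [ -n "$item" ] || continue
        printf '%s\n' "$permanent" | grep -Fxq -- "$item" \
            || printf 'runtime-only %s (lost on --reload)\n' "$item"
    done
    printf '%s\n' "$permanent" | while IFS= read -r item; do
        [ -n "$item" ] || continue
        printf '%s\n' "$runtime" | grep -Fxq -- "$item" \
            || printf 'permanent-only %s (inactive until --reload)\n' "$item"
    done
}

# fw_drift_zone [ZONE]: query a live host (needs firewalld and root).
# --list-ports / --list-services print one space-separated line, so they are
# split with tr; --list-rich-rules already prints one rule per line.
# Exit status 0 means runtime and permanent configuration match.
fw_drift_zone() {
    zone=${1:-public}
    out=$(
        for kind in ports services; do
            fw_drift "$(firewall-cmd --zone="$zone" --list-$kind | tr ' ' '\n')" \
                     "$(firewall-cmd --permanent --zone="$zone" --list-$kind | tr ' ' '\n')"
        done
        fw_drift "$(firewall-cmd --zone="$zone" --list-rich-rules)" \
                 "$(firewall-cmd --permanent --zone="$zone" --list-rich-rules)"
    )
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run fw_drift_zone public on the host after the commands above; a non-zero exit means someone added a rule on only one side, which is exactly the state the reload step is meant to close.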
------------------------------------
Brief introduction to using firewalld in CentOS 7
1. Introduction to firewalld
firewalld is a major feature of CentOS 7, with two major advantages: it supports dynamic updates, so the service does not need to be restarted, and it introduces the firewall "zone" concept
firewalld has both a graphical interface and a tool-based interface. Since I use it on a server, please refer to the official documentation for the graphical interface; this article introduces the command-line interface
The command-line management tool for firewalld is firewall-cmd
firewalld has two default configuration file locations: /usr/lib/firewalld/ (system configuration, try not to modify it) and /etc/firewalld/ (user configuration location)
The zone concept: hardware firewalls generally have three default zones. firewalld introduces this concept, and the system includes the following zones by default (this is my own understanding based on the documentation; please correct me if I’m wrong):
drop: drops all packets by default
block: rejects all external connections, allows internally initiated connections
public: allows specified external connections to enter
external: I’m not very clear on this one; functionally it seems the same as above, allowing specified external connections
dmz: like a hardware firewall, restricted public connections are allowed in
work: work zone, conceptually similar to a workgroup, also allows specified external connections
home: similar to a home group
internal: trusts all connections
2. Install firewalld
Run as root: # yum install firewalld firewall-config
3. Start, stop, and disable firewalld
Check status: # systemctl status firewalld or firewall-cmd --state
Start: # systemctl start firewalld
Stop: # systemctl stop firewalld
Enable: # systemctl enable firewalld
Disable: # systemctl disable firewalld
4. Configure firewalld
Check version: $ firewall-cmd --version
View help: $ firewall-cmd --help
View settings:
Show status: $ firewall-cmd --state
View zone information: $ firewall-cmd --get-active-zones
View the zone for the specified interface: $ firewall-cmd --get-zone-of-interface=eth0
Reject all packets: # firewall-cmd --panic-on
Cancel reject mode: # firewall-cmd --panic-off
Check whether reject mode is active: $ firewall-cmd --query-panic
Update firewall rules: # firewall-cmd --reload
# firewall-cmd --complete-reload
The difference between the two is that the first does not disconnect existing connections; this is one of firewalld's features, adding rules dynamically. The second drops existing connections, similar to restarting the service.
Add an interface to a zone; by default, all interfaces are in public
# firewall-cmd --zone=public --add-interface=eth0
To make it take effect permanently, add --permanent and then reload the firewall
Set the default interface zone
# firewall-cmd --set-default-zone=public
Takes effect immediately without requiring a restart
Open a port (this seems to be the most commonly used one)
View all open ports:
# firewall-cmd --zone=dmz --list-ports
Add a port to a zone:
# firewall-cmd --zone=dmz --add-port=8080/tcp
To make it take effect permanently, use the same method as above (add --permanent and reload)
Open a service, similar to opening ports. The service must be defined in a configuration file; the service definitions live in the services folder under /etc/firewalld
# firewall-cmd --zone=work --add-service=smtp
Remove a service
# firewall-cmd --zone=work --remove-service=smtp