A firewall is a way of monitoring and filtering network traffic. Both incoming and outgoing.
This article is for rather advanced users, who are familiar with the concept of a firewall.
CentOS 8 has a firewall software called firewalld. We will explore how it works, a way to configure and manage it.
Firewalld is a firewall solution that is built-in in different Linux distros (CentOS, RHEL, Fedora, SUSE, OpenSUSE, and more). It is a dynamically managed firewall that can set limits for different networks and interfaces. It supports IPv4, IPv6, bridge, and ipset.
What is great about it is that it has a D-Bus interface for services, applications, and users. Through its use, the changes can be performed dynamically, without the need for a restart.
You can also use a runtime environment for testing or configuration.
When you are using the runtime it actually takes effect, but it is not saved permanently.
To make the changes permanent use the following command:
It has a simple to use interface where you can define services, ports, protocols, modules, and more.
Firewalld works with predefined zones with different sets of rules. You can use the zones that already exist or add custom zones for your needs.
What are firewalld zones? They are predefined sets of rules that indicate the level of trust for the networks that you are connected to. You can manually set network interfaces and sources to a specific zone.
Here is the list of the default Firewalld zones:
• Drop – the most restrictive. It drops all the incoming connections and leaves just the outgoing ones.
• Block – Vеry similar to Drop, but here you get a message “icmp-host-prohibited” for IPv4 and “icmp6-adm-prohibited” for IPv6.
• Public – Public is untrusted, so all of the computers on the network are blocked unless you allow the connections.
• External – External is when you are using your computer as a gateway or a router. You can limit the incoming connections to only allowed by you.
• Internal – Again, your system is used as a router or gateway, but this time for internal network use. The rest of the systems are mostly trusted and again only allowed incoming connections are trusted.
• Dmz – For devices in the Demilitarized zone. Only selected incoming connections are permitted.
• Work – For work machines. Computers on the network are trusted. Again, just selected incoming traffic is allowed.
• Home – For devices at home. The level of trust is high. The allowed incoming connections are still limited to only selected ones.
• Trusted – all devices and connections are trusted.
To be able to use it, you must be a root user or a user with sudo privileges.
Firewalld should be pre-installed on your CentOS 8, but if is missing, you can install it with this command:
$ sudo dnf install firewalld
Then enable it with this command:
$ sudo systemctl enable firewalld -now
And finally check if it is working:
$ sudo firewall-cmd --state
From the beginning, the Public zone will be in use. To confirm it you can use the following command:
$ sudo firewall-cmd --get-default-zone
To see the complete list of all the zones, use this one:
$ sudo firewall-cmd --get-zones
To change to another zone, get the name of the zone you want from the previous command and use the following:
$ sudo firewall-cmd --set-default-zone=NAME OF THE NEW ZONE HERE
To check all of the active zones and network interfaces that are assigned to them use this command:
$ sudo firewall-cmd --get-active-zones
If you want to change the zone target (its default behavior for incoming traffic) you can use one of the following default, ACCEPT, REJECT, and DROP.
Let’s take a look at an example with ACCEPT:
$ sudo firewall-cmd --zone=public --set-target=ACCEPT
You can easily assign interfaces to specific zones. First, you specify the zone, in this case it will be home, then you use the modifier for changing the interface and specify the interface. Here’s an example with home zone and eth1 interface:
$ sudo firewall-cmd --zone=home --change-interface=eth1
To see all the rules and services for a specific zone (public zone in the example):
$ sudo firewall-cmd --list-all --zone=public
You can also use the following to see the services of the default zone:
$ sudo firewall-cmd --get-services
To add HTTP service use:
$ sudo firewall-cmd --zone=public --add-service=http
Opening port 80/tcp:
$ sudo firewall-cmd --zone=public --add-port=80/tcp
If you want to make it permanent, you need to add “ –permanent” after –cmd.