How to configure and manage the firewall on CentOS 8How to configure and manage the firewall on CentOS 8

A firewall is a way of monitoring and filtering network traffic. Both incoming and outgoing.

This article is for rather advanced users, who are familiar with the concept of a firewall.

CentOS 8 has a firewall software called firewalld. We will explore how it works, a way to configure and manage it.

Firewalld

Firewalld is a firewall solution that is built-in in different Linux distros (CentOS, RHEL, Fedora, SUSE, OpenSUSE, and more). It is a dynamically managed firewall that can set limits for different networks and interfaces. It supports IPv4, IPv6, bridge, and ipset.
What is great about it is that it has a D-Bus interface for services, applications, and users. Through its use, the changes can be performed dynamically, without the need for a restart.

You can also use a runtime environment for testing or configuration.
When you are using the runtime it actually takes effect, but it is not saved permanently.

To make the changes permanent use the following command:

firewall-cmd --runtime-to-permanent

It has a simple to use interface where you can define services, ports, protocols, modules, and more.

Firewalld works with predefined zones with different sets of rules. You can use the zones that already exist or add custom zones for your needs.

Firewalld zones

What are firewalld zones? They are predefined sets of rules that indicate the level of trust for the networks that you are connected to. You can manually set network interfaces and sources to a specific zone.

Here is the list of the default Firewalld zones:
• Drop – the most restrictive. It drops all the incoming connections and leaves just the outgoing ones.
• Block – Vеry similar to Drop, but here you get a message “icmp-host-prohibited” for IPv4 and “icmp6-adm-prohibited” for IPv6.
• Public – Public is untrusted, so all of the computers on the network are blocked unless you allow the connections.
• External – External is when you are using your computer as a gateway or a router. You can limit the incoming connections to only allowed by you.
• Internal – Again, your system is used as a router or gateway, but this time for internal network use. The rest of the systems are mostly trusted and again only allowed incoming connections are trusted.
• Dmz – For devices in the Demilitarized zone. Only selected incoming connections are permitted.
• Work – For work machines. Computers on the network are trusted. Again, just selected incoming traffic is allowed.
• Home – For devices at home. The level of trust is high. The allowed incoming connections are still limited to only selected ones.
• Trusted – all devices and connections are trusted.

How to enable Firewalld?

To be able to use it, you must be a root user or a user with sudo privileges.

Firewalld should be pre-installed on your CentOS 8, but if is missing, you can install it with this command:

$ sudo dnf install firewalld

Then enable it with this command:

$ sudo systemctl enable firewalld -now

And finally check if it is working:

$ sudo firewall-cmd --state

Configure and manage the firewall on CentOS 8

From the beginning, the Public zone will be in use. To confirm it you can use the following command:

$ sudo firewall-cmd --get-default-zone

To see the complete list of all the zones, use this one:

$ sudo firewall-cmd --get-zones

To change to another zone, get the name of the zone you want from the previous command and use the following:

$ sudo firewall-cmd --set-default-zone=NAME OF THE NEW ZONE HERE

To check all of the active zones and network interfaces that are assigned to them use this command:

$ sudo firewall-cmd --get-active-zones

If you want to change the zone target (its default behavior for incoming traffic) you can use one of the following default, ACCEPT, REJECT, and DROP.

Let’s take a look at an example with ACCEPT:

$ sudo firewall-cmd --zone=public --set-target=ACCEPT

You can easily assign interfaces to specific zones. First, you specify the zone, in this case it will be home, then you use the modifier for changing the interface and specify the interface. Here’s an example with home zone and eth1 interface:

$ sudo firewall-cmd --zone=home --change-interface=eth1

To see all the rules and services for a specific zone (public zone in the example):

$ sudo firewall-cmd --list-all --zone=public

You can also use the following to see the services of the default zone:

$ sudo firewall-cmd --get-services

To add HTTP service use:

$ sudo firewall-cmd --zone=public --add-service=http

Opening port 80/tcp:

$ sudo firewall-cmd --zone=public --add-port=80/tcp

If you want to make it permanent, you need to add “ –permanent” after –cmd.