Introduction to FirewallD on CentOS
FirewallD, the Dynamic Firewall Manager, is the host firewall that is installed and enabled by default on CentOS 7 servers. It is a front end rather than a filter in its own right: it translates its configuration into rules for the kernel's netfilter framework, which on CentOS 7 it programs through the iptables, ip6tables and ebtables commands. Compared with the iptables service used on earlier releases, FirewallD has two distinguishing features. It is configured in terms of zones and services instead of the raw chains and rules of the older tooling (Pelz & Hobson, 2016), and it manages its ruleset dynamically, so individual rules can be added or removed without reloading the whole ruleset and breaking established sessions and connections. CentOS 7 still ships the iptables service alongside FirewallD, but FirewallD is the recommended interface, since the iptables service is expected to be deprecated.
How to Configure FirewallD in CentOS
Apart from a few daemon settings, FirewallD is configured entirely through XML files. The configuration files live in two directories:
/usr/lib/firewalld
This directory holds the packaged defaults: the predefined zones and the common service definitions.
Do not edit files in this directory. They are overwritten every time the firewalld package is updated, so any local change made here is lost.
/etc/firewalld
This directory holds the system-specific configuration. A file here with the same name as one in /usr/lib/firewalld overrides the packaged default, so local changes and custom definitions belong in /etc/firewalld.
Below is the process of installing and managing FirewallD on CentOS
FirewallD is installed and enabled on a default CentOS 7 installation, but some minimal and cloud images leave it out or inactive. Installing it, if needed, and controlling it work the same way as for any other systemd unit.
# yum install firewalld -y
After installation, check whether the legacy iptables service is running. If it is, stop and mask it, since the two services must not manage the ruleset at the same time (masking prevents the unit from being started again, by hand or as a dependency of another unit):
# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables
Next, start FirewallD and enable it so that it comes up at boot:
# systemctl start firewalld
# systemctl enable firewalld
List all the zones FirewallD knows about:
# firewall-cmd --get-zones
Stop and disable the FirewallD service (for example before switching back to the iptables service; note that the host is unfiltered until one of the two is running again):
# systemctl stop firewalld
# systemctl disable firewalld
Check the FirewallD service status:
# systemctl status firewalld
Finally, reload the FirewallD configuration. This re-reads the permanent configuration from /etc/firewalld and discards any runtime-only changes, without dropping established connections:
# firewall-cmd --reload
(Rackspace, 2016).
FirewallD vs. Iptables
FirewallD provides a dynamically managed firewall for CentOS with support for network (firewall) zones, which define the trust level of a network interface or connection. Iptables, on the other hand, is a user-space program for configuring the packet-filtering tables and chains provided by the Linux kernel, so that rules can be added or removed to meet a given security requirement. Both tools require root privileges, so the firewall is configured only by system administrators or other privileged staff (Petersen, 2016).
In both cases the actual filtering is done by the netfilter framework in the Linux kernel; iptables, and FirewallD through it, only program that framework.
In CentOS, FirewallD and the iptables service serve the same purpose, packet filtering, but they cannot be used at the same time on one host, because each expects to own the ruleset. One of them must be turned off while the other is running.
Like most Linux distributions, CentOS 7 uses the netfilter framework inside the kernel to get access to packets as they flow through the network stack. Netfilter provides the hooks through which packets are inspected and manipulated, and that is what a firewall is built on.
Comparing FirewallD and Iptables
One observable difference is that FirewallD itself uses the iptables command to program the kernel, whereas the iptables service (the unit that loads a saved ruleset at boot) is not installed by default on CentOS 7. Choosing FirewallD over the iptables service brings two main differences. First, FirewallD works with zones and services rather than bare chains and rules. Second, FirewallD manages its ruleset dynamically, so rules can be changed without breaking existing sessions and connections. FirewallD also stores its configuration as XML. Some find that easier to generate programmatically, but the same can be achieved with iptables by a different route, such as a script or a saved rules file rather than XML (Ellingwood, 2015).
Advantages of FirewallD over Iptables
FirewallD is the default tool for managing the host-based firewall in CentOS 7. Earlier releases of CentOS used the iptables service, which still exists in CentOS 7 but is no longer the recommended way to manage the firewall. FirewallD has several advantages over it. For instance, the old approach needs three separate services, one each for IPv4 (iptables), IPv6 (ip6tables) and software bridging (ebtables), whereas FirewallD handles all three through a single service.
Another key advantage is that FirewallD exposes a D-Bus interface, through which rules, ports and services can be added to or removed from the running firewall without restarting it, so changes do not interrupt existing connections. The iptables service has no equivalent: changing its configuration means reloading the whole ruleset. For day-to-day firewall management FirewallD is therefore the more efficient and convenient tool.
The Rules of FirewallD
FirewallD keeps two configurations: the runtime configuration, which the running firewall enforces, and the permanent configuration stored under /etc/firewalld. A firewall-cmd change is runtime-only by default: it takes effect immediately but is lost at the next reload or reboot. Adding --permanent writes the change to the permanent configuration instead, where it takes effect after firewall-cmd --reload or the next restart. Trying a rule at runtime first and repeating it with --permanent once it is known to work is a safe way to avoid locking yourself out of a remote host with a bad rule.
Working with the rules normally proceeds in three steps:
Exploring the defaults
Exploring the alternative zones
Adjusting the default zone
The Commands Involved in FirewallD
FirewallD is driven from the command line with firewall-cmd, together with systemctl for the service itself. The commands below cover the common tasks. Unless --permanent is given, the rules they add are runtime-only and are reverted at the next reboot.
Commands used for starting the firewall and enabling it at boot
$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld
These two commands are needed only if the firewall is not already running and enabled. Whether it is running can be checked with the --state argument:
$ sudo firewall-cmd --state
Commands used for finding out about zones
$ sudo firewall-cmd --get-default-zone
This command shows which zone is the default, that is, the zone applied to every interface that is not explicitly bound to another zone.
$ sudo firewall-cmd --get-active-zones
This command lists the zones that currently have interfaces or sources bound to them.
The rules in force for a specific zone, here the public zone, are shown with --list-all:
$ sudo firewall-cmd --list-all --zone=public
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client http https ssh
  ports: 1025/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
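Once zone listings like the one above have been collected from a number of hosts, it is worth checking them mechanically rather than by eye. The following Python example is added here and is not part of the cited tutorials: it parses the text format that firewall-cmd --list-all prints (the two samples are constructed, one from the listing above and one for an assumed internal zone with a rich rule) and flags services outside a caller-supplied allow-list, ports opened without a named service, and masquerading. The allow-list and the wording of the findings are the example's own choices.

```python
"""Parse `firewall-cmd --list-all --zone=<zone>` output and flag exposure worth
reviewing. Added example; the samples are constructed, not captured output."""
import re

# Constructed sample: the public-zone listing shown above, one field per line
# as firewall-cmd prints it.
SAMPLE_PUBLIC = """\
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client http https ssh
  ports: 1025/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""

# Constructed second sample with a rich rule, which firewall-cmd prints as an
# indented continuation line under "rich rules:".
SAMPLE_INTERNAL = """\
internal (active)
  interfaces: eth1
  sources: 10.0.0.0/8
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.1.2.3" reject
"""


def parse_list_all(text):
    """Return a dict with the zone name, the header flags, and one list per field."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = re.match(r"(\S+)(?:\s+\((.*)\))?\s*$", lines[0].strip())
    if header is None:
        raise ValueError("unrecognised zone header")
    zone = {
        "zone": header.group(1),
        "flags": [f.strip() for f in (header.group(2) or "").split(",") if f.strip()],
    }
    last_key = None
    for line in lines[1:]:
        stripped = line.strip()
        if last_key == "rich rules" and stripped.startswith("rule "):
            zone[last_key].append(stripped)  # keep each rich rule intact, spaces and all
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError(f"unexpected line: {stripped!r}")
        last_key = key.strip()
        zone[last_key] = value.split()
    return zone


def audit_zone(zone, allowed_services):
    """Findings a reviewer would raise for a zone: services outside the allow-list,
    ports opened without a named service, and NAT (masquerade) enabled."""
    findings = []
    for svc in zone.get("services", []):
        if svc not in allowed_services:
            findings.append(f"service {svc} is not on the allow-list for zone {zone['zone']}")
    for port in zone.get("ports", []):
        findings.append(f"port {port} is opened directly rather than through a named service")
    if zone.get("masquerade") == ["yes"]:
        findings.append(f"masquerade (NAT) is enabled in zone {zone['zone']}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PUBLIC, SAMPLE_INTERNAL):
        parsed = parse_list_all(sample)
        print(parsed["zone"], parsed["flags"])
        for finding in audit_zone(parsed, {"ssh", "dhcpv6-client", "http", "https"}):
            print("  -", finding)
```

In practice the input comes from `firewall-cmd --list-all --zone=<zone>` run on each host; the parser keeps rich rules as whole strings because they contain spaces and would otherwise be split into meaningless tokens.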
Commands used for setting up zones
An interface is moved into another zone with --change-interface. Without --permanent the binding is runtime-only: when the firewall is restarted, the interface reverts to the default zone. Here eth1 is moved into the internal zone:
$ sudo firewall-cmd --zone=internal --change-interface=eth1
Commands used for defining a service
A service that FirewallD does not ship can be defined by placing an XML file in /etc/firewalld/services/. The quickest way is to copy an existing definition from the packaged defaults and edit it; copying into /etc/firewalld rather than /usr/lib/firewalld keeps the file safe from package updates:
$ sudo cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/myservice.xml
$ sudo vim /etc/firewalld/services/myservice.xml
After editing, run firewall-cmd --reload so that the new service name can be used in zone rules (Rackspace, 2016).
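The reason for placing the file under /etc/firewalld rather than /usr/lib/firewalld is the lookup order between the two directories. The Python example below is added here and is neither the page's nor firewalld's own code: it writes service files in the format firewalld uses (a service element with short, description and port children), reads the ports back, and reproduces the lookup order with two stand-in directories under a temporary path. The service names, ports and descriptions are constructed.

```python
"""Write a custom FirewallD service definition and show the lookup order between
/etc/firewalld and /usr/lib/firewalld. Added example; the two directories are
stand-ins created under a temporary path, not the real system paths."""
import os
import tempfile
import xml.etree.ElementTree as ET


def write_service(directory, name, short, description, ports):
    """Write <directory>/<name>.xml in FirewallD's service format.

    ports is a list of (port, protocol) pairs, e.g. [(8443, "tcp")].
    """
    for port, proto in ports:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port {port} out of range")
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for port, proto in ports:
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    path = os.path.join(directory, f"{name}.xml")
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
    return path


def service_ports(path):
    """Read back the (port, protocol) pairs a service file opens."""
    root = ET.parse(path).getroot()
    if root.tag != "service":
        raise ValueError(f"{path} is not a service definition")
    return [(int(p.get("port")), p.get("protocol")) for p in root.findall("port")]


def resolve_service(name, etc_dir, lib_dir):
    """Return the file FirewallD would load for a service name: the copy under
    /etc/firewalld wins; the packaged default under /usr/lib/firewalld is the fallback."""
    for directory in (etc_dir, lib_dir):
        candidate = os.path.join(directory, f"{name}.xml")
        if os.path.isfile(candidate):
            return candidate
    raise FileNotFoundError(f"no service definition named {name}")


def demo():
    """Stand-in directories (constructed, not the real paths) showing the precedence."""
    base = tempfile.mkdtemp(prefix="firewalld-demo-")
    lib_dir = os.path.join(base, "usr", "lib", "firewalld", "services")
    etc_dir = os.path.join(base, "etc", "firewalld", "services")
    os.makedirs(lib_dir)
    os.makedirs(etc_dir)

    # Packaged default, as shipped in /usr/lib/firewalld/services/http.xml.
    write_service(lib_dir, "http", "WWW (HTTP)", "packaged default", [(80, "tcp")])
    # Custom service, placed under /etc so package updates cannot overwrite it.
    write_service(etc_dir, "myservice", "My service", "custom application",
                  [(8443, "tcp"), (5000, "udp")])

    before = service_ports(resolve_service("http", etc_dir, lib_dir))
    # A same-named file under /etc masks the packaged default.
    write_service(etc_dir, "http", "WWW (HTTP)", "local override", [(8080, "tcp")])
    after = service_ports(resolve_service("http", etc_dir, lib_dir))

    return {
        "http_before_override": before,
        "http_after_override": after,
        "myservice": service_ports(resolve_service("myservice", etc_dir, lib_dir)),
        "etc_dir": etc_dir,
        "lib_dir": lib_dir,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same precedence applies to zone files and to every other file type under the two trees, which is why a package update can silently undo an edit made in /usr/lib/firewalld but never one made in /etc/firewalld.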
The Security Concepts for Firewall D
Like other firewalls used on CentOS, FirewallD is built on three basic security concepts: zones, services and ports.
Zone
A FirewallD zone defines the trust level of the interface or source address from which a connection arrives. FirewallD ships several predefined zones, ranging from drop, where all incoming traffic is silently discarded, to trusted, where everything is accepted. To simplify management, every incoming packet is assigned to exactly one zone, based on its source address and the interface it arrived on. When a packet arrives, FirewallD first checks whether its source address is bound to a zone; if it is, that zone's rules filter the packet. Otherwise the packet is handled by the zone of the interface it came in on. Because sources as well as interfaces can be bound, several zones can be defined and active at once even on a system with a single network interface (NIC).
The default zone is public: any interface that is not explicitly bound to a zone falls into it. Any other zone can be made the default instead.
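The selection order just described (source binding, then interface binding, then the default zone) and what each zone then does with a packet can be made concrete with a short simulation. The Python example below is added here and is not firewalld code: the zone table is constructed, the ACCEPT and DROP targets follow the built-in trusted and drop zones, and choosing the most specific prefix when two source bindings overlap is an assumption of the example.

```python
"""Simulate how FirewallD picks a zone for an incoming packet and what that zone
does with it. Added example, not firewalld code; the bindings are constructed."""
import ipaddress

# Constructed bindings, as `firewall-cmd --get-active-zones` might report them.
# "target" mirrors the zone's built-in target: public and internal reject
# whatever is not explicitly allowed ("default"), trusted accepts everything,
# drop discards everything without a reply.
ZONES = {
    "public":   {"interfaces": {"eth0"}, "sources": set(),
                 "services": {"ssh", "dhcpv6-client"}, "target": "default"},
    "internal": {"interfaces": {"eth1"}, "sources": set(),
                 "services": {"ssh", "mdns", "samba-client"}, "target": "default"},
    "trusted":  {"interfaces": set(), "sources": {"10.10.0.0/16"},
                 "services": set(), "target": "ACCEPT"},
    "drop":     {"interfaces": set(), "sources": {"203.0.113.0/24"},
                 "services": set(), "target": "DROP"},
}
DEFAULT_ZONE = "public"


def zone_for(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Source bindings are checked first (most specific prefix wins, an assumption
    for overlapping sources), then the arriving interface, then the default zone."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for name, zone in zones.items():
        for cidr in zone["sources"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == ip.version and ip in net:
                if best is None or net.prefixlen > best[1]:
                    best = (name, net.prefixlen)
    if best is not None:
        return best[0]
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    return default


def decide(src_ip, iface, service, zones=ZONES, default=DEFAULT_ZONE):
    """Return (zone, verdict) for a packet addressed to the named service,
    where verdict is "accept", "reject" or "drop"."""
    name = zone_for(src_ip, iface, zones, default)
    zone = zones[name]
    if zone["target"] == "DROP":
        return name, "drop"
    if zone["target"] == "ACCEPT" or service in zone["services"]:
        return name, "accept"
    return name, "reject"


if __name__ == "__main__":
    # Constructed packets: the trusted source wins over eth0's public binding,
    # an unbound interface falls through to the default zone.
    for packet in [("10.10.5.7", "eth0", "http"), ("192.0.2.9", "eth0", "http"),
                   ("192.0.2.9", "eth0", "ssh"), ("203.0.113.8", "eth1", "ssh"),
                   ("198.51.100.2", "eth9", "ssh")]:
        print(packet, "->", decide(*packet))
```

The practical consequence is that binding a source to a permissive zone such as trusted overrides the zone of whatever interface the traffic arrives on, so source bindings deserve the same review as interface bindings.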
Services
Services are the second key concept in FirewallD. The most convenient way to manage firewall rules is through services in zone files: a service is a predefined rule for a well-known network service, which can be enabled in a zone by name instead of by port number. The default zone files already use a number of common services, including SSH, DHCPv6, IPP-client, Samba-client and Multicast DNS (mDNS).
Like zones, services have their own configuration files. A service file defines the TCP or UDP ports that are opened for the service and, where required, the kernel module (such as a connection-tracking helper) that must be loaded for it.
Port
Ports are the third concept: a port is either open or closed, and FirewallD lets the user manage ports directly, without reference to a service. A port can therefore be opened or closed in the firewall even when the matching service is not installed on the system. For example, port 22, which is associated with the SSH service, can be opened or closed even if SSH is not installed. Opening a bare port is convenient for testing, but it leaves no record of what the port is for, so a named service definition is preferable in the permanent configuration.
References
Ellingwood, J. (2015, June 18). How to set up a firewall using FirewallD on CentOS 7. DigitalOcean. Retrieved from https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
Pelz, O., & Hobson, J. (2016). CentOS 7 Linux server cookbook: Over 80 recipes to get up and running with CentOS 7 Linux server. Birmingham, UK: Packt Publishing.
Petersen, R. (2016). Firewalls. In Fedora Linux servers with systemd (2nd ed.). Surfing Turtle Press.
Rackspace. (2016, October 1). Using Firewalld on CentOS 7 (and Fedora). Rackspace Community, Public Cloud Forum. Retrieved from https://community.rackspace.com/products/f/25/t/7928