Blog Post
How to Properly Set Up and Manage FirewallD on CentOS 7
Tutorials

How to Properly Set Up and Manage FirewallD on CentOS 7

We live in a day and age when people are becoming increasingly worried about their online privacy and security. And with a good reason for the most part. That is precisely why securing your system with a solid firewall has never been more important. If you’re on CentOS 7, there are a number of good firewall solutions that can help you with this essential task, however, very few are as reliable as FirewallID.

This complete firewall management tool works hand in hand with the iptables provided by the Linux kernel and comes pre-installed with CentOS 7. But while you don’t have to install the utility, you do have to set it up. With that in mind, in this article, we’re going to guide you through the process of setting up and managing a firewall with FirewallD while also trying to make things as easy to understand as possible.

Basic Concepts You Need to Know When Using FirewallD

Before we dive into the nitty-gritty of things let’s first go over some basic FirewallD concepts. Most importantly, there are two concepts you should always keep in mind – zones and services. These are used to control the traffic that is allowed through the firewall and the traffic that isn’t. Managing and configuring FirewallD itself can be done with the use of the firewall – cmd command.

FirewallD Zones

Zones can simply be described as sets of rules used to dictate the flow of traffic based on the level of trust assigned to the networks you are connected to. Users can manually assign zones to each network interface connected to their system. Doing so will help the firewall decide what behavior should be considered safe or suspicious when interacting with these networks.

This type of feature can come in handy when working with any computer but it’s particularly useful in the case of laptops. A lot of laptop owners often carry their systems with them wherever they go in order to access public Wi-Fi networks on the fly. FirewallD can be configured to have more strict behavior when connected to these types of networks and be more lenient when it’s interacting with your home network.

Setting up different zones for various types of networks is pretty straightforward in FirewallD. The tool comes with a number of predefined zones in order to make things easier for users. These zones are ranked according to the trust level. The order, from least trusted to most trusted, is as follows:

  • Drop: This is the absolute lowest level of trust. FirewallD only allows outgoing connections and all incoming ones are automatically dropped without reply.
  • Block: A step above Drop but still similar in the sense that Block also drops all incoming connections. The difference is that this predefined zone does send a reply when dropping connections. Namely, an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6.
  • Public: Just as its name indicates, this connection should be used whenever you’re in an untrusted public area. Your computer does not trust other networks but you are still allowed to manually select the incoming connections that you know are trustworthy.
  • External: This zone enables NAT masquerading whenever your firewall acts as your gateway. You can manually select to allow incoming connections to reach your system but your internal network will remain private.
  • Internal: Similar to the External zone in the sense that you can selectively allow incoming connections through FirewallD and should be used when you are using your system as a gateway. However, with Internal enabled, other computers on your network are generally seen as trustworthy by default.
  • DMZ: This zone should be used for systems that need to remain isolated from the rest of the network. Certain incoming connections can be allowed but the isolated systems will only have limited access to your network.
  • Work: This one is just what you would expect, a zone that’s most suitable for work environments. You can allow certain incoming connections and other systems on the network are generally considered trustworthy.
  • Home: This zone can be used for home computers and assumes that most of the other systems on the network are generally considered trustworthy.
  • Trusted: An option that should be used only when you know for certain that all other computers on the network are trustworthy. This zone accepts all incoming connections through the network.

FirewallD Services

Services are predefined sets of rules that can be used within a zone to allow or disallow incoming traffic to a certain service. These sets of rules can be seen by FirewallD as either permanent or immediate. The immediate ones, also known as the runtime, are the rules that are active while the system is running. The running configuration can be modified by adding or removing rules, however, FirewallD always reverts back to the permanent configuration on reboot. When that happens, the permanent configuration becomes the new runtime.

On many Linux distributions, including CentOS 7, whenever you’re making changes to FirewallD using the firewall – cmd command these changes only apply to the runtime. However, you can easily target the permanent configuration as well. To do this, you’ll need to use the –permanent flag alongside the command. Doing so will cause the changes to instead be applied to the rules that are loaded upon booting up the system.

What all of this essentially means is that you can make changes to the runtime without using the flag and simply reboot your system if you mess something up and want to reload to the original configuration. If you do use the flag alongside the command, make sure you’re know what you’re doing because the changes will stick.

How to Install and Enable FirewallD

FirewallD should come installed by default on current versions of CentOS 7. However, if it’s not installed on your computer for some reason, you can type in the following command to install it yourself:

sudo yum install firewalld

FirewallD will not be automatically enabled upon installation so you will need to enable it manually. It’s worth noting that doing so will cause the service to automatically start whenever you boot up your system. You can enable the service by using the following command:

sudo systemctl start firewalld
sudo systemctl enable firewalld

If you want to make sure FirewallD is running, you can check its current status with:

sudo firewall-cmd --state

If everything is behaving as it should, you will see a prompt that says running after typing in the command above. Otherwise, the displayed message will say not running instead.

Working with Zones

If this is the first time you’re enabling the service, FirewallD should automatically set the default zone to public. You can check to see if this is indeed the case by using the command:

sudo firewall-cmd --get-default-zone

For the time being this will be your only active zone but don’t worry because we’ll talk about how you can change that a bit later on. For now, though, you can check if public is your only active zone by typing in:

sudo firewall-cmd --get-active-zones

Typing in this command will display a list of all the interfaces that are currently connected to the public zone. Alternatively, if you would just like to see a list of all the available zones you can use the following command:

sudo firewall-cmd --get-zones

Now that you know how to check to see which zones are currently active, we can take a look at the rules that are associated with these zone. At the moment, we know that only the public zone is active so in order to see its rules we need to type in:

sudo firewall-cmd --zone=public --list-all

Replace public with another zone type if you’re already using a different one. But in our particular example, the output should look something like this:

public (default, active)

  target: default

  icmp-block-inversion: no

  interfaces: eth0 eth1

  sources:

  services: ssh dhcpv6-client

  ports:

  protocols:

  masquerade: no

  forward-ports:

  source-ports:

  icmp-blocks:

  rich rules:

As expected, the prompt tells us that public is currently the only active zone and that it is also the default one. The prompt also displays the network interfaces that are associated with the public zone, as well as the active services – SSH and DHCP. If you want to see a list of rules for each of the zone types you can do so with the following command:

sudo firewall-cmd --list-all-zones

How to Change the Zone of an Interface

In the example above we can see that the eth0 and eth1 interfaces are both assigned to the public zone. We can change this by using the –zone= flag alongside the –change-interface= flag.  Say we want to change the eth0 interface from public to the trusted zone for instance. We can do so by typing in the following command:

sudo firewall-cmd --zone=trusted --change-interface=eth1

If you want to check and make sure the change has occurred, remember that you can use the command:

sudo firewall-cmd --get-active-zones

The output will look something like this now:

trusted

                Interfaces: eth1

public

                Interfaces: eth0

How to Change the Default Zone

We mentioned earlier that FirewallD automatically sets the default zone to public when you’re enabling it for the first time. This zone is ideal for whenever you’re in a public space connected to potentially untrustworthy systems but that might not always be the case. For example, if you’re at work you’ll probably want to use the work zone instead. Changing the default zone can be done by using the — set-default-zone flag alongside the name of the zone you want as your new default. In this case the command will be:

sudo firewall-cmd --set-default-zone=work

Remember that you can check to see which default zone FirewallD is currently using with the command:

sudo firewall-cmd --get-default-zone

How to Add or Remove Services

Predefined zones come with access to certain services such SSH or DHCP, as showed in an earlier example. Generally speaking, the more trustworthy a zone is, the more services it will be able to access. However, you may want to add extra services or even ports to some of the zones you’re using, which is what we’re going to be covering in this section. First off, it helps to know what type of services you can add. To get the full list, type in the following command:

sudo firewall-cmd --get-services

FirewallD will display a lengthy list of services upon typing that command, some of which you may not be familiar with. To learn more about any of the listed services, you can check its associated .xml file. This is found by default in the /usr/lib/firewalld/services directory. The .xml file for each service contains a lot of useful information, including <short> and <description> tags. In the case of HTTP, for example, the <short> tag will say “WWW (HTTP)” while the <description> tag will read the following:

“HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.”

If, let’s say, you want to add this service to the public zone just for the runtime you can use the following command:

sudo firewall-cmd --zone=public --add-service=http

If you are modifying the default zone there is no need to add the –zone flag. In order to check if the service was successfully added to the public zone, you’ll need to type in:

sudo firewall-cmd --zone=public --list-services

If the service was successfully added, FirewallD will display the following message:

ssh dhcpv6-client http

As mentioned, services that are added this way will only remain active for the current session (runtime) but you can make sure they also stay active after reboot by using the –permanent flag along with the — add-service one. In that case, the resulting command should look like this:

sudo firewall-cmd --permanent --zone=public --add-service=http

The –permanent flag can also be used alongside the –list-services flag to check if the service was indeed added.

The process for removing services from your zones is very similar to the one that allows you to add them. However, instead of the –add-service flag you’ll now need to use the –remove-service one. For example, if you want to remove the HTTP service from your public zone’s permanent configuration, you can type in the following command:

sudo firewall-cmd --zone=public --remove-service=http --permanent

How to Create a New FirewallD Service

You already know that the default services can be found in the /usr/lib/firewalld/services directory so now would be a good time to note that FirewallD also has a directory used to store services created by the user. You can find this directory by going to etc/firewalld/services. This is an important thing to remember because you can easily create new services by copying an existing .xml service file into this directory and then modifying it.

Knowing this will come in handy because FirewallD may not support by default all the services you want to use. Apps like Plex Media Server, for example, will not appear on the services list right away and you will need to manually definite them. In this particular instance, we can actually use the HTTP .xml file to do just that by typing in the following:

sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/plexmediaserver.xml

Now that you have an .xml file for the Plex Media Server application you’ll just need to modify a couple of things and it will be good to go. The first thing you’ll want to change are the <short> and <description> tags. We mentioned a bit earlier what these tags say for the HTTP service so now just replace that text with something that’s suitable for the Plex Media Server app.

The other important thing you’ll need to modify is the <port> tag. You can do this by following the example below as a guideline but keep in mind that you may need to assign different ports depending on your network. You can learn more about port forwarding from articles like this, which is a troubleshooting guide for Plex Media Server. You can find similar articles online for pretty much any service you may want to add.

<?xml version="1.0" encoding="utf-8"?>

<service version="1.0">

<short>plexmediaserver</short>

<description>Plex is a streaming media server that brings all your video, music and photo collections together and stream them to your devices at anytime and from anywhere.</description>

<port protocol="udp" port="1900"/>

<port protocol="tcp" port="32400"/>

</service>

After making the necessary modifications you can save the file and then reload FirewallD using the following command:

sudo firewall-cmd –reload

Plex Media Server is now available to be used in any of your zones just like all the other services.

Final Thoughts

FirewallD is a great utility that can help safeguard your system against potential threats. Hopefully, after reading this article you now have a pretty good idea of how to properly set up and manage the service on CentOS 7. Although we focused on CentOS 7 in this article, it’s worth noting that FirewallD is also available on many other Linux distributions.

Just like a lot of other tools out there, getting used to working with FirewallD can take some time and practice, but it will be well worth the effort once you finally get the hang of it. Even if you don’t plan on using its more advanced features, simply knowing how to set up the service and how to change your zones on the fly will be of big help.

Related posts

Leave a Reply

Required fields are marked *

Copyright © 2020 Blackdown.org. All rights reserved.