Introduction
Setting up a firewall on your server can be one of the best defences against cyberattacks. It provides network security by blocking unwanted access to the server. It filters incoming and outgoing network traffic based on a set of user-defined rules.
A firewall provides an essential layer of security to the server. When combined with other measures, it can prevent attackers from accessing your servers in malicious ways. In general, the purpose of a firewall is to reduce or eliminate the occurrence of unwanted network communications while allowing all legitimate communication to flow freely. It mainly improves the security rules management by allowing configuration changes without stopping the current connections.
In this tutorial, we’re going to show you how to set up firewalld (firewall daemon) on CentOS. While there are many other firewall-related packages, we are going to use firewalld, a firewall management solution available for many Linux distributions. It allows you to configure maintainable rules and rule-sets that take your network environment into consideration.
Tutorial
Step 1 – Install firewalld
firewalld is installed by default on some Linux distributions. However, you may need to install it yourself if it is not present on your server.
You can verify the status of firewalld on your server using the command below:
systemctl status firewalld
If it is not installed on your server, you can install the package by using this command:
yum install firewalld
Step 2 – Enable and Reboot firewalld
After installing firewalld, enable the service and reboot your server.
sudo systemctl enable firewalld
sudo reboot
After the server has restarted, the firewall should be brought up, your network interfaces should be placed in the zones you configured (or fall back to the configured default zone), and any rules associated with those zone(s) will be applied to the associated interfaces.
Step 3 – Verify If the firewalld is Running or Not
We can verify that the service is running and reachable by typing this command:
sudo firewall-cmd --state
The output of the command should be “running”. This indicates that our firewall is up and running with the default configuration.
Step 4 – Configure Zones
A firewall zone defines the trust level of the interface used for a connection. A zone is a group of rules that the firewalld daemon manages as a single entity.
Below are the predefined zones provided by FirewallD ordered according to the trust level (from least trusted to most trusted) of the zone:
- drop: The lowest level of trust. All incoming connections are dropped without any notification; only outgoing connections are allowed.
- block: Similar to drop in that only outgoing connections are allowed, but in block all incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6.
- public: This represents untrusted public areas. You do not trust other computers on the network but you can allow selected incoming connections depending on the case.
- external: This is for use on external networks with NAT masquerading enabled when your system acts as a gateway or router. Only selected incoming connections are allowed.
- internal: For use on internal networks when your system acts as a gateway or router. Other systems on the network are generally trusted. Only selected incoming connections are allowed.
- dmz: Used for computers located in your demilitarized zone that will have limited access to the rest of your network. Only certain incoming connections are allowed.
- work: Used for work machines, where most computers on the network are trusted. Only selected incoming connections are allowed.
- home: Used at home, where other computers on the network are generally trusted. Only selected incoming connections are allowed.
- trusted: This is the most open among the available options since all network connections are accepted. All of the computers in the network are trusted.
To get a list of the available zone types:
sudo firewall-cmd --get-zones
To view which zone is currently selected as the default:
sudo firewall-cmd --get-default-zone
To view the active zone (the zone that is controlling the traffic for our interfaces):
sudo firewall-cmd --get-active-zones
To view the default zone’s configuration, type the following command:
sudo firewall-cmd --list-all
Create Your Own Zones
Firewalld also allows you to define your own zones that are more descriptive of their function.
The new zone must be added to the permanent firewall configuration; you then reload the firewall to bring that configuration into your running session. Type the command below:
sudo firewall-cmd --permanent --new-zone=office
Verify by typing:
sudo firewall-cmd --permanent --get-zones
Reload the firewall to bring these new zones into the running instance:
sudo firewall-cmd --reload
Step 5 – Allocate Service to a Zone
After successfully creating our zone, we can begin allocating the appropriate services and ports to our zone.
You can get a list of the available services with the --get-services option by typing the command below:
sudo firewall-cmd --get-services
To Add a New Service to a Zone
You can add a new, empty service using the --new-service option together with the --permanent option:
sudo firewall-cmd --permanent --new-service=<service that you want to add>
To Add a Service to a Zone
For instance, if you are running a web server serving HTTPS traffic, you can allow this traffic for interfaces in the "public" zone and make it "permanent" by typing:
firewall-cmd --zone=public --permanent --add-service=https
Other sample services you can add to the firewall:
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=mysql
To verify that the operation was successful, input the following command:
sudo firewall-cmd --zone=public --list-services
Step 6 – Configure Appropriate Ports
To list all ports allowed in firewall:
sudo firewall-cmd --zone=public --list-ports
Opening Ports in Firewall
To open up ports, specify the port or port range, and the associated protocol for the ports you need to open in the zone. See commands below:
sudo firewall-cmd --zone=public --add-port=14000/udp
sudo firewall-cmd --zone=public --add-port=6001/tcp
We can verify that this was successful using the --list-ports operation by typing:
sudo firewall-cmd --zone=public --list-ports
The commands above only change the runtime configuration, which is discarded on reload or reboot. To make this port addition permanent and present even after reloading, type the commands below:
sudo firewall-cmd --zone=public --permanent --add-port=14000/udp
sudo firewall-cmd --zone=public --permanent --add-port=6001/tcp
To verify the added ports, run the command below:
sudo firewall-cmd --zone=public --permanent --list-ports
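As an added example (not part of the original tutorial, and not a firewalld tool), the following POSIX shell script audits a zone from the text that `firewall-cmd --zone=public --list-all` and `firewall-cmd --zone=public --permanent --list-all` print. It covers the two checks a practitioner wants after Steps 5 and 6: whether the services and ports exposed in the zone match an intended baseline (for instance, `mysql` being open in the public zone), and whether any rule exists only in the runtime configuration and would therefore disappear on the next reload or reboot. The two `--list-all` samples and the baseline lists are constructed for this example rather than captured from a real host, and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a firewalld zone from `--list-all` text.
# Both samples below are constructed to resemble firewall-cmd output;
# they were not captured from a real host.
RUNTIME_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client https mysql
  ports: 14000/udp 6001/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'
PERMANENT_LIST_ALL='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client https
  ports: 14000/udp 6001/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# What the public zone is meant to expose (assumed baseline for this example).
BASELINE_SERVICES='ssh dhcpv6-client https'
BASELINE_PORTS='14000/udp 6001/tcp'

# zone_field LISTALL FIELD -> the space-separated value of one field (e.g. services)
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ /, ""); print; exit }'
}

# only_in A B -> each space-separated item of A that does not appear in B
only_in() {
    for item in $1; do
        seen=0
        for other in $2; do
            [ "$item" = "$other" ] && seen=1
        done
        [ "$seen" -eq 0 ] && printf '%s\n' "$item"
    done
    return 0
}

# unexpected FIELD LISTALL BASELINE -> entries of FIELD that are not in the baseline
unexpected() {
    only_in "$(zone_field "$2" "$1")" "$3"
}

# runtime_only FIELD RUNTIME PERMANENT -> entries active now but absent from the
# permanent configuration; these vanish on the next reload or reboot
runtime_only() {
    only_in "$(zone_field "$2" "$1")" "$(zone_field "$3" "$1")"
}

# audit_zone RUNTIME PERMANENT BASELINE_SERVICES BASELINE_PORTS
# Prints every finding; returns 0 only when there are none.
audit_zone() {
    rt=$1; pm=$2; base_services=$3; base_ports=$4
    findings=0
    for s in $(unexpected services "$rt" "$base_services"); do
        echo "service not in baseline: $s"; findings=1
    done
    for p in $(unexpected ports "$rt" "$base_ports"); do
        echo "port not in baseline: $p"; findings=1
    done
    for s in $(runtime_only services "$rt" "$pm"); do
        echo "service is runtime-only (lost on reload): $s"; findings=1
    done
    for p in $(runtime_only ports "$rt" "$pm"); do
        echo "port is runtime-only (lost on reload): $p"; findings=1
    done
    return $findings
}

# Demo on the constructed samples. On a live host the two strings would come from
# `sudo firewall-cmd --zone=public --list-all` and the same command with --permanent.
if audit_zone "$RUNTIME_LIST_ALL" "$PERMANENT_LIST_ALL" "$BASELINE_SERVICES" "$BASELINE_PORTS"; then
    echo "public zone matches its baseline and is fully persisted"
else
    echo "public zone needs attention"
fi
```

Run the audit before `firewall-cmd --reload`: a rule that shows up as runtime-only is one that was added without `--permanent`, and the reload will silently drop it. A service or port flagged as outside the baseline is worth reviewing against the zone's intended trust level, since an entry like `mysql` in the public zone exposes the database to every network that zone faces.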
History
- 14th May, 2019: Initial version