A Detailed Guide to Firewalld Configuration and Management on CentOS 7

From iptables to firewalld in CentOS 7

In CentOS 7 (as in RHEL 7), the default firewall management tool changed from the iptables service to firewalld. Firewalld manages rules dynamically: changes can be applied at runtime without restarting the service or flushing the whole rule set, and interfaces and source networks are grouped into "zones" with different trust levels, which keeps management simple on hosts with more than one network. On CentOS 7 firewalld still programs the kernel's netfilter tables through iptables underneath, so it is a front end rather than a replacement for the packet filter; run either firewalld or the iptables service, never both, because each overwrites the other's rules. For the official documentation, refer to the Red Hat Enterprise Linux 7 Security Guide.

Managing the Firewalld Service

Use the systemctl command to manage the firewalld service.

Starting and Stopping the Service

# Start the firewall service
systemctl start firewalld.service

# Stop the firewall service
systemctl stop firewalld.service

Enabling at Boot

# Enable auto-start at boot
systemctl enable firewalld.service

# Disable auto-start at boot
systemctl disable firewalld.service

Basic Status and Configuration Operations

Checking Status and Rules

# Check firewall running state
firewall-cmd --state

# List everything configured in the default zone (public unless changed): interfaces, sources, services, ports, rich rules
firewall-cmd --list-all

Reloading Configuration

After changing the permanent configuration, reload to apply it. A reload re-reads the saved configuration and rebuilds the rules; established connections survive because connection-tracking state is kept, but any runtime-only changes that have not been made permanent are discarded.

firewall-cmd --reload

Port Management

Adding Ports

Use --add-port to open a port. With --permanent the rule is written to the saved configuration and survives a reboot, but it does not change the running firewall until the next firewall-cmd --reload; without --permanent the change is applied to the running firewall only.

# Add TCP port 9527 to the runtime configuration only (lost on reload, service restart or reboot)
firewall-cmd --add-port=9527/tcp

# Add TCP port 9527 to the permanent configuration (takes effect after the next reload)
firewall-cmd --permanent --add-port=9527/tcp

# Permanently add the TCP port range 9527-10001
firewall-cmd --permanent --add-port=9527-10001/tcp

Operating on Specific Zones

Use --zone to act on a specific zone rather than the default one. The examples below use public, the default zone on a fresh CentOS 7 installation.

# Permanently add TCP port 8010 to the public zone
firewall-cmd --zone=public --permanent --add-port=8010/tcp

# Permanently remove TCP port 8010 from the public zone
firewall-cmd --zone=public --permanent --remove-port=8010/tcp

# Query whether TCP port 8010 is open in the runtime configuration of the public zone (prints yes or no, exit status 0 or 1); add --permanent to query the saved configuration instead
firewall-cmd --zone=public --query-port=8010/tcp

Checking Port Listening Status

A port allowed in firewalld only lets traffic through; it says nothing about whether a program is actually listening there, and a daemon can be listening while the firewall still blocks it. Check the socket side with ss:

# -t TCP sockets, -l listening only, -n numeric ports, -p owning process (run as root to see every process)
# Note that ":80" also matches :8010, :8080 and similar; read the port column exactly
ss -tlnp | grep :80
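The check above is one port at a time. The following script, added here as an example and not part of the original article, does the comparison in both directions for a whole zone: it lists the TCP/UDP sockets bound to non-loopback addresses (from ss) and the ports firewalld exposes (from --list-ports plus the ports of each listed service), then reports ports that are open with nothing listening behind them and listeners the firewall does not expose. The sample ss output and firewalld state embedded in the script are constructed, not captured from a real host; the zone name comes from $ZONE (default public).

```shell
#!/bin/sh
# Added example (not part of the original article): cross-check the sockets
# that are actually listening against what firewalld exposes in a zone.
#   OPEN_NO_LISTENER  - firewalld allows a port nothing is bound to (a stale or
#                       premature rule that widens the attack surface for free)
#   LISTENER_NOT_OPEN - a daemon is bound to a non-loopback address but the
#                       firewall does not expose it (often fine, but confirm
#                       that the wide bind is intentional)
# Assumptions: zone from $ZONE (default public); `ss -tulnp` output format as
# on CentOS 7 (the Netid column is present because both -t and -u are given).

# listening_ports: read `ss -tulnp` output on stdin, print "proto/port" for
# every TCP/UDP socket not bound to a loopback address, one per line, sorted.
listening_ports() {
    awk '($1 == "tcp" || $1 == "udp") {
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        # loopback binds are unreachable from the network whatever the firewall says
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "localhost") next
        print $1 "/" port
    }' | sort -u
}

# audit LISTENERS_FILE OPEN_FILE: LISTENERS_FILE holds "proto/port" lines,
# OPEN_FILE holds firewalld port specs "PORT[-PORT]/PROTO". Ranges are honoured.
audit() {
    awk '
    FILENAME == ARGV[1] { listen[$0] = 1; next }
    /./ {
        split($0, pp, "/"); proto = pp[2]
        n = split(pp[1], r, "-"); lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
        hit = 0
        for (l in listen) {
            split(l, lp, "/")
            if (lp[1] == proto && lp[2] + 0 >= lo && lp[2] + 0 <= hi) { hit = 1; covered[l] = 1 }
        }
        if (!hit) print "OPEN_NO_LISTENER " $0
    }
    END { for (l in listen) if (!(l in covered)) print "LISTENER_NOT_OPEN " l }
    ' "$1" "$2" | sort
}

# run_live: gather real data (root needed for ss -p and firewall-cmd). Services
# are expanded to their ports with firewall-cmd --info-service. Rich rules and
# interface/source bindings are not considered, so treat the output as a
# starting point for review, not a verdict.
run_live() {
    zone=${ZONE:-public}
    l=$(mktemp) && o=$(mktemp) || return 1
    ss -tulnp | listening_ports > "$l"
    {
        firewall-cmd --zone="$zone" --list-ports | tr ' ' '\n'
        for s in $(firewall-cmd --zone="$zone" --list-services); do
            firewall-cmd --info-service="$s" | awk '/^ *ports:/ { for (i = 2; i <= NF; i++) print $i }'
        done
    } | sed '/^$/d' > "$o"
    audit "$l" "$o"
    rm -f "$l" "$o"
}

# Constructed sample of `ss -tulnp` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=1001,fd=3))
tcp   LISTEN 0      100    127.0.0.1:25      0.0.0.0:*         users:(("master",pid=1200,fd=13))
tcp   LISTEN 0      511    *:80              *:*               users:(("nginx",pid=1300,fd=6))
tcp   LISTEN 0      80     [::]:3306         [::]:*            users:(("mysqld",pid=1400,fd=20))
udp   UNCONN 0      0      0.0.0.0:123       0.0.0.0:*         users:(("chronyd",pid=900,fd=5))
udp   UNCONN 0      0      [::1]:323         [::]:*            users:(("chronyd",pid=900,fd=6))'

# Constructed firewalld state: --list-ports entries plus the ports of the listed services.
SAMPLE_OPEN='22/tcp
80/tcp
443/tcp
9527-10001/tcp'

# demo: run the audit on the constructed samples; on a real host use run_live.
demo() {
    l=$(mktemp) && o=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SS" | listening_ports > "$l"
    printf '%s\n' "$SAMPLE_OPEN" > "$o"
    audit "$l" "$o"
    rm -f "$l" "$o"
}

case "${1:-}" in
    live) run_live ;;
    demo) demo ;;
esac
```

Run it as `sh audit.sh demo` to see the constructed case (443/tcp and the 9527-10001 range are open with nothing behind them; mysqld on [::]:3306 and chronyd on 0.0.0.0:123 are listening but not exposed), or `sudo ZONE=public sh audit.sh live` on a host. The first finding is the one to act on: every open port without a listener is free attack surface the moment a new service lands on it.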

Service Management

Firewalld ships predefined service definitions (XML files under /usr/lib/firewalld/services/, for example http, https and ssh) that group the ports and protocols a service needs. Adding a service is more convenient than adding the ports by hand, and the zone listing then shows a readable service name instead of a bare port number.

Opening Ports for a Web Server

The following commands permanently add the http (80/tcp) and https (443/tcp) services to the public zone, then reload so the saved configuration becomes active.

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
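For an application with no predefined service, the same approach works with a custom service definition. The script below is an added example, not part of the original article: it renders a service file in the format firewalld reads (firewalld.service(5)), writes it to /etc/firewalld/services/, where local definitions live alongside the read-only defaults in /usr/lib/firewalld/services/, and exposes the service in the zone. The service name myapp and port 9527/tcp are hypothetical; install_service must run as root with firewalld active, and $ZONE defaults to public.

```shell
#!/bin/sh
# Added example (not from the original article): define a custom firewalld
# service for an application instead of opening bare ports. A service keeps
# `--list-all` readable ("services: ssh http myapp" rather than "9527/tcp")
# and lets the whole set of ports be removed with a single --remove-service.
# Assumptions: service name and ports are hypothetical; $ZONE defaults to
# public; install_service needs root and a running firewalld.

# valid_service_name NAME: 0 if NAME is safe to use as a file name under
# /etc/firewalld/services/ (no path separators, dots or whitespace).
valid_service_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# xml_escape TEXT: make free text safe to embed as XML element content.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# render_service_xml NAME DESCRIPTION PORT/PROTO...: print a service definition.
# Port ranges such as 9527-10001/tcp are written as-is; firewalld accepts them
# in the port attribute.
render_service_xml() {
    name=$1; desc=$2; shift 2
    valid_service_name "$name" || { echo "invalid service name: $name" >&2; return 1; }
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$name"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# install_service NAME DESCRIPTION PORT/PROTO...: write the definition, make
# firewalld read it, then expose it in the zone permanently.
install_service() {
    name=$1
    valid_service_name "$name" || { echo "invalid service name: $name" >&2; return 1; }
    file=/etc/firewalld/services/$name.xml          # local definitions; defaults stay in /usr/lib/firewalld
    render_service_xml "$@" > "$file" || { rm -f "$file"; return 1; }
    chmod 0644 "$file"
    firewall-cmd --reload                            # load the new definition
    firewall-cmd --permanent --zone="${ZONE:-public}" --add-service="$name"
    firewall-cmd --reload                            # activate the zone change
    firewall-cmd --info-service="$name"              # show what firewalld parsed from the file
}

case "${1:-}" in
    render)  shift; render_service_xml "$@" ;;
    install) shift; install_service "$@" ;;
esac
```

`sh service.sh render myapp "Internal API" 9527/tcp` prints the file without touching the system; `sudo sh service.sh install myapp "Internal API" 9527/tcp` installs it. The same definition can be created without a file using firewall-cmd --permanent --new-service=myapp followed by firewall-cmd --permanent --service=myapp --add-port=9527/tcp; the file form has the advantage of being reviewable and versionable with the rest of the host's configuration.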

Important Notes and Best Practices

  • Permanent Rules: Rules added with --permanent are written to the saved configuration under /etc/firewalld/ (zone files under /etc/firewalld/zones/) but are not applied to the running firewall. You must execute firewall-cmd --reload or restart the firewalld service for them to take effect.
  • Runtime Rules: Rules added without --permanent take effect immediately but are discarded by firewall-cmd --reload as well as by a service restart or reboot. For testing, add the rule at runtime, verify that it works, then make it permanent; if the second step is forgotten, a later reload silently removes the rule.
  • Zone Concept: Firewalld manages network interfaces and source addresses with different trust levels via zones; each interface or source is bound to one zone. If --zone is not specified, operations apply to the default zone (public on a fresh installation). Use firewall-cmd --get-default-zone to check the default zone.
  • Configuration Backup: Before making significant changes, back up the configuration: sudo cp -r /etc/firewalld/ /etc/firewalld.backup. This directory holds only the local changes; the shipped defaults in /usr/lib/firewalld/ are never modified by firewall-cmd, so this backup is all that is needed to restore a host's customisation.
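The runtime-first workflow from the notes above, as an added example script that is not part of the original article: the port specification is validated, applied to the runtime configuration, re-read from the live firewall to confirm it took effect, and only then copied into the saved configuration with firewall-cmd --runtime-to-permanent, so a mistake is never written to /etc/firewalld/. The zone comes from $ZONE (default public); the script must run as root with firewalld active, and --runtime-to-permanent requires firewalld 0.4 or newer (present in current CentOS 7 builds; on older ones, repeat the change with --permanent instead).

```shell
#!/bin/sh
# Added example (not from the original article): open a port runtime-first,
# verify it, then persist it, the order the notes above recommend.
# Assumptions: run as root with firewalld active; zone from $ZONE (default
# public); firewalld 0.4+ for --runtime-to-permanent.
set -u
ZONE=${ZONE:-public}

# validate_port_spec PORT[-PORT]/PROTO: 0 if well formed, 1 otherwise.
# firewall-cmd rejects bad specs too, but checking first lets automation stop
# before it has touched the firewall at all.
validate_port_spec() {
    spec=$1
    case $spec in
        */tcp|*/udp|*/sctp|*/dccp) ;;        # protocols firewalld accepts for ports
        *) return 1 ;;
    esac
    ports=${spec%/*}
    lo=${ports%-*}                          # single port: lo == hi
    hi=${ports#*-}
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# ensure_port SPEC: open SPEC in $ZONE at runtime, verify it, then persist it.
ensure_port() {
    spec=$1
    validate_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
    if firewall-cmd --zone="$ZONE" --query-port="$spec" >/dev/null 2>&1; then
        echo "$spec already open in the runtime configuration of $ZONE"
    else
        # Runtime change: effective at once, dropped by reload/restart if we stop here.
        firewall-cmd --zone="$ZONE" --add-port="$spec" || return 1
    fi
    # Trust the live state, not the exit code of the previous command.
    firewall-cmd --zone="$ZONE" --query-port="$spec" >/dev/null 2>&1 || {
        echo "verification failed: $spec not open in $ZONE" >&2; return 1; }
    # Copy the verified runtime configuration into /etc/firewalld/.
    firewall-cmd --runtime-to-permanent
}

# remove_port SPEC: close SPEC in both the runtime and the saved configuration.
remove_port() {
    spec=$1
    firewall-cmd --zone="$ZONE" --remove-port="$spec"
    firewall-cmd --permanent --zone="$ZONE" --remove-port="$spec"
}

case "${1:-}" in
    open)  ensure_port "${2:-}" ;;
    close) remove_port "${2:-}" ;;
    check) if validate_port_spec "${2:-}"; then echo "ok: ${2:-}"; else echo "invalid: ${2:-}"; fi ;;
    '')    ;;                               # no arguments: only define the functions
    *)     echo "usage: $0 open|close|check PORT[-PORT]/PROTO" >&2; exit 64 ;;
esac
```

Usage: `sudo sh ensure_port.sh open 9527/tcp`, later `sudo sh ensure_port.sh close 9527/tcp`. One caveat on --runtime-to-permanent: it saves the entire runtime configuration, not just this port, so any other runtime-only experiment present at that moment becomes permanent too; run it on a host whose runtime and saved states are otherwise in sync.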
