What is a firewall?
In the physical world, a firewall is a barrier put in place to limit the damage a fire can cause.
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting outward communication and to provide important logging and auditing functions.
Types of firewalls
Types of firewalls include packet-filtering firewalls, stateful inspection firewalls, proxy firewalls and next-generation firewalls (NGFWs).
- Packet-filtering firewall:
When a packet passes through the firewall, its source and destination address, protocol and destination port number are checked. The packet is dropped if it does not comply with the firewall’s ruleset. A packet-filtering firewall examines each packet in isolation and does not know the packet’s context.
For example, if a firewall is configured with a rule to block Telnet access, the firewall will drop packets destined for Transmission Control Protocol (TCP) port 23, the port on which a Telnet server application would be listening.
- Stateful inspection firewall:
Stateful inspection (dynamic packet-filtering) firewalls maintain a table that keeps track of all open connections. When a new packet arrives, the firewall compares the information in its header to the state table to determine whether it belongs to an established connection. If it does, the packet is allowed through without further analysis; if it does not match an existing connection, it is evaluated against the rule set for new connections.
- Proxy firewall:
Proxy firewalls provide application-layer filtering: they can examine the payload of a packet and distinguish valid requests and data from malicious code disguised as a valid request or data.
For example, a proxy firewall can allow or deny a specific incoming Telnet command from a particular user, whereas other firewalls can only control general incoming requests from a particular host.
- Next-generation firewall:
A next-generation firewall uses a multi-layered approach and combines the capabilities of traditional enterprise firewalls, including network address translation (NAT), Uniform Resource Locator (URL) blocking and virtual private networks (VPNs), with quality of service (QoS) functionality and features not traditionally found in firewall products. These products support intent-based networking by including Secure Sockets Layer (SSL) and Secure Shell (SSH) inspection, deep packet inspection (DPI) and reputation-based malware detection, as well as application awareness.
A properly configured firewall is one of the most important aspects of overall system security. Firewalld is a complete firewall solution that manages the system’s iptables rules. Starting with CentOS 7, firewalld replaces iptables as the default firewall management tool.
Basic Firewalld Concepts
Firewalld uses the concepts of zones and services instead of iptables chains and rules. You can control what traffic is allowed or disallowed to and from the system based on the zones and services you configure. Firewalld can be configured and managed using the firewall-cmd command line utility.
Installing and enabling Firewalld
Firewalld is installed by default on CentOS 7, but if it is not installed on your system, you can install the package by typing:
# yum install firewalld
The firewalld service is disabled by default. If you have just installed it or have never activated it before, the status command prints not running; otherwise it prints running. You can check the firewall status with:
# firewall-cmd --state
To start the firewalld service and enable it on boot type:
# systemctl start firewalld
# systemctl enable firewalld
Firewalld Zones
Zones are predefined sets of rules specifying what traffic should be allowed based on the level of trust on the networks your computer is connected to. You can assign network interfaces and sources to a zone.
Below are the zones provided by firewalld ordered according to the trust level of the zone from untrusted to trusted:
- drop: All incoming connections are dropped without any notification. Only outgoing connections are allowed.
- block: All incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only outgoing connections are allowed.
- public: For use in untrusted public areas. You do not trust other computers on the network but you can allow selected incoming connections.
- external: For use on external networks with NAT masquerading enabled when your system acts as a gateway or router. Only selected incoming connections are allowed.
- internal: For use on internal networks when your system acts as a gateway or router. Other systems on the network are generally trusted. Only selected incoming connections are allowed.
- dmz: Used for computers located in your demilitarized zone that will have limited access to the rest of your network. Only selected incoming connections are allowed.
- work: Used for work machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
- home: Used for home machines. Other computers on the network are generally trusted. Only selected incoming connections are allowed.
- trusted: All network connections are accepted. Trust all of the computers in the network.
View Default Zone
After enabling the firewalld service for the first time, the public zone is set as a default zone. To view the default zone, type in:
# firewall-cmd --get-default-zone
public
List Available Zones
To list all the available zones, use:
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
Zones used by Network Interfaces
By default, all network interfaces are assigned the default zone. To check what zones are used by your network interfaces, type:
# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1
Print Zone Configuration Settings
To print the zone configuration settings:
# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1 eth2
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
We can see that the public zone is active and set as the default, that it is used by both the eth1 and eth2 interfaces, and that incoming connections for the SSH and DHCPv6 client services are allowed.
Configurations of all Available Zones
To check the configurations of all available zones type:
# firewall-cmd --list-all-zones
Change the Interface Zone
You can change the zone of an interface by using --zone in combination with --change-interface. The following command assigns the eth1 interface to the work zone:
# firewall-cmd --zone=work --change-interface=eth1
Verify the changes by typing:
# firewall-cmd --get-active-zones
work
  interfaces: eth1
public
  interfaces: eth0
Change Default Zone
To change the default zone, use --set-default-zone followed by the name of the zone you want to make the default.
# firewall-cmd --set-default-zone=home
Verify the changes with:
# firewall-cmd --get-default-zone
home
Firewalld services
Firewalld services are predefined rules that apply within a zone and define the necessary settings to allow incoming traffic for a specific service.
Firewalld uses two separate configuration sets: the runtime configuration and the permanent configuration.
The runtime configuration is the configuration actually in effect, and it does not survive a reboot. When the firewalld service starts, it loads the permanent configuration, which then becomes the runtime configuration.
By default, changes made with the firewall-cmd utility apply only to the runtime configuration; to make a change permanent you need to add the --permanent flag. The reverse also holds: a change made only with --permanent is not applied to the running firewall until the service is reloaded (firewall-cmd --reload) or restarted.
With firewalld you can allow traffic for specific ports based on the services. To get a list of all default available services type:
# firewall-cmd --get-services
You can find more information about each service by opening the associated .xml file in the /usr/lib/firewalld/services directory. For example, the HTTP service is defined like this:
# cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
Allow Services
To allow incoming HTTP traffic for interfaces in the public zone, only for the current session, type:
# firewall-cmd --zone=public --add-service=http
If you are modifying the default zone you can leave out the --zone flag.
Verify that the service was added successfully with the --list-services flag:
# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http
Allow Services Permanently
If you want to keep port 80 open after a reboot, run the same command again, this time with the --permanent flag:
# firewall-cmd --permanent --zone=public --add-service=http
Use --list-services together with the --permanent flag to verify your changes:
# firewall-cmd --permanent --zone=public --list-services
ssh dhcpv6-client http
Removing Services
To remove a service, use --remove-service instead of the --add-service flag. To remove the http service from the permanent configuration of the public zone, use:
# firewall-cmd --zone=public --remove-service=http --permanent
Open a Port
If you are running an application for which no suitable predefined service exists, you have two options: open the required ports directly, or define a new firewalld service.
To open a port, say TCP port 2086, in the public zone for the current session, use the --add-port flag:
# firewall-cmd --zone=public --add-port=2086/tcp
The protocol can be either tcp or udp. To keep port 2086 open after a reboot, add the rule to the permanent configuration by running the same command with the --permanent flag.
List Added Ports
To verify that the port was added successfully, use the --list-ports flag:
# firewall-cmd --zone=public --list-ports
2086/tcp
Remove Added Ports
The syntax for removing a port is the same as for adding one; just use --remove-port instead of the --add-port flag:
# firewall-cmd --zone=public --remove-port=2086/tcp
Creating new Firewalld Service
The default services are stored in the /usr/lib/firewalld/services directory. The easiest way to create a new service is to copy an existing service file to the /etc/firewalld/services directory, which is the location for user-created services, and modify its settings.
/usr/lib/firewalld holds the default configuration, such as the default zones and the common services. Avoid editing those files, because they are overwritten by every firewalld package update. /etc/firewalld holds the system's own configuration files, which override the default configuration of the same name.
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/newservice.xml
Open the newly created newservice.xml file and change the short name and description of the service within the <short> and <description> tags. The most important tag to change is the port tag, which defines the port number and protocol you want to open.
In the following example, we are opening ports 2086 UDP and 2085 TCP.
# vi /etc/firewalld/services/newservice.xml
<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>newservice</short>
  <description>This service is to open the ports 2086 and 2085</description>
  <port protocol="udp" port="2086"/>
  <port protocol="tcp" port="2085"/>
</service>
Save the file and reload the Firewalld service:
# firewall-cmd --reload
You can now use the newservice service in your zones the same as any other service.
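The following script is an added example, not part of the original article, covering both the predefined service definition shown above (http.xml) and the user-created newservice.xml: it parses a firewalld service file and checks the <short> name and every <port> element before the file is dropped into /etc/firewalld/services and the service reloaded. The two good definitions are copies of the article's files embedded as strings so the script runs without them; BROKEN_XML and all function names are this example's own.

```python
"""Added example, not part of the original article: parse and sanity-check a
firewalld service definition of the kind stored under
/usr/lib/firewalld/services and /etc/firewalld/services. The two good
definitions below are copies of the article's http.xml and newservice.xml
embedded as strings; BROKEN_XML is a constructed bad definition used to show
what the checks catch."""
import xml.etree.ElementTree as ET

HTTP_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>"""

NEWSERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>newservice</short>
  <description>This service is to open the ports 2086 and 2085</description>
  <port protocol="udp" port="2086"/>
  <port protocol="tcp" port="2085"/>
</service>"""

# Constructed bad input: an unsupported protocol and a port above 65535.
BROKEN_XML = """<service>
  <short>broken</short>
  <port protocol="icmp" port="80"/>
  <port protocol="tcp" port="70000"/>
</service>"""

# Protocols firewalld accepts in a <port> element.
VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def parse_service(xml_text):
    """Return {'short', 'description', 'ports'}; ports is a list of (protocol, port) strings."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("root element must be <service>, got <%s>" % root.tag)
    return {
        "short": (root.findtext("short") or "").strip(),
        "description": (root.findtext("description") or "").strip(),
        "ports": [(p.get("protocol"), p.get("port")) for p in root.findall("port")],
    }


def port_range(spec):
    """Return (low, high) for a port 'N' or a range 'N-M'; raise ValueError if malformed or outside 1..65535."""
    low, _, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("port out of range: %s" % spec)
    return lo, hi


def validate_service(service):
    """Return a list of problems; an empty list means the definition looks sane."""
    problems = []
    if not service["short"]:
        problems.append("missing <short> name")
    if not service["ports"]:
        problems.append("no <port> elements (check whether that is intended)")
    for proto, port in service["ports"]:
        if proto not in VALID_PROTOCOLS:
            problems.append("unsupported protocol %r" % proto)
        try:
            port_range(port or "")
        except ValueError:
            problems.append("bad port value %r" % port)
    return problems


if __name__ == "__main__":
    for name, text in (("http.xml", HTTP_XML), ("newservice.xml", NEWSERVICE_XML), ("broken", BROKEN_XML)):
        svc = parse_service(text)
        print(name, svc["ports"], validate_service(svc) or "OK")
```

Running the check before firewall-cmd --reload is worthwhile because a malformed service file is only reported at reload time; the parser above also accepts the N-M range form that firewalld allows in the port attribute.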
Forwarding Port
To forward traffic from one port to another port or address, first enable masquerading for the desired zone using the --add-masquerade switch.
# firewall-cmd --zone=external --add-masquerade
To forward traffic from one port to another on the same server, for example, forward the traffic from port 80 to port 8080 on the same server, use:
# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080
To forward traffic to another server, for example, forward the traffic from port 80 to port 80 on a server with IP 10.10.10.2, use:
# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=10.10.10.2
To forward traffic to another server on a different port, for example forwarding the traffic from port 80 to port 8080 on a server with IP 10.10.10.2:
# firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.10.10.2
To make the forwarding permanent, just append the --permanent flag.
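The following script is an added example, not part of the original article, that parses and checks the port=...:proto=...:toport=...:toaddr=... argument syntax used with --add-forward-port above, so a forwarding can be validated before it is applied to a zone. The three forwardings from the article are reused as sample input; the function names, the description wording and the constructed invalid specs are this example's own, not firewalld's.

```python
"""Added example, not part of the original article: parse and check the
argument syntax firewall-cmd takes for --add-forward-port,
port=<port>:proto=<proto>[:toport=<port>][:toaddr=<address>], using the
article's three forwardings as sample input. Function names and the
description text are this example's own, not firewalld's."""
import ipaddress

KNOWN_FIELDS = {"port", "proto", "toport", "toaddr"}
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def port_in_range(spec):
    """True for a single port 'N' or a range 'N-M' within 1..65535."""
    low, _, high = spec.partition("-")
    try:
        lo = int(low)
        hi = int(high) if high else lo
    except ValueError:
        return False
    return 1 <= lo <= hi <= 65535


def parse_forward_spec(spec):
    """Split 'key=value:key=value' into a dict and enforce the rules firewalld
    applies: port and proto are mandatory and at least one of toport/toaddr
    must be present. IPv6 targets contain colons and are not handled by this
    simple split."""
    fields = {}
    for item in spec.split(":"):
        key, sep, value = item.partition("=")
        if not sep or key in fields:
            raise ValueError("malformed or duplicate field: %r" % item)
        fields[key] = value
    unknown = set(fields) - KNOWN_FIELDS
    if unknown:
        raise ValueError("unknown field(s): %s" % ", ".join(sorted(unknown)))
    if "port" not in fields or "proto" not in fields:
        raise ValueError("port= and proto= are required")
    if "toport" not in fields and "toaddr" not in fields:
        raise ValueError("at least one of toport= or toaddr= is required")
    if fields["proto"] not in PROTOCOLS:
        raise ValueError("unsupported protocol %r" % fields["proto"])
    for key in ("port", "toport"):
        if key in fields and not port_in_range(fields[key]):
            raise ValueError("%s=%s is not a valid port" % (key, fields[key]))
    if "toaddr" in fields:
        ipaddress.ip_address(fields["toaddr"])  # raises ValueError on a malformed address
    return fields


def check(spec):
    """Return None when the spec is acceptable, otherwise the error message."""
    try:
        parse_forward_spec(spec)
    except ValueError as err:
        return str(err)
    return None


def describe(spec, zone="external"):
    """Plain-language summary of the forwarding; when toport is absent the
    original port is kept, as in the article's second example."""
    f = parse_forward_spec(spec)
    target = f.get("toaddr", "this host")
    return "zone %s: %s/%s -> %s port %s" % (
        zone, f["port"], f["proto"], target, f.get("toport", f["port"]))


if __name__ == "__main__":
    for s in ("port=80:proto=tcp:toport=8080",
              "port=80:proto=tcp:toaddr=10.10.10.2",
              "port=80:proto=tcp:toport=8080:toaddr=10.10.10.2",
              "port=80:proto=tcp"):
        print(s, "->", check(s) or describe(s))
```

The last sample spec is rejected because neither toport nor toaddr is given; the same check also catches a destination port outside 1..65535 and a toaddr that is not a valid IP address, which are the mistakes most likely to slip through when a forwarding is typed by hand.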
In this article, we have gone through how to configure and manage the Firewalld service on a CentOS system and some basic concepts of firewalld.