CentOS firewall

A firewall is a program that monitors and controls your system’s network interfaces’ incoming and outgoing network traffic and can restrict the transmission to only useful and non-harmful data into and out of a computer system or network. By default, CentOS is made available with an extremely powerful firewall, built right into the kernel, called netfilter. While, in older versions of CentOS, we used the famous iptables application to control it, in version 7, the new standard netfilter management program has changed to a service called firewalld, which is already installed and enabled on every CentOS 7 server by default.

It is a very powerful service to take full control over your server’s firewall security and is much easier to work with than iptables. Its main advantages are that it features a better structured and more logical approach to managing and configuring every aspect of a modern firewall solution. Therefore, it will be the foundation of your server’s security, and for this reason, it is the purpose of this process to get you started on the fundamentals of firewalld quickly.

To Start With: What Do You Need?

To complete this process, you will require a minimal installation of the CentOS 7 operating system with root privileges and a console-based text editor of your choice.

The Process

As the firewalld service is running on every CentOS 7 server by default, we can start directly working with the service by logging in to your server using the root user.

  1. Type the following commands to query zone-related information:
    firewall-cmd --get-zones | tr " " "\n"
    firewall-cmd --list-all-zones
    firewall-cmd --get-default-zone
    firewall-cmd --list-all
  2. We can switch to a different firewall default zone by using the following line:
    firewall-cmd --set-default-zone=internal
  3. Add a network interface to a zone temporarily:
    firewall-cmd --zone=work --add-interface=enp0s8
  4. Now, add a service to a zone temporarily:
    firewall-cmd --zone=work --add-service=ftp
  5. Test if adding the interface and service has been successful:
    firewall-cmd --zone=work --list-all
  6. Now, add the service permanently:
    firewall-cmd --permanent --zone=work --add-service=ftp
    firewall-cmd --reload
    firewall-cmd --zone=work --list-all
  7. Finally, let’s create a new firewall zone by opening the following file:
    vi /etc/firewalld/zones/seccon.xml
  8. Now put in the following content:
    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>security-congress</short>
      <description>For use at the security congress.</description>
      <service name="ssh"/>
    </zone>
  9. Save and close, then reload the firewall config so that we can see the new zone:
    firewall-cmd --reload
  10. Finally, check that the new zone is available:
    firewall-cmd --get-zones
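Steps 7 to 10 turned into a reusable script, as an added example that is not part of the original process: it writes a zone file in the same format as seccon.xml above for any zone name, short name, description and list of services, rejects names firewalld would refuse (only letters, digits, hyphen and underscore, at most 17 characters under the iptables backend used on CentOS 7), and reloads only when firewall-cmd is actually installed. The function names make_zone_file, zone_services and reload_if_available are my own; the zone directory is passed as an argument so the script can be tried in a scratch directory before it touches /etc/firewalld/zones.

```shell
#!/bin/sh
# Added example, not from the original page: generate a firewalld zone file
# (like seccon.xml) from arguments, then reload firewalld if it is present.
# Assumptions: POSIX sh; the zone directory is an argument so the functions
# can be exercised in a temporary directory on a host without firewalld.

# make_zone_file DIR NAME SHORT DESCRIPTION [SERVICE...]
# Writes DIR/NAME.xml in firewalld's zone format and prints the path.
# Returns 1 if NAME is not a valid firewalld zone name.
make_zone_file() {
    dir=$1; name=$2; short=$3; desc=$4
    shift 4
    # firewalld zone names: alphanumerics, '-' and '_', max 17 characters
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid zone name: $name" >&2; return 1 ;;
    esac
    if [ "${#name}" -gt 17 ]; then
        echo "zone name too long (max 17): $name" >&2; return 1
    fi
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<zone>\n'
        printf '  <short>%s</short>\n' "$short"
        printf '  <description>%s</description>\n' "$desc"
        for svc in "$@"; do
            printf '  <service name="%s"/>\n' "$svc"
        done
        printf '</zone>\n'
    } > "$file"
    echo "$file"
}

# zone_services FILE: print the service names declared in a zone file,
# one per line, so a generated file can be checked before reloading.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# reload_if_available: reload firewalld only when firewall-cmd exists,
# so the script does not fail on a workstation used to prepare zone files.
reload_if_available() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --reload
    else
        echo "firewall-cmd not found; skipping reload" >&2
    fi
}

# Usage on a CentOS 7 host (as root), reproducing steps 7 to 9 above:
#   make_zone_file /etc/firewalld/zones seccon security-congress \
#       "For use at the security congress." ssh && reload_if_available
```

After the reload, firewall-cmd --get-zones lists the new zone exactly as in step 10; until you add an interface to it with --add-interface it is available but not active.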

How Does It Work?

In comparison to iptables, the new firewalld system hides away the creation of sophisticated networking rules and has a very easy syntax that is less error-prone. It can dynamically reload netfilter settings at runtime without having to restart the complete service and we can have more than one firewall configuration set per system, which makes it great for working in changing network environments, such as for mobile devices like laptops. In this process, we have given you an introduction to the two fundamental building blocks of firewalld: the zone and the service.

So, what did we learn from this experience?

We started this process using firewall-cmd to get information about available firewall zones on the system. Firewalld introduces the new concept of network or firewall zones, which assigns different levels of trust to your server’s network interfaces and their associated connections. In CentOS 7, there already exist a number of predefined firewalld zones, and all of these (for example, private, home, public, and so on, with the exception of the trusted zone) will block any form of incoming network connection to the server unless they are explicitly allowed using special rules attached to the zone (these rules are called firewalld services, which we will see later). We queried zone information using firewall-cmd with --get-zones or (more detailed) with the --list-all-zones parameter. Each of these zones acts as a complete and full firewall that you can use, depending on your system’s environment and location. For example, as the name implies, the home zone is for use if your computer is located in home areas. If this is selected, you mostly trust all other computers and services on the networks to not harm your computer, whereas the public zone is more for use in public areas such as public access points and so on. Here, you do not trust the other computers and services on the network to not harm you. On CentOS 7, the standard default zone configuration set after installation is the public zone, which we displayed using the command’s --get-default-zone parameter, and in more detail using --list-all.

Note
Simply put, firewalld zones are all about controlling incoming connections to the server. Limiting outgoing connections with firewalld is also possible but is outside the scope of this book.

Also, to get more technical information about all currently available zones, we used the firewall client's --list-all-zones parameter. In the command's output, you will notice that a zone can have some associated network interfaces and a list of services belonging to it, which are special firewall rules applied to incoming network connections. You may also notice, while listing the details of all zones and their associated services, that by default all firewalld zones are very restrictive and barely allow anything to connect to the server at all. Another very important concept can be seen in the command's output above: our public zone is marked as default and active. While the active zone is the one that is directly associated with a network interface, the default zone becomes important if you have multiple network adapters available. Here, it acts as a standard minimum firewall protection and fallback strategy, in case you did not assign an active zone to every interface. For systems with only one network interface, the default zone will also set the active zone automatically. To set a default zone, we used the --set-default-zone parameter and, to mark a zone as active for an interface, we used --add-interface. Please note that, if you don't specify the --zone parameter, most firewall-cmd commands will apply their settings to the default zone. Firewalld listens on every network interface in your system and waits for new network packets to arrive. In summary, when a new packet arrives on a specific interface, firewalld first has to find out which zone is associated with that interface (its active zone, or the default zone if none has been assigned); after finding it, it applies all of that zone's service rules to the packet.

Next, we showed you how to work with firewalld services. Simply put, firewalld services are rules that open and allow a certain connection through our firewall to our server. Using such service file definitions makes the rules they contain reusable, because they can be added to or removed from any zone. Also, using the predefined firewalld services already available on your system, as opposed to manually finding out and opening protocols, ports, or port ranges with a complicated iptables syntax for the system services you are interested in, can make your administrative life much easier. We added the ftp service to the work zone by invoking --add-service. Afterward, we printed out the details of the work zone using --list-all. Firewalld is designed to have separate runtime and permanent configurations. While any change to the runtime configuration takes effect immediately but does not persist, the permanent configuration survives a reload or restart of the firewalld service. Some commands, such as switching the default zone, write the change into both configurations, which means they are applied immediately at runtime and also persist across a service restart. Other configuration settings, such as adding a service to a zone, are only written to the runtime configuration. If you restart firewalld, reload its configuration, or reboot your computer, these temporary changes will be lost. To make those temporary changes permanent, we can use the --permanent flag with the firewall-cmd program call to write them to the permanent configuration file as well.

Unlike runtime changes, permanent changes are not effective immediately, but only after a service restart/reload or a system reboot. Therefore, the most common approach to applying permanent settings for such runtime-only commands is to first apply the setting with the --permanent parameter, and afterward reload the firewall's configuration to actually activate it.
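A check for the drift between the two configurations, as an added example that is not part of the original process: it compares a zone's runtime service list with its permanent one and reports services that exist only at runtime (they disappear on the next --reload, which is exactly the state of the work zone after step 4) and services that exist only in the permanent configuration (they are not active until you reload). The function names list_diff, service_drift and check_zone are my own; the comparison works on the space-separated lists that firewall-cmd --list-services prints, so the first two functions can be exercised with constructed input on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the original page: detect drift between a zone's
# runtime and permanent service lists.
# Assumption: firewall-cmd --list-services prints service names separated by
# spaces, which is the format list_diff and service_drift operate on.

# list_diff "A B C" "B C D": print the items of the first list that are
# missing from the second, one per line.
list_diff() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;          # present in both lists, nothing to report
            *) echo "$item" ;;
        esac
    done
}

# service_drift RUNTIME PERMANENT: report runtime-only services (lost on
# reload) and permanent-only services (not yet active). Returns 0 when both
# lists match and 1 when any drift exists, so it can gate a deployment step.
service_drift() {
    lost=$(list_diff "$1" "$2")
    pending=$(list_diff "$2" "$1")
    [ -n "$lost" ] && printf 'runtime only (lost on --reload): %s\n' "$(echo $lost)"
    [ -n "$pending" ] && printf 'permanent only (needs --reload): %s\n' "$(echo $pending)"
    [ -z "$lost$pending" ]
}

# check_zone ZONE: gather both lists from firewall-cmd on a real host and
# compare them (requires firewalld; run as root on CentOS 7).
check_zone() {
    zone=$1
    runtime=$(firewall-cmd --zone="$zone" --list-services)
    permanent=$(firewall-cmd --permanent --zone="$zone" --list-services)
    service_drift "$runtime" "$permanent"
}

# On a CentOS 7 host right after step 4 (ftp added at runtime only):
#   check_zone work      ->  runtime only (lost on --reload): ftp
# After step 6 (--permanent plus --reload) the same call reports nothing.
```

Running check_zone for every zone from firewall-cmd --get-zones before a planned reload tells you which temporary allowances will silently vanish, which is the usual way an "it worked until the reboot" firewall surprise is caught in advance.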

Finally, we showed you how to create your own zone, which is just an XML file you have to create in the /etc/firewalld/zones/ directory, in which we specified a name, a description, and all the services that you want to activate. If you change something in any firewall configuration file, don't forget to reload the firewall config afterward.

To finish this process, we will revert our permanent changes made to the work zone and reload firewalld to reset all the non-permanent changes we applied in this process:
firewall-cmd --permanent --zone=work --remove-service=ftp
firewall-cmd --reload

There's more…

To troubleshoot a service that is being blocked, instead of turning off the firewall completely, you should just switch the default zone to trusted, which accepts all incoming connections (this affects the interfaces that fall back to the default zone; an interface you explicitly added to another zone keeps that zone):
firewall-cmd --set-default-zone=trusted

Once you have finished your tests, just switch back to the zone that you were in before, for example:
firewall-cmd --set-default-zone=public