
Forging the CentOS firewall rules by example

In this process, we show you how to create your own firewalld service definitions and how to change existing ones, which any CentOS 7 system administrator should know how to do when the predefined service files don’t fit the system’s needs.

To Start With: What Do You Need?

To complete this process, you will need a minimal installation of the CentOS 7 operating system with root privileges and a console-based text editor of your choice. We will be changing the SSH service’s port number in firewalld, so make sure that you have configured the new port as shown in the process Locking down remote access and hardening SSH. In our example, we have changed the port to 2223. We will also create a new firewalld service for a small Python-based web server, which we will use to demonstrate the integration of new system services into firewalld. It helps to grasp the basics of firewalld by working through the Working with a firewall process before starting here.

The Process

This process shows how to change existing firewalld service definitions and how to create new ones. It assumes that we are working in the default public zone.

To change an existing firewalld service (ssh)

  1. First, log in as root and copy the ssh service to the right place to edit it:
    cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services
  2. Next, open the ssh service definition file:
    vi /etc/firewalld/services/ssh.xml
  3. Change the port from 22 to 2223, then save the file and close it:
    <port protocol="tcp" port="2223"/>
  4. Finally, reload the firewall:
    firewall-cmd --reload

To create your own new service

Perform the following steps to create your own new service:

  1. Open a new file:
    vi /etc/firewalld/services/python-webserver.xml
  2. Put in the following service definition:
    <?xml version="1.0" encoding="utf-8"?>
    <service>
       <short>Python Webserver</short>
       <description>For pythons webservers</description>
       <port port="8000" protocol="tcp"/>
    </service>
  3. Save and close the file, and then finally reload the firewall:
    firewall-cmd --reload
  4. Now, add this new service to our default zone:
    firewall-cmd --add-service=python-webserver
  5. Afterwards, run the following command to start a simple Python web server in the foreground on port 8000 (press the key combination Ctrl + C to stop it):
    python -m SimpleHTTPServer 8000
  6. Congratulations! Your new web server sitting at port 8000 can now be reached from other computers in your network:
    http://<ip address of your computer>:8000/

How Does It Work?

In this process, we have shown how easy it is to customize a firewalld service when the predefined definition needs to be changed, and to define a new one for a system service that is not defined at all. Service definition files are simple XML files in which you define rules for a given system service or program. There are two distinct directories where firewalld service files live: /usr/lib/firewalld/services for all predefined services available from the system installation, and /etc/firewalld/services for all custom and user-created services.

So, what did we learn from this experience?

We started this process by making a working copy of the SSH firewalld service file in the right place at /etc/firewalld/services. We could just copy the original file because all files in this directory override the default configuration files from /usr/lib/firewalld/services. In the next step, we modified the copy by opening it and changing the default port from 22 to 2223. We have to do this every time we change a system service’s standard listening port, to make the firewall aware that it should allow network traffic to flow through the changed port. As you can see when opening this file, service files are simple XML text files with some mandatory and some optional tags and attributes. They contain a list of one or more ports and protocols that define exactly what firewalld should enable when the service is attached to a zone. There can be another important setting in the XML file: helper modules. For example, if you open the Samba service file at /usr/lib/firewalld/services/samba.xml, you will see the tag <module name="nf_conntrack_netbios_ns"/>. These are special kernel netfilter helper modules that can be dynamically loaded into the underlying kernel-based firewall, and which are needed for some system services, such as Samba or FTP, that create dynamic connections on temporary TCP or UDP ports instead of using static ports. After reloading the firewall configuration, we should now be able to test the connection from another computer in our network using the altered port.
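Because a file in /etc/firewalld/services silently takes precedence over the predefined one, it is worth checking which services have been overridden and what each version opens. The script below is an added example, not part of the original text; the function names and the CUSTOM/OVERRIDE labels are assumptions of this example, and the files written by demo() are constructed sample data.

```shell
#!/bin/sh
# Added example: report which files in /etc/firewalld/services override a
# predefined service of the same name, and which ports each version opens.

# Print the "port/protocol" pairs of one service file on a single line.
# Handles either attribute order; assumes each <port .../> sits on one line.
service_ports() {
    grep -o '<port [^>]*>' "$1" 2>/dev/null | while read -r tag; do
        port=$(printf '%s\n' "$tag" | sed -n 's/.*[[:space:]]port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$tag" | sed -n 's/.*[[:space:]]protocol="\([^"]*\)".*/\1/p')
        [ -n "$port" ] && printf '%s/%s\n' "$port" "$proto"
    done | sort | tr '\n' ' ' | sed 's/ $//'
}

# audit_overrides [predefined_dir] [custom_dir]
audit_overrides() {
    sys_dir=${1:-/usr/lib/firewalld/services}
    etc_dir=${2:-/etc/firewalld/services}
    for f in "$etc_dir"/*.xml; do
        [ -e "$f" ] || continue            # directory empty or missing
        name=$(basename "$f" .xml)
        custom=$(service_ports "$f")
        if [ ! -f "$sys_dir/$name.xml" ]; then
            echo "CUSTOM $name ports=[$custom]"
            continue
        fi
        stock=$(service_ports "$sys_dir/$name.xml")
        if [ "$custom" = "$stock" ]; then
            echo "OVERRIDE-SAME $name ports=[$custom]"
        else
            echo "OVERRIDE-CHANGED $name stock=[$stock] custom=[$custom]"
        fi
    done
}

# Constructed sample data mirroring the two edits made in this process.
demo() {
    d=$(mktemp -d) && mkdir "$d/sys" "$d/etc" || return 1
    echo '<service><port protocol="tcp" port="22"/></service>' > "$d/sys/ssh.xml"
    echo '<service><port protocol="tcp" port="2223"/></service>' > "$d/etc/ssh.xml"
    echo '<service><port port="8000" protocol="tcp"/></service>' > "$d/etc/python-webserver.xml"
    audit_overrides "$d/sys" "$d/etc"
    rm -rf "$d"
}

demo
```

On a real host, replace the final demo call with audit_overrides to scan the two default directories; OVERRIDE-CHANGED lines show where the local rules differ from what the distribution ships.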

In the second part of this process, we created a brand-new service file for a new system service: a simple Python web server listening on port 8000 that displays a simple directory content listing. To do so, we created a simple XML service file for the Python web server with the right port, 8000, reloaded the firewall, and afterwards added the new service to our default public zone so that connections can actually be opened through it. You should now be able to browse to our web server’s start page from another computer in the same network. However, as we did not use the --permanent flag, the python-webserver service will be gone from the public zone if you restart the firewalld daemon (you can also remove it yourself with the parameter --remove-service=python-webserver).

In summary, the recommended firewall choice in CentOS 7 is firewalld, as all important system services have already been set up to use it via predefined service rules. Remember that Linux firewalls are a very complex topic that can easily fill a whole book, and that you can do a lot more with firewall-cmd than can be covered here in this book.

There's more…

Often, you just want to quickly open a specific port to test out things before writing your own custom-made service definition. In order to do this, you can use the following command line, which will open port 2888 using the tcp protocol temporarily on the default zone:
    firewall-cmd --add-port=2888/tcp

Once you have finished your tests, just reload the firewall configuration to remove and close the specific port again.

 
