The Firewall in CentOS 7

Set in the operating system Firewall to prevent unauthorized traffic between computer networks. Manually or automatically created rules to the firewall, and are responsible for access control. OS developed on Linux kernel, CentOS 7 has a built-in firewall and managed firewall. By default, the Daemon is involved, and how to set it up, we’d like to talk about today.

Custom Firewall in CentOS 7

As mentioned above, a standard firewall in CentOS 7 FirewallD is assigned a utility. Therefore, the configuration of the firewall will be reviewed on the example of this tool. To set filtering rules using the same iptables, but this is a slightly different way. With the mentioned configuration utility we recommend to read by clicking on the following link and we will start the analysis of FirewallD.

Basic concepts firewall

There are several areas of sets of rules to control traffic based on the credibility of the networks. All of them are set their own policies, the totality of which forms the configuration of the firewall. Each zone is assigned to one or more network interfaces, which also allows you to adjust the filtration. The interface is directly dependent of the applied rules. For example, if you connect to a public Wi-Fi network screen will increase the level of control and your home network will provide additional access for participants of the chain. In the considered firewall there are zones:

  • trusted — the maximum trust level for all devices on the network;
  • home — group local network. There is trust to the environment, but incoming links are only available to certain machines;
  • work work area. Present confidence in the most devices, and also activate additional services;
  • dmz zone for stand-alone computers. Such a device is disconnected from the rest of the network and allow only certain incoming traffic;
  • internal area internal networks. Trust applies to all cars, open the additional services;
  • external — back to the previous area. On external networks active camouflage NAT, closing the internal network, but not blocking the possibility of access;
  • public — area public networks with distrust to all devices and the individual receiving incoming traffic;
  • block all incoming requests are discarded with the departure of the error icmp-host-prohibited or icmp6-adm-prohibited;
  • drop the minimum level of trust. Incoming connections are reset without any notification.

Themselves policy there are temporary and permanent. When new or edit action options of the firewall changes without the need to reboot. If the same were applied to the provisional rules, the Daemon after restart they are reset. Permanent rule for that are it will be saved on a permanent basis in the application of the argument —permanent.

The inclusion of FirewallD firewall

First you need to start the Daemon or verify that it is in the active state. Only a functioning daemon (program running in the background) will apply the firewall rules. Activation is done in just a few clicks:

  • Run the classic “Terminal” by any convenient method, for example, via the menu “Applications”.
  • Enter the command sudo systemctl start firewalld.service and press Enter.
  • Management utility is done as root, so you have to authenticate by providing your password.
  • To verify the operation of the service, specify firewall-cmd --state.
  • In the opened graphics window to re-authenticate.
  • New line is displayed. The value of “running” suggests that the firewall is running.
  • If you will one day need to temporarily or permanently disable a firewall, I advise you to use the instructions presented in our other article on the following link.

    Read more: Disable Firewall in CentOS 7

    View the default rules and the available zones

    Even operating in normal mode, the firewall has its own specific rules and available areas. Before you start creating policies suggest to familiarize with the current configuration. This is done using simple commands:

  • To determine the functioning of the default zone, use the command firewall-cmd --get-default-zone.
  • After its activation you will see new line to display the required option. For example, in the screenshot below the active area is “public”.
  • However, the active can be multiple zones, plus they are bound to an individual interface. Find out this information through firewall-cmd --get-active-zones.
  • The command firewall-cmd --list-all will display the rules defined for the default zone. Please note on the screenshot below. You can see that the core of the “public” has the rule “default” — operation by default, the interface “enp0s3” and added two service.
  • If there is the need to know all the available zones of the firewall, type firewall-cmd --get-zones.
  • Parameters specific zones are defined using firewall-cmd --zone=name --list-all, where name is the zone name.
  • After determining the necessary parameters, you can move on to their change and addition. Let’s analyze in detail some of the most popular configurations.

    To configure zones, interfaces

    As you know from the information above, each interface defines its own default zone. He will be in it as long as the settings will not be changed by the user or programmatically. You can manually migrate the interface to a zone in one session, and he carried activation command sudo firewall-cmd --zone=home --change-interface=eth0. The result is “success” indicates that the migration was successful. Recall that these settings are reset immediately after a reboot of the firewall.

    With this changed parameters should be taken into account that the services can be reset. Some of them do not support functioning in certain areas, for example, SSH, though, and is available in “home”, but in custom or special service refuses to work. Make sure that the interface was successfully bound to the new branch by typing firewall-cmd --get-active-zones.

    If you want to reset the previous settings, just do a restart the firewall: sudo systemctl restart firewalld.service.

    Sometimes it is not always convenient to change the interface area in just one session. In this case, you will need to edit the configuration file so all the settings have been carried out on a permanent basis. For this purpose we suggest to use the text editor nano, which is installed from the official repositories sudo yum install nano. We produce the following:

  • Open the configuration file using the editor by typing sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0, where eth0 is the name of the interface.
  • Confirm the authenticity of the account for further action.
  • Find the parameter “ZONE” and change its value as desired, for example, public or home.
  • Hold down the keys Ctrl + Oto save the changes.
  • Do not change the file name and just press Enter.
  • Exit the text editor using Ctrl + X.
  • Now the interface area will be what you specified, until you next edit the configuration file. For the updated settings to take effect run sudo systemctl restart network.service and sudo systemctl restart firewalld.service.

    Setting the default zone

    We have previously demonstrated the team, which made it difficult to know the default zone. It can also be changed by setting the parameter to your choice. To do this, in the console it is enough to add sudo firewall-cmd --set-default-zone=name, where name is the name of the required zone.

    The success of the command would indicate the inscription “success” in a separate line. After that, all current interfaces attached to this zone, if other is not specified in the configuration files.

    Creating rules for programs and utilities

    In the beginning of this article we told about the action of each zone. Definition of services, tools and programmes in the branches will apply to each of the individual parameters under each user’s queries. For a start I advise you to see a complete list of the currently available services: firewall-cmd --get-services.

    The result is displayed directly in the console. Each server separated by a space, and in the list you will be able to easily find what you are looking for. If the service is missing, it should be installed. The rules about installations, read the official documentation of the software.

    The above command shows only the names of the services. Detailed information on each of them is obtained through individual file located at the path /usr/lib/firewalld/services. These documents are formatted as XML, a path, for example, to SSH looks like this: /usr/lib/firewalld/services/ssh.xmland the document has the following content:

    Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.

    Activated service support in a specific area manually. In “the Terminal” should set the command sudo firewall-cmd --zone=public --add-service=http, where –zone=public area to activate, –add-service=http — name of the service. Note that this change is only valid within a single session.

    A permanent addition is carried out using sudo firewall-cmd --zone=public --permanent --add-service=http, and the result is “success” indicates successful completion of the operation.

    A complete list of the standing rules for a specific zone is possible, by displaying the list on a separate line in the console: sudo firewall-cmd --zone=public --permanent --list-services.

    The solution to the problem of lack of access to the service

    The standard in the firewall rules for some of the most popular and safe services as allowed, but some standard or third-party app to block it. In this case, the user will manually need to change the settings to solve the problem with access. This can be done by two different methods.

    Forwarding port

    It is known that all network services use a certain port. It is easily detected by the firewall, and it can run blocking. To avoid such action on the part of the firewall, you must open the required port with the command sudo firewall-cmd --zone=public --add-port=0000/tcp, where –zone=public area for the port –add-port=0000/tcp — the Protocol number and the port. Option firewall-cmd --list-ports displays the list of open ports.

    If you need to open the ports included in the range, use the string sudo firewall-cmd --zone=public --add-port=0000-9999/udp, where –add-port=0000-9999/udp — port range and Protocol.

    The above command will only allow you to test the application of such parameters. If it is successful, you should add these same ports to permanent settings, and this is done by typing sudo firewall-cmd --zone=public --permanent --add-port=0000/tcp or sudo firewall-cmd --zone=public --permanent --add-port=0000-9999/udp. A list of open ports visible permanent: sudo firewall-cmd --zone=public --permanent --list-ports.

    The service definition

    As you can see, adding ports does not cause any difficulties, but the procedure is more complicated in the case where the applications used by a large number. Keep track of all used ports becomes difficult, therefore, more appropriate option would be the service definition:

  • Copy the configuration file with sudo cp /usr/lib/firewalld/services/service.xml /etc/firewalld/services/example.xmlwhere service.xml — the file name of the service, and example.xml — name copies.
  • Click the copy to modify using any text editor, for example sudo nano /etc/firewalld/services/example.xml.
  • For example, we created a copy of the HTTP service. In the document you mostly see various metadata, for example, the short name and description. Affect the operation of the server change the port number and Protocol. Above the line “</service>” you should add <port protocol="tcp" port="0000"/>to open the port. tcp — the Protocol used, and 0000 is the port number.
  • Save all changes (Ctrl + O) close file (Ctrl + X) and then restart the firewall to apply the settings via sudo firewall-cmd --reload. After that the service will be available in the list, which can be viewed using the firewall-cmd --get-services.
  • You just have to choose the most appropriate method of solving problems with access to the service and then following the instructions. As you can see, all actions are performed quite easily, and no difficulty should arise.

    Creating custom zones

    You already know that initially in the Daemon created a large number of various zones with the defined rules. However, there are situations when a system administrator needs to create a custom area, such as, for example, “publicweb” for the installed web server or “privateDNS” for the DNS server. In these two examples we will consider adding your branches:

  • Create two new permanent area commands sudo firewall-cmd --permanent --new-zone=publicweb and sudo firewall-cmd --permanent --new-zone=privateDNS.
  • They will be available after you restart the tool sudo firewall-cmd --reload. To display the permanent zones, type sudo firewall-cmd --permanent --get-zones.
  • Assign them the desired services, for example, “SSH”, “HTTP” and “HTTPS”. This is done by the command sudo firewall-cmd --zone=publicweb --add-service=ssh, sudo firewall-cmd --zone=publicweb --add-service=http and sudo firewall-cmd --zone=publicweb --add-service=https, where –zone=publicweb — name of zone to add. View activity services can writing firewall-cmd --zone=publicweb --list-all.
  • In this article, you learned how to create a custom zone and add services. About installing them by default, and the assignment of interfaces we have already said above, you only need to specify the correct names. Don’t forget to restart the firewall after making any changes.

    As you can see, the firewall is FirewallD — large enough tool to produce a flexible firewall configuration. It remains only to verify that the utility is run with the system and the rules are immediately begin its work. Do this with the command sudo systemctl enable firewalld.


    (Visited 40 times, 1 visits today)