Linux Tutorials - Herong's Tutorial Examples - v5.45, by Herong Yang
"firewalld" and "firewall-cmd" on CentOS
This section provides a tutorial example on how to use the 'firewalld' daemon and the 'firewall-cmd' CLI to manage the network firewall on CentOS 8 systems.
"firewalld" is a service daemon that works together with the "firewall-cmd" CLI (Command Line Interface) to form a front end for the "nftables/iptables" back end that controls network traffic. Here is what I did to ensure that "firewalld" and "firewall-cmd" are working on my CentOS 8 computer.
1. Make sure that I have the latest version of "firewalld" installed with the "dnf info" command:
herong$ sudo dnf info firewalld
Installed Packages
Name         : firewalld
Version      : 0.7.0
Release      : 5.el8
Architecture : noarch
Size         : 1.9 M
Source       : firewalld-0.7.0-5.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : A firewall daemon with D-Bus interface providing a dynamic firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic customizable
             : firewall with a D-Bus interface.
2. Make sure that the "firewalld" service is running with the "systemctl status" command:
herong$ sudo systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running)
     Docs: man:firewalld(1)
 Main PID: 1360 (firewalld)
    Tasks: 3 (limit: 26213)
   Memory: 34.4M
   CGroup: /system.slice/firewalld.service
3. Check which security zone is active on each network interface with the "firewall-cmd" command. I see the "public" zone of security rules applied on the Ethernet interface.
herong$ sudo firewall-cmd --get-active-zones
public
  interfaces: eno1
4. Check which security rules are defined in the "public" zone. I see that two TCP ports, 80 and 3306, are open for incoming traffic. The ports used by the "cockpit", "dhcpv6-client", and "ssh" services are also open.
herong$ sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
5. Add a new rule to open TCP port 8080 for a Tomcat server. The first command allows all IP addresses from the Internet to access port 8080. The second command saves the change permanently.
herong$ sudo firewall-cmd --zone=public --add-port=8080/tcp
herong$ sudo firewall-cmd --runtime-to-permanent
6. Add a new rule to open all ports for a given IP address.
herong$ sudo firewall-cmd --zone=public --add-source=192.168.1.11
herong$ sudo firewall-cmd --runtime-to-permanent
7. Turn on traffic forwarding (masquerading) and add a port forwarding rule:
herong$ sudo firewall-cmd --zone=external --add-masquerade
herong$ sudo firewall-cmd --zone=public --add-forward-port=port=8888:\
  proto=tcp:toport=80:toaddr=192.168.1.201
herong$ sudo firewall-cmd --runtime-to-permanent
8. Add a pre-defined service, which contains the IP ports used by that service. For example, opening the "http" service is the same as opening port 80.
herong$ sudo firewall-cmd --zone=public --add-service=http
herong$ sudo firewall-cmd --zone=public --list-services
cockpit dhcpv6-client http ssh
herong$ sudo firewall-cmd --runtime-to-permanent
9. Add new rich rules, which are basically "iptables"-style rules.
# reject incoming traffic from the guest computer
firewall-cmd --add-rich-rule="rule family='ipv4' \
  source address='192.168.1.100' reject"

# allow my computer to access the MySQL database at port 3306
firewall-cmd --add-rich-rule='rule family="ipv4" \
  source address="192.168.1.11" \
  port protocol="tcp" port="3306" accept'

# allow local computers to access the "http" service at port 80
firewall-cmd --add-rich-rule='rule family="ipv4" \
  source address="192.168.1.0/24" \
  service name="http" accept'

# verify changes
firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 80/tcp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" \
        service name="http" accept

# save changes
firewall-cmd --runtime-to-permanent
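An added example for steps 4, 5 and 9 (not code from the tutorial): shell helpers that parse the text printed by "firewall-cmd --zone=public --list-all" to check whether a port is already open before issuing --add-port, and to find runtime ports that were never saved with --runtime-to-permanent. The listings and the 8443/tcp port are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of Herong's tutorial. These are pure text functions
# over the output of "firewall-cmd --zone=<zone> --list-all", so they run
# offline; on a CentOS host feed them the real listings, e.g.
#   RUNTIME=$(sudo firewall-cmd --zone=public --list-all)
#   PERMANENT=$(sudo firewall-cmd --permanent --zone=public --list-all)

# Print one key's value ("ports", "services", "sources", ...) from a listing.
zone_field() {  # zone_field "<listing>" <key>
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 == (key ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Exit 0 if <port>/<proto> is already open in the listing.
port_is_open() {  # port_is_open "<listing>" 8080/tcp
  zone_field "$1" ports | tr ' ' '\n' | grep -qx "$2"
}

# Print the firewall-cmd commands needed to open a port, or nothing if it is
# already open, so re-running the plan never duplicates work.
plan_open_port() {  # plan_open_port "<listing>" <zone> 8080/tcp
  port_is_open "$1" "$3" && return 0
  printf 'firewall-cmd --zone=%s --add-port=%s\n' "$2" "$3"
  printf 'firewall-cmd --runtime-to-permanent\n'
}

# Ports open at runtime but absent from the permanent configuration: these
# vanish on reload/reboot unless "firewall-cmd --runtime-to-permanent" is run.
unsaved_ports() {  # unsaved_ports "<runtime listing>" "<permanent listing>"
  for p in $(zone_field "$1" ports); do
    port_is_open "$2" "$p" || printf '%s\n' "$p"
  done
}

# Constructed sample listings modelled on the tutorial's "public" zone, with
# 8080/tcp added at runtime but not yet saved.
RUNTIME='public (active)
  target: default
  interfaces: eno1
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 3306/tcp 8080/tcp
  masquerade: no
  rich rules:'
PERMANENT=$(printf '%s\n' "$RUNTIME" | sed 's| 8080/tcp||')

plan_open_port "$RUNTIME" public 8080/tcp   # already open: prints nothing
plan_open_port "$RUNTIME" public 8443/tcp   # prints the two commands to run
unsaved_ports "$RUNTIME" "$PERMANENT"       # prints 8080/tcp
```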