In computer terms, a firewall stops network traffic on one network from being passed on to another network. On most systems the Linux kernel is compiled with IP forwarding set to yes. What this means is that if the computer is connected to more than one network, traffic will be passed directly from one network to the other as if they were physically connected.
Forgetting to secure and configure a dedicated server’s firewall is a common mistake and a huge security flaw. Going into the firewall’s configuration allows you to cut off unnecessary software that is exposed to the internet; leaving it unconfigured leaves your server and its ports vulnerable to intrusion.
In this article I will show how to install and configure the firewall on CentOS 7 and RHEL 7.
Configure Firewall in Linux
There are three main ways for system administrators to interact with firewalld.
- By directly editing configuration files in /etc/firewalld
- By using the graphical firewall-config tool
- By using firewall-cmd from the command line (discussed in this article)
In this article I will discuss how to configure the firewall on CentOS 7 and RHEL 7 machines using the firewall-cmd command. Please note that the firewalld daemon is installed from the firewalld package. It is part of a base install, but not part of a minimal installation.
The firewalld package is installed by default on RHEL 7.1 and CentOS 7.1. If it is not installed, you can install it with the following YUM command.
# yum install firewalld -y
Enable and Disable Firewall at Boot
Use the commands below to enable or disable the firewall at boot.
To disable at boot:
# systemctl disable firewalld
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
To enable at boot:
# systemctl enable firewalld
Verify Firewall is Enabled and Running on Your System
Run the command below to verify that the firewall is enabled and running on your system.
# systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: active (running) since Wed 2015-09-09 21:26:25 MYT; 1 weeks 0 days ago
 Main PID: 2348 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─2348 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Sep 09 21:26:25 centos71.ehowstuff.local systemd: Started firewalld - dynamic firewall daemon.
Check Current Default Zone
# firewall-cmd --get-default-zone
public
List all Available Zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
Open up incoming http, https and mysql traffic for the public zone
# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --permanent --zone=public --add-service=mysql
Activate the Changes
# firewall-cmd --reload
Check Running Firewall Configuration
Query the active zones:
# firewall-cmd --get-active-zones
Display All Running Firewall Configuration
# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: ens32
  sources:
  services: dhcpv6-client http https mysql ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
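As an added example that is not part of the original article, the POSIX shell script below parses the firewall-cmd --zone=public --list-all output format shown above and flags any service open in the zone that is not on an expected allowlist, a quick way to notice rules that have drifted from what was intended. The sample output embedded in the script is constructed to match the listing above so that it runs offline; on a real host you would feed it the live command output as shown in the comment.

```sh
#!/bin/sh
# Added example, not from the original article: audit the services opened in a
# firewalld zone against an expected allowlist by parsing `--list-all` output.

# Constructed sample of `firewall-cmd --zone=public --list-all` output, matching
# the listing in the article, so the check can run without firewalld present.
SAMPLE_LIST_ALL='public (default, active)
  interfaces: ens32
  sources:
  services: dhcpv6-client http https mysql ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# zone_services LIST_ALL_TEXT: print the space-separated service names from the
# "services:" line of --list-all output (empty if no services are open).
zone_services() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# unexpected_services LIST_ALL_TEXT EXPECTED: print, one per line, every open
# service that is not in the space-separated EXPECTED allowlist.
unexpected_services() {
    expected=" $2 "
    for svc in $(zone_services "$1"); do
        case "$expected" in
            *" $svc "*) ;;                     # allowed: on the list
            *) printf '%s\n' "$svc" ;;         # not allowed: report it
        esac
    done
}

# audit_zone LIST_ALL_TEXT EXPECTED: return 0 when only expected services are
# open, 1 (and a message on stderr) when the zone exposes something extra.
audit_zone() {
    extra=$(unexpected_services "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'unexpected service(s) open in zone:%s\n' \
            "$(printf ' %s' $extra)" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample. On a live host use instead:
#   audit_zone "$(firewall-cmd --zone=public --list-all)" "dhcpv6-client http https ssh"
if audit_zone "$SAMPLE_LIST_ALL" "dhcpv6-client http https ssh"; then
    echo "zone matches the allowlist"
else
    echo "zone has drifted from the allowlist (mysql is open but not expected)"
fi
```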