Managing Firewall Ports with firewalld

Firewalls are essential for network security, controlling incoming and outgoing network traffic. Modern Linux distributions, including CentOS 7 and later, utilize firewalld as the default firewall management tool. This tutorial explains how to effectively manage firewall ports using firewalld, ensuring your services are accessible while maintaining a secure system.

Understanding Zones

firewalld uses the concept of zones to define different network environments and their associated trust levels. Common zones include public, private, home, and dmz. Each zone has its own set of rules, specifying which connections are allowed or blocked. By default, network interfaces are assigned to a zone, usually public for external networks.

Before configuring ports, it’s essential to identify the active zone(s) for your network interface. You can list active zones using:

firewall-cmd --get-active-zones

This command will output the zone(s) currently in use, along with the interfaces assigned to each. You can also list the full configuration of the default zone to see its current state:

firewall-cmd --list-all

If necessary, you can change the default zone:

firewall-cmd --set-default-zone=<zone_name>

Replace <zone_name> with the desired zone, such as public, private, or home.

Opening Firewall Ports

To allow traffic on a specific port, you need to add a rule to the appropriate zone. Let’s say you want to open ports 2888 and 3888 for TCP traffic in the public zone. Use the following command:

firewall-cmd --zone=public --add-port=2888/tcp --permanent
firewall-cmd --zone=public --add-port=3888/tcp --permanent

The --zone=public option specifies the zone the rule applies to. --add-port=2888/tcp adds a rule allowing TCP traffic on port 2888. The --permanent option writes the rule to the saved configuration so it persists across reboots. Without --permanent, the change applies only to the running firewall and will be lost when the system restarts.

Using Services Instead of Ports

Instead of specifying ports directly, you can use predefined services whenever possible. firewalld includes definitions for common services like HTTP, HTTPS, SSH, and NTP. This simplifies configuration and enhances readability.

To add the HTTP service to the public zone permanently:

firewall-cmd --zone=public --add-service=http --permanent

This automatically opens the standard port(s) associated with the HTTP service (port 80).

Applying and Verifying Changes

After adding or modifying firewall rules, you must reload firewalld for the changes to take effect:

firewall-cmd --reload

This command reloads the firewall configuration without interrupting existing connections.

To verify that a port is open, you can use the --query-port option:

firewall-cmd --zone=public --query-port=2888/tcp

This command will return yes if the port is open in the specified zone, and no otherwise. You can also query services similarly:

firewall-cmd --zone=public --query-service=http

To list all open ports and services for a zone:

firewall-cmd --zone=public --list-ports
firewall-cmd --zone=public --list-services

Or, to see a complete configuration of a zone:

firewall-cmd --zone=public --list-all
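Putting the open, reload and verify steps above together, as an added example that is not part of the original tutorial: a POSIX shell script that validates each port spec before it reaches firewall-cmd, opens the ports permanently in a zone, reloads, and then checks the running configuration. The FIREWALL_CMD override is an assumption of this example; set it to echo to dry-run on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not code from the original tutorial: validate port specs,
# open them in a firewalld zone, reload, then verify they are really open.
# FIREWALL_CMD is an assumed override: set FIREWALL_CMD=echo to dry-run on
# a machine without firewalld and just see the commands that would run.
: "${FIREWALL_CMD:=firewall-cmd}"

# valid_port_spec "<port>/<proto>": succeed only for a port in 1..65535 and
# a protocol firewalld accepts, so a malformed or hostile value never
# reaches firewall-cmd.
valid_port_spec() {
    spec=$1
    case $spec in */*/*|/*|*/|*[!0-9a-z/]*) return 1 ;; esac
    port=${spec%%/*}
    proto=${spec#*/}
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# open_ports <zone> <port/proto>...: reject the whole batch if any spec is
# bad, add each one permanently, then reload so the permanent rules become
# the running configuration.
open_ports() {
    zone=$1; shift
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "rejected: $spec" >&2; return 2; }
    done
    for spec in "$@"; do
        "$FIREWALL_CMD" --zone="$zone" --add-port="$spec" --permanent || return 1
    done
    "$FIREWALL_CMD" --reload
}

# verify_ports <zone> <port/proto>...: query the running configuration and
# fail if any requested port is not open there.
verify_ports() {
    zone=$1; shift
    rc=0
    for spec in "$@"; do
        if "$FIREWALL_CMD" --zone="$zone" --query-port="$spec" >/dev/null 2>&1; then
            echo "$spec open in $zone"
        else
            echo "$spec NOT open in $zone" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

On a real host run it as root, e.g. open_ports public 2888/tcp 3888/tcp && verify_ports public 2888/tcp 3888/tcp.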

Removing Rules

If you need to remove a firewall rule, use the --remove-port or --remove-service option. For example, to remove the rule allowing traffic on port 2888 in the public zone:

firewall-cmd --zone=public --remove-port=2888/tcp --permanent

Remember to reload firewalld after removing the rule:

firewall-cmd --reload

By mastering these firewalld commands, you can effectively manage your firewall configuration, ensuring both security and accessibility for your network services.
