How to manage firewall rules in CentOS 7
Managing firewall rules in CentOS 7
With the recent release of CentOS 7 came many changes to the way the system is
configured compared to its predecessors. In CentOS 7 you will need to become familiar
with firewalld.
From FIREWALLD(1) man page:
“firewalld provides a dynamically managed firewall with support for network/firewall
zones to define the trust level of network connections or interfaces. It has support
for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime
and permanent configuration options. It also supports an interface for services or
applications to add firewall rules directly.”
In this article we will be discussing adding and removing basic firewall rules to allow
incoming traffic to access services that you are running on your server.
The default zone in CentOS 7 is “public”. You can change the default zone in
/etc/firewalld/firewalld.conf but for now we will leave it as public.
To open port 80 (http) in your firewall:
[root@srv ]# firewall-cmd –permanent –zone=public –add-port=80/tcp
And now reload the firewall to apply changes:
[root@srv ]# firewall-cmd –reload
This command can be used to verify that the port is open, it will return a simple yes or no:
[root@srv ]# firewall-cmd –zone=public –query-port=80/tcp
Alternatively you can create the rule using a service name:
[root@srv ]# firewall-cmd –permanent –zone=public –add-service=http
And now reload the firewall to apply changes:
[root@srv ]# firewall-cmd –reload
Verify the service port has been opened:
[root@srv ]# firewall-cmd –zone=public –query-service=http
These steps will create a permanent entry in your firewall configuration to allow incoming
TCP connections to TCP port 80 from the internet.
You can use “firewall-cmd –list-all” to get a view of your current firewall configuration.
Example:
[root@srv ]# firewall-cmd –list-all
public (default, active)
interfaces: eth0 eth1
sources:
services: ssh
ports: 80/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
To remove the port or service you added.
[root@srv ]# firewall-cmd –zone=public –remove-port=80/tcp
OR
[root@srv ]# firewall-cmd –zone=public –remove-service=http
And then issue a reload to apply the changes.
[root@srv ]# firewall-cmd –reload
Disclaimer: When working on a remote server and modifying the firewall rules be very
careful not to lock yourself out of your server by removing port 22 (SSHD)
from your firewall configuration. If you are unsure you can remove the
–permanent flag from the above commands and if you lock yourself out a
simple reboot of the server will clear any firewall rules you added.
How to manage firewall rules in CentOS 7
With the recent release of CentOS 7 came many changes to the way CentOS is
configured compared to its predecessors. In CentOS 7 you will need to become familiar
with firewalld.
In this article we will be discussing adding and removing basic firewall rules to allow
incoming traffic to access services that you are running on your server.
The default zone in CentOS 7 is “public”. You can change the default zone in
/etc/firewalld/firewalld.conf but for now we will leave it as public for the purposes of this article.
Opening Ports
To open port 80 (http) in your firewall, you can utilize the following command:
[root@srv ]# firewall-cmd –permanent –zone=public –add-port=80/tcp
Reload the firewall to apply changes:
[root@srv ]# firewall-cmd –reload
Verifying Rules
The following command can be used to verify that the port is open, it will return a simple yes or no:
The following command can be used to verify that the port is open, it will return a simple yes or no:
[root@srv ]# firewall-cmd –zone=public –query-port=80/tcp
Creating Rules by Using Service Names
Alternatively you can create the rule using a service name:
Alternatively you can create the rule using a service name:
[root@srv ]# firewall-cmd –permanent –zone=public –add-service=http
And now reload the firewall to apply changes:
[root@srv ]# firewall-cmd –reload
Verify the service port has been opened:
[root@srv ]# firewall-cmd –zone=public –query-service=http
Real World Example
These steps will create a permanent entry in your firewall configuration to allow incoming
TCP connections to TCP port 80 from the internet.
You can use “firewall-cmd –list-all” to get a view of your current firewall configuration.
Example:
[root@srv ]# firewall-cmd –list-all
public (default, active)interfaces: eth0 eth1sources:services: sshports: 80/tcpmasquerade: noforward-ports:icmp-blocks:rich rules:
To remove the port or service you added.
[root@srv ]# firewall-cmd –zone=public –remove-port=80/tcp
OR
[root@srv ]# firewall-cmd –zone=public –remove-service=http
And then issue a reload to apply the changes.
[root@srv ]# firewall-cmd –reload
firewalld allows an easy and convenient way to manage CentOS 7 firewall rules. With a little practice, it can become a critical tools for keeping your infrastructure safe and secure.