Centos 7 firewall open port. Default zone setting

Today I will introduce you to my vision of the initial configuration of a universal server on a popular OS. I will talk about how to do the basic configuration of the centos server immediately after installation to use it in any capacity you choose. Given practical advice increase the security and usability of the server. The article will be relevant for the last two releases of Centos - 7 and 8.

1. List the initial centos settings that I do on a freshly installed server.
2. Show examples of configurations that I use in a typical setup.
3. Give advice on setting up centos based on your experience with the system.
4. Provide a list of typical programs and utilities that help administer the server.

This article is part of a single series of articles about the server.

Introduction

After the release of the new release of Centos 8, it became difficult to describe in a single article initial setup both servers, but I did not want to share the article, since there are many incoming links to it from different places. It is more convenient to maintain common material for both releases, which I will do. At the same time, the differences between the two versions will be clearly visible, which for a couple of years after the release of centos 8 both will be relevant and you will have to use both versions, depending on the situation.

Centos 7 uses package manager yum, and in Centos 8 - dnf. At the same time, they left a symbolic link from yum to dnf, so you can write both the first name and the second one. For consistency, I will use yum everywhere, but I warn you, just so you understand why I do it this way. In fact, CentOS 8 uses dnf, this is a different, more modern package manager that allows you to work with different versions the same software. For this, separate repositories are used, which appeared for centos 8.

Initial setup of CentOS

Personally, I start any system setup, be it centos or another, after installation by completely updating the system. If the installation image was fresh, or the installation was carried out over the network, then most likely there will be no updates. Most often they are, since installation images are not always regularly updated.

We update the system

# yum update

For ease of administration, I always install Midnight Commander, or just mc:

# yum install mc

And immediately for it I turn on the syntax highlighting of all files that are not explicitly indicated in the file /usr/share/mc/syntax/Syntax syntax for sh and bash scripts. This generic syntax is well suited for configuration files that are most commonly used on the server. Overwriting the file unknown.syntax. This is the pattern that will be applied to the .conf and .cf files, since no syntax is explicitly attached to them.

# cp /usr/share/mc/syntax/sh.syntax /usr/share/mc/syntax/unknown.syntax

Next, we will need network utilities. Depending on the set of initial packages that you choose when installing the system, you will have one or another set of network utilities. Here is a list of those that I personally got used to - ifconfig, netstat, nslookup and some others. If you need them, just like I do, then I suggest installing them separately, if they are not already installed. If you don't really need them and don't use them, you can skip installing them. Let's check what we have in the system at the moment

#ifconfig

If you see the answer:

Bash: ifconfig:command not found

It means the utility is not installed. Instead of ifconfig in CentOS is now a utility ip. This applies not only to centos. This is the picture in almost all popular modern Linux distributions. I've been used to ifconfig for a long time, although I haven't used it much lately. I always liked that in various Linux distributions everything is about the same. Using ifconfig, you can configure the network not only in linux, but also in freebsd. It's comfortable. And when each distribution kit has its own tool, this is not convenient. Although now this is no longer very relevant, since I no longer work with Freebsd, and the ip utility is in all linux distributions. However, if you need ifconfig you can install the package net-tools which includes:

# yum install net-tools

In order for the nslookup commands to work for us or, for example, host, you need to install the package bind-utils. If this is not done, then the command:

# nslookup

There will be an output:

Bash: nslookup: command not found

So install bind-utils:

# yum install bind-utils

Disable SELinux

Disable SELinux. Its use and setup is a separate conversation. Now I won't do it. So let's turn it off:

# mcedit /etc/sysconfig/selinux

change the value

SELINUX=disabled

You can reboot for the changes to take effect:

# reboot

And if you want to apply disabling SELinux without rebooting, then run the command:

# setenforce 0

I get a lot of criticism about disabling SELinux all the time. I know how it works, I know how to set it up. It's really not very difficult and not difficult to master. This is my conscious choice, although sometimes I tweak it. My format of working with the system is such that I most often don’t need SELinux, so I don’t waste time on it and disable it in the basic centos setup. System security is a complex work, especially in modern world web development, where microservices and containers rule the show. SELinux is a niche tool that is not always and everywhere needed. Therefore, it has no place in this article. Whoever needs it will separately enable SELinux and configure it.

Specify network parameters

We continue the basic setup of centos after installation. Now let's do it if for some reason we didn't do it during installation, or if you need to change them. AT general case, the network in Centos is configured with network manager and its console utility nmtui. It comes with the basic system setup. There is a simple and intuitive graphical interface, so there is nothing to tell. I'm more used to configuring the network through the network-scripts config files. In centos 7th version, they are out of the box, in the 8th version they were removed. To use them to configure the network, you need to separately install the package network-scripts.

# yum install network-scripts

Now you can complete the network setup. To do this, open the file /etc/sysconfig/network-scripts/ifcfg-eth0

# mcedit /etc/sysconfig/network-scripts/ifcfg-eth0

If you receive network settings via dhcp, then the minimum set of settings in the configuration file will be as follows.

TYPE="Ethernet" BOOTPROTO="dhcp" DEFROUTE="yes" IPV4_FAILURE_FATAL="no" NAME="eth0" DEVICE="eth0" ONBOOT="yes"

To set up a static ip address, the settings will be as follows.

TYPE="Ethernet" BOOTPROTO="none" DEFROUTE="yes" IPV4_FAILURE_FATAL="no" NAME="eth0" DEVICE="eth0" ONBOOT="yes" IPADDR=192.168.167.117 DNS1=192.168.167.113 PREFIX=28 GATEWAY= 192.168.167.113

In the IPADDR field, enter your address, in the PREFIX network mask, in the GATEWAY gateway, the DNS address of the dns server. Save the file and restart the network to apply the settings:

# systemctl restart network

Setting up a firewall

Adding repositories

When setting up centos, you often need software that is not in the standard turnip. For installation additional packages necessary . The most popular is EPEL. There used to be rpmforge, but it's been closed for several years now. Everyone forgot about him. We connect the EPEL repository. Everything is simple with him, he is added from the standard turnip:

# yum install epel-release

Also for CentOS 7, the REMI repository is extremely useful, which allows you to install more recent versions of php, unlike those in the standard repository. Let me remind you that this is version php 5.4, which is no longer good and has been removed from support.

# rpm -Uhv http://rpms.remirepo.net/enterprise/remi-release-7.rpm

For Centos 8 remi is not relevant yet, but I think it's temporary. In principle, these two repositories in centos are usually enough for me in the general case. Others are connected already for specific needs to install various software.

Configuring history storage in bash_history

Moving on with the setup centos systems on server. It will be useful to make some changes to the standard mechanism for saving command history. He often helps out when you need to remember one of the previously entered commands. The default settings have some limitations that are inconvenient. Here is their list:

1. By default, only the last 1000 commands are saved. If there are more of them, then the older ones will be deleted and replaced by new ones.
2. There are no dates given for the execution of the commands, only a list of them in the order in which they were executed.
3. The file with the list of commands is updated after the end of the session. During parallel sessions, some commands may be lost.
4. Absolutely all commands are saved, although there is no point in storing some.

The list of last executed commands is stored in the user's home directory in a file .bash_history(dot at the beginning). It can be opened with any editor and viewed. For a more convenient display of the list, you can enter the command in the console:

# history

and see a numbered list. You can quickly find a specific command by filtering only the lines you need, like this:

# history | grep yum

So we will see all the options for running the yum command, which are stored in the history. Fix the above deficiencies default settings command history storage in CentOS. To do this, you need to edit the file .bashrc, which is located in the same directory as the history file. Add the following lines to it:

Export HISTSIZE=10000 export HISTTIMEFORMAT="%h %d %H:%M:%S " PROMPT_COMMAND="history -a" export HISTIGNORE="ls:ll:history:w:htop"

The first option increases the file size to 10,000 lines. You can make more, although this size is usually enough. The second parameter specifies that the date and time of the command execution should be saved. The third line forces immediately after the execution of the command to save it to the history. In the last line, we create a list of exceptions for those commands that do not need to be recorded in the history. I gave an example of the simplest list. You can add to it at your discretion.

To apply the changes, you need to log out and reconnect or run the command:

# source ~/.bashrc

On setting up the storage of command history, that's it. In the .bashrc file, you can configure a lot of interesting things. At one time I was fond of and experimented, but then I abandoned everything, because it makes no sense. When working with customer servers, I most often see the default bash, so it's better to get used to it and work in it. And separate settings and embellishments are the lot of personal computers and servers. Not workers. So I don't have to configure anything else according to the standard in the centos server in this regard.

Automatic system update

To maintain the security of the server at the proper level, it is necessary at least to update it in a timely manner - like the kernel itself with system utilities as well as other packages. You can do it manually, but for more efficient work it is better to configure automatic execution. It is not necessary to install updates automatically, but at least check for their appearance. I usually follow this strategy.

Yum cron

To automatically check for updates in Centos 7, the utility will help us yum cron. It is installed traditionally via yum from the standard repository.

# yum install yum cron

After installing yum-cron, an automatic task is created to execute the utility in /etc/cron.daily and /etc/cron.hourly. By default, the utility downloads the updates it finds, but does not apply them. Instead, the administrator on the local mailbox root is sent a notification about updates. Next you are in manual mode come in and decide whether to install updates or not at a convenient time for you. This mode of operation seems to me the most convenient, so I do not change these settings.

You can configure yum-cron through the configuration files located at /etc/yum/yum-cron.conf and yum-cron-hourly.conf. They are well commented, so in detailed explanations dont need. I pay attention to the section , where you can specify options for sending messages. The default is to send mail through the local host. You can change the settings here and send messages through a third-party mail server. But instead, I personally prefer to configure globally for the entire server the forwarding of local root mail to an external mailbox through authorization on another smtp server.

Dnf-automatic

As I said earlier, Centos 8 uses a different package manager - dnf. Configuring package updates there is done through the utility dnf-automatic. Let's install it and set it up.

# yum install dnf-automatic

Scheduled launch management is no longer handled by cron, but by systemd with its built-in scheduler. You can view the automatic start timers with the command:

# systemctl list-timers *dnf-*

If there is no task there, then you can add the timer manually:

# systemctl enable --now dnf-automatic.timer

The default timer is set to start dnf-automatic one hour after server boot and repeat daily. The timer config lives here - /etc/systemd/system/multi-user.target.wants/dnf-automatic.timer.

The config for dnf-automatic lives in /etc/dnf/automatic.conf. By default, it only downloads updates, but does not apply them. The config is well commented, so you can customize it the way you want. Separate explanations are not required. Customize system package updates to your liking. As I said, I only download them automatically. I always keep the installation under control with manual control.

Disable message flooding in /var/log/messages

Continuing the centos configuration, we will fix one small inconvenience. In the default installation of the system version 7, all your system log /var/log/messages after some time the server will be clogged with the following records.

Oct 16 14:01:01 xs-files systemd: Created slice user-0.slice. Oct 16 14:01:01 xs-files systemd: Starting user-0.slice. Oct 16 14:01:01 xs-files systemd: Started Session 14440 of user root. Oct 16 14:01:01 xs-files systemd: Starting Session 14440 of user root. Oct 16 14:01:01 xs-files systemd: Removed slice user-0.slice. Oct 16 14:01:01 xs-files systemd: Stopping user-0.slice. Oct 16 15:01:01 xs-files systemd: Created slice user-0.slice. Oct 16 15:01:01 xs-files systemd: Starting user-0.slice. Oct 16 15:01:01 xs-files systemd: Started Session 14441 of user root. Oct 16 15:01:01 xs-files systemd: Starting Session 14441 of user root. Oct 16 15:01:01 xs-files systemd: Started Session 14442 of user root. Oct 16 15:01:01 xs-files systemd: Starting Session 14442 of user root. Oct 16 15:01:01 xs-files systemd: Removed slice user-0.slice. Oct 16 15:01:01 xs-files systemd: Stopping user-0.slice. Oct 16 16:01:01 xs-files systemd: Created slice user-0.slice. Oct 16 16:01:01 xs-files systemd: Starting user-0.slice. Oct 16 16:01:01 xs-files systemd: Started Session 14443 of user root. Oct 16 16:01:01 xs-files systemd: Starting Session 14443 of user root. Oct 16 16:01:01 xs-files systemd: Removed slice user-0.slice.

In Centos 8, I did not notice them, so there is nothing to do there. No practical use messages do not carry, so we turn them off. To do this, we will create a separate rule for rsyslog, where we list all the message templates that we will cut out. Let's place this rule in separate file /etc/rsyslog.d/ignore-systemd-session-slice.conf.

# cd /etc/rsyslog.d && mcedit ignore-systemd-session-slice.conf if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of" ) then stop

Save the file and restart rsyslog to apply the settings.

# systemctl restart rsyslog

You need to understand that in this case we disable flooding in the log file only on local server. If you store logs on , then this rule will need to be configured on it.

Installing iftop, atop, htop, lsof on CentOS

And finally, at the end of the setup, let's add a few useful utilities, which may be useful during the operation of the server.

iftop shows in real time the loading of the network interface, can be started with various keys, I will not dwell on this in detail, there is information on this topic on the Internet. We put:

# yum install iftop

And two interesting task managers, I use htop most of the time, but sometimes atop comes in handy. We put both, see for yourself, figure out what you like best, it suits:

# yum install htop # yum install atop

To display information about which files are used by certain processes, I advise you to install the utility lsof. It will most likely come in handy sooner or later when you diagnose the operation of the server.

# yum install wget bzip2 traceroute gdisk

That's all for me. Basic CentOS setup finished, you can start installing and configuring the main functionality.

Setting up system mail

To complete the configuration of the CentOS server, let's make sure that mail addressed to the local root is sent through an external mail server to the selected mailbox. If this is not done, then it will be locally added to a file /var/spool/mail/root. And there may be an important useful information. Let's configure it to be sent to the system administrator's mailbox.

I talked about this in detail in a separate article -. Here, briefly, only the commands and quick setup. Install the required packages:

# yum install mailx cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain postfix

We draw something like this config for postfix.

Cat /etc/postfix/main.cf ## DEFAULT CONFIG BEGIN ###################### queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory=/usr/libexec/postfix data_directory=/var/lib/postfix mail_owner=postfix inet_interfaces=localhost inet_protocols=all unknown_local_recipient_reject_code=550 alias_maps=hash:/etc/aliases alias_database=hash:/etc/aliases debug_peer_level=2 debugger_command=PATH =/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/ newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop html_directory = no manpage_directory = /usr/share/man sample_directory = /usr/share/doc/postfix-2.10.1/samples readme_directory = /usr/share/ doc/postfix-2.10.1/README_FILES ## DEFAULT CONFIG END ###################### # Server name output by command hostname myhostname = centos-test. xs.local # Here n about the logic, only the domain should be left, but in this case it is better to leave the full name of the server so that the full name of the server appears in the sender # field, it is more convenient to parse service messages mydomain = centos-test.xs.local mydestination = $myhostname myorigin = $mydomain # Address of the server through which we will send mail relayhost = mailsrv.mymail.ru:25 smtp_use_tls = yes smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_tls_security_level = may

We create a file with information about the username and password for authorization.

# mcedit /etc/postfix/sasl_passwd mailsrv.mymail.ru:25 [email protected]:password

We create a db file.

# postmap /etc/postfix/sasl_passwd

Now you can restart postfix and check if it works.

# systemctl restart postfix

To the standard alias for root in /etc/aliases, add the external address where the mail addressed to root will be duplicated. To do this, edit the specified file, changing the last line.

#root: marc

root: root, [email protected]

Update the certificate database:

#newaliases

Let's send a letter through the console to the local root:

# df -h | mail -s "Disk usage" root

The letter should go to an external mailbox. If you use a mailbox from Yandex, you will most likely get an error in the mail server log and the letter will not be sent.

Relay=smtp.yandex.ru:25, delay=0.25, delays=0/0/0.24/0.01, dsn=5.7.1, status=bounced (host smtp.yandex.ru said: 553 5.7.1 Sender address rejected: not owned by auth user.(in reply to MAIL FROM command))

This error means that you do not have the same mailbox as the mail sender that you use for authorization. How to fix this, I tell in a separate article -. With other mail systems where there is no such check, everything should be fine and so.

This completes the local mail setup. Now all letters addressed to the local root, for example, reports from cron, will be duplicated to an external mailbox, and sent through a full-fledged mail server. So letters will be delivered normally without getting into spam (although not necessarily, there are also heuristic filters).

Conclusion

We've gone through some initial steps to set up a CentOS server, which I usually do when preparing a server right after installation. I do not pretend to be an absolute truth, perhaps I am missing something or doing something not quite right. I will be glad to reasonable and meaningful comments and remarks with suggestions.

..

Understanding the deployment, configuration, and maintenance of Linux-based networks.

The ability to quickly resolve emerging problems and ensure stable and uninterrupted operation of the system.

Test yourself on the entrance test and see the program for more details.

Installed in operating system A firewall is used to prevent unauthorized traffic from passing between computer networks. Manually or automatically, special firewall rules are created, which are responsible for access control. The OS developed on the Linux kernel, CentOS 7, has a built-in firewall, and it is controlled using a firewall. By default, FirewallD is enabled, and we would like to talk about its configuration today.

As mentioned above, the FirewallD utility is assigned as the standard firewall in CentOS 7. That is why the firewall setting will be considered using this tool as an example. You can also set filtering rules using the same iptables, but this is done in a slightly different way. We recommend that you familiarize yourself with the configuration of the mentioned utility by clicking on the following link, and we will begin the analysis of FirewallD.

Basic Firewall Concepts

There are several zones - sets of rules for managing traffic based on trust in networks. All of them are assigned their own policies, the combination of which forms the firewall configuration. Each zone is assigned one or more network interfaces, which also allows you to adjust the filtering. The applied rules directly depend on the interface used. For example, when connected to public Wi-Fi, the firewall will increase the level of control, and in home network will open additional access for chain members. In the considered firewall there are such zones:

• trusted - the maximum level of trust for all network devices;
• home - group local network. There is trust in the environment, but incoming connections are only available to certain machines;
• work - work area. There is trust in most devices, and additional services are activated;
• dmz is a zone for isolated computers. Such devices are disconnected from the rest of the network and allow only certain incoming traffic;
• internal — zone of internal networks. Trust is applied to all machines, additional services are opened;
• external - the reverse of the previous zone. On external networks, NAT masquerading is active, closing the internal network, but not blocking the possibility of gaining access;
• public - a zone of public networks with distrust of all devices and individual reception of incoming traffic;
• block - all incoming requests are dropped with an error sent icmp-host-prohibited or icmp6-adm-prohibited;
• drop is the minimum trust level. Incoming connections are dropped without any notification.

The policies themselves are temporary and permanent. When parameters appear or are edited, the action of the firewall immediately changes without the need to reboot. If temporary rules were applied, they will be reset after FirewallD restart. That's what the permanent rule is called - it will be saved for permanent basis when applying the -permanent argument.

Enable FirewallD

First you need to start FirewallD or make sure that it is in an active state. Only a running daemon (program running in the background) will enforce the rules for the firewall. Activation is done in just a few clicks:

1. Run Classic "Terminal" by any convenient method, for example, through the menu "Applications".



2. Enter the command sudo systemctl start firewalld.service and press the key Enter.



3. The utility is managed on behalf of the superuser, so you will have to authenticate by entering a password.



4. To verify that the service is running, specify firewall-cmd --state .



5. Re-authenticate in the graphics window that opens.



6. A new line will be displayed. Meaning running indicates that the firewall is working.

If one day you need to temporarily or permanently disable the firewall, we recommend using the instructions provided in our other article at the following link.

View Default Rules and Available Zones

Even a firewall operating normally has its own specific rules and available zones. Before you start editing policies, we recommend that you familiarize yourself with the current configuration. This is done with simple commands:

1. The firewall-cmd --get-default-zone command will help you determine the zone that functions by default.



2. After activating it, you will see a new line where the required parameter will be displayed. For example, in the screenshot below, the zone is considered active public.



3. However, several zones can be active at once, besides, they are tied to a separate interface. Find out this information via firewall-cmd --get-active-zones .



4. The firewall-cmd --list-all command will display the rules set for the default zone. Pay attention to the screenshot below. You see that the active zone public rule assigned default- default operation, interface "enp0s3" and added two services.



5. If you need to know all available firewall zones, type firewall-cmd --get-zones .



6. The parameters of a particular zone are determined via firewall-cmd --zone=name --list-all , where name— the name of the zone.

After determining the necessary parameters, you can proceed to change and add them. Let's take a closer look at some of the most popular configurations.

Configuring Interface Zones

As you know from the information above, each interface has its own default zone. It will remain in it until the settings are changed by the user or programmatically. It is possible to manually transfer the interface to the zone for one session, and it is carried out by activating the command sudo firewall-cmd --zone=home --change-interface=eth0 . Result success indicates that the transfer was successful. Recall that such settings are reset immediately after rebooting the firewall.

With such a change in parameters, it should be borne in mind that the operation of services may be reset. Some of them do not support functioning in certain zones, for example, SSH, although it is available in home, but the service will refuse to work in custom or special ones. You can verify that the interface was successfully bound to the new branch by typing firewall-cmd --get-active-zones .

If you want to reset the settings you made earlier, just restart the firewall: sudo systemctl restart firewalld.service .

Sometimes it is not always convenient to change the interface zone for just one session. In this case, you will need to edit the configuration file so that all settings are entered permanently. We recommend using a text editor for this. nano, which is installed from the official repository by sudo yum install nano . Next, it remains to perform the following actions:

1. Open the configuration file through an editor by typing sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0 , where eth0— the name of the required interface.



2. Authenticate account to take further action.



3. Find the parameter ZONE and change its value to whatever you want, such as public or home .



4. Hold down the keys Ctrl+O to save changes.



5. Don't change the filename, just click on Enter.



6. Log out text editor through Ctrl + X.

Now the interface zone will be as you specified it until the next edit. configuration file. Run sudo systemctl restart network.service and sudo systemctl restart firewalld.service for the updated settings to take effect.

Setting the default zone

Above, we have already demonstrated a command that allows you to find out the default zone. It can also be changed by setting a parameter of your choice. To do this, just write sudo firewall-cmd --set-default-zone=name in the console, where name— the name of the required zone.

The success of the command will be indicated by the inscription success on a separate line. After that, all current interfaces will be bound to the specified zone, unless otherwise specified in the configuration files.

Creating rules for programs and utilities

At the very beginning of the article, we talked about the effect of each zone. Defining services, utilities and programs in such branches will allow applying individual parameters for each of them according to the requests of each user. To get started, we advise you to familiarize yourself with the full list of available on this moment services: firewall-cmd --get-services .

The result will be displayed directly in the console. Each server is separated by a space, and you can easily find the tool you are interested in in the list. If desired service missing, it must be installed additionally. Read about the installation rules in the official software documentation.

The above command only displays the names of the services. Detailed information on each of them is obtained through an individual file located along the path /usr/lib/firewalld/services . Such documents are in XML format, the path to, for example, SSH looks like this: /usr/lib/firewalld/services/ssh.xml , and the document has the following content:

SSH
Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.

Service support in a certain zone is activated manually. AT "Terminal" you should specify the command sudo firewall-cmd --zone=public --add-service=http , where --zone=public- zone for activation, and --add-service=http— the name of the service. Please note that such a change will only be valid within one session.

Permanent addition is done via sudo firewall-cmd --zone=public --permanent --add-service=http , and the result is success indicates the successful completion of the operation.

View full list permanent rules for a particular zone can be done by displaying the list on a separate console line: sudo firewall-cmd --zone=public --permanent --list-services .

Solving the problem with the lack of access to the service

By default, firewall rules list the most popular and secure services as allowed, but some standard or third party applications he blocks. In this case, the user will need to manually change the settings to resolve the access issue. This can be done in two different ways.

Port forwarding

As you know, all network services use a specific port. It is easily detected by the firewall, and blocking can be performed on it. To avoid such actions from the firewall, you need to open the necessary port with the command sudo firewall-cmd --zone=public --add-port=0000/tcp , where --zone=public- area for the port, --add-port=0000/tcp— port number and protocol. The firewall-cmd --list-ports option will display a list of open ports.

If you need to open ports within the range, use the line sudo firewall-cmd --zone=public --add-port=0000-9999/udp , where --add-port=0000-9999/udp- range of ports and their protocol.

The above commands will only allow you to test the use of such parameters. If it was successful, you should add these same ports to the permanent settings, and this is done by entering sudo firewall-cmd --zone=public --permanent --add-port=0000/tcp or sudo firewall-cmd --zone=public --permanent --add-port=0000-9999/udp . The list of open permanent ports is viewed like this: sudo firewall-cmd --zone=public --permanent --list-ports .

Service definition

As you can see, adding ports does not cause any difficulties, but the procedure becomes more complicated when applications are used a large number of. It becomes difficult to keep track of all the ports in use, so a service definition would be a better option:

You just have to choose the most appropriate method for solving the problem with accessing the service and follow the instructions provided. As you can see, all actions are performed quite easily, and no difficulties should arise.

Creating Custom Zones

You already know that initially FirewallD created a large number of different zones with certain rules. However, there are situations when system administrator you need to create a custom zone, like, for example, "public web" for an installed web server, or "privateDNS"- for the DNS server. On these two examples, we will analyze the addition of branches:

In this article, you learned how to create custom zones and add services to them. We have already talked about setting them by default and assigning interfaces above, you just have to specify the correct names. Don't forget to restart the firewall after making any permanent changes.

As you can see, the FirewallD firewall is a fairly voluminous tool that allows you to make the most flexible firewall configuration. It remains only to make sure that the utility is launched along with the system and that the specified rules immediately begin their work. Do this with sudo systemctl enable firewalld .

Centos 7, unlike CentOS 6, comes with a new firewall - firewalld. It can be disabled and replaced with the good old iptables, but if there are no direct prerequisites for this, then it is better to get used to something new, and not rest on the old. This does not mean that Windows 10 better than windows 7 and Windows XP is better than Windows 7 ;) Good example on this subject - selinux. If at first almost everyone (including me) turned it off and even scolded it a little, now almost no one advises it, only if there is confidence that it is necessary. On the contrary, many are already used (or are getting used to) using semanage. We will not immediately disable firewalld, but we will try how it tastes.

Firewalld is not a fundamentally different firewall. This is another add-on for netfilter, so if you have experience with iptables, then after a little torment you will easily start using the new tool.

Starting and stopping firewalld

Check if firewalld is running:

# systemctl status firewalld

There will be more information here. In short, yes (works) or no, you can do this:

# firewall-cmd --state
running

Ok, it works.

Stop firewalld:

# systemctl stop firewalld

Auto start disabled:

# systemctl disable firewalld

Firewalld start:

# systemctl start firewalld

Enable autostart:

# systemctl enable firewalld

firewalld zones

In firewalld, the concept of a zone is widely used. List of all allowed zones by default:

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Assignment of zones (conditionally, of course):

• drop - all incoming packets are dropped without a response. Only outgoing connections are allowed.
• block - incoming connections are rejected (rejected) with an icmp-host-prohibited (or icmp6-adm-prohibited) response. Only system-initiated connections are allowed.
• public- default zone. From the name it is clear that this zone is aimed at working in public networks. We do not trust this network and only allow certain incoming connections.
• external - zone for the external interface of the router (so-called masquerading). Only incoming connections that we have defined are allowed.
• dmz - DMZ zone, only certain incoming connections are allowed.
• work - work network zone. We still don't trust anyone, but not as much as we used to :) Only certain incoming connections are allowed.
• home - home zone. We trust the environment, but only certain incoming connections are allowed
• internal - internal zone. We trust the environment, but only certain incoming connections are allowed
• trusted - everything is allowed.

List of all active zones:

# firewall-cmd --get-active-zones
public
interfaces: enp1s0

Yep, the public zone, to which the enp1so network interface is attached. Next, add a new port to the public zone, on which sshd will hang.

Knowing the name of the network interface (for example, enp1s0), you can find out which zone it belongs to:

# firewall-cmd --get-zone-of-interface=enp1s0
public

And you can find out which interfaces belong to a particular zone:

# firewall-cmd --zone=public --list-interfaces
enp1s0

Example: allow ssh on a non-standard port

Let's allow access to the server via ssh on port 2234/tcp, and not on 22/tcp, as by default. Along the way, let's touch on selinux a little.

First, let's see what is generally allowed permanently on our server:

# firewall-cmd --permanent --list-all
public (default)
interfaces:
sources:
services: ssh dhcpv6-client
masquerade: no
forward-ports:
icmp blocks:
rich rules:

I'm not using ipv6 yet, so I'll remove it right away. firewalld rule:

# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client

Allow on a permanent basis (so that after a reboot it is not lost) the connection to port 2234 / tcp (we will hang sshd on it):

# firewall-cmd --permanent --zone=public --add-port=2234/tcp

Let's reload the rules:

# firewall-cmd --reload

Let's check:

# firewall-cmd --zone=public --list-ports
2234/tcp

Ok, the port is open. Editing the sshd config:

# nano /etc/ssh/sshd_config
...
port 2234
...

# systemctl restart sshd.service

But SELinux, which you hopefully didn't disable, will not let you connect to ssh on a non-standard port (port 2234/tcp for sshd is non-standard). You can skip this step and check how SELinux protection works, or you can set everything up at once:

# yum provides semanage
# yum install policycoreutils-python
# semanage port -a -t ssh_port_t -p tcp 2234

Now everything is ok. We check the connection via ssh on the new port. If everything is OK, close access to port 22:

# firewall-cmd --permanent --zone=public --remove-service=ssh
# firewall-cmd --reload

Let's see what happened:

# firewall-cmd --list-all
public (default, active)
interfaces:
sources:
services:
ports: 2234/tcp
masquerade: no
forward-ports:
icmp blocks:
rich rules:

That's all.

Various useful commands:

Enable blocking mode for all outgoing and incoming packets:

# firewall-cmd --panic-on

Turn off the blocking mode for all outgoing and incoming packets:

# firewall-cmd --panic-off

Find out if blocking all outgoing and incoming packets is enabled:

# firewall-cmd --query-panic

Reload firewalld rules without losing current connections:

# firewall-cmd --reload

Reload firewalld rules and reset current connections (recommended only in case of problems):

# firewall-cmd --complete-reload

Add a network interface to the zone:

# firewall-cmd --zone=public --add-interface=em1

Add a network interface to the zone (will be saved after firewall reboot):

# firewall-cmd --zone=public --permanent --add-interface=em1

You can specify in the ifcfg-enp1s0 config which zone this interface belongs to. To do this, add ZONE=work to the /etc/sysconfig/network-scripts/ifcfg-enp1s0. If the ZONE parameter is not specified, the default zone will be assigned (the DefaultZone parameter in the /etc/firewalld/firewalld.conf file.

Allow port range:

# firewall-cmd --zone=public --add-port=5059-5061/udp

Masquerade (masquerade, aka nat, aka...):

Check status:

# firewall-cmd --zone=external --query-masquerade

Turn on:

# firewall-cmd --zone=external --add-masquerade

It should be noted here that you can enable masquerade for the public zone, for example.

Forward incoming to port 22 to another host:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.23

Redirect incoming to port 22 to another host with a change in the destination port (from 22 to 192.168.1.23:2055):

# firewall-cmd --zone=external /
--add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.23

I’ll finish with this, because. there can be an infinite number of examples. I will only add that I personally did not make my final opinion about the firewalld innovation, because. it takes a long time to get used to the syntax, and if there are different OS Linux in your zoo, then in the first place there may be problems with the habit. But by mastering firewalld, you will broaden your horizons - more often than not, it's worth the effort.

Advantages of firewalld

The main benefit is that you abstract away the iptables chains a bit. To enable port forwarding, you don't have to think about PREROUTING or POSTROUTING in addition to FORWARD. You are given "iptables API from manufacturer", something like that. If you have enabled nat, then it does not matter where exactly (under what sequence number of the current rules) the rule is placed. You simply specify - enable nat on eth0. And no nonsense;) It can be convenient if you need to organize web interface firewall management.

It is possible to check the status (for example, is nat enabled or not!). And also use it in your scripts, in the logic of your application, for example. I don't know how to create a status request (on/off) in iptables. You can, of course, something like iptables -L -t nat | grep "...", but you must admit, this is a bit different than doing "firewall-cmd --zone=external --query-masquerade". There are, for example, hundreds of CentOS VMs that may have slightly different wan interface names or something like that. And so you have a universal cmdlet that will give the expected result on different machines.

Disadvantages of firewalld

The main drawback, in my opinion, is that when you get used to it, you will start to get used to the "pure" iptables, which is in Debian, and in Ubuntu, and in CentOS and, in general, everywhere. Even, by the way, in Mikrotik the syntax and chains are similar in type to iptables. This is an amateur, of course. And a professional does not care what to work with, if there are specific conditions, he will work with what is. But... I am a retrograde and desperately resist (in the absence of obvious advantages) novelties that each major player implements for himself. RedHat would benefit if more and more new professionals were experts in firewalld.

And if you switched to firewalld, then the pure iptables syntax will only hinder you - there will be a mess or the firewall will simply break if you start changing / supplementing the rules not using the standard firewalld syntax.

I don't want firewalld! Give me back my old iptables!

If, nevertheless, you want to return the past and replace firewalld with iptables, then this is not at all difficult to do:

No place for beginners here.

# systemctl disable firewalld
# systemctl stop firewalld

Install the good old iptables:

# yum install iptables-services

Starting the firewall:

# systemctl start iptables
# systemctl start ip6tables

Autostart on power up:

# systemctl enable iptables
# systemctl enable ip6tables

To save iptables rules after reboot:

# /sbin/iptables-save > /etc/sysconfig/iptables
# /sbin/ip6tables-save > /etc/sysconfig/ip6tables

Or the old fashioned way:

# service iptables save

The current rules are in the files:
/etc/sysconfig/iptables
/etc/sysconfig/ip6tables

Restarting iptables (for example, after making any changes):

# systemctl restart iptables.service

But iptables commands are complex, and many users find it hard to remember all the options and when to use them. Therefore, distribution developers create their own iptables add-ons that help simplify firewall management. On CentOS, the iptables management add-on is called Firewalld.

Firewalld has several important differences compared to iptables. Here, network access control is performed at the level of zones and services, rather than chains and rules. And also the rules are updated dynamically without interrupting running sessions. This article will discuss configuring Firewall CentOS 7 using Firewalld as an example.

As I said above, Firewalld does not work with chains of rules, but with zones. Each network interface can be assigned a specific zone. A zone is a set of rules, restrictions, and permissions that apply to that network interface. Only one zone can be selected per interface. The developers have created several preset zones:

• drop- block all incoming packets, allow only outgoing ones
• block- in contrast to the previous version, a message will be sent to the sender of the package about blocking his package;
• public- only ssh and dhclient incoming connections are supported;
• external- supports NAT to hide the internal network;
• internal- ssh, samba, mdns and dhcp services are allowed;
• dmz- used for isolated servers that do not have access to the network. Only SSH connection is allowed;
• work- ssh and dhcp services are allowed;
• home- similar to internal;
• trusted- everything is allowed.

Thus, to enable or disable a service, you just need to add or remove it from the current zone or change the interface zone to the one where it is allowed. You can draw an analogy with the default action policy for packages in iptables. The trusted zone has an ACCEPT policy and allows all connections, the block zone has a DENY policy that denies all connections, and all other zones can be considered heirs of the block zone, plus they already have predefined rules for allowing network connections for some services.

Firewalld also has two types of configuration:

• runtime- valid only until reboot, all changes that are not explicitly stated otherwise are applied to this configuration;
• permanent- permanent settings that will work after a reboot.

Now you know everything you need, so let's move on to the firewalld-cmd utility.

firewall-cmd syntax and options

You can manage Firewalld settings both using the firewall-cmd console utility, and in GUI. CentOS is most often used on servers, so you will have to work in the terminal. Let's look at the syntax of the utility:

firewall cmd options

The following syntax is used to manage zones:

firewall-cmd --config --zone=option zone

As a configuration, you need to specify the --permanent option to save changes after a reboot, or specify nothing, then the changes will be valid only until a reboot. For the zone, use the name of the desired zone. Let's look at the utility options:

• --state- display the state of the firewall;
• --reload- reload the rules from the permanent configuration;
• --complete-reload- hard reloading of rules with breaking all connections;
• --runtime-to-permanent- move the runtime configuration settings to the permanent configuration;
• --permanent- use permanent configuration;
• --get-default-zone- display the zone used by default;
• --set-default-zone- set default zone;
• --get-active-zones- display active zones;
• --get-zones- display all available zones;
• --get-services- display predefined services;
• --list-all-zones- display the configuration of all zones;
• --new-zone- create a new zone;
• --delete-zone- delete zone;
• --list-all- remove everything that has been added from the selected zone;
• --list-services- display all services added to the zone;
• --add-service- add a service to a zone;
• --remove-service- remove the service from the zone;
• --list-ports- display ports added to the zone;
• --add-port- add a port to the zone;
• --remove-port- remove the port from the zone;
• --query-port- show if the port is added to the zone;
• --list-protocols- display protocols added to the zone;
• --add protocol- add a protocol to the zone;
• --remove-protocol- remove the protocol from the zone;
• --list-source-ports- display source ports added to the zone;
• --add-source-port- add a source port to the zone;
• --remove-source-port- remove the source port from the zone;
• --list-icmp-blocks- display a list of icmp blocks;
• --add-icmp-block- add blocking icmp;
• --add-icmp-block- remove blocking icmp;
• --add-forward-port- add a port to redirect to NAT;
• --remove-forward-port- remove the port to redirect to NAT;
• --add-masquerade- enable NAT;
• --remove-masquerade- remove NAT.

These are not all utility options, but for this article they will be enough for us.

Configuring Firewall in CentOS 7

1. Firewall Status

The first step is to check the status of the firewall. To do this, run:

sudo systemctl status firewalld

If the Firewalld service is disabled, then you need to enable it:

sudo systemctl start firewalld
sudo systemctl enable firewalld

Now you need to see if Firewalld is running using the firewall-cmd command:

sudo firewall-cmd --state

If the program is running and all is well, you will receive a "running" message.

2. Zone management

As you already understood, zones are the main tool for managing network connections. To view the default zone, run:

sudo firewall-cmd --get-default-zone

In my case, this is the public zone. You can change the current zone with the --set-default-zone option:

sudo firewall-cmd --set-default-zone=public

To see which zones are used for all network interfaces, run:

sudo firewall-cmd --get-active-zones

The list will display the zones and interfaces for which they are assigned. With this command, you can view the configuration for certain zone. For example, for the public zone:

3. Setting up services

You can view all predefined services with the command:

sudo firewall-cmd --get-services

The command will list all available services, you can add any of them to the zone to enable it. For example, let's allow a connection to http:

sudo firewall-cmd --zone=public --add-service=http --permanent

And to remove this service, run:

sudo firewall-cmd --zone=public --remove-service=http --permanent

In both cases, we used the --permanent option so that the configuration persists across reboots. After the changes, you need to update the rules:

sudo firewall-cmd --reload

Then, if you look at the zone configuration, the added service will appear there:

sudo firewall-cmd --zone=public --list-all

4. How to open a port in Firewalld

If there is no service for the program you need, you can open its port manually. To do this, simply add the desired port to the zone. For example port 8083:

sudo firewall-cmd --zone=public --add-port=8083/tcp --permanent

To remove this port from the zone, run:

sudo firewall-cmd --zone=public --remove-port=8083/tcp --permanent

Similar to services, in order to open a port in the centos 7 firewall, you need to restart the firewall.

sudo firewall-cmd --reload

5. Firewalld Port Forwarding

Port forwarding in Firewalld is much easier to configure than in iptables. If you need, for example, to redirect traffic from port 2223 to port 22, just add a redirect to the zone:

sudo firewall-cmd --zone=public --add-forward-port=port=2223:proto=tcp:toport=22

Here the redirection is performed only on the current machine. If you want to set up a NAT network and forward a port to another machine, then you must first enable masquerade support:

sudo firewall-cmd --zone=public --add-masquerade

Then you can add the port:

sudo firewall-cmd --zone=public --add-forward-port=port=2223:proto=tcp:toport=22:toaddr=192.168.56.4

6. Extended rules

If the functionality of the zones is not enough for you, you can use advanced rules. The general syntax for extended rules is:

rule family = "family" source value destination value log audit action

Here is the meaning of the main parameters:

• As protocol families you can specify ipv4 or ipv6 or do not specify anything, then the rule will apply to both protocols;
• source and destination are the sender and receiver of the packet. As these parameters, an IP address (address), service (service name), port (port), protocol (protocol) and so on can be used;
• log- allows you to log the passage of packets, for example in syslog. In this setting, you can specify the log line prefix and the logging verbosity level;
• audit- this is alternative way logging when messages will be sent to the auditd service.
• Action is the action to be performed on the matched package. Available: accept, drop, reject, mark.

Let's look at a few examples. We need to block access to the server for a user with IP 135.152.53.5:

sudo firewall-cmd --zone=public --add-rich-rule "rule family="ipv4" source address=135.152.53.5 reject"

Or we need to deny only access to port 22 for the same user:

sudo firewall-cmd --zone=public --add-rich-rule "rule family="ipv4" source address=135.152.53.5 port port=22 protocol=tcp reject"

You can view all extended rules with the command:

sudo firewall-cmd --list-rich-rules

conclusions

In this article, we have analyzed how firewall setup on CentOS 7 and what tasks you can perform with it. The program is much easier to use than iptables, but in my opinion Ubuntu's firewall add-on is even easier to use.

We will show you step by step setup Firewalld on CentOS 7

What is firewalld? This is a complete firewall that is available by default on CentOS 7. We will show you how to set it up on the server and also talk about the firewall-cmd tool.

1. What are the basic concepts of a firewall?

Zones

Firewalld is able to manage groups of rules through zones. It is a set of instructions for managing traffic based on trust in networks. A zone can be assigned to a network interface to control firewall behavior. This may be necessary, because laptops can often connect to different networks. Computers can use zones to change their set of rules depending on their environment. For example, if you connect to Wi-Fi in a cafe, you can apply stricter guidelines. And at home, the rules can be more loyal.

In Firewalld, the following zones are distinguished:

Drop has the lowest degree of network trust. In this case, only outgoing connections are supported, and incoming traffic is dropped without a response;

Block differs from drop in that when an incoming request is dropped, an icmp-host-prohibited or icmp6-adm-prohibited message is issued;

The public zone is a public network that handles incoming requests individually. However, she cannot be trusted;

External is an external network zone that supports NAT masquerading to keep the internal network private. However, it can be accessed;

The flip side of external is internal. Computers in this zone can be trusted, so additional services will be available;

The dmz zone is required for isolated computers that do not have access to the rest of the network. In this case, it will be possible to configure selected incoming connections;

The work network zone is work. In it, you can trust the environment, but not all incoming connections are supported, but only those defined by the user;

In the trusted zone, you can trust all computers on the network.

Saving rules

In Firewalld, they are temporary and permanent. It happens that the set changes or a rule appears that affects the behavior of the firewall. Changes will be lost after a reboot, so they need to be saved. The firewall-cmd commands use the -permanent flag to save the rules. After that, they will be able to use on an ongoing basis.

2. How do I enable Firewalld?

You should start by running the daemon program in the background. The systemd unit file is called firewalld.service. to enable the daemon program, you need to command line dial:

sudo systemctl start firewalld.service

We need to make sure the service has started. For this you will need:

firewall-cmd --state running

The firewall has started and is running according to the default instructions. Keep in mind that the service is enabled, but will not automatically start along with the server. To do this, you need to configure autorun. In addition, make a set of rules so that you can't block yourself on your own server.

3. Default firewall rules

How to view them?

To view the default zone, type:

Firewall-cmd --get-default-zone public

We see that Firewalld did not receive instructions for other zones. Public is used by default and is the only active zone, because no interface was bound to the others. If you want to see a list of all available domain zones, then specify in the console:

Firewall-cmd --get-active-zones public interfaces: eth0 eth1

We see two network interfaces bound to the public zone. They work according to the rules specified for this zone. You can see the default rules by:

Firewall-cmd --list-all public (default, active) interfaces: eth0 eth1 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:

To summarize:

The default and only active zone is public;

Two interfaces are bound to this zone: eth0 and eth1;

Public supports remote administration SSH, as well as assigning DHSP IP addresses.

Other firewall zones

Let's see what other zones the firewall has. To see a list of all available, type in the console:

You can also get options for each particular zone by adding the -zone= flag:

Firewall-cmd --zone=home --list-all home interfaces: sources: services: dhcpv6-client ipp-client mdns samba-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:

If you want to list the definitions of all available zones, use the --list-all-zones option. Let's pass the output to the pager so that the output is more convenient to view:

Firewall-cmd --list-all-zones | less

4. How to set up interface zones?

All network interfaces are initially bound to the default zone.

Changing the interface zone for only one session

For this purpose, we need two options: --change-interface= and --zone=. To transfer to the home eth0 zone, type:

sudo firewall-cmd --zone=home --change-interface=eth0 success

Please note that this may affect the functioning of certain services. For example, SSH is supported in the home zone, i.e. connections will not be dropped. However, this can happen in other zones, resulting in blocking access to your own server. We need to make sure that the interface is bound to the new zone. Type in the command line:

When the firewall is reloaded, the interface will bind to the default zone again.

sudo systemctl restart firewalld.service firewall-cmd --get-active-zones public interfaces: eth0 eth1

Permanent interface zone change

After restarting the firewall, the interface will re-bind to the default zone if no other zone is specified in the interface settings. Configurations on CentOS are in ifcfg-interface files in the /etc/sysconfig/network-scripts directory. To define an interface zone, open its configuration file:

sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0

Let's add the ZONE= variable to the end of the file. Let's set another zone as a value:

DNS1=2001:4860:4860::8844 DNS2=2001:4860:4860::8888 DNS3=8.8.8.8 ZONE=home

Now let's save the changes, after which the file can be closed. To update the settings, you will need to restart the network service, as well as the firewall:

sudo systemctl restart network.service sudo systemctl restart firewalld.service

After that, the eth0 interface will be bound to the home zone.

firewall-cmd --get-active-zones home interfaces: eth0 public interfaces: eth1

Setting Default Zones

You can also set a different default zone. The --set-default-zone= option will help us with this, binding all network interfaces to another zone.

sudo firewall-cmd --set-default-zone=home home interfaces: eth0 eth1

5. How to make application rules?

Adding to a service area

The easiest way to do this is to the port used by the firewall. To see all available services, type at the command line:

Firewall-cmd --get-services RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms- wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

Remember that the .xml files in the /usr/lib/firewalld/services directory store all information about each service. Information about SSH can be found in /usr/lib/firewalld/services/ssh.xml. They look like this:

To enable support for services in zones, you need the -add-service= flag, but the -zone option is useful for setting the target zone. Remember that such changes will only be valid for one session. If you want to save changes for later use, use the -permanent flag. Let's see how it works. Let's start the web server so that it can serve HTTP traffic. Let's enable support for one session in the public zone. Type in the console:

sudo firewall-cmd --zone=public --add-service=http

Do not use the -zone= option if you are adding the service to the default zone. Let's check if everything worked out:

Firewall-cmd --zone=public --list-services dhcpv6-client http ssh

Now you need to test the operation of the firewall and the service itself. If you see that everything is in order, you can safely change the permanent set of rules. To add a new service support rule, you need to specify in the console:

sudo firewall-cmd --zone=public --permanent --add-service=http

If you need to see the entire list of rules that are in effect on an ongoing basis, then:

sudo firewall-cmd --zone=public --permanent --list-services dhcpv6-client http ssh

As a result, the public zone will have support for port 80 and HTTP. If your server is capable of serving SSL/TLS traffic, you can add an HTTPS service:

sudo firewall-cmd --zone=public --add-service=https sudo firewall-cmd --zone=public --permanent --add-service=https

6. What if the service is unavailable?

By default, the Firewalld firewall includes many popular services. But it happens that programs need other services that are not in the firewall. This problem can be solved in a couple of ways.

Method #1: Service Definition

Adding a port to a zone is easy enough. However, if there are a lot of applications, it will be difficult to understand which port is using what. In such a situation, defining services instead of ports is a good solution. In essence, a service is a group of ports that have been given a name and description. With their help, it will be easier to manage the settings. But a service is somewhat more complex than a port.

Let's start by copying the already existing script from the /usr/lib/firewalld/services folder, from which the firewall takes non-standard settings in /etc/firewalld/services. Copy the SSH service definition to use as the example conditional service definition. Don't forget that the script name must match the name of the service and also have the .xml file extension. Type in the console:

sudo cp /usr/lib/firewalld/services/service.xml /etc/firewalld/services/example.xml

Now you need to edit the compiled file:

sudo nano /etc/firewalld/services/example.xml

Inside is the SSH definition:

SSH Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.

Now let's save the changes and close the file. This will require restarting the firewall with:

sudo firewall-cmd --reload

Ours will appear in the list of available services:

Firewall-cmd --get-services RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns example ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms -wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

Method number 2: Creating a port

Let's open the application port in the required firewall zone, and specify it, as well as the protocol. Let's imagine a situation where you need to add a program to the public zone that uses the TCP protocol and port 5000. To activate for one application support session, you need the -add-port= option. In addition, you must specify the tcp or udp protocol:

sudo firewall-cmd --zone=public --add-port=5000/tcp

Let's make sure everything worked out:

Firewall-cmd --list-ports 5000/tcp

In addition, it is possible to specify a range of ports using a dash. For example, if the program uses ports 4990-4999, then adding them to the public zone will be possible by:

sudo firewall-cmd --zone=public --add-port=4990-4999/udp

If everything works fine, add instructions to the firewall settings:

sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp sudo firewall-cmd -- zone=public --permanent --list-ports success success 4990-4999/udp 5000/tcp

7. How to create a zone?

The firewall is able to provide different predefined zones, which are usually enough to work, but sometimes you need to make your own custom zone. For example, DNS server you need a privateDNS zone, and for a web server - publicweb. After creating the zones, you need to add it to the firewall settings. Let's create the publicweb and privateDNS zones by typing in the console:

sudo firewall-cmd --permanent --new-zone=publicweb sudo firewall-cmd --permanent --new-zone=privateDNS

Let's check if everything worked out:

sudo firewall-cmd --permanent --get-zones block dmz drop external home internal privateDNS public publicweb trusted work

Firewall-cmd --get-zones block dmz drop external home internal public trusted work

However, new areas in current session will not be available:

Firewall-cmd --get-zones block dmz drop external home internal public trusted work

Restart the firewall to gain access to the new zones:

sudo firewall-cmd --reload firewall-cmd --get-zones block dmz drop external home internal privateDNS public publicweb trusted work

Now it will be possible for new zones to define ports and services. Let's say there is a need to add SSH, HTTP and HTTPS to the publicweb zone:

sudo firewall-cmd --zone=publicweb --add-service=ssh sudo firewall-cmd --zone=publicweb --add-service=http sudo firewall-cmd --zone=publicweb --add-service=https firewall- cmd --zone=publicweb --list-all publicweb interfaces: sources: services: http https ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:

In addition, it will be possible to add DNS to the privateDNS zone by:

sudo firewall-cmd --zone=privateDNS --add-service=dns firewall-cmd --zone=privateDNS --list-all privateDNS interfaces: sources: services: dns ports: masquerade: no forward-ports: icmp-blocks: rich rules:

After that, you can safely bind network interfaces to new zones:

sudo firewall-cmd --zone=publicweb --change-interface=eth0 sudo firewall-cmd --zone=privateDNS --change-interface=eth1

Check if the settings work. If everything is in order, add them to the permanent rules:

sudo firewall-cmd --zone=publicweb --permanent --add-service=ssh sudo firewall-cmd --zone=publicweb --permanent --add-service=http sudo firewall-cmd --zone=publicweb --permanent --add-service=https sudo firewall-cmd --zone=privateDNS --permanent --add-service=dns

Now let's move on to configuring network interfaces. This is necessary in order to carry out automatic connection to the desired zone. Let's say that you need to bind to publicweb eth0, then:

Sudo nano /etc/sysconfig/network-scripts/ifcfg-eth0 . . . IPV6_AUTOCONF=no DNS1=2001:4860:4860::8844 DNS2=2001:4860:4860::8888 DNS3=8.8.8.8 ZONE=publicweb

We will also bind eht1 to privateDNS using:

Sudo nano /etc/sysconfig/network-scripts/ifcfg-eth1 . . . NETMASK=255.255.0.0 DEFROUTE="no" NM_CONTROLLED="yes" ZONE=privateDNS

You will need to restart the firewall and network services for the changes to take effect:

sudo systemctl restart network sudo systemctl restart firewalld

You need to check the zones to make sure that the services are registered:

Firewall-cmd --get-active-zones privateDNS interfaces: eth1 publicweb interfaces: eth0

Now we need to check if they work:

firewall-cmd --zone=publicweb --list-services http htpps ssh firewall-cmd --zone=privateDNS --list-services dns

As we can see, the user zones are completely ready to go. Any of them can be set as default. For example:

sudo firewall-cmd --set-default-zone=publicweb

8. How to make the firewall automatically start?

After checking the operation of the rules and all the settings, set up autorun using:

sudo systemctl enable firewalld

This will make it possible to enable the firewall immediately after starting the server.

As a conclusion, it is worth noting that the Firewalld firewall is a fairly flexible tool in terms of settings. And you can change the policy of its work using zones.