HostOnNet Blog


Managing Firewall Rules on CentOS 7

Firewalld is a complete firewall solution available by default on CentOS 7 servers. In this article we will discuss adding and removing basic firewall rules to allow incoming traffic, using the firewall-cmd administrative tool.

You can check the firewall status by running

firewall-cmd --state

The output should say either running or not running.

Sample Output

[root@server ~]# firewall-cmd --state
running
[root@server ~]#

To view the status of the FirewallD daemon:

systemctl status firewalld

Sample Output

[root@server ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2016-07-04 00:35:44 SAST; 2 weeks 4 days ago
 Main PID: 809 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─809 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jul 22 06:11:58 server.name.com systemd[1]: Started firewalld - dynamic firewall daemon.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
[root@server ~]#

If it is not running, start the daemon by running

systemctl start firewalld

To stop the daemon

systemctl stop firewalld

To enable/disable FirewallD on boot

systemctl enable firewalld
systemctl disable firewalld

Now that the firewalld daemon is started and running, let's add some rules.

The default zone in CentOS 7 is “public”. You can change the default zone in /etc/firewalld/firewalld.conf but for now we will leave it as public.

To add or remove an arbitrary Port/Protocol

firewall-cmd --zone=public --add-port=12345/tcp --permanent
firewall-cmd --zone=public --remove-port=12345/tcp --permanent

Alternatively you can add or remove the rule using a service name:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --remove-service=http --permanent

Rules added with --permanent are only written to the saved configuration; reload the firewall to apply them to the running firewall:

firewall-cmd --reload

Verifying Rules

The following commands can be used to verify that the port or service is open; each returns a simple yes or no:

firewall-cmd --zone=public --query-port=12345/tcp
firewall-cmd --zone=public --query-service=http
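As an added example (not from the original post), the script below wraps the add / reload / query sequence from this article in one function and adds a small audit helper that checks the "ports:" and "services:" lines of firewall-cmd --list-all output against an allowlist, so unexpected openings in the public zone stand out. The listing embedded in SAMPLE_LIST_ALL is a constructed sample, not captured from a real server, and the zone, port and allowlist values are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example for the CentOS 7 firewalld article; not the post's own code.

# Constructed sample of `firewall-cmd --zone=public --list-all` output,
# with 12345/tcp and http opened as in the article.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_lists LISTING KEY VALUE
# Returns 0 if VALUE appears on the "KEY:" line of LISTING (KEY is "ports"
# or "services"), 1 otherwise. Offline equivalent of --query-port/--query-service.
zone_lists() {
    printf '%s\n' "$1" | awk -v key="$2:" -v want="$3" '
        $1 == key { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# unexpected_entries LISTING KEY ALLOWLIST
# Prints every entry on the "KEY:" line that is not in the space-separated
# ALLOWLIST; an empty result means the zone matches the expected baseline.
unexpected_entries() {
    printf '%s\n' "$1" | awk -v key="$2:" -v allow="$3" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == key { for (i = 2; i <= NF; i++) if (!($i in ok)) print $i }'
}

# open_port_permanent ZONE PORT/PROTO
# The article's sequence: persist the rule, reload so it becomes active,
# then confirm with --query-port (prints "yes" and exits 0 on success).
open_port_permanent() {
    zone=$1
    spec=$2
    firewall-cmd --zone="$zone" --add-port="$spec" --permanent
    firewall-cmd --reload
    firewall-cmd --zone="$zone" --query-port="$spec"
}

# Usage: ./fw-audit.sh --apply public 12345/tcp   (needs firewall-cmd, run as root)
#        ./fw-audit.sh                             (audit the constructed sample)
if [ "${1:-}" = "--apply" ] && [ $# -eq 3 ] && command -v firewall-cmd >/dev/null 2>&1; then
    open_port_permanent "$2" "$3"
else
    echo "Ports in the sample zone not on the allowlist (none expected):"
    unexpected_entries "$SAMPLE_LIST_ALL" ports ""
    echo "Services in the sample zone not on the allowlist (ssh dhcpv6-client):"
    unexpected_entries "$SAMPLE_LIST_ALL" services "ssh dhcpv6-client"
fi
```

Run the audit periodically against the live output of firewall-cmd --zone=public --list-all with an allowlist that reflects what the server is supposed to expose; any port or service it prints is a rule that was added outside the documented process and is worth investigating.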

Posted in CentOS