Firewalld commands for CentOS 7 and CentOS 8

    Publisher: Psychz Networks June 22,2021

    With the introduction of Red Hat Enterprise Linux 7.0 (RHEL) in 2011, firewalld was born and superseded iptables. At its core, firewalld is a zone-based firewall. Zone-based firewalls are network security systems that monitor traffic and take actions based on defined rules applied to incoming and outgoing packets.
    Firewalld provides firewall features by acting as a front-end for the Linux kernel's Netfilter framework via the nftables user space utility. It provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, Ethernet bridges, and IP sets. FirewallD is a wrapper around iptables that makes iptables rules easier to manage; it is not an iptables replacement. While the iptables commands remain available alongside FirewallD, it is recommended to use only FirewallD commands when FirewallD is in use.

    • Managing FirewallD
    • Firewall Zones
    • Using Services
    • Port Forwarding
    • Constructing a Ruleset with FirewallD
    • Advanced Configuration
    • Conclusion


    Managing FirewallD

    FirewallD is included by default with CentOS 7 and CentOS 8, but it is inactive. Controlling it is the same as controlling any other systemd unit.


    Start and Enable Firewalld

    To start the service and enable FirewallD on system boot, use the following two commands.

    # systemctl start firewalld

    # systemctl enable firewalld


    Stop and Disable Firewalld

    In many troubleshooting scenarios you will need to stop or disable firewalld while you run a test. Use the following commands to do so.

    # systemctl stop firewalld

    # systemctl disable firewalld


    Checking the status of Firewalld

    # firewall-cmd --state

    The output should say either running or not running.

    View the status of the FirewallD daemon

    # systemctl status firewalld

    Output

    ● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
    Active: active (running) since Mon 2021-06-21 23:02:44 PDT; 3h 8min ago
    Docs: man:firewalld(1)
    Main PID: 15984 (firewalld)
    Tasks: 2 (limit: 49784)
    Memory: 24.5M
    CGroup: /system.slice/firewalld.service
    └─15984 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

    Jun 21 23:02:43 centos-8 systemd[1]: Starting firewalld - dynamic firewall daemon...
    Jun 21 23:02:44 centos-8 systemd[1]: Started firewalld - dynamic firewall daemon.

    To reload a FirewallD configuration:

    # firewall-cmd --reload

    Firewall Zones

    Zones are predefined sets of rules for various scenarios. Different zones allow different network services and incoming traffic types while denying everything else. Zones can also be applied to different network interfaces. For example, with separate interfaces for an internal network and the Internet, you can allow DHCP on the internal zone but only HTTP and SSH on the external zone.

    To view the default zone:

    # firewall-cmd --get-default-zone

    The output should be 'public.'

    Changing the default Zone of firewalld

    # firewall-cmd --set-default-zone=internal


    View the Zones in use

    To see the zones used by your network interface(s):

    # firewall-cmd --get-active-zones

    Example output:

    public
    interfaces: eth0


    Get configurations for all zones

    # firewall-cmd --list-all-zones

    Output

    It shows the configuration of each of the different zones (Block, DMZ, Drop, External, Home, Internal, Public, Trusted, Work) in the following format.

    target: %%REJECT%%
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

    Using Services

    FirewallD can allow traffic based on predefined rules for specific network services. You can also create your own custom service definitions and add them to any zone. The configuration files for the default supported services are located in /usr/lib/firewalld/services, and user-created service files belong in /etc/firewalld/services.


    View default available services

    # firewall-cmd --get-services

    Output

    RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server


    Enable a service

    Let us now see how to enable a service. We will try to enable the HTTP service.

    # firewall-cmd --zone=public --add-service=http --permanent

    The output of the above command is "Success." Because the rule was added with --permanent, it is written to the saved configuration and takes effect after the next firewall-cmd --reload.


    Disable the HTTP service

    # firewall-cmd --zone=public --remove-service=http --permanent

    The output of the above command is "Success."

    Allowing or Denying an Arbitrary Port/Protocol

    As an example, let us allow and then remove TCP traffic on port 12345.

    # firewall-cmd --zone=public --add-port=12345/tcp --permanent

    # firewall-cmd --zone=public --remove-port=12345/tcp --permanent

    The output of both the commands is 'Success.'
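Opening a raw port as above works, but a named service definition is easier to audit and to reuse across zones. The following is an added example (not from the article) that writes such a definition for the 12345/tcp case in the same XML format firewalld uses for the stock files in /usr/lib/firewalld/services; FIREWALLD_SERVICES_DIR is a constructed override so the function can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the article): turn a raw port opening such as
# 12345/tcp into a named firewalld service by writing a definition in the
# same XML format as the stock files under /usr/lib/firewalld/services.
# FIREWALLD_SERVICES_DIR is a constructed override so the function can be
# exercised without root; the real location is /etc/firewalld/services.

# make_service NAME PORT PROTO DESCRIPTION: write NAME.xml, print its path.
make_service() {
  name=$1 port=$2 proto=$3
  dir=${FIREWALLD_SERVICES_DIR:-/etc/firewalld/services}
  # Reject names that could escape the directory or break the XML.
  case $name in
    ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
  esac
  case $proto in
    tcp|udp|sctp|dccp) ;;
    *) echo "bad protocol: $proto" >&2; return 1 ;;
  esac
  { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null ||
    { echo "bad port: $port" >&2; return 1; }
  # Escape the description so free text cannot inject XML.
  desc=$(printf '%s' "$4" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
  mkdir -p "$dir" || return 1
  cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
  printf '%s\n' "$dir/$name.xml"
}

# Command-line use: sh make_service.sh myapp 12345 tcp "My app on TCP 12345"
# Afterwards make firewalld pick the file up and open it in a zone:
#   firewall-cmd --reload
#   firewall-cmd --zone=public --add-service=myapp --permanent
#   firewall-cmd --reload
if [ "$#" -eq 4 ]; then make_service "$@"; fi
```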


    Port Forwarding


    Forward traffic to port on same Server

    We will now create a rule that forwards traffic from port 80 to port 12345 on the same server.

    # firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345


    Forward traffic to port on different Server

    If you want to forward a port to a different server, you need to activate masquerade in the desired zone.

    # firewall-cmd --zone=public --add-masquerade

    This example forwards traffic from local port 80 to port 8080 on a remote server located at the IP address: 192.10.10.0.

    # firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.10.10.0

    Remove rules

    To remove the rules, replace '--add' with '--remove.'

    # firewall-cmd --zone=public --remove-masquerade

    Constructing a Ruleset with FirewallD

    If you are running a web server, you can use FirewallD to build a ruleset for it as follows.

    Let us set dmz as the default zone and assign eth0 to it, since the dmz zone allows only SSH and ICMP by default.

    # firewall-cmd --set-default-zone=dmz

    # firewall-cmd --zone=dmz --add-interface=eth0

    Permanent rules for HTTP and HTTPS

    Add permanent service rules for HTTP and HTTPS to the dmz zone:

    # firewall-cmd --zone=dmz --add-service=http --permanent

    # firewall-cmd --zone=dmz --add-service=https --permanent

    Reload FirewallD so the permanent rules take effect immediately (a reload discards runtime-only changes, so anything that must survive it needs --permanent):

    # firewall-cmd --reload

    If you now run

    # firewall-cmd --zone=dmz --list-all

    this should be the output:

    dmz
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: http https ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
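Listing a zone is only useful if someone checks it against the intended ruleset. The following is an added example (not from the article): a POSIX shell audit that reads the --list-all output shown above and reports drift from the web-server baseline, meaning any service other than http, https and ssh, any raw port opening, masquerade turned on, or forward-ports present. The two sample listings are constructed to match the format the article shows; in practice, pipe the live command output into audit_zone.

```shell
#!/bin/sh
# Added example (not from the article): audit a zone's "--list-all" output
# against the intended web-server ruleset and report any drift.
# SAMPLE_CLEAN and SAMPLE_DRIFT are constructed to match the listing format
# shown in the text; in practice pipe the live output into audit_zone:
#   firewall-cmd --zone=dmz --list-all | audit_zone "http https ssh"

SAMPLE_CLEAN='dmz
  target: default
  interfaces: eth0
  services: http https ssh
  ports:
  masquerade: no
  forward-ports:
  rich rules:'

# Same zone after telnet and a raw port were opened and masquerade enabled (constructed).
SAMPLE_DRIFT='dmz
  target: default
  services: http https ssh telnet
  ports: 12345/tcp
  masquerade: yes
  forward-ports:
  rich rules:'

# field NAME: print the value of the "NAME: value" line read from stdin.
field() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"; }

# audit_zone ALLOWED_SERVICES: read --list-all output on stdin, print one
# finding per line, return 0 when clean and 1 when anything was flagged.
audit_zone() {
  allowed=$1; out=$(cat); rc=0
  for svc in $(printf '%s\n' "$out" | field services); do
    case " $allowed " in
      *" $svc "*) ;;
      *) echo "unexpected service: $svc"; rc=1 ;;
    esac
  done
  ports=$(printf '%s\n' "$out" | field ports)
  [ -z "$ports" ] || { echo "raw ports open: $ports"; rc=1; }
  [ "$(printf '%s\n' "$out" | field masquerade)" != yes ] || { echo "masquerade enabled"; rc=1; }
  fwd=$(printf '%s\n' "$out" | field forward-ports)
  [ -z "$fwd" ] || { echo "forward-ports present: $fwd"; rc=1; }
  return $rc
}

printf '%s\n' "$SAMPLE_CLEAN" | audit_zone "http https ssh" && echo "clean zone: OK"
printf '%s\n' "$SAMPLE_DRIFT" | audit_zone "http https ssh" || echo "drifted zone: review findings above"
```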

    Advanced Configuration

    Rich Rules and the Direct Interface allow you to add fully custom firewall rules to any zone for any port, protocol, address, and action.

    Rich Rules

    Following are some common examples:


    Allow traffic from a particular host

    Allowing all IPv4 traffic from host 198.10.10.0

    # firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=198.10.10.0 accept'

    Allow TCP traffic from a host to a specific port

    Allow IPv4 traffic over TCP from host 198.10.10.0 to port 22.

    # firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="198.10.10.0" port port=22 protocol=tcp accept'

    Reject TCP traffic from a host

    Reject IPv4 traffic over TCP from host 198.10.10.0 to port 22.

    # firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="198.10.10.0" port port=22 protocol=tcp reject'


    Allow TCP traffic from a host and forward it to a different port on the same system

    Allow IPv4 traffic over TCP from host 198.10.10.0 to port 80 and forward it locally to port 6532.

    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=198.10.10.0 forward-port port=80 protocol=tcp to-port=6532'

    Forward TCP traffic from one port to another on a different host

    Forward all IPv4 traffic on port 80 to port 8080 on host 198.51.100.0 (masquerade must be active on the zone).

    # firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=198.51.100.0'


    List all Rich Rules

    To list your current Rich Rules in the public zone:

    # firewall-cmd --zone=public --list-rich-rules

    Conclusion

    You should now have a good understanding of how to administer the firewalld service on your CentOS system for day-to-day use. The firewalld service allows you to configure maintainable rules for your network environment. It lets you transition seamlessly between different firewall policies through zones, and lets administrators abstract port management into more friendly service definitions. A working knowledge of this system will allow you to take advantage of the tool's flexibility and power.

    Copyright © 2026 Psychz Networks,
    A Profuse Solutions Inc Company