With the Red Hat Enterprise Linux 7.0 (RHEL) introduction in 2011, iptables superseded as firewalld was born. At its core, firewalld is a zone-based firewall. Zone-based firewalls are network security systems that monitor traffic and take actions based on defined rules applied against incoming/outgoing packets.
Firewalld provides firewall features by acting as a front-end for the Linux kernel's Netfilter framework via the nftables user space utility. It provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. FirewallD is a wrapper for iptables to allow easier management of iptables rules–it is not an iptables replacement. While iptables commands are still available to FirewallD, it's recommended to use only FirewallD commands with FirewallD.
 

• Managing FirewallD
• Firewall Zones
• Using  Services
• Port Forwarding
• Constructing a Ruleset with FirewallD
• Advanced Configuration
• Conclusion

 
Managing FirewallD

FirewallD is included by default with CentOS 7 or 8 but it's inactive. Controlling it is the same as with other systemd units.


Start and Enable Firewalld

To start the service and enable FirewallD on system boot, use the following two commands.

Stop and Disable Firewalld

In most of the troubleshooting scenarios, you will have to stop or disable the firewalld to perform the test. You can use the following commands to do the needful.

Checking the status of Firewalld

The output should say either running or not running.
 

View the status of the FirewallD daemon

Output

To reload a FirewallD configuration:

Firewall Zones

Zones are a predefined set of rules for various scenarios. Different zones allow different network services and incoming traffic types while denying everything else. Zones can also be applied to other network interfaces. For example, with separate interfaces for both an internal and the Internet, you can allow DHCP on an internal zone but only HTTP and SSH on an external zone.

To view the default zone:

The output should be 'public.'
 

Changing the default Zone of firewalld

View the Zones in use

To see the zones used by your network interface(s):

Example output:

Get configurations for all zones

Output

It shows the output of 5 different zones, including Block, DMZ, Drop, External, Home, Internal, Public, Trusted, Work in the following format.

Using  Services

FirewallD can allow traffic based on predefined rules for specific network services. You can create your own custom service rules and add them to any zone. The configuration files for the default supported services are located at /usr/lib/firewalld/services, and user-created service files would be in /etc/firewalld/services.
 

View default available services

Output

Enable a service

Let us now see how to enable a service. We will try to enable the HTTP service.

The output of the above command is "Success."

Disable the HTTP service

The output of the above command is "Success."

Allowing or Denying an Arbitrary Port/Protocol

With an example, let us see how to allow or disable TCP traffic on port 12345.

The output of both the commands is 'Success.'

Port Forwarding

Forward traffic to port on same Server

We will now create a rule to forwards traffic from port 80 to port 12345 on the same server.

Forward traffic to port on different Server

If you want to forward a port to a different server, you need to activate masquerade in the desired zone.

This example forwards traffic from local port 80 to port 8080 on a remote server located at the IP address: 192.10.10.0.

Remove rules

To remove the rules, replace '--add' with '--remove.'

Constructing a Ruleset with FirewallD

If you are using a web server, you can use FirewallD to assign rules to your server.

Let us assign the DMZ as the default zone to eth0 as it allows only SSH and ICMP.

Permenant rule for HTTP and HTTPS

Add permanent service rules for HTTP and HTTPS to the dmz zone:

Reload FirewallD so the rules take effect immediately:

If you now run

this should be the output:

Advanced Configuration

We are now going to use Rich Rules and Direct Interface that will allow you to add fully custom firewall rules to any zone for any port, protocol, address, and action.

Rich Rules

Following are some of the common examples

Allow traffic from a particular host

Allowing all IPv4 traffic from host 198.10.10.0

Allow traffic(TCP) from a host to specific port

Allow IPv4 traffic from host 198.10.10.0 to port 22.

Discard traffic(TCP) from a host

Deny IPv4 traffic over TCP from host 198.10.10.0 to port 22.

Allow traffic(TCP) from a host and forward to different port within system

Allow IPv4 traffic over TCP from host 198.10.10.0 to port 80 and forward it locally to port 6789.

Foward traffic (TCP) from one port to another on a different host

Forward all IPv4 traffic on port 80 to port 8080 on host 198.20.10.0 (masquerade should be active on the zone).

List all Rich Rules

To list your current Rich Rules in the public zone:

Conclusion

It would help if you now had a pretty good understanding of administering the firewalld service on your CentOS system for day-to-day use. The firewalld service allows you to configure maintainable rules for your network environment. It will enable you to transition between different firewall policies through zones seamlessly and enable administrators to abstract the port management into more friendly service definitions. Acquiring a working knowledge of this system will allow you to take advantage of this tool's flexibility and power.