"firewalld" and "firewall-cmd" on CentOS

Provides a tutorial example on how to use 'firewalld' daemon and 'firewall-cmd' CLI to manage network firewall on CentOS 8 systems.

"firewalld" is a service daemon that works together with the "firewall-cmd" CLI (Command Line Interface) to form a front-end tool for the "nftables/iptables" tool to control the Internet traffic. Here is what I did to ensure that "firewalld" and "firewall-cmd" are working on my CentOS 8 computer.

1. Make sure that I have the latest version of "firewalld" installed with the "dnf info" command:

herong$ sudo dnf info firewalld

Installed Packages
Name         : firewalld
Version      : 0.7.0
Release      : 5.el8
Architecture : noarch
Size         : 1.9 M
Source       : firewalld-0.7.0-5.el8.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : A firewall daemon with D-Bus interface providing a dynamic firewall
URL          : http://www.firewalld.org
License      : GPLv2+
Description  : firewalld is a firewall service daemon that provides a dynamic customizable
             : firewall with a D-Bus interface.

2. Make sure that "firewalld" service is running with the "systectl status" command:

herong$ sudo systemctl status firewalld

 firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled;
            vendor preset: enabled)
   Active: active (running)
     Docs: man:firewalld(1)
 Main PID: 1360 (firewalld)
    Tasks: 3 (limit: 26213)
   Memory: 34.4M
   CGroup: /system.slice/firewalld.service

3. Check to see which security zone is active on each network interface with the "firewall-cmd" command. I see "public" zone of security rules applied on the Ethernet interface.

herong$ sudo firewall-cmd --get-active-zones

public
  interfaces: eno1

4. Check to see what security rules are defined in the "public" zone. I see two TCP ports, 80 and 3306, are open for incoming traffic. Other ports used by "cockpit", "dhcpv6-client", and "ssh" services are also open.

herong$ sudo firewall-cmd --zone=public --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 80/tcp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

5. Add a new rule to open TCP port 8080 for Tomcat server. The first command allows all IP addresses from the Internet to access port 8080. The second command saves the change permanently.

herong$ sudo firewall-cmd --zone=public --add-port=8080/tcp
herong$ sudo firewall-cmd --runtime-to-permanent

6. Add a new rule to open all ports for a given IP address.

herong$ sudo firewall-cmd --zone=public --add-source=192.168.1.11
herong$ sudo firewall-cmd --runtime-to-permanent

7. Turn on traffic forward and a forward rule:

herong$ sudo firewall-cmd --zone=external --add-masquerade
herong$ sudo firewall-cmd --zone=public --add-forward-port=port=8888:\
   proto=tcp:toport=80:toaddr=192.168.1.201
herong$ sudo firewall-cmd --runtime-to-permanent

8. Add a pre-defined service, which contains IP ports used by the service. For example, opening "http" service is the same as opening port 80.

herong$ sudo firewall-cmd --zone=public --add-service=http

herong$ sudo firewall-cmd --zone=public --list-services
cockpit dhcpv6-client http ssh

herong$ sudo firewall-cmd --runtime-to-permanent

9. Add new rich rules, which are basically "iptable" rules.

# reject incoming traffic from the guest computer
firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.168.1.100' reject"

# allow my computer to access the MySQL database at port 3306
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.11" \
   port protocol="tcp" port="3306" accept'

# allow local computers to access the "http" service at port 80
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" \
  service name="http" accept'

# verify changes
firewall-cmd --zone=public --list-all
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eno1
    sources:
    services: cockpit dhcpv6-client http ssh
    ports: 80/tcp 3306/tcp
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    rule family="ipv4" source address="192.168.1.0/24" service name="http" accept

# save changes
firewall-cmd --runtime-to-permanent

Table of Contents

 About This Book

 Introduction to Linux Systems

 Cockpit - Web Portal for Administrator

 Process Management

 Files and Directories

 Users and Groups

 File Systems

 Block Devices and Partitions

 LVM (Logical Volume Manager)

 Installing CentOS

 SELinux - Security-Enhanced Linux

Network Connection on CentOS

 Setup Ethernet Connection on CentOS

 Network Firewall Tools on CentOS

"firewalld" and "firewall-cmd" on CentOS

 Manage Multiple Firewall Zones

 "nftables" and "nft" on CentOS

 "iptables" Command on CentOS

 "nmap" - Network Mapper on CentOS

 Monitor Network Services on CentOS

 Software Package Manager on CentOS - DNF and YUM

 Running Apache Web Server (httpd) on Linux Systems

 Running PHP Scripts on Linux Systems

 Running MySQL Database Server on Linux Systems

 Running Python Scripts on Linux Systems

 vsftpd - Very Secure FTP Daemon

 Postfix - Mail Transport Agent (MTA)

 Dovecot - IMAP and POP3 Server

 Email Client Tools - Mail User Agents (MUA)

 LDAP (Lightweight Directory Access Protocol)

 GCC - C/C++ Compiler

 Conda - Environment and Package Manager

 Tools and Utilities

 Administrative Tasks

 References

 Full Version in PDF/EPUB