CentOS uses Firewalld to manage the firewall rules.
This article is a quick reference for the main commands used to check Firewalld status and maintain its rules.
1. Check Firewall setup
- Verify Firewall running state and settings:
- Firewall status (should reply running):
$ sudo firewall-cmd --state
output
running
- Firewall default and active zone:
$ firewall-cmd --get-default-zone
output
public
$ firewall-cmd --get-active-zones
output
public
  interfaces: eth0
Explanation:
The setup above is typical of the minimal installation performed earlier. It is advisable to change the zone settings to better fit your environment.
Typical Firewall zones are:
- public: Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis.
- dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
- work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
2. Change Firewall setup
To change zone for the network interface do the following:
- Change default zone:
$ sudo firewall-cmd --set-default-zone=work
output
success
- Transition network interface to new zone:
$ sudo firewall-cmd --zone=work --change-interface=eth0
output
The interface is under control of NetworkManager, setting zone to 'work'.
success
- Verify change is done properly:
$ firewall-cmd --get-active-zones
output
work
  interfaces: eth0
3. Verify Firewall active configuration
$ sudo firewall-cmd --zone=work --list-all
output
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8631/tcp 9631/tcp 7910/tcp 9444/tcp 9443/tcp 7290/tcp 8443/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
4. Adding/removing rules manually
$ sudo firewall-cmd --zone=work --add-port=9999/tcp --permanent
$ sudo firewall-cmd --zone=work --remove-port=9999/tcp --permanent
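As an added example that is not part of the original article, the following POSIX shell script audits the ports: line of a firewall-cmd --list-all dump against an allowlist and prints the section 4 removal command for every port that should not be open. The dump is a constructed copy of the section 3 output, and the allowlist (only the two EveryonePrint ports from section 5) is an assumption; on a live host the dump would come from sudo firewall-cmd --zone=work --list-all.

```shell
#!/bin/sh
# Added example, not from the original article: detect firewall-cmd port drift.
# SAMPLE_LIST_ALL is a constructed copy of the article's section 3 output; on a
# real host replace it with the output of: sudo firewall-cmd --zone=work --list-all
SAMPLE_LIST_ALL='work (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8631/tcp 9631/tcp 7910/tcp 9444/tcp 9443/tcp 7290/tcp 8443/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Assumed allowlist: only the EveryonePrint ports named in section 5 are wanted.
EXPECTED_PORTS="7290/tcp 9443/tcp"

# list_open_ports DUMP: print every entry of the "ports:" line, one per line.
# The anchor matches only "ports:", not "source-ports:" or "forward-ports:".
list_open_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' \
        | tr ' ' '\n' | sed '/^$/d'
}

# unexpected_ports DUMP EXPECTED: print open ports missing from the allowlist.
unexpected_ports() {
    _allow=" $2 "
    list_open_ports "$1" | while IFS= read -r _p; do
        case "$_allow" in
            *" $_p "*) ;;                 # allowlisted, keep quiet
            *) printf '%s\n' "$_p" ;;     # drift: report it
        esac
    done
}

# removal_commands DUMP EXPECTED: emit the section 4 command for each stray port
# for an admin to review; nothing here changes the firewall by itself.
removal_commands() {
    unexpected_ports "$1" "$2" | while IFS= read -r _p; do
        printf 'sudo firewall-cmd --zone=work --remove-port=%s --permanent\n' "$_p"
    done
}

echo "Ports open in zone 'work' but not on the allowlist:"
unexpected_ports "$SAMPLE_LIST_ALL" "$EXPECTED_PORTS"
echo "Suggested cleanup (follow with: sudo firewall-cmd --reload):"
removal_commands "$SAMPLE_LIST_ALL" "$EXPECTED_PORTS"
```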
5. Port forwarding
This is useful when running EveryonePrint for HCP on a CentOS gateway and you want the default ports 7290 and 9443 to be reachable on 80 and 443:
$ sudo firewall-cmd --zone="work" --add-forward-port=port=80:proto=tcp:toport=7290 --permanent
$ sudo firewall-cmd --zone="work" --add-forward-port=port=443:proto=tcp:toport=9443 --permanent
6. Activate new rules
Rules added with --permanent are written to the saved configuration but only take effect after a reload, while rules added without --permanent apply immediately but are discarded by the reload. After any change in Firewall settings, use this command to activate the new permanent rules:
$ sudo firewall-cmd --reload