Back to Main page

Articles in this section

See more

CentOS: Firewall settings

Follow

CentOS uses Firewalld to manage the firewall rules.

This article is here as a reference to main commands that can be used to check Firewalld status or maintain rules.

1. Check Firewall setup

    1. Verify Firewall running state and settings:
    2. Firewall status: (should reply running) 
      $ sudo firewall-cmd --state
      output
      running
    3. Firewall default and active zone: 
      $ firewall-cmd --get-default-zone
      output
      public
      $ firewall-cmd --get-active-zones
      output
      public
      interfaces: eth0

Explanation:

Above setup is typical of the minimal installation we have done. It is advised to change the zone settings to better adapt to your environment.

Typical Firewall zones are

      • public: Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis.
      • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
      • work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.

2. Change Firewall setup

To change zone for the network interface do the following:

  1. Change default zone 
    $ sudo firewall-cmd --set-default-zone=work
    output
    success
  2. Transition network interface to new zone 
    $ sudo firewall-cmd --zone=work --change-interface=eth0
    output
    The interface is under control of NetworkManager, setting zone to 'work'.
    success
  3. Verify change is done properly 
    $ firewall-cmd --get-active-zones
    output
    work
     interfaces: eth0

3. Verify Firewall active configuration

$ sudo firewall-cmd --zone=work --list-all
output
work (active)
 target: default
 icmp-block-inversion: no
 interfaces: eth0
 sources: 
 services: ssh dhcpv6-client
 ports: 8631/tcp 9631/tcp 7910/tcp 9444/tcp 9443/tcp 7290/tcp 8443/tcp 8080/tcp
 protocols: 
 masquerade: no
 forward-ports: 
 source-ports: 
 icmp-blocks: 
 rich rules:

4. Adding/removing rules manually

$ sudo firewall-cmd --zone=work --add-port=9999/tcp --permanent
$ sudo firewall-cmd --zone=work --remove-port=9999/tcp --permanent

5. Port forwading

This might be useful when running EveryonePrint for HCP on a CentOS Gateway and liking to change default ports 7290 and 9443 to 80  and 443

sudo firewall-cmd --zone="work" --add-forward-port=port=80:proto=tcp:toport=7290 --permanent
sudo firewall-cmd --zone="work" --add-forward-port=port=443:proto=tcp:toport=9443 --permanent

6. Activate new rules

After any change in Firewall settings, to activate the new rules permanently, use this command: 

$ sudo firewall-cmd --reload

Comments

0 comments

Please sign in to leave a comment.