Installing Firewalld on CentOS 7 and Essential Commands


Firewalld is a firewall management tool for Linux. Like iptables, it is a frontend to the Linux kernel's netfilter framework; it does not replace the kernel filtering, it only manages the rules loaded into it.

Installing Firewalld

CentOS 7 usually ships with the firewalld package already installed. If it is missing, install it with yum:

# Install firewalld
yum -y install firewalld

Preparation Before Running Firewalld

Firewalld's default configuration allows the SSH service (port 22). If you have moved SSH to a different port, you must allow that port before enabling firewalld; otherwise starting it will cut off your own connection to the server.

For example, if you changed the SSH port to 2018, one option is to edit the zone file directly with vi /etc/firewalld/zones/public.xml and add a port rule inside the <zone> element:

<port protocol="tcp" port="2018"/>

Editing the configuration file by hand is not recommended, because a typo can leave the zone file invalid. A safer option is the firewall-offline-cmd command, which edits the permanent configuration while firewalld is not running:

firewall-offline-cmd --zone=public --add-port=2018/tcp

Then start firewalld with systemctl start firewalld. The port is already allowed in the saved configuration, so you will not be locked out.
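The preparation step above, written as a small script so the SSH port is read from sshd_config rather than typed by hand. This is an added example, not part of the original article; the script name prepare-ssh-port.sh and the FW_DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: read the SSH port(s) from an
# sshd_config and open them with firewall-offline-cmd before firewalld is
# started, so the "changed SSH port" lockout described above cannot happen.

# ssh_ports_from_config <file>: print every active "Port" directive, space
# separated; sshd defaults to 22 when none is set. Commented lines start
# with "#", so their first field never equals "port".
ssh_ports_from_config() {
    awk 'tolower($1) == "port" { ports = ports (ports == "" ? "" : " ") $2 }
         END { print (ports == "" ? "22" : ports) }' "$1"
}

# offline_open_cmd <port>: the firewall-offline-cmd invocation for one TCP
# port in the public zone (kept separate so it can be inspected without root).
offline_open_cmd() {
    echo "firewall-offline-cmd --zone=public --add-port=$1/tcp"
}

# open_ssh_ports_offline <file>: run that command for each configured port.
# Must run as root while firewalld is stopped; FW_DRY_RUN=1 only prints.
open_ssh_ports_offline() {
    for port in $(ssh_ports_from_config "$1"); do
        cmd=$(offline_open_cmd "$port")
        echo "+ $cmd"
        [ "${FW_DRY_RUN:-0}" = 1 ] || $cmd
    done
}

# Usage: sh prepare-ssh-port.sh /etc/ssh/sshd_config
if [ $# -ge 1 ]; then
    open_ssh_ports_offline "$1"
    [ "${FW_DRY_RUN:-0}" = 1 ] || systemctl start firewalld
fi
```

Run it with FW_DRY_RUN=1 first to see which ports it would open; only then run it as root against the real sshd_config. Because it reads the Port directives rather than a value you remember, it also catches the case where sshd listens on more than one port.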

Common Commands

After installation, firewalld is not running by default. These are the basic commands for managing the service:

# Check running status
firewall-cmd --state
# Start firewall
systemctl start firewalld
# Enable startup on boot
systemctl enable firewalld
# Disable startup on boot
systemctl disable firewalld
# Stop firewall
systemctl stop firewalld

If you encounter the error "Failed to start firewalld.service: Unit firewalld.service is masked." during startup, run the following command to resolve it:

systemctl unmask firewalld.service

Common Examples

Allow a specific TCP port, such as port 80:

firewall-cmd --zone=public --add-port=80/tcp --permanent

Allow a range of ports (8000-9000):

firewall-cmd --zone=public --add-port=8000-9000/tcp --permanent

View allowed ports:

firewall-cmd --zone=public --list-ports

Remove an allowed port (6022):

firewall-cmd --zone=public --remove-port=6022/tcp --permanent

Block a specific IP (123.57.22.204) from connecting:

firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=123.57.22.204 reject"

Allow only a specific IP to access a specific port (the rule is wrapped in single quotes so the double quotes inside it reach firewall-cmd intact):

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="101.32.40.130" port protocol="tcp" port="3306" accept'

Note: --permanent only writes the change to the saved configuration. All the examples above require running firewall-cmd --reload afterwards to load the saved configuration into the running firewall.
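The examples above, collected into one script that builds the rich rules with correct quoting, refuses a malformed source address before it reaches firewall-cmd, and finishes with a single --reload. This is an added example, not part of the original article; the script name firewalld-policy.sh, the fw wrapper and the FW_DRY_RUN variable are assumptions of this example, while the ports and addresses are the article's own sample values.

```shell
#!/bin/sh
# Added example, not from the original article: build firewalld rich rules
# with correct shell quoting, validate the source address before it reaches
# firewall-cmd, and apply all changes as one permanent set with one --reload.

# is_ipv4 <addr>: succeed only for a dotted quad whose octets are 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# rich_rule_reject_source <ip>: rich rule that rejects every packet from <ip>.
rich_rule_reject_source() {
    is_ipv4 "$1" || return 1
    printf 'rule family="ipv4" source address="%s" reject\n' "$1"
}

# rich_rule_allow_port_from <ip> <port>: rich rule that lets only <ip> reach
# TCP <port>. The rule text carries its own double quotes, so the caller must
# wrap it in single quotes (or a quoted variable) when passing it to firewall-cmd.
rich_rule_allow_port_from() {
    is_ipv4 "$1" || return 1
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$1" "$2"
}

# fw <args...>: firewall-cmd, or an echo of the command when FW_DRY_RUN=1.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# apply_policy: the article's examples as one change set. --permanent only
# edits the saved zone files, so nothing takes effect until the final --reload.
apply_policy() {
    fw --permanent --zone=public --add-port=80/tcp
    fw --permanent --zone=public --add-port=8000-9000/tcp
    fw --permanent --zone=public --remove-port=6022/tcp
    rule=$(rich_rule_reject_source 123.57.22.204) || return 1
    fw --permanent --zone=public --add-rich-rule="$rule"
    rule=$(rich_rule_allow_port_from 101.32.40.130 3306) || return 1
    fw --permanent --zone=public --add-rich-rule="$rule"
    fw --reload
}

# Usage: FW_DRY_RUN=1 sh firewalld-policy.sh --apply   (omit FW_DRY_RUN to apply as root)
if [ "${1:-}" = "--apply" ]; then
    apply_policy
fi
```

Keeping the whole policy in one script makes the saved configuration reproducible: rerunning it is harmless, since firewall-cmd only warns when a port or rule is already present, and the single --reload at the end means the running firewall never sits half-updated between commands.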

Summary

Personally, I find firewalld easier to use than iptables. There must be a reason why CentOS 7 uses firewalld by default. It is definitely worth saving this article. The above only covers the basic usage of firewalld, which should be sufficient for most situations. For detailed parameter meanings, you can search online.