
firewalld

What Is It?

firewalld is the default host-level firewall management tool on CentOS/RHEL. It provides a dynamic interface to manage iptables/nftables rules using zones and services, without requiring service restarts.

Installation

dnf install firewalld (normally already installed on CentOS/RHEL; check with firewall-cmd --state)

Key Files and Directories

Path                  Purpose
/etc/firewalld/       Local (custom) configuration. Files here override same-named files under /usr/lib/firewalld/; put your own zones and services here.
/usr/lib/firewalld/   Default zones and services shipped with the package. Do not edit; package updates overwrite them.

Configuration

firewalld uses a zone-based model. Each network interface is assigned to a zone, and zones define which traffic is allowed. Rules can be added as services (predefined port/protocol sets) or as raw port/protocol pairs.

There are two layers of firewall in this course:

  1. Cloud-level (ETAIS security groups) — configured in the web interface
  2. Host-level (firewalld) — configured on the VM itself

Both must allow traffic for a service to be reachable.

Minimal Working Configuration

firewalld is pre-installed and running. The default zone is typically public. Common operations:

# Allow a predefined service permanently
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
firewall-cmd --add-service=dns --permanent

# Allow a specific port permanently
firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --add-port=8301/udp --permanent

# Apply changes
firewall-cmd --reload

The --permanent flag writes the rule to the persistent configuration under /etc/firewalld/ but does not change the running firewall. Without it, the rule takes effect immediately but is lost on the next --reload or reboot. Always --reload after adding permanent rules (or, if you tested a runtime rule first, save it with --runtime-to-permanent).
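The steps above (permanent add, reload, then check) are easy to get half right: a typo such as a bare 8080 with no protocol, a forgotten --reload, or a rule that is permanent but not yet active. The script below is an added example for this page, not course material or part of firewalld. It applies a service/port allowlist idempotently, reloads only when something changed, and then verifies the runtime state. FIREWALL_CMD and FW_ZONE are hypothetical variables introduced here so the script can be pointed at a stub for a dry run; by default it calls firewall-cmd in the default zone.

```shell
#!/usr/bin/env bash
# Idempotent firewalld allowlist: add the listed services/ports permanently
# (only if missing), reload once, then verify the runtime state.
# Added example for this page, not course material. Assumes firewall-cmd is in
# PATH; FIREWALL_CMD and FW_ZONE are hypothetical knobs so it can be dry-run.
set -eu

: "${FIREWALL_CMD:=firewall-cmd}"   # override with a stub to dry-run
: "${FW_ZONE:=}"                    # empty = firewalld's default zone
FW_CHANGED=0                        # set by apply_allowlist: number of rules added

# Run firewall-cmd with --zone applied consistently when FW_ZONE is set
fw() {
    if [ -n "$FW_ZONE" ]; then
        "$FIREWALL_CMD" --zone="$FW_ZONE" "$@"
    else
        "$FIREWALL_CMD" "$@"
    fi
}

# A bare "8080" is a common mistake; firewall-cmd wants port/protocol
valid_port_spec() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp|sctp|dccp)$'
}

# ensure_service NAME -> 0 added, 1 already present, 2 firewall-cmd failed
ensure_service() {
    if fw --permanent --query-service="$1" >/dev/null 2>&1; then
        return 1
    fi
    fw --permanent --add-service="$1" >/dev/null || return 2
}

# ensure_port PORT/PROTO -> same return codes as ensure_service
ensure_port() {
    if fw --permanent --query-port="$1" >/dev/null 2>&1; then
        return 1
    fi
    fw --permanent --add-port="$1" >/dev/null || return 2
}

# apply_allowlist "svc svc ..." "port/proto ..."
apply_allowlist() {
    local services="$1" ports="$2" item rc
    FW_CHANGED=0
    # Validate everything before touching the firewall, so a typo leaves no half-applied state
    for item in $ports; do
        valid_port_spec "$item" || { echo "invalid port spec: $item (want e.g. 8080/tcp)" >&2; return 2; }
    done
    for item in $services; do
        rc=0; ensure_service "$item" || rc=$?
        case $rc in
            0) FW_CHANGED=$((FW_CHANGED + 1)) ;;
            1) ;;
            *) echo "could not add service $item" >&2; return 1 ;;
        esac
    done
    for item in $ports; do
        rc=0; ensure_port "$item" || rc=$?
        case $rc in
            0) FW_CHANGED=$((FW_CHANGED + 1)) ;;
            1) ;;
            *) echo "could not add port $item" >&2; return 1 ;;
        esac
    done
    # Permanent rules are inert until reloaded; reload only if something changed
    [ "$FW_CHANGED" -eq 0 ] || "$FIREWALL_CMD" --reload >/dev/null
    # Verify against the runtime state, which is what actually filters packets
    for item in $services; do
        fw --query-service="$item" >/dev/null 2>&1 || { echo "runtime check failed: $item" >&2; return 1; }
    done
    for item in $ports; do
        fw --query-port="$item" >/dev/null 2>&1 || { echo "runtime check failed: $item" >&2; return 1; }
    done
}

# Usage: ./fw-allowlist.sh "http https dns" "8080/tcp 8301/udp"
if [ "$#" -ge 1 ]; then
    apply_allowlist "$1" "${2:-}"
    echo "rules added: $FW_CHANGED"
fi
```

Running it twice with the same arguments adds nothing the second time and does not reload, which is what you want from a script that gets re-run by hand or from configuration management. The final runtime queries are the check that the reload actually happened; a permanent-only query would pass even while the port is still closed.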

Important Directives

Zone
A named set of rules applied to network interfaces. Common zones: public (default; rejects incoming traffic except explicitly allowed services), trusted (allow all), drop (silently drop all incoming traffic). Outgoing traffic is not filtered by any zone.
Service
A predefined combination of ports and protocols (e.g. http = TCP 80, dns = TCP/UDP 53). Defined in /usr/lib/firewalld/services/.
Port
A raw port/protocol pair (e.g. 8080/tcp). Used when no predefined service exists.
Rich rules
Complex rules allowing fine-grained control (e.g., "Allow SSH only from 192.168.1.0/24").
Runtime vs Permanent
Runtime rules are active immediately but lost on --reload or reboot. Permanent rules require --reload to take effect but persist across reboots.

Rich Rules Example

Rich rules provide more power than simple port opening: they can match on source address, log what they match, rate-limit, and accept, reject or drop.

# Allow SSH only from a specific subnet
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'

# Drop all traffic from a specific bad IP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.1.1.1" drop'

# Cap new HTTP connections at 10 per minute in total (one global counter, not per client);
# the excess falls through to the zone's default action. This only has an effect if http is
# not also opened with --add-service=http, which would accept the traffic unthrottled.
firewall-cmd --permanent --add-rich-rule='rule service name="http" accept limit value="10/m"'
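The first rich rule above only restricts SSH once the blanket ssh service is removed from the zone, and that is the step that locks people out: if the address you are connected from is not in the allowed subnet, the --reload ends your session and every later one. The script below is an added example for this page, not course material. It adds the per-range rich rules first, removes the ssh service only afterwards, and refuses to run at all if the calling session's address is outside the ranges. FIREWALL_CMD and ADMIN_ADDR are hypothetical variables introduced here; ADMIN_ADDR defaults to the client address in $SSH_CLIENT, which sudo normally strips, so under sudo set it explicitly. IPv4 only, default zone.

```shell
#!/usr/bin/env bash
# Restrict SSH to admin IPv4 ranges with rich rules, refusing to apply the change
# if it would lock out the session running it. Added example, not from the
# course page. Assumes the default zone; FIREWALL_CMD and ADMIN_ADDR are
# hypothetical overrides (ADMIN_ADDR defaults to the address in $SSH_CLIENT).
set -eu

: "${FIREWALL_CMD:=firewall-cmd}"
: "${ADMIN_ADDR:=${SSH_CLIENT:-}}"   # SSH_CLIENT = "client_ip client_port server_port"
ADMIN_ADDR="${ADMIN_ADDR%% *}"       # keep only the client address (empty if not over SSH,
                                     # or if sudo stripped the variable: then no guard)

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; fails on malformed input
ip_to_int() {
    local IFS=. octet
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP A.B.C.D/BITS -> 0 if IP lies inside the range, 1 otherwise or on bad input
ip_in_cidr() {
    local ip="$1" net="${2%/*}" bits="${2#*/}" ipn netn mask
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ipn=$(ip_to_int "$ip") || return 1
    netn=$(ip_to_int "$net") || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# restrict_ssh CIDR... : allow ssh only from the given ranges
restrict_ssh() {
    local cidr inside=1
    [ "$#" -ge 1 ] || { echo "usage: restrict_ssh CIDR..." >&2; return 2; }
    # A valid CIDR always contains its own network address; anything else is rejected up front
    for cidr in "$@"; do
        ip_in_cidr "${cidr%/*}" "$cidr" || { echo "bad CIDR: $cidr" >&2; return 2; }
    done
    # Lockout guard: the address this session came from must be inside one of the ranges
    if [ -n "$ADMIN_ADDR" ]; then
        for cidr in "$@"; do
            if ip_in_cidr "$ADMIN_ADDR" "$cidr"; then inside=0; break; fi
        done
        [ "$inside" -eq 0 ] || { echo "refusing: $ADMIN_ADDR is outside the allowed ranges" >&2; return 1; }
    fi
    # Add the narrow allow rules first; only then remove the blanket ssh service and activate
    for cidr in "$@"; do
        "$FIREWALL_CMD" --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$cidr\" service name=\"ssh\" accept" >/dev/null
    done
    "$FIREWALL_CMD" --permanent --remove-service=ssh >/dev/null
    "$FIREWALL_CMD" --reload >/dev/null
}

# Usage: ./restrict-ssh.sh 192.168.1.0/24 10.0.0.0/8
if [ "$#" -ge 1 ]; then
    restrict_ssh "$@"
fi
```

Nothing is written until every CIDR has been validated and the guard has passed, so a failed run leaves the firewall as it was. Remember the two-layer model: the cloud security group has to allow SSH from the same ranges, and restricting only one layer gives no protection.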

Common Commands

# Check firewalld status
systemctl status firewalld
firewall-cmd --state

# List all rules in the default zone
firewall-cmd --list-all

# List all available services
firewall-cmd --get-services

# Add/remove a service
firewall-cmd --add-service=smtp --permanent
firewall-cmd --remove-service=smtp --permanent

# Add/remove a port
firewall-cmd --add-port=587/tcp --permanent
firewall-cmd --remove-port=587/tcp --permanent

# Panic mode (Block ALL traffic immediately - CAUTION: kills SSH!)
firewall-cmd --panic-on
firewall-cmd --panic-off

# Reload after permanent changes
firewall-cmd --reload

# Check if a specific service/port is allowed
firewall-cmd --query-service=http
firewall-cmd --query-port=8080/tcp

# Show the default zone
firewall-cmd --get-default-zone

# List active zones and their interfaces
firewall-cmd --get-active-zones

Logging and Debugging

  • firewalld logs: journalctl -u firewalld
  • Denied packets: Enable logging with rich rules or firewall-cmd --set-log-denied=all. Rejected and dropped packets then show up in the kernel log (journalctl -k or dmesg). Set it back to off when done; it is noisy.
  • Test connectivity: Use nmap from an external machine to verify which ports are open (a SYN scan needs root):
    sudo nmap -sS <vm-ip> -p 22,53,80,443
    
    States: open (a service answered), closed (the host answered with a reset: the firewall let the packet through but nothing is listening), filtered (no answer, or an ICMP unreachable: the firewall dropped or rejected it). The public zone rejects by default, which nmap also reports as filtered.

Troubleshooting checklist:

  1. firewall-cmd --list-all — is the port/service listed? (Add --zone=<zone> if the interface is not in the default zone; firewall-cmd --get-active-zones shows which zone applies to it.)
  2. Did you use --permanent and --reload?
  3. Is the cloud security group also configured for this port?
  4. ss -tulpn | grep <port> — is the service actually listening?
  5. nmap <ip> -p <port> — test from outside

Security Considerations

  • Default deny: The public zone rejects all incoming traffic except explicitly allowed services; out of the box only ssh and dhcpv6-client are allowed. Keep it this way.
  • Minimal open ports: Only open ports for services you are actively running. Remove rules for services you decommission.
  • Two-layer model: Remember that both firewalld and ETAIS security groups must allow traffic. A common mistake is configuring one but not the other.
  • Do not disable firewalld: Some guides suggest disabling firewalls for troubleshooting. Prefer --set-log-denied=all to see what is being blocked; if you do stop it, always re-enable it afterwards. Running without a firewall in a shared network is dangerous.
  • Rich rules for IP restrictions: For sensitive services, restrict access to specific source IPs using rich rules rather than opening to all.
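The "minimal open ports" point and step 1 of the troubleshooting checklist both come down to comparing what firewall-cmd --list-all reports with what you meant to allow. The script below is an added example for this page, not course material or part of firewalld. It parses the text that --list-all prints and reports anything not on an approved list: a service left over from something you decommissioned, a forgotten port, a zone whose target is ACCEPT (which bypasses the allowlist), and any rich rules, which it cannot judge and therefore flags for review. The sample output is constructed for the example (RHEL 8/9 layout); FIREWALL_CMD is a hypothetical override, and without arguments the script audits the sample instead of the live firewall.

```shell
#!/usr/bin/env bash
# Audit a zone's effective rules against an approved allowlist: anything not on
# the list is a finding (decommissioned service, forgotten port, an ACCEPT target,
# rich rules nobody reviewed). Added example, not course material. It parses the
# text printed by `firewall-cmd --list-all`; FIREWALL_CMD is a hypothetical override.
set -eu
: "${FIREWALL_CMD:=firewall-cmd}"

# Constructed sample of --list-all output (RHEL 8/9 layout), used when run without arguments
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp 8301/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.1.1.1" drop'

# field NAME TEXT -> value of the "  NAME: value" line (empty if absent)
field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# audit_zone LIST_ALL_TEXT "approved services" "approved ports"
# Prints one FINDING line per deviation; returns 0 only when the zone is clean.
audit_zone() {
    local text="$1" ok_services="$2" ok_ports="$3" findings=0 item rich
    # target ACCEPT (the trusted zone, or a changed public zone) bypasses the allowlist entirely
    if [ "$(field target "$text")" = "ACCEPT" ]; then
        echo "FINDING: zone target is ACCEPT, allowlist is bypassed"; findings=$((findings + 1))
    fi
    for item in $(field services "$text"); do
        case " $ok_services " in
            *" $item "*) ;;
            *) echo "FINDING: unexpected service $item"; findings=$((findings + 1)) ;;
        esac
    done
    for item in $(field ports "$text"); do
        case " $ok_ports " in
            *" $item "*) ;;
            *) echo "FINDING: unexpected port $item"; findings=$((findings + 1)) ;;
        esac
    done
    # Rich rules are printed one per line under "rich rules:"; they are outside the allowlist model
    rich=$(printf '%s\n' "$text" | grep -c '^[[:space:]]*rule ' || true)
    if [ "$rich" -gt 0 ]; then
        echo "FINDING: $rich rich rule(s) present, review them by hand"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: ./fw-audit.sh "ssh dhcpv6-client http https" "8080/tcp" [zone]
if [ "$#" -ge 2 ]; then
    audit_zone "$("$FIREWALL_CMD" --zone="${3:-public}" --list-all)" "$1" "$2"
else
    echo "no arguments given, auditing the constructed sample:"
    audit_zone "$SAMPLE_LIST_ALL" "ssh dhcpv6-client http https" "8080/tcp" || true
fi
```

Run against the sample with ssh, dhcpv6-client, http, https and 8080/tcp approved, it flags cockpit, 8301/udp and the one rich rule, and exits non-zero, which makes it usable from cron or a CI job. It only checks the host layer; the cloud security group needs its own comparison.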

Further Reading

  • Concepts: Firewalls
  • SOPs: Firewall Management