FirewallD, or Dynamic Firewall Manager, is the replacement for the IPTables firewall in Red Hat Enterprise Linux. Its main improvement over IPTables is the ability to make changes at runtime without restarting the whole firewall service.
FirewallD was first introduced in Fedora 18 and has been the default firewall mechanism for Fedora since then. Finally this year Red Hat decided to include it in RHEL 7, and of course it also made its way to the different RHEL clones like CentOS 7 and Scientific Linux 7.
Checking FirewallD service status
To get the basic status of the service simply use
If you need to get a more detailed state of the service you can always use
To enable or disable FirewallD again use
Managing firewall zones
FirewallD introduces the concept of zones. A zone is simply a way to define the level of trust for a set of connections. A connection definition can be part of only one zone at a time, but zones can be grouped. There is a set of predefined zones:
- Public - For use in public areas. Only selected incoming connections are accepted.
- Drop - Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
- Block - Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
- External - For use on external networks with masquerading enabled especially for routers. Only selected incoming connections are accepted.
- DMZ - For computers in your demilitarized zone (DMZ) network, with limited access to the internal network. Only selected incoming connections are accepted.
- Work - For use in work areas. Only selected incoming connections are accepted.
- Home - For use in home areas. Only selected incoming connections are accepted.
- Trusted - All network connections are accepted.
- Internal - For use on internal networks. Only selected incoming connections are accepted.
By default all interfaces are assigned to the public zone. Each zone is defined in its own XML file stored in /usr/lib/firewalld/zones. For example the public zone XML file looks like this.
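The following is an added example, not part of the original post, that shows what a zone file looks like and how to audit a directory of them. The two zone files are constructed for the demo: "public" mirrors the shape of the stock file (services only, no explicit target), and "lab" is a deliberately permissive zone with target="ACCEPT" and raw port ranges, the kind of thing an audit should flag. The parser assumes the one-element-per-line layout that firewalld itself writes; the directory is a temp dir, not /usr/lib/firewalld/zones.

```shell
#!/bin/sh
# Added example: parse firewalld zone XML files and flag permissive zones.
# Assumption: files follow the stock layout (<zone [target=...]>, one
# <service name="..."/> or <port .../> per line). Sample files are constructed.

ZONE_DIR=$(mktemp -d)

cat > "$ZONE_DIR/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF

cat > "$ZONE_DIR/lab.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Lab</short>
  <description>Constructed example: far too open for anything but an isolated lab.</description>
  <service name="ssh"/>
  <port protocol="tcp" port="8000-9000"/>
  <port port="514" protocol="udp"/>
</zone>
EOF

# zone_target FILE -> the zone's target attribute, or "default" when unset
# (the default target rejects unmatched traffic; ACCEPT lets everything in).
zone_target() {
    t=$(grep -o '<zone[^>]*target="[^"]*"' "$1" | sed 's/.*target="\([^"]*\)".*/\1/')
    if [ -n "$t" ]; then printf '%s\n' "$t"; else printf 'default\n'; fi
}

# zone_services FILE -> space-separated service names allowed by the zone.
zone_services() {
    grep -o '<service name="[^"]*"' "$1" | sed 's/.*name="\([^"]*\)"/\1/' \
      | tr '\n' ' ' | sed 's/ $//'
}

# zone_ports FILE -> space-separated port/proto pairs in firewall-cmd style,
# regardless of attribute order inside the <port/> element.
zone_ports() {
    grep -o '<port [^/]*/>' "$1" | while read -r line; do
        p=$(printf '%s' "$line" | sed 's/.* port="\([^"]*\)".*/\1/')
        pr=$(printf '%s' "$line" | sed 's/.*protocol="\([^"]*\)".*/\1/')
        printf '%s/%s ' "$p" "$pr"
    done | sed 's/ $//'
}

# audit_zone FILE -> prints one summary line; returns 1 when the zone accepts
# everything or opens raw ports (worth a manual look), 0 otherwise.
audit_zone() {
    name=$(basename "$1" .xml)
    target=$(zone_target "$1"); services=$(zone_services "$1"); ports=$(zone_ports "$1")
    printf 'zone=%s target=%s services=[%s] ports=[%s]\n' "$name" "$target" "$services" "$ports"
    [ "$target" != "ACCEPT" ] && [ -z "$ports" ]
}

# flagged_zones DIR -> names of the zones audit_zone objected to, one per line.
flagged_zones() {
    for f in "$1"/*.xml; do
        audit_zone "$f" >/dev/null || basename "$f" .xml
    done
}

# Stand-alone run: print every zone summary, then the flagged names.
for f in "$ZONE_DIR"/*.xml; do audit_zone "$f" || true; done
echo "flagged: $(flagged_zones "$ZONE_DIR" | tr '\n' ' ')"
```

Point the same functions at /usr/lib/firewalld/zones (stock definitions) and /etc/firewalld/zones (local overrides, which take precedence) to see what each zone on a real host actually opens; the text-based parser is enough for firewalld's own output, but for hand-edited files an XML-aware tool is safer.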
Retrieve a simple list of the existing zones.
Get a detailed list of the same zones.
Get the default zone.
Get the active zones.
Get the details of a specific zone.
Change the default zone.
Interfaces and sources
Zones can be bound to a network interface and to a specific network address range, or source.
Assign an interface to a different zone. The first command assigns it temporarily (runtime only) and the second makes the assignment permanent.
Retrieve the zone an interface is assigned to.
Bind the work zone to a source.
List the sources assigned to a zone, in this case
FirewallD can assign services permanently to a zone, for example to assign the http service to the dmz zone. A service can also be assigned to multiple zones.
List the services assigned to a given zone.
Besides managing zones, interfaces and services, FirewallD, like other firewalls, can perform several network-related operations such as masquerading, setting direct rules and managing ports.
Masquerading and port forwarding
Add masquerading to a zone.
Query if masquerading is enabled in a zone.
You can also set up port redirection. For example, to forward traffic originally intended for port 80/tcp to port
A destination address can also be added to the above command.
Set direct rules
Create a firewall rule for
Temporarily allow a port in a zone (runtime only; it is gone after the next reload).
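The following is an added example, not part of the original post, that wraps the interface, source and service operations of the previous section and the masquerading, port forwarding, direct-rule and port operations of this one into a small provisioning script. It uses the standard firewall-cmd options (--zone, --add-interface, --add-source, --add-service, --add-masquerade, --add-forward-port, --add-port, --direct --add-rule, --permanent); the zone names, the eth0 interface, the address ranges and the ports are constructed sample values. FW_DRY_RUN (a variable of this script, not of firewalld) defaults to 1 so the commands are printed rather than executed; set it to 0 on a host with firewalld to apply them.

```shell
#!/bin/sh
# Added example: provisioning wrapper around firewall-cmd.
# Assumption: standard firewall-cmd options; sample zones/ports are constructed.
: "${FW_DRY_RUN:=1}"   # 1 = print commands only, 0 = really call firewall-cmd

fw() {
    if [ "$FW_DRY_RUN" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Runtime changes apply now but are lost on reload; --permanent changes
# survive reboots but do nothing until the next reload. Issuing both is the
# usual way to get "now and after reboot" in one step.
apply_both() {
    fw "$@" && fw --permanent "$@"
}

# valid_port SPEC: accept "N/tcp", "N/udp" or a range "N-M/tcp", 1..65535.
valid_port() {
    case "$1" in */tcp|*/udp) ;; *) return 1 ;; esac
    p=${1%/*}; lo=${p%-*}; hi=${p#*-}
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

bind_interface()   { apply_both --zone="$1" --add-interface="$2"; }   # zone iface
bind_source()      { apply_both --zone="$1" --add-source="$2"; }      # zone CIDR
allow_service()    { apply_both --zone="$1" --add-service="$2"; }     # zone service
enable_masquerade(){ apply_both --zone="$1" --add-masquerade; }        # zone

# allow_port ZONE SPEC: permanent + runtime; allow_port_runtime is the
# temporary form from the post, gone after the next reload.
allow_port() {
    valid_port "$2" || { echo "allow_port: bad port spec '$2'" >&2; return 1; }
    apply_both --zone="$1" --add-port="$2"
}
allow_port_runtime() {
    valid_port "$2" || { echo "allow_port_runtime: bad port spec '$2'" >&2; return 1; }
    fw --zone="$1" --add-port="$2"
}

# forward_port ZONE PORT/PROTO TOPORT [TOADDR]: builds the
# port=..:proto=..:toport=..[:toaddr=..] spec that --add-forward-port expects.
forward_port() {
    valid_port "$2" || { echo "forward_port: bad port spec '$2'" >&2; return 1; }
    spec="port=${2%/*}:proto=${2#*/}:toport=$3"
    if [ -n "$4" ]; then spec="$spec:toaddr=$4"; fi
    apply_both --zone="$1" --add-forward-port="$spec"
}

# direct_rule FAMILY CHAIN PRIORITY RULE...: raw iptables syntax in the
# filter table. Direct rules bypass zone logic, so keep them rare and reviewed.
direct_rule() {
    fam=$1; chain=$2; prio=$3; shift 3
    apply_both --direct --add-rule "$fam" filter "$chain" "$prio" "$@"
}

# Stand-alone run: a constructed DMZ/edge setup, printed in dry-run mode.
provision_demo() {
    bind_interface dmz eth0
    bind_source work 10.20.0.0/16
    allow_service dmz http
    enable_masquerade external
    forward_port external 80/tcp 8080 10.20.0.5
    allow_port_runtime dmz 8443/tcp
    direct_rule ipv4 INPUT 0 -p tcp --dport 9000 -j ACCEPT
}
provision_demo
```

Running it with FW_DRY_RUN=1 gives a reviewable list of exactly what will change; the same list is what to diff against `firewall-cmd --zone=... --list-all` output afterwards to confirm the host ended up where the script intended.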
Hopefully you found the post useful to start working with FirewallD. Comments are welcome.