Working with firewalld in RHEL 7 / CentOS 7

First, make sure the firewall service is running before doing any work related to ports.

Use the command to check the firewall service status:

[root@server ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
 Active: active (running) since Sun 2017-10-29 08:46:09 IST; 4min 23s ago
 Docs: man:firewalld(1)
 Main PID: 523 (firewalld)
 CGroup: /system.slice/firewalld.service
 └─523 /usr/bin/python -Es /usr/sbin/firewalld --nofork --...

Oct 29 08:46:07 server systemd[1]: Starting firewalld - dynamic fir....
Oct 29 08:46:09 server systemd[1]: Started firewalld - dynamic fire....
Hint: Some lines were ellipsized, use -l to show in full.

Now that we know the firewall is running, we will check which zones are available and which ports are enabled in the public zone, using the commands below.

Command to check the available zones:

[root@server ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

Command to check the ports enabled in the public zone:

[root@server ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: enp0s8
 sources:
 services: dhcpv6-client mountd nfs rpc-bind ssh
 ports:
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:
The output shows that no ports are enabled in this zone. So let us see how to enable a port.
As an example, I will enable port 8080 (TCP traffic).
[root@server ~]# firewall-cmd --zone=public --add-port=8080/tcp --permanent
success

--permanent:            makes the change persistent, so it survives a reboot of the system.
--zone=public:          the port is enabled in the public zone.
--add-port=8080/tcp:    the port number and protocol we are going to enable.
We must reload the firewall configuration for the change to take effect in the current session; otherwise it only takes effect on the next boot.
[root@server ~]# firewall-cmd --reload
success
Now check the enabled ports in the public zone again after this change.
[root@server ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: enp0s8
 sources:
 services: dhcpv6-client mountd nfs rpc-bind ssh
 ports: 8080/tcp
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:
It shows that port 8080/tcp has been enabled.
Next, I will show how to remove the enabled port from the firewall. As before, we reload the firewall configuration for the change to take effect in this session, then check the status.
[root@server ~]# firewall-cmd --zone=public --remove-port=8080/tcp --permanent
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd --zone=public --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: enp0s8
 sources:
 services: dhcpv6-client mountd nfs rpc-bind ssh
 ports:
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:

We can list the active zones, that is, the zones to which interfaces or sources have been assigned.
[root@server ~]# firewall-cmd --get-active-zone
external
 interfaces: enp0s3
public
 interfaces: enp0s8
To find out which zone an interface is associated with (here I use the enp0s3 interface as a test):
[root@server ~]# firewall-cmd --get-zone-of-interface=enp0s3
external

Command to get the permanent configuration of a zone (here I use the public zone):

[root@server ~]# firewall-cmd --permanent --zone=public --list-all
public
 target: default
 icmp-block-inversion: no
 interfaces:
 sources:
 services: dhcpv6-client mountd nfs rpc-bind ssh
 ports:
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:
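The add/reload/remove procedure above and this permanent listing show that firewalld keeps two configurations for a zone: the runtime one (`--list-all`) and the saved one (`--permanent --list-all`). A port that appears in only one of them is a sign that someone forgot `--permanent` or forgot to `--reload`, so its state will flip on the next reload or reboot. The following script is an added example, not part of the original post: it parses the `ports:` line of both listings and reports the drift. The sample listings are constructed to mirror the post's output at the moment 8080/tcp has been added with `--permanent` but not yet reloaded.

```shell
#!/bin/sh
# Added example: report ports that differ between the runtime and the
# permanent configuration of a firewalld zone. Sample listings below are
# constructed (not captured) from the format shown in the post.
RUNTIME_LISTING='public (active)
  target: default
  interfaces: enp0s8
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports:
  forward-ports:
  sourceports:
  rich rules:'
PERMANENT_LISTING='public
  target: default
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports: 8080/tcp
  forward-ports:
  sourceports:
  rich rules:'

# Print each port/protocol from the "ports:" line of a --list-all listing,
# one per line. "forward-ports:" and "sourceports:" do not match $1 == "ports:".
list_ports() {
    printf '%s\n' "$1" | awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }'
}

# Compare a runtime listing ($1) with a permanent listing ($2).
# "runtime-only" ports vanish at the next --reload or reboot;
# "permanent-only" ports are saved but not active until --reload.
port_drift() {
    runtime=" $(list_ports "$1" | tr '\n' ' ')"
    permanent=" $(list_ports "$2" | tr '\n' ' ')"
    for p in $runtime; do
        case "$permanent" in *" $p "*) ;; *) echo "runtime-only: $p" ;; esac
    done
    for p in $permanent; do
        case "$runtime" in *" $p "*) ;; *) echo "permanent-only: $p" ;; esac
    done
}

# Check a live zone (default: public) when firewall-cmd is present.
check_live_zone() {
    zone=${1:-public}
    port_drift "$(firewall-cmd --zone="$zone" --list-all)" \
               "$(firewall-cmd --permanent --zone="$zone" --list-all)"
}

# Offline demonstration on the constructed listings.
port_drift "$RUNTIME_LISTING" "$PERMANENT_LISTING"
```

Run `check_live_zone public` as root on a RHEL 7 host to compare the real listings; empty output means runtime and permanent configuration agree.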

Command to get the default zone:
[root@server ~]# firewall-cmd --get-default-zone
public

Command to set the default zone:
[root@server ~]# firewall-cmd --set-default-zone=home
success