How To Set Up a Firewall Using FirewallD on CentOS 7.x

This blog post shows how to work with the firewall on CentOS 7 using the firewall-cmd command.


Introduction :
Firewalld is a complete firewall solution available by default on CentOS 7 servers. In this guide, we will cover how to set up a firewall for your server and show you the basics of managing the firewall with the firewall-cmd administrative tool (if you'd rather use iptables with CentOS, follow this guide).

Turning on the Firewall :
Before we can begin to create our firewall rules, we need to actually turn the daemon on. The systemd unit file is called firewalld.service. We can start the daemon for this session by typing (to have it start at every boot as well, also run systemctl enable firewalld):
[root@localhost ~]# systemctl start firewalld
Check firewalld daemon status :
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2016-09-02 12:14:45 IST; 5min ago
Main PID: 651 (firewalld)
CGroup: /system.slice/firewalld.service
└─651 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Sep 02 12:14:40 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 02 12:14:45 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

Check that firewalld is running :

[root@localhost ~]# firewall-cmd --state
running


Check the current default zone :
We can see which zone is currently selected as the default by typing:

[root@localhost ~]# firewall-cmd --get-default-zone
public


Check the currently active zones and the interfaces bound to them :
[root@localhost ~]# firewall-cmd --get-active-zone
public
interfaces:
eth0


Check the currently open ports (runtime configuration) :
[root@localhost ~]# firewall-cmd --list-port
8069/tcp 80/tcp 5000-5500/tcp 20/tcp 21/tcp 9000/tcp 22/tcp

How to list permanently open ports :
[root@localhost ~]# firewall-cmd --zone=public --permanent --list-port
8069/tcp 80/tcp 5000-5500/tcp 20/tcp 21/tcp 9000/tcp 22/tcp
[root@localhost ~]#



How to list all information for the default zone, including open ports and blocks :
[root@localhost ~]# firewall-cmd --list-all
public (default, active)
interfaces:
eth0
sources:
services: dhcpv6-client ssh
ports: 8069/tcp 80/tcp 5000-5500/tcp 20/tcp 21/tcp 9000/tcp 22/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:

[root@localhost ~]#


How to list all available zones :
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work


How to list all information for the public zone :

[root@localhost ~]# firewall-cmd --list-all --zone=public
public (default, active)
interfaces:
eth0
sources:
services: dhcpv6-client ssh
ports: 8069/tcp 80/tcp 5000-5500/tcp 20/tcp 21/tcp 9000/tcp 22/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:



How to list all predefined services :
[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https
[root@localhost ~]#



How to list all permanently enabled services :
[root@localhost ~]# firewall-cmd --zone=public --permanent --list-services
dhcpv6-client ssh


How to add (open) a port permanently :
[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=80/tcp
success

How to reload the firewall to apply permanent changes after adding a port or service :
Note that a reload replaces the runtime configuration with the permanent one, so anything added without --permanent is dropped at this point.
[root@localhost ~]# firewall-cmd --reload
success

How to add (open) a service permanently :

[root@localhost ~]# firewall-cmd --zone=public --permanent --add-service=mysql
success


How to add (open) a TCP port range permanently :
[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=4000-4400/tcp
success
How to add (open) a UDP port range permanently :

[root@localhost ~]# firewall-cmd --zone=public --permanent --add-port=4000-4400/udp
success
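As an added example (not part of the original post), here is a small bash script that builds on the runtime-versus-permanent distinction above to detect drift in a zone: ports saved with --permanent but not yet loaded, and runtime-only ports that the next --reload will silently drop. The zone name and the helper function names are my own; the sample port lists in the comments are taken from the outputs shown above.

```bash
#!/usr/bin/env bash
# Compare a firewalld zone's runtime port list with its permanent port list.
# Drift appears when --permanent changes were made without --reload, or when
# runtime-only changes (made without --permanent) would be lost at the next reload.
set -u

# Print the space-separated items of $1 that do not occur in $2.
items_not_in() {
    local item other found out=""
    for item in $1; do
        found=0
        for other in $2; do
            [ "$item" = "$other" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && out="$out $item"
    done
    printf '%s' "${out# }"
}

# Report drift between the runtime ($1) and permanent ($2) port lists.
# Prints one line per kind of discrepancy; returns 0 when they agree, 1 otherwise.
report_port_drift() {
    local pending lost rc=0
    pending=$(items_not_in "$2" "$1")   # permanent but not live yet: needs --reload
    lost=$(items_not_in "$1" "$2")      # live but not saved: dropped by next --reload
    if [ -n "$pending" ]; then
        printf 'pending (run firewall-cmd --reload): %s\n' "$pending"; rc=1
    fi
    if [ -n "$lost" ]; then
        printf 'runtime-only (re-add with --permanent): %s\n' "$lost"; rc=1
    fi
    return "$rc"
}

# Live check, only when firewall-cmd is installed (zone name is an assumption).
if command -v firewall-cmd >/dev/null 2>&1; then
    zone=${1:-public}
    runtime=$(firewall-cmd --zone="$zone" --list-ports)
    permanent=$(firewall-cmd --zone="$zone" --permanent --list-ports)
    report_port_drift "$runtime" "$permanent" \
        && echo "zone $zone: runtime and permanent ports agree"
fi
```

Run it after an --add-port to confirm that --reload is still needed, or as a periodic check that nobody has opened a port at runtime only.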



That's All...
!!!Cheers!!!