
How To Install FirewallD on CentOS Stream 10

In the realm of Linux server administration, security stands as a critical cornerstone. A robust firewall is indispensable for shielding your system from unauthorized access and potential threats. FirewallD emerges as a dynamic and versatile solution, offering advanced features over traditional iptables. In this comprehensive guide, we will delve into how to install FirewallD on CentOS Stream 10, configure it effectively, and leverage its capabilities to enhance your server’s security posture.

CentOS Stream 10, as a continuously delivered distribution, requires a solid firewall strategy. This article elucidates why FirewallD is the preferred choice, providing step-by-step instructions and practical examples. You will learn how to harness FirewallD’s zone-based approach to manage network traffic efficiently. Let’s get started!

FirewallD simplifies firewall management through its dynamic nature. You can modify settings without restarting the service, ensuring uninterrupted operation. This is a significant advantage over older systems like iptables. By the end of this article, you’ll be equipped to deploy and manage FirewallD effectively.

Understanding FirewallD

Before diving into the installation process, let’s understand what FirewallD is and how it differs from iptables. This foundational knowledge will help you appreciate the benefits of using FirewallD.

What is FirewallD?

FirewallD is a comprehensive firewall management tool available on many Linux distributions, including CentOS Stream 10. It acts as a front-end for the Linux kernel’s netfilter subsystem, providing a user-friendly interface to manage firewall rules. It uses the concept of “zones” to define different trust levels for network connections. Setting up a basic firewall can greatly increase your system’s protection.

FirewallD vs. iptables

Traditionally, iptables was the go-to firewall management tool. However, FirewallD offers several advantages:

  • Dynamic Rule Updates: FirewallD allows changes to the firewall configuration without needing to restart the entire service. This ensures minimal disruption.
  • Zone-Based Management: Zones simplify the management of different network environments (e.g., public, private, trusted).
  • Service Abstraction: FirewallD uses predefined services, making it easier to allow common types of traffic (e.g., HTTP, SSH).

Iptables, while powerful, requires a deeper understanding of network concepts and can be cumbersome for everyday use. FirewallD abstracts many of these complexities. Thus, its ease of use makes it an ideal solution for modern Linux systems.

Core Concepts

Understanding the core concepts of FirewallD is crucial for effective configuration:

  • Runtime vs. Permanent Configuration: FirewallD distinguishes between runtime (immediate) and permanent configurations. Runtime changes are temporary and lost on reboot, while permanent changes are saved and applied on boot.
  • Zones: Zones represent different levels of trust. Examples include public, home, work, trusted, drop, and block.
  • Services: Predefined rulesets that allow specific types of traffic, such as HTTP, HTTPS, and SSH.
  • Ports: Specific network ports that can be opened or closed to allow or block traffic.

These concepts allow you to create a finely-tuned security policy for your CentOS Stream 10 server. Learning how to manage these correctly is vital for keeping your system safe.

How FirewallD works with the D-Bus interface

FirewallD utilizes the D-Bus interprocess communication system to manage firewall rules. D-Bus allows applications to communicate with each other. In the case of FirewallD, it enables system administrators and applications to interact with the firewall daemon to make real-time configuration changes.

This architecture provides a flexible and efficient way to manage firewall settings. Changes are applied dynamically without restarting the entire firewall service. D-Bus ensures that all components work together seamlessly.

Prerequisites for Installation

Before installing FirewallD on CentOS Stream 10, ensure that your system meets the necessary requirements and that you have the correct permissions.

System requirements

CentOS Stream 10 should be installed and running smoothly. Ensure you have a stable network connection to download the necessary packages.

Minimal hardware requirements include:

  • 1 GB RAM
  • 20 GB disk space
  • 64-bit processor

These specifications allow CentOS Stream 10 and FirewallD to operate efficiently.

User permissions

You need sudo or root access to install and configure FirewallD. Most commands require administrative privileges to modify system-level settings.

To gain root access, use the command:

sudo su -

Alternatively, prefix each command with sudo.

Checking existing firewall configurations

Before installing FirewallD, check if any other firewall solutions are active, such as iptables. Conflicts can arise if multiple firewalls are running simultaneously.

To check the status of iptables, use the command:

systemctl status iptables

If iptables is active, you’ll need to stop and disable it.

Backing up existing configurations

As a precaution, back up your current firewall settings. This allows you to revert to the previous configuration if something goes wrong during the installation.

For iptables, you can save the current rules using:

iptables-save > iptables_backup.txt

This creates a backup file that you can restore later if needed.

Installing FirewallD on CentOS Stream 10

Installing FirewallD on CentOS Stream 10 is a straightforward process. Follow these steps to ensure a successful installation.

Checking if FirewallD is already installed

First, verify whether FirewallD is already installed on your system. This prevents redundant installations.

Run the following command:

rpm -q firewalld

If FirewallD is installed, the command will return the package name and version. If not, it will indicate that the package is not installed.

Installing FirewallD package

If FirewallD is not installed, use the dnf package manager to install it. The dnf package manager is the default package manager for CentOS Stream 10. Make sure your system is up to date.

Update your system by running:

dnf update

Then, install FirewallD using:

dnf install firewalld

Confirm the installation when prompted. This command downloads and installs FirewallD and its dependencies.

Handling conflicts with iptables

If iptables is running, it can conflict with FirewallD. Stop and disable iptables before proceeding.

Stop iptables using:

systemctl stop iptables

Disable iptables to prevent it from starting on boot:

systemctl disable iptables

Mask the iptables service to prevent it from being started by other services:

systemctl mask iptables

These steps ensure that FirewallD can operate without interference.

Verifying installation

After installation, verify that FirewallD is correctly installed. Use the following command to check the FirewallD version:

firewall-cmd --version

This command displays the FirewallD version, confirming successful installation.

Starting and Enabling FirewallD Service

Once FirewallD is installed, start the service and enable it to launch on boot. This ensures that your firewall is always active.

Checking FirewallD status

Before starting the service, check its current status:

systemctl status firewalld

This command shows whether FirewallD is active, inactive, or failed. The output provides valuable information for troubleshooting.

Starting FirewallD service

Start the FirewallD service using:

systemctl start firewalld

This command initiates the FirewallD daemon, activating the firewall.

Enabling FirewallD to start on boot

To ensure FirewallD starts automatically on boot, enable the service:

systemctl enable firewalld

This creates the necessary symbolic links, so FirewallD is started during system startup.

Verifying service status

After starting and enabling FirewallD, verify its status again to confirm that it is active and running:

systemctl status firewalld

The output should indicate that the service is active and enabled. This confirms that FirewallD is functioning correctly.

Understanding FirewallD Zones

FirewallD uses zones to manage network traffic based on trust levels. Understanding zones is essential for configuring your firewall effectively.

What are FirewallD zones?

FirewallD zones are predefined or custom-defined rulesets that dictate how the firewall handles network traffic. Each zone has a specific level of trust associated with it. For example, the trusted zone allows all traffic, while the drop zone blocks all incoming traffic.

Zones are applied to network interfaces, determining the firewall rules that apply to traffic entering or leaving through that interface. This approach simplifies firewall management by grouping rules based on the network environment.

Default zones in FirewallD

FirewallD comes with several predefined zones:

  • drop: All incoming connections are dropped without any response.
  • block: Similar to drop, but sends an ICMP “host prohibited” or IPv6 “no route to host” error message.
  • public: For use in public areas where you do not trust other computers on the network. Only selected incoming connections are accepted.
  • external: Used for external networks where you are acting as a gateway. NAT is enabled.
  • dmz: Used for computers in a DMZ (Demilitarized Zone). Only selected incoming connections are accepted.
  • work: Used in work environments. Trusts most computers on the network.
  • home: Used in home environments. Trusts most computers on the network.
  • internal: Used for internal networks. Trusts most computers on the network.
  • trusted: All network connections are accepted.

Each zone serves a specific purpose, allowing you to tailor your firewall rules to different network environments.

Checking default and active zones

To check the default zone, use the command:

firewall-cmd --get-default-zone

To list all active zones and their associated interfaces, use:

firewall-cmd --get-active-zones

These commands provide insight into the current zone configuration.

Zone assignment to network interfaces

Network interfaces are assigned to zones. The zone determines the firewall rules that apply to traffic on that interface. To change the zone for an interface, use the command:

firewall-cmd --zone=<zone_name> --change-interface=<interface_name> --permanent

Replace <zone_name> with the desired zone (e.g., public) and <interface_name> with the network interface name (e.g., eth0). The --permanent option ensures the change persists across reboots. You must reload FirewallD for the changes to take effect.

Viewing zone configurations

To view the configuration of a specific zone, use the command:

firewall-cmd --zone=<zone_name> --list-all

Replace <zone_name> with the name of the zone you want to inspect. The output includes the services, ports, and other settings configured for that zone. This information is essential for understanding how traffic is handled in each zone.

Basic FirewallD Configuration

Configuring FirewallD involves managing services, ports, and protocols to control network traffic. Here are the basic configuration steps.

Checking current configuration

Before making changes, review the current firewall configuration. Use the following command to list all settings:

firewall-cmd --list-all

This displays the default zone, interfaces, services, ports, and other settings. It provides a snapshot of the current firewall state.

Managing services

FirewallD uses predefined services to simplify the process of allowing common types of traffic. To list available services, use:

firewall-cmd --get-services

To add a service to a zone, use:

firewall-cmd --zone=<zone_name> --add-service=<service_name> --permanent

Replace <zone_name> with the target zone and <service_name> with the service you want to allow (e.g., http, https, ssh). To remove a service, use --remove-service instead of --add-service.

Managing ports

You can open or close specific ports to allow or block traffic. To open a port, use:

firewall-cmd --zone=<zone_name> --add-port=<port_number>/<protocol> --permanent

Replace <zone_name> with the zone, <port_number> with the port number, and <protocol> with the protocol (tcp or udp). For example, to open port 80 for HTTP traffic in the public zone, use:

firewall-cmd --zone=public --add-port=80/tcp --permanent

To remove a port, use --remove-port instead of --add-port.

Working with protocols

You can also allow or block specific protocols. To add a protocol, use:

firewall-cmd --zone=<zone_name> --add-protocol=<protocol_name> --permanent

Replace <zone_name> with the zone and <protocol_name> with the protocol you want to allow (e.g., icmp). To remove a protocol, use --remove-protocol instead of --add-protocol.

Applying changes

Remember that changes made with the --permanent option do not take effect immediately. You need to reload FirewallD to apply the changes.

Reloading FirewallD

To reload FirewallD and apply permanent changes, use the command:

firewall-cmd --reload

This command applies all permanent configurations without interrupting active connections. Always reload FirewallD after making permanent changes.
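Because permanent changes only take effect on reload, a safer workflow on a remote host is to apply a change at runtime first, verify that you can still reach the machine, and only then copy the runtime state into the permanent configuration with firewall-cmd --runtime-to-permanent. The shell script below is an added example and not part of the original tutorial; the helper names and the FIREWALL_CMD indirection (which lets the functions be exercised against a stub) are this example's own, while --query-service, --add-service and --runtime-to-permanent are real firewall-cmd options.

```shell
#!/bin/sh
# Make a zone change at runtime first, check it, then persist it, rather than
# editing the permanent configuration blind and reloading.
# Added example: the helper names and the FIREWALL_CMD indirection are this
# example's own; --query-service, --add-service and --runtime-to-permanent
# are real firewall-cmd options.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# ensure_service ZONE SERVICE
# Allows SERVICE in ZONE at runtime, skipping the add when it is already
# allowed so the script is safe to re-run. Reports what it did on stdout.
ensure_service() {
    zone=$1; svc=$2
    if "$FIREWALL_CMD" --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        printf 'already allowed: %s in %s\n' "$svc" "$zone"
        return 0
    fi
    "$FIREWALL_CMD" --zone="$zone" --add-service="$svc" >/dev/null || return 1
    printf 'added at runtime: %s in %s\n' "$svc" "$zone"
}

# persist_runtime
# Copies the whole runtime configuration into the permanent one. Until this is
# called, a reboot or `firewall-cmd --reload` discards the runtime change,
# which is exactly what you want if the change locked you out.
persist_runtime() {
    "$FIREWALL_CMD" --runtime-to-permanent >/dev/null
}

# Opt-in demonstration on a real host (needs root and a running firewalld):
#   FW_DEMO=1 sh apply-service.sh
if [ "${FW_DEMO:-0}" = 1 ]; then
    ensure_service public https && persist_runtime
fi
```

Run it with FW_DEMO=1 on a host where you have a second way in; if the runtime change cuts you off, a reload or reboot reverts it because nothing has been persisted yet.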

Advanced FirewallD Configuration

For more complex scenarios, FirewallD offers advanced features such as custom zones, custom services, rich rules, direct rules, and IP sets. Here’s how to use them.

Creating custom zones

You can create custom zones to define specific firewall rules for unique network environments. To create a new zone, use the command:

firewall-cmd --new-zone=<zone_name> --permanent

Replace <zone_name> with the name of your new zone. After creating the zone, you can add services, ports, and other rules as needed. Remember to reload FirewallD to activate the new zone.

Creating custom services

If the predefined services do not meet your needs, you can create custom services. Custom services are defined in XML files located in /etc/firewalld/services. Create a new XML file with the service definition:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SERVICE_NAME</short>
  <description>SERVICE_DESCRIPTION</description>
  <port protocol="tcp" port="PORT_NUMBER"/>
</service>

Replace SERVICE_NAME, SERVICE_DESCRIPTION, and PORT_NUMBER with appropriate values (placeholders written inside angle brackets would make the file invalid XML and FirewallD would refuse to load it). Save the file with a .xml extension (e.g., my-custom-service.xml); the file name without the extension is the service name FirewallD uses. Then, add the service to a zone using:

firewall-cmd --zone=<zone_name> --add-service=<custom_service_name> --permanent

Remember to reload FirewallD.
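Generating the service file from a script avoids typical hand-editing mistakes (a placeholder left inside angle brackets, an unescaped & in a description). The shell script below is an added example, not from the tutorial or the FirewallD project; the function names, the service name my-custom-service and its port are constructed, while the XML layout follows firewalld.service(5).

```shell
#!/bin/sh
# Generate a firewalld custom service file from validated inputs.
# Added example: the function names, the service name "my-custom-service" and
# its port are constructed for this demonstration; the XML layout follows the
# firewalld.service(5) schema.

# xml_escape STRING - escape the characters that are special in XML text.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# check_port_spec PORT/PROTO - a port or port range for tcp/udp/sctp/dccp.
# This is a shape check only; firewalld validates the numeric range itself
# when it loads the file.
check_port_spec() {
    port=${1%/*}; proto=${1#*/}
    [ "$port" != "$1" ] || return 1            # no slash at all
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    printf '%s\n' "$port" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?$'
}

# write_service DIR NAME DESCRIPTION PORT/PROTO...
# Writes DIR/NAME.xml (NAME becomes the service name firewalld uses) and
# prints the path. Validates every argument before touching the file system.
write_service() {
    dir=$1; name=$2; desc=$3
    shift 3
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: $name" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec in "$@"; do
        check_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    done
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$name")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    printf '%s\n' "$file"
}

# Stand-alone demonstration into a temporary directory. On a real host you
# would write to /etc/firewalld/services/, run `firewall-cmd --reload`, and
# then `firewall-cmd --zone=public --add-service=my-custom-service --permanent`.
demo_dir=$(mktemp -d)
write_service "$demo_dir" my-custom-service "Internal metrics exporter (constructed example)" 9100/tcp
cat "$demo_dir/my-custom-service.xml"
rm -rf "$demo_dir"
```

The service name is restricted to letters, digits, hyphen and underscore because it doubles as the file name, and the description is escaped so that a stray & or < cannot break the XML.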

Rich rules

Rich rules provide a flexible way to create complex firewall rules. They allow you to specify conditions based on source and destination IP addresses, ports, protocols, and more. For example, to allow SSH access from a specific IP address, use:

firewall-cmd --zone=<zone_name> --add-rich-rule='rule family="ipv4" source address="<ip_address>" port port="22" protocol="tcp" accept' --permanent

Replace <zone_name> with the zone and <ip_address> with the IP address you want to allow. Rich rules are powerful but can be complex. Test them carefully before applying them to a production environment.

Direct rules

Direct rules let you inject raw iptables-style rules beneath FirewallD's own zone model. This is useful for advanced configurations that FirewallD's standard features do not support. However, direct rules sit outside the zone model, which makes the configuration harder to audit and understand, and the direct interface is deprecated in current FirewallD releases in favour of rich rules and policies. Use them sparingly and with caution.

To add a direct rule, use the command:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport <port_number> -j ACCEPT

Replace <port_number> with the port number you want to allow.

IP sets

IP sets allow you to manage groups of IP addresses efficiently. This is useful when you need to apply the same firewall rules to multiple IP addresses. First, create an IP set:

firewall-cmd --new-ipset=<ipset_name> --type=hash:ip --option=family=inet --permanent

Replace <ipset_name> with the name of your IP set. FirewallD expects the family option as inet (IPv4, the default, so it may be omitted) or inet6 (IPv6), not ipv4. Then, add IP addresses to the set:

firewall-cmd --ipset=<ipset_name> --add-entry=<ip_address> --permanent

Finally, use the IP set in a rich rule:

firewall-cmd --zone=<zone_name> --add-rich-rule='rule family="ipv4" source ipset="<ipset_name>" accept' --permanent

IP sets simplify the management of firewall rules for multiple IP addresses.

Security Best Practices with FirewallD

To maximize the security of your CentOS Stream 10 server, follow these best practices when configuring FirewallD.

Principle of least privilege

Only open the services and ports that are absolutely necessary. Avoid allowing unnecessary traffic, as this increases the attack surface. Review your firewall configuration regularly and remove any unused rules.

Regular auditing

Regularly audit your firewall rules to ensure they are still relevant and effective. Use the firewall-cmd --list-all command to review your configuration.
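One way to turn that review into a repeatable check is to parse the firewall-cmd --list-all output and flag every service or port that is outside an agreed allow-list. The shell script below is an added example, not from the tutorial; the zone dump it parses is constructed to look like firewall-cmd --list-all output rather than captured from a real host, and the function names are this example's own.

```shell
#!/bin/sh
# Audit a zone dump against an allow-list of services and ports.
# Added example. SAMPLE_ZONE_DUMP is constructed to look like the output of
# `firewall-cmd --zone=public --list-all`; it was not captured from a host.

SAMPLE_ZONE_DUMP='public (active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp 161/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# field_values DUMP FIELD - print the space-separated values of one field line
# (the two-space indent and the "name:" prefix are part of the dump format).
field_values() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# unexpected_entries "VALUES" "ALLOWED" - print each value not in ALLOWED.
unexpected_entries() {
    for v in $1; do
        found=0
        for a in $2; do [ "$v" = "$a" ] && found=1; done
        [ $found -eq 0 ] && printf '%s\n' "$v"
    done
    return 0
}

# audit_zone DUMP ALLOWED_SERVICES ALLOWED_PORTS
# Prints one line per unexpected service or port; returns 1 if any was found,
# so the function can gate a cron job or a CI step.
audit_zone() {
    bad=0
    for s in $(unexpected_entries "$(field_values "$1" services)" "$2"); do
        printf 'unexpected service: %s\n' "$s"; bad=1
    done
    for p in $(unexpected_entries "$(field_values "$1" ports)" "$3"); do
        printf 'unexpected port: %s\n' "$p"; bad=1
    done
    return $bad
}

# Demonstration on the constructed dump: a web server that should expose only
# ssh, http and https plus a management port on 8080/tcp.
audit_zone "$SAMPLE_ZONE_DUMP" "ssh http https" "8080/tcp" \
    || echo "zone drifted from the approved baseline"
```

On a live host, replace the constructed dump with the real one: audit_zone "$(firewall-cmd --zone=public --list-all)" "ssh http https" "8080/tcp". A non-zero exit status means something is allowed that the baseline does not account for, which is the moment to apply --remove-service or --remove-port.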

Logging and monitoring

Enable logging to track firewall events. This helps you identify potential security incidents and troubleshoot configuration issues. FirewallD logs events to the system journal. You can view the logs using the journalctl command:

journalctl -u firewalld

Consider using a log management tool to centralize and analyze your firewall logs.

Testing configurations

Before applying permanent changes, test them in a non-production environment. This prevents accidental disruptions to your production services. Use virtual machines or containers to test your firewall configurations.

Handling common security scenarios

Here are some examples of secure FirewallD configurations for common scenarios:

  • Securing SSH access: Limit SSH access to specific IP addresses using rich rules.
  • Web server configuration: Allow HTTP and HTTPS traffic in the public zone.
  • Database server protection: Only allow database traffic from trusted IP addresses or networks.
  • Blocking malicious IPs: Use IP sets to block known malicious IP addresses.
  • Rate limiting connections: Use rich rules to limit the number of connections from a single IP address to prevent DoS attacks.

These examples provide a starting point for securing your CentOS Stream 10 server.

Practical Use Cases

FirewallD can be configured to address a variety of practical security needs. Here are some common use cases.

Securing SSH access

To secure SSH access, limit the IP addresses that can connect to your server. Use a rich rule to allow SSH access only from specific IP addresses:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="<ip_address>" port port="22" protocol="tcp" accept' --permanent

Replace <ip_address> with the IP address you want to allow. This prevents unauthorized SSH access from other IP addresses only if the zone does not also allow the ssh service outright: the public zone allows ssh by default, so remove it with firewall-cmd --zone=public --remove-service=ssh --permanent, otherwise the rich rule adds nothing. Keep your current SSH session open while you verify the new rule from the permitted address.

Web server configuration

For a web server, allow HTTP (port 80) and HTTPS (port 443) traffic in the public zone:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent

This allows web traffic to reach your server while blocking other types of traffic.

Database server protection

To protect a database server, only allow traffic from trusted IP addresses or networks. Use a rich rule to allow traffic only from specific IP addresses:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="<ip_address>" port port="<database_port>" protocol="tcp" accept' --permanent

Replace <ip_address> with the IP address of the database client and <database_port> with the database port (e.g., 3306 for MySQL). This prevents unauthorized access to your database server.

Blocking malicious IPs

Use IP sets to block known malicious IP addresses. First, create an IP set:

firewall-cmd --new-ipset=blacklist --type=hash:ip --option=family=inet --permanent

Then, add the malicious IP addresses to the set:

firewall-cmd --ipset=blacklist --add-entry=<malicious_ip> --permanent

Finally, block traffic from the IP set:

firewall-cmd --zone=drop --add-source=ipset:blacklist --permanent

This blocks all traffic from the specified IP addresses.

Rate limiting connections

Use rich rules to limit the number of connections from a single IP address to prevent DoS attacks:

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="<ip_address>" port port="80" protocol="tcp" accept limit value="10/m"' --permanent

This limits connections from a single IP address to 10 connections per minute on port 80. Adjust the values as needed. The limit clause belongs after the action (accept); FirewallD rejects a rich rule that places limit anywhere else, and the port element must carry both its port and protocol attributes.
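Rich rules are easy to get subtly wrong: the limit clause must follow the action, and a port element needs both its port and protocol attributes. The shell functions below build the rules from validated inputs instead of hand-typing them, covering the source-restricted rules in the Rich rules section, the IP-set rule, and this rate-limited variant. They are an added example, not from the tutorial or the FirewallD project; the function names and the sample addresses (RFC 5737 test networks) are constructed, and the grammar follows firewalld.richlanguage(5).

```shell
#!/bin/sh
# Build firewalld rich rules from validated inputs instead of hand-typing them.
# Added example: the function names and the sample addresses (RFC 5737 test
# networks) are constructed; the rule grammar is firewalld.richlanguage(5).

# is_ipv4_cidr ADDR - dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# is_port NUMBER - TCP/UDP port in 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_rule SOURCE PORT PROTO [RATE]
# Prints a rule accepting PROTO traffic to PORT from SOURCE. With RATE
# (e.g. 10/m) a limit clause is attached to the accept action, which is where
# the grammar places it; firewalld rejects a limit placed before the action.
allow_rule() {
    src=$1; port=$2; proto=$3; rate=$4
    is_ipv4_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
    is_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "invalid protocol: $proto" >&2; return 1 ;; esac
    rule="rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"$proto\" accept"
    if [ -n "$rate" ]; then
        printf '%s\n' "$rate" | grep -Eq '^[1-9][0-9]*/[smhd]$' \
            || { echo "invalid rate: $rate" >&2; return 1; }
        rule="$rule limit value=\"$rate\""
    fi
    printf '%s\n' "$rule"
}

# ipset_rule IPSET - accept everything from a named IP set (see the IP sets
# section); the set name is restricted to the characters firewalld accepts.
ipset_rule() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) echo "invalid ipset name: $1" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source ipset="%s" accept\n' "$1"
}

# Demonstration with constructed values; feed the output to firewall-cmd:
#   firewall-cmd --zone=public --add-rich-rule="$(allow_rule 192.0.2.10 22 tcp)" --permanent
allow_rule 192.0.2.10 22 tcp
allow_rule 198.51.100.0/24 80 tcp 10/m
allow_rule 256.0.0.1 22 tcp || echo "rejected malformed address, as intended"
```

Validating the address and port before the string is assembled means a typo fails in the script rather than surfacing as an INVALID_RULE error from the daemon, or worse, as a rule that parses but does not match what you intended.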

Troubleshooting FirewallD Issues

Despite its user-friendly interface, you might encounter issues while configuring FirewallD. Here are some common problems and their solutions.

Common error messages

Here are some common FirewallD error messages and their explanations:

  • “Failed to start firewalld.service: Unit not found.” This indicates that FirewallD is not installed or the service file is missing. Ensure that FirewallD is installed correctly and the service file exists.
  • “FirewallD is not running.” This means the FirewallD service is not active. Start the service using systemctl start firewalld.
  • “INVALID_ZONE: Zone ‘<zone_name>’ not found.” This indicates that the specified zone does not exist. Check the zone name and ensure it is spelled correctly.
  • “INVALID_SERVICE: Service ‘<service_name>’ not found.” This means the specified service does not exist. Check the service name and ensure it is available.

Understanding these error messages can help you quickly diagnose and resolve issues.

Debugging techniques

Use the following techniques to debug FirewallD configuration problems:

  • Check the FirewallD status: Use systemctl status firewalld to check the service status and identify any errors.
  • Review the FirewallD logs: Use journalctl -u firewalld to view the FirewallD logs and identify any issues.
  • Test the configuration: Use firewall-cmd --check-config to check the configuration for syntax errors.
  • Reload FirewallD: Use firewall-cmd --reload to apply any changes and resolve any inconsistencies.

These techniques can help you identify and resolve configuration problems.

Resetting FirewallD to defaults

If you encounter significant problems, you can reset FirewallD to its default configuration. This removes all custom rules and zones. Delete any custom zone you created, then remove the local zone overrides; the stock zone definitions live in /usr/lib/firewalld/zones and are not touched, so FirewallD falls back to them:

firewall-cmd --permanent --delete-zone=<zone_name>
rm -f /etc/firewalld/zones/*

Then, restart the FirewallD service:

systemctl restart firewalld

This resets FirewallD to its default state. Use this option as a last resort.

Service conflicts

Conflicts can arise if other services interfere with FirewallD. Ensure that no other firewall solutions are active. Disable and mask any conflicting services, such as iptables. Review your system configuration and identify any potential conflicts.

Congratulations! You have successfully installed FirewallD. Thanks for using this tutorial to install FirewallD on CentOS Stream 10. For additional help or useful information, we recommend you check the official CentOS website.


r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.