In this tutorial, we will show you how to set up a firewall using FirewallD on CentOS 8. For those of you who didn’t know, FirewallD is an alternative to the iptables service for dynamically managing a system’s firewall. It supports network (or firewall) zones and provides a D-Bus interface for managing configurations. Starting with CentOS 7, FirewallD replaces iptables as the default firewall management tool.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, host your site on your own VPS. The installation is quite simple and assumes you are running as the root account; if not, you may need to prefix the commands with ‘sudo’ to get root privileges. I will show you step by step how to set up a firewall using FirewallD on CentOS 8.
Prerequisites
- A server running one of the following operating systems: CentOS 8.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A non-root sudo user or access to the root user. We recommend acting as a non-root sudo user, however, as you can harm your system if you’re not careful when acting as root.
Setup Firewall using FirewallD on CentOS 8
Step 1. First, let’s start by ensuring your system is up-to-date.
sudo dnf install epel-release
sudo dnf update
Step 2. Installing FirewallD on CentOS 8.
Firewalld is installed by default on CentOS 8 system, but if it is not installed on your system, you can execute the following command for its installation:
sudo dnf install firewalld
sudo systemctl enable firewalld --now
To enable Firewalld at boot and start it as two separate steps:
sudo systemctl enable firewalld
sudo systemctl start firewalld
Check the current status of Firewalld and see if it’s running:
sudo systemctl status firewalld
Step 3. Setup and configuration of FirewallD.
Below are the predefined zones included in FirewallD:
- drop – All incoming connections are dropped without any reply; only outgoing connections are allowed.
- block – Same as drop, but incoming connections are rejected with icmp-host-prohibited or icmp6-adm-prohibited messages.
- public – For use in untrusted public areas.
- external – External networks, for use when the firewall acts as the gateway. It is configured for NAT masquerading, so the internal network stays private but reachable.
- internal – For the internal network; only selected incoming connections are accepted.
- dmz – Demilitarized zone: for publicly accessible computers with limited access to the internal network; only selected incoming connections are accepted.
- work – Used for work machines.
- home – Used for home machines.
- trusted – Accepts all network connections.
public is the default zone once the firewall service is enabled. To list all available zones, run:
firewall-cmd --get-zones
The following commands change the default zone and verify the change:
firewall-cmd --set-default-zone=home
firewall-cmd --get-default-zone
For example, to open HTTP port 80 and HTTPS port 443 in the runtime configuration only (temporarily, until the next reload or reboot), run:
firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --add-service=https
To open them permanently:
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
Permanent changes do not take effect until the firewall is reloaded:
firewall-cmd --reload
Check for open ports/services:
firewall-cmd --list-all
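As an added example that is not part of the original tutorial, the Step 3 commands wrapped in a small POSIX shell script: it adds the tutorial’s services to a zone permanently, skips any that are already present, reloads, and then checks the runtime zone actually lists them. The FWCMD variable is an assumed override hook (it defaults to the real firewall-cmd) so the logic can be exercised with a stub.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the Step 3 allow-list
# to a zone idempotently and verify it. FWCMD is an assumed override hook so the
# logic can be exercised with a stub; it defaults to the real firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# Services the tutorial opens, plus ssh so a remote session is not locked out.
WANTED_SERVICES="ssh http https"

# Return 0 if SVC is already in ZONE's permanent configuration.
has_service() {
  zone="$1"; svc="$2"
  for s in $($FWCMD --zone="$zone" --permanent --list-services); do
    [ "$s" = "$svc" ] && return 0
  done
  return 1
}

# Permanently add every wanted service that is missing, then reload so the
# runtime configuration matches. The services added are left in $ADDED.
apply_services() {
  zone="$1"; added=""
  for svc in $WANTED_SERVICES; do
    if has_service "$zone" "$svc"; then
      continue
    fi
    $FWCMD --zone="$zone" --permanent --add-service="$svc" || return 1
    added="$added $svc"
  done
  $FWCMD --reload || return 1
  ADDED="${added# }"
}

# Return 0 only if the zone's runtime configuration lists every wanted service.
verify_services() {
  zone="$1"
  for svc in $WANTED_SERVICES; do
    $FWCMD --zone="$zone" --list-services | tr ' ' '\n' | grep -qx "$svc" || return 1
  done
  return 0
}

# Stand-alone use: sh allowlist.sh public
if [ $# -gt 0 ]; then
  apply_services "$1" && verify_services "$1" \
    && echo "zone $1 allows: $($FWCMD --zone="$1" --list-services)"
fi
```

Run it a second time and ADDED comes back empty, which is the idempotence check you want before putting it in a provisioning script.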
Congratulations! You have successfully configured your firewall. Thanks for using this tutorial for installing FirewallD on a CentOS 8 system. For additional help or useful information, we recommend checking the official FirewallD website.