CentOS 7 / RHEL firewalld settings

CentOS 7 has adopted firewalld by default in place of the iptables service used previously, which requires some new steps to configure your firewall.

Rule Permanence

In firewalld, rules can be designated as either permanent or immediate (runtime). By default, adding or modifying a rule changes only the currently running firewall; at the next boot (or reload) those runtime changes are discarded and the old rules return.

Most firewall-cmd operations take the --permanent flag to indicate that the non-ephemeral rule set should be targeted instead. This is the set that is loaded at boot and on reload. The separation means that you can test rules in your active firewall instance and, if there are problems, simply reload to fall back to the permanent set. You can also use the --permanent flag to build out an entire set of rules over time that will all be applied at once when the reload command is issued.

Some key take-aways:

  • check active zones: firewall-cmd --get-active-zones
  • use the --permanent flag for rules that should persist across reload and reboot: firewall-cmd --permanent --zone=public --add-service=https
  • add the service FOR EACH ZONE you want it in. Leaving out --zone applies it to the default zone only.

    more info:

  • redhat.com – Security_Guide sec-Using_Firewalls
  • digitalocean – how-to-set-up-a-firewall-using-firewalld-on-centos-7
    # CentOS/RHEL 7 Firewall:
    # add service to zone (permanent set only; not active until reloaded):
    $ firewall-cmd --permanent --zone=public --add-service=ssh
    # reload so the permanent set becomes the running set:
    $ firewall-cmd --reload
    # _or_: systemctl reload firewalld
    # check:
    $ sudo firewall-cmd --state
    $ firewall-cmd --zone=public --list-all
    ## apache / httpd:
    $ firewall-cmd --permanent --zone=public --add-service=http
    $ firewall-cmd --permanent --zone=public --add-service=https
    $ systemctl reload firewalld

    Example: open mysql ports 3306 and 3307 to the LAN only (eth1 in this case, placed in the "dmz" zone, with eth0 staying in "public"):

    Pre-configured services are in: /etc/firewalld/services (or similar).
    You can create your own alongside them (see the mysql-ro service further down). First bind the interfaces to their zones and add the services:

    firewall-cmd --zone=public --change-interface=eth0 --permanent
    firewall-cmd --zone=dmz --change-interface=eth1 --permanent
    firewall-cmd --zone=dmz --permanent --add-service=mysql
    firewall-cmd --zone=dmz --permanent --add-service=mysql-ro
    # verify:
    firewall-cmd --permanent --zone=public --list-all
    firewall-cmd --permanent --zone=dmz --list-all
    firewall-cmd --reload
    # if any network settings were updated:
    # NOTE: may disrupt network, take care on a production machine
    systemctl restart network.service
    # to make sure firewalld settings are updated:
    systemctl restart firewalld.service

    mysql-ro (port 3307) service: /etc/firewalld/services/mysql-ro.xml

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>mysql-ro</short>
      <description>MySQL Database Server - secondary port</description>
      <port protocol="tcp" port="3307"/>
    </service>
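The following script is an added example, not code from the original page or from firewalld itself. It ties together the three points above: the runtime/permanent split (it reports services that exist in only one of the two sets for a zone), the "add the service for each zone" rule (it plans one --permanent --add-service call per zone and lets you review the plan before applying), and the custom service file (it emits XML in the same shape as mysql-ro.xml). The zone and service names are illustrative, and FWCMD is an assumed variable: set FWCMD=echo for a dry run that prints what would be executed instead of touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the original page or from firewalld itself.
# Assumption: FWCMD names the firewall-cmd binary; set FWCMD=echo for a
# dry run that prints what would be executed instead of changing a firewall.
FWCMD="${FWCMD:-firewall-cmd}"

# firewalld service names: letters, digits, dot, underscore, dash only.
valid_service_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# TCP/UDP port number in 1..65535, digits only.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one firewall-cmd line per zone that adds service $1 to that zone's
# permanent set. Nothing is executed here, so the plan can be reviewed first.
plan_add_service() {
  svc="$1"; shift
  valid_service_name "$svc" || { echo "bad service name: $svc" >&2; return 1; }
  [ $# -gt 0 ] || { echo "no zones given for $svc" >&2; return 1; }
  for zone in "$@"; do
    printf '%s --permanent --zone=%s --add-service=%s\n' "$FWCMD" "$zone" "$svc"
  done
}

# Validate, add the service to every zone's permanent set, then reload so the
# permanent set becomes the running set (the page's --reload step).
apply_plan() {
  svc="$1"; shift
  plan_add_service "$svc" "$@" >/dev/null || return 1
  for zone in "$@"; do
    "$FWCMD" --permanent --zone="$zone" --add-service="$svc" || return 1
  done
  "$FWCMD" --reload
}

# Emit a firewalld service definition in the shape of
# /etc/firewalld/services/<name>.xml for a single TCP or UDP port.
service_xml() {
  name="$1"; port="$2"; proto="$3"; desc="$4"
  valid_service_name "$name" || { echo "bad service name: $name" >&2; return 1; }
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  printf '<?xml version="1.0" encoding="utf-8"?>\n'
  printf '<service>\n  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
  printf '  <port protocol="%s" port="%s"/>\n</service>\n' "$proto" "$port"
}

# Words of $1 that do not appear in $2 (both space-separated lists).
only_in_first() {
  for item in $1; do
    case " $2 " in *" $item "*) ;; *) echo "$item" ;; esac
  done
}

# Report services whose runtime and permanent status disagree for a zone.
# Runtime-only services vanish at the next reload or boot; permanent-only
# ones are not in effect until firewall-cmd --reload.
check_zone_persistence() {
  zone="$1"
  rt=$("$FWCMD" --zone="$zone" --list-services) || return 1
  pm=$("$FWCMD" --permanent --zone="$zone" --list-services) || return 1
  for s in $(only_in_first "$rt" "$pm"); do
    echo "zone $zone: service $s is runtime-only (lost at reload/boot)"
  done
  for s in $(only_in_first "$pm" "$rt"); do
    echo "zone $zone: service $s is permanent-only (inactive until --reload)"
  done
}

# Demo: FWDEMO=1 ./fw-plan.sh prints the plan for the page's zones without
# executing anything (file name is hypothetical).
if [ "${FWDEMO:-0}" = 1 ]; then
  plan_add_service https public dmz
  plan_add_service mysql-ro dmz
  service_xml mysql-ro 3307 tcp 'MySQL Database Server - secondary port'
fi
```

Run check_zone_persistence public after a batch of --permanent changes and before the reload: anything it lists as permanent-only is exactly what the reload will switch on, and anything runtime-only is what you will lose, which is the usual cause of "the port was open yesterday" after a reboot.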