How to Enable and Use firewalld on CentOS 7?
Firewalld is a dynamic firewall management tool for CentOS 7 that provides a user-friendly interface to configure and manage firewall rules. Unlike traditional iptables, firewalld supports network zones and allows changes without restarting the entire firewall service. This article demonstrates how to enable and effectively use firewalld on CentOS 7.
Installation and Setup
Firewalld is included with CentOS 7 but may not be enabled by default. First, check whether firewalld is installed and running:

```bash
sudo systemctl status firewalld
```

To enable firewalld at boot and start the service now:

```bash
sudo systemctl enable firewalld
sudo systemctl start firewalld
```

Verify that firewalld is active; the command should print `running`:

```bash
sudo firewall-cmd --state
```
Understanding Zones
Firewalld uses zones to define trust levels for network connections. Each zone has predefined rules for different network environments.
List the available zones:

```bash
sudo firewall-cmd --get-zones
```

Output:

```
block dmz drop external home internal public trusted work
```

Check the default zone (on a fresh CentOS 7 install this prints `public`):

```bash
sudo firewall-cmd --get-default-zone
```

View the active zones and the full configuration of the default zone:

```bash
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all
```
Managing Services
Firewalld includes predefined services for common applications. View the available services:

```bash
sudo firewall-cmd --get-services
```

Allow a service (HTTP in this example) in the public zone and reload so the permanent change takes effect:

```bash
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload
```

Remove a service:

```bash
sudo firewall-cmd --zone=public --remove-service=http --permanent
sudo firewall-cmd --reload
```
Managing Ports
Open specific ports when none of the predefined services matches your requirements:

```bash
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=1234/udp --permanent
sudo firewall-cmd --reload
```

Remove a port:

```bash
sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent
sudo firewall-cmd --reload
```
Rich Rules for Advanced Control
Rich rules provide fine-grained control over firewall behavior, matching on source address and service rather than only on a port or service name. Allow traffic from a specific IP address:

```bash
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept' --permanent
```

Block an IP address (reject sends an ICMP error back to the sender; use `drop` instead to discard silently):

```bash
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.200" reject' --permanent
```

Allow a service only from a specific subnet:

```bash
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept' --permanent
```

These rules are written to the permanent configuration only; reload to activate them:

```bash
sudo firewall-cmd --reload
```
Common Firewalld Operations
| Operation | Command | Purpose |
|---|---|---|
| View all rules | `firewall-cmd --list-all` | Display current zone configuration |
| Reload rules | `firewall-cmd --reload` | Apply permanent changes |
| Add interface | `firewall-cmd --zone=public --add-interface=eth0` | Assign interface to zone |
| Enable masquerading | `firewall-cmd --add-masquerade --permanent` | NAT for internal networks |
| Port forwarding | `firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080` | Redirect traffic |
Creating Custom Zones
Create a custom zone for specific requirements, add the services it should expose, and reload so the zone and its services become active:

```bash
sudo firewall-cmd --permanent --new-zone=webservers
sudo firewall-cmd --reload
sudo firewall-cmd --zone=webservers --add-service=http --permanent
sudo firewall-cmd --zone=webservers --add-service=https --permanent
sudo firewall-cmd --reload
```
Best Practices
- Always use the `--permanent` flag for persistent rules and reload afterward
- Test rules without `--permanent` first; if something goes wrong, they reset on reboot
- Use `firewall-cmd --check-config` to validate the configuration before reloading
- Regularly back up the firewalld configuration from `/etc/firewalld/`
- Monitor `/var/log/messages` for firewall-related events
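The first two practices imply a failure mode worth checking for: rules present at runtime but not in the permanent configuration (lost on the next reload or reboot), or the reverse (permanent but not yet enforced). The following POSIX shell script is an added example, not part of the original article: it parses `firewall-cmd --list-all` output for one zone into service, port and rich-rule entries and reports every entry present in only one of the two configurations. A constructed sample is embedded so it runs offline; the `--live` mode and the `drift.sh` file name are assumptions.

```shell
#!/bin/sh
# Spot drift between firewalld's runtime and permanent config for one zone:
# a rule added without --permanent vanishes on reload/reboot, and a permanent
# rule not yet reloaded is not enforced. Sample input below is constructed.
export LC_ALL=C
# Turn `firewall-cmd --zone=Z --list-all` output (stdin) into sorted
# "service:NAME", "port:PORT/PROTO" and "rich:RULE" lines.
extract_rules() {
    awk '
        /^[ \t]*rich rules:/ { inrich = 1; next }
        inrich { if ($0 ~ /^[ \t]*rule /) { sub(/^[ \t]+/, ""); print "rich:" $0 } else inrich = 0 }
        /^[ \t]*services:/ { for (i = 2; i <= NF; i++) print "service:" $i }
        /^[ \t]*ports:/    { for (i = 2; i <= NF; i++) print "port:" $i }
    ' | sort
}
# drift_report RUNTIME_FILE PERMANENT_FILE: one "runtime-only RULE" or
# "permanent-only RULE" line per difference; no output when in sync.
drift_report() {
    rtf=$(mktemp); pmf=$(mktemp)
    extract_rules < "$1" > "$rtf"; extract_rules < "$2" > "$pmf"
    comm -23 "$rtf" "$pmf" | sed 's/^/runtime-only /'
    comm -13 "$rtf" "$pmf" | sed 's/^/permanent-only /'
    rm -f "$rtf" "$pmf"
}
# Constructed samples: http, 8080/tcp and a rich rule were opened at runtime,
# but only http was also added with --permanent.
SAMPLE_RUNTIME='public (active)
  services: dhcpv6-client ssh http
  ports: 8080/tcp
  rich rules:
    rule family="ipv4" source address="192.168.1.100" accept'
SAMPLE_PERMANENT='public
  services: dhcpv6-client ssh http
  ports:
  rich rules:'
# Run the comparison on the constructed samples (expected: 2 runtime-only lines).
sample_drift() {
    srt=$(mktemp); spm=$(mktemp)
    printf '%s\n' "$SAMPLE_RUNTIME" > "$srt"; printf '%s\n' "$SAMPLE_PERMANENT" > "$spm"
    drift_report "$srt" "$spm"; rm -f "$srt" "$spm"
}
# Live check on a CentOS 7 host (as root): sh drift.sh --live [zone]; exit 1 on drift.
if [ "${1:-}" = "--live" ]; then
    zone=${2:-$(firewall-cmd --get-default-zone)}; lrt=$(mktemp); lpm=$(mktemp)
    firewall-cmd --zone="$zone" --list-all > "$lrt"
    firewall-cmd --zone="$zone" --list-all --permanent > "$lpm"
    report=$(drift_report "$lrt" "$lpm"); rm -f "$lrt" "$lpm"
    [ -z "$report" ] && echo "zone $zone: in sync" || { printf '%s\n' "$report"; exit 1; }
fi
```

Run without arguments it prints the two runtime-only entries from the sample; scheduled with `--live` from cron it turns a silent post-reboot rule loss into a visible non-zero exit.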
Conclusion
Firewalld provides a powerful yet accessible way to manage firewall rules on CentOS 7. Its zone-based approach and dynamic rule management make it superior to traditional iptables for most use cases. By mastering basic service and port management, along with rich rules for advanced scenarios, administrators can effectively secure their systems while maintaining operational flexibility.
