With Red Hat Enterprise Linux 7's move to systemd, not only has the init system been replaced, but other daemons and their utilities have been replaced as well, such as systemd-journald (event logging), systemd-logind (login and session management) and systemd-udevd (device management).
firewalld has been introduced to replace the iptables service as the front end for managing the firewall. It is a service daemon with a D-Bus interface; underneath it still programs the kernel netfilter rules through iptables, so it changes how rules are managed, not what enforces them.
firewalld separates runtime and permanent configuration. Changes can be made immediately in the runtime environment without restarting or reloading the daemon, but the runtime configuration is only valid until the next service reload or restart, or a system reboot; after that the permanent configuration is loaded again.
This makes the runtime environment useful for settings that should only be active for a limited amount of time, and for trying a change out before committing to it. Once a runtime configuration has been evaluated and is complete and working, it can be saved to the permanent environment (firewall-cmd --runtime-to-permanent, on firewalld versions that provide it) or re-applied with --permanent.
Below is the firewalld structure: the firewall-cmd command-line tool and the firewall-config GUI talk to the firewalld daemon over D-Bus, and firewalld in turn programs the kernel netfilter rules through iptables, ip6tables and ebtables.
The basic configuration lives in /etc/firewalld/firewalld.conf (the default zone, lockdown mode and similar settings).
Other important directories and files: /usr/lib/firewalld/ holds the shipped defaults (zones/, services/, icmptypes/) and should not be edited; /etc/firewalld/ holds the system-specific configuration with the same layout, and a file there with the same name takes precedence over the shipped one.
Here are some frequently used commands to manage firewalld:
1. enable/disable firewalld at boot
systemctl enable firewalld
systemctl disable firewalld
2. manually start/stop firewalld
systemctl start firewalld
systemctl stop firewalld
systemctl restart firewalld
3. check firewalld status
systemctl status firewalld
firewall-cmd --state
4. check the default and active firewalld zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
5. list everything enabled in the default zone. Use --zone=<zonename> to specify a non-default zone.
firewall-cmd --list-all
firewall-cmd --zone=<zonename> --list-all
firewall-cmd --info-zone=<zonename>
6. list all open ports in the default zone (add --zone=<zonename> for another zone)
firewall-cmd --list-ports
7. reload the configuration so that the permanent configuration becomes the runtime configuration. Any runtime-only changes are discarded. The difference between reload and complete-reload is that complete-reload also reloads the netfilter kernel modules, which will most likely terminate active connections.
firewall-cmd --reload
firewall-cmd --complete-reload
8. add a TCP port to the runtime configuration. Without --permanent the change takes effect immediately but is lost at the next reload; with --permanent it is written to the zone file and only becomes active in the running firewall after firewall-cmd --reload (or a restart). To have both at once, run the command twice, once with and once without --permanent. Give --remove-port the same --zone you used when adding, otherwise it acts on the default zone.
firewall-cmd --zone=<zonename> --add-port=11117/tcp
firewall-cmd --zone=<zonename> --remove-port=11117/tcp
9. whitelist an IP address or an IP range, or remove an address from the whitelist again. --add-source binds traffic from that source to the zone (the default zone unless --zone is given), so the source only gets whatever that zone allows: bound to the trusted zone it is a real whitelist, bound to public it merely gets public's services and ports. These are permanent changes, so run firewall-cmd --reload afterwards.
firewall-cmd --permanent --add-source=192.168.1.100
firewall-cmd --permanent --add-source=192.168.1.0/24
firewall-cmd --permanent --remove-source=192.168.1.100
10. add or remove a service (the predefined services live in /usr/lib/firewalld/services/; these are permanent changes, so reload afterwards)
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --remove-service=ssh
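The script below is an added example and not code from the original post. It ties together the runtime-before-permanent workflow from items 7 and 8 and the source-binding caveat from item 9: fw_open_port stages a port in the runtime configuration, verifies it with --query-port and only then writes the permanent copy, and fw_audit parses the text output of firewall-cmd --list-all to show what a zone actually exposes. The function names, the port-spec validation and the two --list-all samples are constructed for this example (the samples follow the RHEL 7 output layout but were not captured from a real host); the firewall-cmd options used (--add-port, --query-port, --permanent, --zone, --list-all, --get-active-zones) are real ones.

```sh
#!/bin/sh
# Added example, not code from the original post.  Stage a firewalld change in
# the runtime configuration before persisting it, and read what a zone allows
# from "firewall-cmd --zone=<zone> --list-all" output (RHEL 7 text layout).
# The parsing is exercised on constructed samples so it runs without firewalld.

# Accept only "<1-65535>/tcp" or "<1-65535>/udp" before handing a port spec to
# firewall-cmd.  Returns 0 when valid, 1 otherwise.
fw_valid_port() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    p=${1%/*}
    case "$p" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ]
}

# Print the value of one field ("ports", "sources", "target", ...) from
# --list-all output; prints nothing when the field is empty or absent.
fw_field() {
    printf '%s\n' "$1" | sed -n "s/^  *$2: *//p"
}

# Summarise what a zone exposes, one finding per line.  A zone whose target is
# ACCEPT lets every bound source through unconditionally, which is what
# "whitelisting" with --add-source really means when the zone is trusted.
fw_audit() {
    zone=$(printf '%s\n' "$1" | head -n 1 | cut -d' ' -f1)
    target=$(fw_field "$1" target)
    sources=$(fw_field "$1" sources)
    ports=$(fw_field "$1" ports)
    services=$(fw_field "$1" services)
    [ "$target" = "ACCEPT" ] && printf '%s: target ACCEPT, bound sources get full access\n' "$zone"
    [ -n "$sources" ]        && printf '%s: sources bound: %s\n' "$zone" "$sources"
    [ -n "$ports" ]          && printf '%s: open ports: %s\n' "$zone" "$ports"
    [ -n "$services" ]       && printf '%s: enabled services: %s\n' "$zone" "$services"
    return 0
}

# Open a port the careful way: runtime first, verify with --query-port, then
# write the permanent copy and verify that too.  Needs root and a running
# firewalld; returns 0 without doing anything when firewall-cmd is absent.
fw_open_port() {
    zone=$1; port=$2
    fw_valid_port "$port" || { echo "bad port spec: $port" >&2; return 1; }
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found, skipping" >&2; return 0; }
    firewall-cmd --zone="$zone" --add-port="$port" >/dev/null             || return 1  # runtime only
    firewall-cmd --zone="$zone" --query-port="$port" >/dev/null           || return 1  # took effect?
    firewall-cmd --permanent --zone="$zone" --add-port="$port" >/dev/null || return 1  # survives reload
    firewall-cmd --permanent --zone="$zone" --query-port="$port" >/dev/null
}

# Constructed sample output (not captured from a real host) in the RHEL 7
# --list-all layout: the public zone with the port and source range from the
# list above, and a trusted zone with one bound address.
SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 192.168.1.0/24
  services: dhcpv6-client ssh
  ports: 11117/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

SAMPLE_TRUSTED='trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.100
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Offline demonstration on the samples.  On a real host audit every active zone:
#   for z in $(firewall-cmd --get-active-zones | grep -v '^ '); do
#       fw_audit "$(firewall-cmd --zone="$z" --list-all)"; done
fw_audit "$SAMPLE_PUBLIC"
fw_audit "$SAMPLE_TRUSTED"
```

fw_open_port must be run as root on a host with firewalld running; everything else works anywhere. After fw_open_port the port is present in both runtime and permanent configuration, so a later firewall-cmd --reload keeps it, whereas a port added only with --add-port disappears at that reload. The audit output for the trusted sample makes the item 9 caveat visible: 192.168.1.100 bound to a target ACCEPT zone gets everything, while 192.168.1.0/24 bound to public only gets dhcpv6-client, ssh and 11117/tcp.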
If you want to see everything you can do with firewall-cmd, don't forget to check its man page; lots of advanced options and usages are listed there.