Join Scott Simpson for an in-depth discussion in this video Setting up the firewall using firewalld, part of Learning CentOS Linux.
CentOS 7 comes with firewall software called firewalld, which lets you allow and disallow access through specific ports with specific protocols. Let's take a quick look at how it works. The firewall manages security in the context of zones. You can see these by typing sudo firewall-cmd --get-zones. Unless you have a very complicated network setup, you probably won't use most of these. Common zones to modify are drop, block and public.
In this course, I'll set up a few rules in the public zone to allow access to various services. To find out what the current zone is, I'll type sudo firewall-cmd --get-active-zones. The public zone is active on my system. To see what's currently allowed in that zone, I'll type sudo firewall-cmd --zone=public --list-all.
I can see that the IPv6 DHCP client is allowed and SSH is allowed. That's how I have been able to connect via SSH so far. Any other service I try to use will be blocked. There are two ways to add rules to the firewall: either explicitly, by port, or by service name. I need to allow access through port 80 for the web server I'll set up shortly. To do this explicitly, I'll type sudo firewall-cmd --zone=public --add-port=80/tcp.
And at the end I'll put --permanent. The permanent flag allows this rule to persist across reboots; without it, the rule is active only until the system restarts. Since I set the permanent flag, I'll need to restart the firewall to make the change take effect. I'll type sudo service firewalld restart. Now I'll check the rules with sudo firewall-cmd --zone=public --list-all, and I can see that port 80/tcp is in fact open.
To remove that rule, if I decide I don't want to have port 80 open any more, I can type sudo firewall-cmd --zone=public --remove-port=80/tcp. I need to add the --permanent flag here as well, so it removes the rule from the permanent settings too. I'll restart the firewall daemon again and check to see that the port is closed. And sure enough, it is. I mentioned earlier that I can add rules by specifying a service, too. That's similar to the individual port method.
All right: sudo firewall-cmd --zone=public --add-service=http, and then the permanent flag. I'll restart the firewall and check it out. Now, instead of only port 80/tcp being open, I see that HTTP has been added to the services the firewall allows in this zone. That will allow the access the HTTP server needs to serve web pages. If I wanted to remove the service rule, I'd just use the --remove-service flag instead of --add-service.
That's the basics of adding and removing individual ports and services using firewalld. There's a lot more that can be done with the firewall, but this is all we need for now.
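The procedure above (open or close a port or service in a zone, make it permanent, reload, then confirm with --list-all) as a small POSIX shell script. This is an added example, not code from the course or from the firewalld project. It assumes firewall-cmd is on the PATH (override with FIREWALL_CMD), uses firewall-cmd --reload instead of restarting the service, supports a DRY_RUN mode that prints the commands instead of running them, and the --list-all text it parses is a constructed sample in the format firewall-cmd prints. The wrapper validates the port/protocol argument before calling the tool, and the zone_extra check reports anything open in the zone beyond an expected allow list, which is the confirmation step a script should do rather than eyeballing the output.

```shell
#!/bin/sh
# Added example (not from the course): firewall-cmd wrappers plus a parser
# for `firewall-cmd --zone=ZONE --list-all` output.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # assumed path; override if needed
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands instead of running

# Run one firewall-cmd invocation (or print it in dry-run mode).
fw_run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$FIREWALL_CMD $*"
    else
        sudo "$FIREWALL_CMD" "$@"
    fi
}

# Accept only NUMBER/tcp or NUMBER/udp with NUMBER in 1..65535, so a typo
# never reaches the firewall as a malformed rule.
valid_port_spec() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    port="${1%/*}"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# fw_port add|remove ZONE PORT/PROTO: change the permanent configuration and
# reload so it becomes the running configuration (the course restarts the
# daemon instead; --reload does the same without dropping connections).
fw_port() {
    action="$1" zone="$2" spec="$3"
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
    fw_run --zone="$zone" --"$action"-port="$spec" --permanent
    fw_run --reload
}

# fw_service add|remove ZONE SERVICE: same thing by service name.
fw_service() {
    action="$1" zone="$2" svc="$3"
    fw_run --zone="$zone" --"$action"-service="$svc" --permanent
    fw_run --reload
}

# Print the value of one field (e.g. "ports" or "services") from --list-all text.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Exit 0 if PORT/PROTO (or SERVICE) appears in the zone listing.
zone_has_port() {
    for p in $(zone_field "$1" ports); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}
zone_has_service() {
    for s in $(zone_field "$1" services); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# zone_extra LISTING "svc1 svc2 port/proto ...": print every open service or
# port that is not on the allow list; exit 1 if anything unexpected is open.
zone_extra() {
    listing="$1" expected="$2" rc=0
    for item in $(zone_field "$listing" services) $(zone_field "$listing" ports); do
        case " $expected " in
            *" $item "*) ;;
            *) echo "$item"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of `firewall-cmd --zone=public --list-all` after the
# course's changes (http service and 80/tcp both added).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'
```

To use it live, source the file and run, for example, fw_service add public http, then feed the real listing to the check: zone_extra "$(sudo firewall-cmd --zone=public --list-all)" "dhcpv6-client ssh http". With DRY_RUN=1 the wrappers only print the firewall-cmd lines, which is handy for reviewing a change before applying it.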
- What is CentOS?
- Installing CentOS
- Configuring networking with DHCP or a static IP
- Connecting remotely
- Working with SELinux
- Setting up a firewall
- Setting up a web server
- Connecting to shared folders
- Launching the graphical user interface (GUI)
Skill level: Beginner
Q: After creating an installer with unetbootin, my system cannot start up from it.
A: Unetbootin is no longer a recommended tool for creating a CentOS installer. Instead, try Rufus (https://rufus.akeo.ie/).