Firewalld on CentOS 8
CentOS 8 ships with firewalld. You can see all predefined zones by running the following ls command:
# ls -l /usr/lib/firewalld/zones/
total 36
-rw-r--r--. 1 root root 299 Nov 8 11:48 block.xml
-rw-r--r--. 1 root root 293 Nov 8 11:48 dmz.xml
-rw-r--r--. 1 root root 291 Nov 8 11:48 drop.xml
-rw-r--r--. 1 root root 304 Nov 8 11:48 external.xml
-rw-r--r--. 1 root root 397 Nov 8 11:48 home.xml
-rw-r--r--. 1 root root 412 Nov 8 11:48 internal.xml
-rw-r--r--. 1 root root 343 Nov 8 11:48 public.xml
-rw-r--r--. 1 root root 162 Nov 8 11:48 trusted.xml
-rw-r--r--. 1 root root 339 Nov 8 11:48 work.xml
Predefined Zones Explained
block – All incoming network connections rejected. Only network connections initiated from within the system are possible.
dmz – Classic demilitarized zone (DMZ) that provides limited access to your LAN and only allows selected incoming ports.
drop – All incoming network connections dropped, and only outgoing network connections allowed.
external – Useful for router-type connections; masquerading (NAT) only works correctly when the system has both a LAN and a WAN interface.
home – Useful for home computers such as laptops and desktops within your LAN where you trust other computers. Allows only selected TCP/IP ports.
internal – For use on internal networks when you mostly trust the other servers or computers on the LAN.
public – You do not trust any other computers and servers on the network. You only allow the required ports and services. For cloud servers or servers hosted on your own premises, always use the public zone.
trusted – All network connections are accepted. I do not recommend this zone for dedicated servers or VMs connected to WAN.
work – For use at your workplace where you trust your coworkers and other servers.
Run the following command to see all zones on CentOS 8:
# firewall-cmd --get-zones
To get your default zone run:
# firewall-cmd --get-default-zone
To see your network interface names run either the ip command or the nmcli command:
# ip link show
# nmcli device status
When a new interface connection (such as eth0 or ens3) is added to NetworkManager, it is attached to the default zone. Verify this by running the following command:
# firewall-cmd --get-active-zones
public
  interfaces: eth0
How to start and enable firewalld
# systemctl start firewalld
# systemctl enable firewalld
Stop and disable firewalld
# systemctl stop firewalld
# systemctl disable firewalld
Check the firewalld status
# firewall-cmd --state
Command to reload the firewalld configuration when you make changes to rules
# firewall-cmd --reload
Get the status of the firewalld service
# systemctl status firewalld
How to see firewall rules or services associated with the public zone
Run:
# firewall-cmd --list-all
OR
# firewall-cmd --list-all --zone=public
How to see which services are allowed in the current zone
# firewall-cmd --list-services
OR
# firewall-cmd --list-services --zone=public
Adding
Temporary add (runtime only; the rule is lost on the next reload or restart):
# firewall-cmd --zone=public --add-service=http
Permanent add (written to /etc/firewalld; it takes effect only after --reload):
# firewall-cmd --zone=public --add-service=https --permanent
# firewall-cmd --reload
# firewall-cmd --list-services
# sudo firewall-cmd --list-services --permanent
How to add a service to your zone
# firewall-cmd --zone=public --add-service=dns --permanent
Add ports 5060 and 5061 for Asterisk by creating a custom service. Create the following firewalld service definition:
# nano /etc/firewalld/services/asterisk.xml
Add the following content:
<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>asterisk</short>
  <description>Asterisk is a software implementation of a telephone private branch exchange (PBX).</description>
  <port protocol="udp" port="10000-10100"/>
  <port protocol="udp" port="4569"/>
  <port protocol="udp" port="2727"/>
  <port protocol="udp" port="5060-5061"/>
</service>
Save the file and – WAIT 5 seconds – apply the new firewall rules by typing:
# firewall-cmd --add-service=asterisk --permanent
# firewall-cmd --reload
If you get an error – just wait and then retry. I received this error the first time:
# firewall-cmd --add-service=asterisk --permanent
Error: INVALID_SERVICE: 'asterisk' not among existing services
Finally, check that the new firewall rules are applied successfully with:
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: asterisk cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
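The custom-service step above, as an added example that is not part of the original page: a POSIX shell script that generates a firewalld service file in the same layout as the asterisk.xml shown, from a list of PORT/PROTOCOL specs (the same form firewall-cmd --add-port uses). It rejects unknown protocols, out-of-range ports and malformed ranges before writing anything, and escapes XML-special characters in the description so a stray & or < cannot produce a file firewalld refuses to parse. The function names (make_firewalld_service, valid_port_spec, xml_escape) and the temporary demo directory are assumptions of this example; on a real host you would pass /etc/firewalld/services as the directory and then run firewall-cmd --reload so firewalld picks up the new definition before --add-service=asterisk, instead of waiting and retrying.

```shell
#!/bin/sh
# Added example (not from the original page): build a firewalld service XML
# file from PORT/PROTOCOL specs, validating input first.
# Assumptions: POSIX sh; DIR is writable (e.g. /etc/firewalld/services).

# xml_escape STRING -> STRING with &, < and > escaped for an XML text node
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# valid_port_spec PORT/PROTO -> 0 if PROTO is tcp or udp and PORT is a
# single port or a LOW-HIGH range within 1-65535, 1 otherwise
valid_port_spec() {
    case "$1" in */*) ;; *) return 1 ;; esac
    port=${1%%/*}
    proto=${1#*/}
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    # reject empty, leading/trailing dash, more than one dash, non-digits
    case "$port" in
        ''|-*|*-|*-*-*|*[!0-9-]*) return 1 ;;
    esac
    low=${port%%-*}
    high=${port#*-}
    if [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]; then
        return 0
    fi
    return 1
}

# make_firewalld_service DIR NAME DESCRIPTION PORT_SPEC...
# Writes DIR/NAME.xml (same layout as the page's asterisk.xml) and prints
# its path. Fails without writing if the name or any spec is malformed.
make_firewalld_service() {
    [ $# -ge 4 ] || { echo "usage: make_firewalld_service DIR NAME DESC SPEC..." >&2; return 1; }
    dir=$1; name=$2; desc=$3; shift 3
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
    esac
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service version="1.0">\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$name")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%%/*}"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}

# Demo on a constructed temporary directory, not the live firewalld tree.
demo_dir=$(mktemp -d)
make_firewalld_service "$demo_dir" asterisk \
    "Asterisk is a software implementation of a telephone private branch exchange (PBX)." \
    10000-10100/udp 4569/udp 2727/udp 5060-5061/udp >/dev/null
cat "$demo_dir/asterisk.xml"
```

On a real host, run the function with /etc/firewalld/services as DIR, then `firewall-cmd --reload` followed by `firewall-cmd --add-service=asterisk --permanent` and a second `--reload`, and confirm with `firewall-cmd --info-service=asterisk` that the ports you expect are the only ones listed.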
Delete the dns service
# firewall-cmd --zone=public --remove-service=dns --permanent
How to allow/open a TCP/UDP port/protocol
Open TCP port 80:
# firewall-cmd --zone=public --add-port=80/tcp --permanent
To view the ports added to a zone, run the following (replace internal with the zone you added the port to, such as public):
# firewall-cmd --zone=internal --list-ports
Deny/block a TCP/UDP port/protocol (remove it from the zone so the zone's default policy applies to it again)
# firewall-cmd --zone=public --remove-port=23/tcp --permanent