CentOS 8

Firewalld on CentOS 8

The Geek Decoder

CentOS 8 uses firewalld.You can see all zones by running the following ls command:

# ls -l /usr/lib/firewalld/zones/
total 36
-rw-r--r--. 1 root root 299 Nov  8 11:48 block.xml
-rw-r--r--. 1 root root 293 Nov  8 11:48 dmz.xml
-rw-r--r--. 1 root root 291 Nov  8 11:48 drop.xml
-rw-r--r--. 1 root root 304 Nov  8 11:48 external.xml
-rw-r--r--. 1 root root 397 Nov  8 11:48 home.xml
-rw-r--r--. 1 root root 412 Nov  8 11:48 internal.xml
-rw-r--r--. 1 root root 343 Nov  8 11:48 public.xml
-rw-r--r--. 1 root root 162 Nov  8 11:48 trusted.xml
-rw-r--r--. 1 root root 339 Nov  8 11:48 work.xml

Predefined Zones Explained

block – All incoming network connections rejected. Only network connections initiated from within the system are possible.
dmz – Classic demilitarized zone (DMZ) zone that provided limited access to your LAN and only allows selected incoming ports.
drop – All incoming network connections dropped, and only outgoing network connections allowed.
external – Useful for router type of connections. You need LAN and WAN interfaces too for masquerading (NAT) to work correctly.
home – Useful for home computers such as laptops and desktops within your LAN where you trust other computers. Allows only selected TCP/IP ports.
internal – For use on internal networks when you mostly trust the other servers or computers on the LAN.
public – You do not trust any other computers and servers on the network. You only allow the required ports and services. For cloud servers or server hosted at your place always use public zone.
trusted – All network connections are accepted. I do not recommend this zone for dedicated servers or VMs connected to WAN.
work – For use at your workplace where you trust your coworkers and other servers.

Run the following command to see all zones on CentOS 8:

# firewall-cmd --get-zones

To get your default zone run:

# firewall-cmd --get-default-zone

To see your network interface names run either ip command or nmcli command:

# ip link show
# nmcli device status

When new interface connection added (such as eth0 or ens3) to NetworkManager, they are attached to the default zone. Verify it by running the following command:

# firewall-cmd --get-active-zones
public
  interfaces: eth0

How to Start and enable firewalld

# systemctl start firewalld
# systemctl enable firewalld

Stop and disable firewalld

# systemctl stop firewalld
# systemctl disable firewalld

Check the firewalld status

# firewall-cmd --state

Command to reload a firewalld configuration when you make change to rules

# firewall-cmd --reload

Get the status of the firewalld service

# systemctl status firewalld

How to see firewall rules or services associated with the public zone
Run:

# firewall-cmd --list-all

OR

# firewall-cmd --list-all --zone=public

How to see which services are allowed in the current zone

# firewall-cmd --list-services

OR

# firewall-cmd --list-services --zone=public

Adding

Temporary Adds:

# firewall-cmd --zone=public --add-service=http

Permanent Adds

# firewall-cmd --zone=public --add-service=https --permanent
# firewall-cmd --reload
# firewall-cmd --list-services
# sudo firewall-cmd --list-services --permanent

How to add a service to your zone

# firewall-cmd --zone=public --add-service=dns --permanent

Add ports 5060 5061 for Asterisk by creating a service. Create the following Firewalld service:

# nano /etc/firewalld/services/asterisk.xml

Add the code

<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>asterisk</short>
  <description>Asterisk is a software implementation of a telephone private branch exchange (PBX).</description>
  <port protocol="udp" port="10000-10100"/>
  <port protocol="udp" port="4569"/>
  <port protocol="udp" port="2727"/>
  <port protocol="udp" port="5060-5061"/>
</service>

Save the file and – WAIT 5 seconds – apply the new firewall rules by typing:

# firewall-cmd --add-service=asterisk --permanent
# firewall-cmd --reload

If you get an error – just wait and then retry. I received this error the first time:

# firewall-cmd --add-service=asterisk --permanent
Error: INVALID_SERVICE: 'asterisk' not among existing services

Finally check if the new firewall rules are applied successfully with:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: asterisk cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Delete dns service

# firewall-cmd --zone=public --remove-service=dns --permanent

How to allow/open TCP/UDP port/protocol

Open TCP port 80:

# firewall-cmd --zone=public --add-port=80/tcp --permanent

To view added ports, run:

# firewall-cmd --zone=internal --list-ports

Deny/block TCP/UDP port/protocol

# firewall-cmd --zone=public --remove-port=23/tcp --permanent