In RHEL 7, a new firewall solution called Firewalld was introduced. Iptables serive no longer offer in RHEL 8
Firewalld is a dynamic firewall manager which used the iptables command to configure netfilter directly, as an improved alternative to the iptables service.
Firewalld Default Zone
- drop: All incoming packets are dropped and there is no reply
- block: Reject incoming traffic
- public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis. This is the default zone for all the newly created network interface.
- external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
- internal: The other side of the external zone, used for the internal network. Computer on same network are trusted, and only selected incoming connections are accepted.
- dmz: Used in DMZ zone. Only selected incoming connections are allowed.
- work: Used for work machines. Most compute on the same network are trusted, and only selected incoming connections are accepted.
- home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
- trusted: All network connection are accepted
Firewalld has number of pre-defined services which will help you identify particular network services to configure instead of online search for the relevant ports for the services.
To view the list of pre-defined service, you can list the default predefined services available from the pre-defined services configuration file (/usr/lib/firewalld/services) or use the firewall-cmd command to list it out.
Managing the Firewall from the command line – firewall-cmd
i. To show current default zone, type firewall-cmd –get-default-zone
ii. To show available zone, type firewall-cmd –get-zones
iii. To show firewall rules of the default zone
iv. To show firewall rules of select zone, example external zone
v. Add port to the permanent configuration to default zone, example add TCP 8140
Reload the firewall configuration to take effect
vi. Add pre-define service to the permanent configuration to default zone
vii) Add port to the permanent configuration to specific zone (external zone), example add TCP 8080
viii. Permanently remove port from zone
ix. Associate interface with specific zone instead of current zone
x. Change default zone