How to manage Firewall on RHEL 7/8

In RHEL 7, a new firewall solution called Firewalld was introduced. The iptables service is no longer offered in RHEL 8.

Firewalld is a dynamic firewall manager which uses the iptables command to configure netfilter directly, as an improved alternative to the iptables service.

Firewalld Default Zones

  • drop: All incoming packets are dropped and there is no reply.
  • block: Incoming connections are rejected.
  • public: Represents public, untrusted networks. You don’t trust the other computers but may allow selected incoming connections on a case-by-case basis. This is the default zone for all newly created network interfaces.
  • external: External networks, in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
  • internal: The other side of the external zone, used for the internal network. Computers on the same network are trusted, and only selected incoming connections are accepted.
  • dmz: Used for computers in your DMZ. Only selected incoming connections are allowed.
  • work: Used for work machines. Most computers on the same network are trusted, and only selected incoming connections are accepted.
  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
  • trusted: All network connections are accepted.

Pre-defined Services

Firewalld has a number of pre-defined services which help you identify a particular network service to configure, instead of searching online for the ports that service uses.

To view the list of pre-defined services, you can read the service definitions in the pre-defined services configuration directory (/usr/lib/firewalld/services) or use the firewall-cmd command to list them.
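Before adding a pre-defined service to a zone it is worth checking exactly which ports its definition opens. The script below is an added example (not part of the original post or of firewalld itself) that reads the ports straight out of the service XML files in /usr/lib/firewalld/services. It assumes the layout the shipped files use, one `<port protocol="..." port="..."/>` element per line; the function names, the SERVICES_DIR variable and the command-line handling are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: read the ports a pre-defined
# firewalld service opens, straight from its XML definition. Assumes the
# shipped layout of one <port protocol="..." port="..."/> element per line.
SERVICES_DIR="${SERVICES_DIR:-/usr/lib/firewalld/services}"

# Print each port of a service definition file as PORT/PROTO, one per line.
# Both attribute orders are handled; the port may be a range such as 1024-1030.
fw_service_ports() {
    sed -n \
        -e 's/.*<port[^>]*protocol="\([a-z]*\)"[^>]*port="\([0-9-]*\)".*/\2\/\1/p' \
        -e 's/.*<port[^>]*port="\([0-9-]*\)"[^>]*protocol="\([a-z]*\)".*/\1\/\2/p' \
        "$1"
}

# Exit 0 if service NAME (in DIR) opens exactly PORT/PROTO, 1 if it does not,
# 2 if there is no such service definition at all.
fw_service_opens() {
    _f="$1/$2.xml"
    [ -r "$_f" ] || return 2
    fw_service_ports "$_f" | grep -qxF "$3"
}

# One line per service in DIR: "name: port/proto port/proto ...".
fw_service_summary() {
    for _f in "$1"/*.xml; do
        [ -r "$_f" ] || continue
        printf '%s:' "$(basename "$_f" .xml)"
        fw_service_ports "$_f" | while read -r _p; do printf ' %s' "$_p"; done
        printf '\n'
    done
}

# Usage:  ./fw-services.sh                (ports of every shipped service)
#         ./fw-services.sh http 80/tcp    (does service "http" open 80/tcp?)
if [ $# -eq 2 ]; then
    fw_service_opens "$SERVICES_DIR" "$1" "$2"
elif [ $# -eq 0 ]; then
    fw_service_summary "$SERVICES_DIR"
fi
```

Run with no arguments to get a one-line audit of every shipped service, or with a service name and a port/protocol pair to confirm a definition opens only what you expect before you add it to a zone with `firewall-cmd --add-service`.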

Managing the Firewall from the command line – firewall-cmd

i. To show the current default zone, type firewall-cmd --get-default-zone

ii. To show the available zones, type firewall-cmd --get-zones

iii. To show the firewall rules of the default zone

iv. To show the firewall rules of a selected zone, for example the external zone

v. Add a port to the permanent configuration of the default zone, for example TCP 8140

Reload the firewall configuration for the change to take effect

To verify

vi. Add a pre-defined service to the permanent configuration of the default zone

vii. Add a port to the permanent configuration of a specific zone (the external zone), for example TCP 8080

viii. Permanently remove a port from a zone

ix. Associate an interface with a specific zone instead of its current zone

x. Change the default zone
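The whole procedure above, steps i to x, wrapped into a small script. This is an added example, not code from the original post or from the firewalld project: it only uses firewall-cmd options that exist (--get-default-zone, --get-zones, --list-all, --permanent, --zone, --add-port, --remove-port, --add-service, --query-port, --query-service, --change-interface, --set-default-zone, --reload), and adds the two things a practitioner wants around them: the port specification is validated before it reaches the firewall, and every permanent change is followed by a reload and a --query-* check so the function's exit status tells you whether the rule is really active. The function names and the FIREWALL_CMD variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: wrappers around the firewall-cmd
# steps i to x. FIREWALL_CMD (an assumption of this script) names the binary
# so the functions can also be exercised against a stub.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Accept only PORT/PROTO with PORT in 1..65535 and PROTO tcp or udp, so a
# typo such as "8140/tpc" is rejected before the firewall is touched.
fw_valid_port() {
    _p="${1%/*}"; _proto="${1#*/}"
    case "$_proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$_p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_p" -ge 1 ] && [ "$_p" -le 65535 ]
}

# Run firewall-cmd, adding --zone=ZONE when ZONE (first argument) is non-empty.
# An empty ZONE means the default zone, exactly as with plain firewall-cmd.
fw_run() {
    if [ -n "$1" ]; then
        _z="$1"; shift
        "$FIREWALL_CMD" --zone="$_z" "$@"
    else
        shift
        "$FIREWALL_CMD" "$@"
    fi
}

# Steps i and ii: the current default zone and all available zones.
fw_show_zones() {
    "$FIREWALL_CMD" --get-default-zone
    "$FIREWALL_CMD" --get-zones
}

# Steps iii and iv: rules of the default zone, or of ZONE if given.
fw_list_zone() { fw_run "$1" --list-all; }

# Steps v and vii: permanently open PORT/PROTO in ZONE, reload, then verify.
# --query-port exits 0 only if the port is open in the running configuration.
fw_open_port() {
    fw_valid_port "$2" || { echo "invalid port spec: $2" >&2; return 2; }
    fw_run "$1" --permanent --add-port="$2" || return 1
    "$FIREWALL_CMD" --reload || return 1
    fw_run "$1" --query-port="$2"
}

# Step viii: permanently remove PORT/PROTO from ZONE and confirm it is gone.
fw_close_port() {
    fw_valid_port "$2" || { echo "invalid port spec: $2" >&2; return 2; }
    fw_run "$1" --permanent --remove-port="$2" || return 1
    "$FIREWALL_CMD" --reload || return 1
    ! fw_run "$1" --query-port="$2"
}

# Step vi: permanently add a pre-defined service (e.g. http) to ZONE and verify.
fw_add_service() {
    fw_run "$1" --permanent --add-service="$2" || return 1
    "$FIREWALL_CMD" --reload || return 1
    fw_run "$1" --query-service="$2"
}

# Step ix: move interface IFACE into ZONE in the permanent configuration.
fw_bind_interface() {
    "$FIREWALL_CMD" --permanent --zone="$1" --change-interface="$2" || return 1
    "$FIREWALL_CMD" --reload
}

# Step x: change the default zone (applies to runtime and permanent config).
fw_set_default_zone() { "$FIREWALL_CMD" --set-default-zone="$1"; }

# Command-line entry point, e.g.:  ./fw.sh open external 8080/tcp
case "${1:-}" in
    zones)   fw_show_zones ;;
    list)    fw_list_zone "${2:-}" ;;
    open)    fw_open_port "${2:-}" "${3:-}" ;;
    close)   fw_close_port "${2:-}" "${3:-}" ;;
    service) fw_add_service "${2:-}" "${3:-}" ;;
    bind)    fw_bind_interface "${2:-}" "${3:-}" ;;
    default) fw_set_default_zone "${2:-}" ;;
esac
```

Pass an empty zone (`./fw.sh open "" 8140/tcp`) to act on the default zone, as in step v, or name the zone (`./fw.sh open external 8080/tcp`) as in step vii. Because each function ends with a --query-* call, a non-zero exit status after the reload means the permanent change did not make it into the running firewall, which is the case a plain `--add-port` followed by `--reload` would silently miss.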
