RHCE Study Guide

This tutorial explains how to configure the firewall in Linux step by step with examples, including the firewall-cmd command and its options for managing zones, services and ports.

This tutorial is the second part of our article "How to configure Firewalld in RHEL Linux step by step". You can read the first part of this article here

Firewall basic concepts Explained with examples

That part explains the basic concepts of the firewalld service, such as Zones, Services, Ports and Rich Language, the conflict between the iptables service and the firewalld service, how to disable the iptables service and how to enable the firewalld service.

For this tutorial I assume that :-

  • You are familiar with the basic concepts of the firewalld service such as Zones, Services, Ports and Rich Language
  • The iptables service is disabled and masked
  • The firewalld service is enabled and running. You can verify the running status of the firewalld service with the following commands
#firewall-cmd --state
#systemctl status firewalld

firewalld service status

Managing Firewalld Service with firewall-cmd command

We have three options to manage the firewalld service :-

  • Direct editing in configuration files
  • Using graphical tool firewall-config
  • Using command line tool firewall-cmd

Unless we have expert-level knowledge, the first option is not recommended. Administrators rarely use this option for management purposes.

The second option is available only if a graphical environment (X-Window) is installed. This option is easy to use and, if available, you should always use it. On the downside it depends on a graphical environment, which is very rare on Linux servers in a production environment. For security reasons administrators rarely enable the graphical environment.

The third option is available on all platforms unless RHEL is installed with the minimal installation. We can perform virtually all management tasks with this option. In this tutorial we will also use this option.

Running configuration Vs Startup configuration

The firewalld service uses two types of configuration: the running configuration and the startup configuration. The startup configuration is stored in configuration files. The running configuration is stored in memory. When the firewalld service starts, it reads the startup configuration from the configuration files and loads it into memory, where it is known as the running configuration. Unless you make a change to the running configuration, it is the same as the startup configuration.

Any change made to the running configuration will be lost the next time the service is reloaded. Any change made to the startup configuration will not appear in the current (running) configuration; it will take effect the next time the service is reloaded. By default, firewall-cmd changes the running configuration.

Let's understand it with a simple example. The firewalld service starts and reads a startup configuration which blocks the SSH service for the network 192.168.1.0/24. The firewalld service loads this configuration into memory as the running configuration. At this point no host from the network 192.168.1.0/24 is allowed to access the SSH service. Now suppose we want to allow a single host, 192.168.1.10, from this network. Depending on the requirement, we can allow it temporarily or permanently.

To allow it temporarily we update only the running configuration with the allow rule. Since we did not change the startup configuration, this temporary access is automatically removed at the next reload.

To allow it permanently we update only the startup configuration with the allow rule. Since we did not change the running configuration, the host will not be able to access the SSH service until the next reload.

To allow it both temporarily and permanently we have to update both configurations. The running configuration allows the access until the service is reloaded. The startup configuration allows the access after the service is reloaded, and so on.

To reload the configuration and to restart the service, the following commands are used respectively

#firewall-cmd --reload
#systemctl restart firewalld

firewalld service restart

The first command reloads the startup (permanent) rules into the running configuration without interrupting established connections; any change that was made only in the running configuration is discarded by this reload. The second command restarts the service.
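A practical check for the drift described above (rules that exist only in the running configuration and will vanish at the next reload, or only in the startup configuration and are not yet active) is to compare the output of firewall-cmd --list-all with firewall-cmd --list-all --permanent. The script below is an added example, not part of the original tutorial: it parses constructed sample output for the rhcelab zone, and the helper names zone_field, items_only_in and config_drift are my own.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all --zone=rhcelab` (running configuration).
RUNTIME_CONF='rhcelab (active)
  target: default
  interfaces: eno16777736
  sources: 192.168.1.0/24
  services: ssh testservice
  ports: 8080/tcp
  rich rules: '

# Constructed sample of `firewall-cmd --list-all --zone=rhcelab --permanent` (startup configuration).
PERMANENT_CONF='rhcelab
  target: default
  interfaces: eno16777736
  sources: 192.168.1.0/24
  services: ssh http
  ports: 
  rich rules: '

# zone_field CONF FIELD: print the values of the "FIELD:" line (e.g. services, ports) as one line.
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { $1 = ""; sub(/^ +/, ""); print }'
}

# items_only_in A B: print the words of A that do not occur in B, space separated.
items_only_in() {
    for w in $1; do
        case " $2 " in *" $w "*) ;; *) printf '%s ' "$w" ;; esac
    done | sed 's/ $//'
}

# config_drift FIELD: report entries present in only one of the two configurations.
# "runtime-only" entries disappear at the next reload; "permanent-only" entries are not active yet.
config_drift() {
    run=$(zone_field "$RUNTIME_CONF" "$1")
    perm=$(zone_field "$PERMANENT_CONF" "$1")
    echo "runtime-only: $(items_only_in "$run" "$perm")"
    echo "permanent-only: $(items_only_in "$perm" "$run")"
}

config_drift services
config_drift ports
```

On a live host, fill the two variables from the real commands (RUNTIME_CONF=$(firewall-cmd --list-all --zone=rhcelab) and the same with --permanent) before calling config_drift.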

Zone management with firewall-cmd command

The zone is the first key element of the firewalld service. The firewall-cmd command provides several options to manage zones. The following table lists some important options.

Option                                          Description
--get-zones                                     Display all available zones
--get-default-zone                              Display the zone which is currently set as the default zone
--get-active-zones                              Display all active zones
--list-all                                      Display all configuration of the default zone
--list-all-zones                                Display the configuration of all zones
--set-default-zone=<ZONE>                       Set the specified zone as the default zone
--new-zone=<ZONE>                               Add a new zone [zone name must be specified]
--delete-zone=<ZONE>                            Delete a zone [zone name must be specified]
--zone=<ZONE>                                   Work with a zone other than the default zone [zone name must be specified]
--add-source=<CIDR> [--zone=<ZONE>]             The specified zone will filter all incoming traffic from the specified network [CIDR]
--remove-source=<CIDR> [--zone=<ZONE>]          The specified zone will stop filtering incoming traffic from the specified network [CIDR]
--add-interface=<INTERFACE> [--zone=<ZONE>]     The specified zone will filter all incoming traffic from the specified interface [NIC]
--change-interface=<INTERFACE> [--zone=<ZONE>]  The specified zone will filter all incoming traffic from the specified (updated) interface [NIC]
--permanent                                     Save the change in the startup configuration. By default a change is saved in the running configuration.

To learn more about zones, such as what zones are and how they work in the firewalld service, please see the first part of this tutorial, which explains these topics in detail.

Let's take some practical examples of how zones are managed with the firewall-cmd command. Log in from the root account and access the shell prompt.

To view the currently available zones we can use the --get-zones option. To find out which zone is set as the default we can use the --get-default-zone option.

firewall-cmd --get-zones
firewall-cmd --get-default-zone

As the output indicates, the current default zone is set to public, which is also the system default zone.

To view the current configuration of all zones we can use the --list-all-zones option. To view the configuration of only the default zone we can use the --list-all option.

firewall-cmd --list-all-zones
firewall-cmd --list-all

To create a new zone we can use the --new-zone option. For example, the following command will create a new zone (named rhcelab).

firewall-cmd --new-zone rhcelab --permanent

Since we used the --permanent option, the new zone will be available only after a reload. To test it, try to access the rhcelab zone without reloading the firewall; you will get an INVALID_ZONE error.

Reload the firewall with the following command

firewall-cmd --reload

Now set the new zone (rhcelab) as the default zone with the following command

firewall-cmd --set-default-zone rhcelab

To verify the change we can list the default zone again with the following command

firewall-cmd --get-default-zone

The following figure illustrates the above process step by step

set default zone in firewall

Let's add an interface to this zone. In order to do this we need the name of the interface. We can view the names of all detected interfaces with the ip addr show command.

As the following output indicates, the name of the interface is eno16777736. If the system has multiple interfaces, they will be listed one after another.

ip addr show command

If the system has only one interface (as the above output indicates), firewalld will associate it with the default zone automatically. We can verify this with the --list-all option. Since the (single) interface is already associated with the default zone, we will get a warning message if we try to do the same again. Firewalld associates the default interface with the default zone at startup. If we have multiple interfaces, only the default interface will be associated with the default zone. To associate an interface with a zone the following command is used.

firewall-cmd --add-interface [InterfaceName] --zone [ZoneName] --permanent

As we know, the default interface is selected and associated with the default zone only at startup, and only in the running configuration. If we have a single interface, that same interface will be selected as the default interface. But if we have multiple interfaces, another interface may get selected as the default interface. So it is always a better idea to bind the interface to the zone explicitly instead of relying on the default selection process.

To bind an interface to a zone we have to use the --permanent option. With the --permanent option, the interface is associated with the specified zone permanently. The following command will associate the interface eno16777736 with the rhcelab zone.

firewall-cmd --add-interface eno16777736 --zone rhcelab --permanent

The following figure illustrates the above process step by step

add interface in zone

Just like an interface, we can also associate a network address with a zone. The following command will add the network 192.168.1.0/24 to the zone rhcelab in the running configuration.

firewall-cmd --add-source 192.168.1.0/24 --zone rhcelab

add source in firewall

To add it permanently use the --permanent option (remember that a change made with --permanent requires a configuration reload).

add source permanently in firewall

At this point we have successfully created a new zone (named rhcelab) and set it as the default zone. We have also added our default interface and our lab network to this zone. We will use this zone to practice the remaining topics of this tutorial.

Service management with firewall-cmd command

Services are the second key element of firewalld. The firewall-cmd command supports several options to manage services. The following table lists some important options.

Option Description
--get-services Display all available services
--list-services Display all services from default zone
--list-services --zone [ZoneName] Display all services from specified zone [ZoneName]
--new-service [NewServiceName] --permanent Create a new service with specified name.
--delete-service [ServiceName] --permanent Delete the specified [existing] service
--add-service [ServiceName] Add service in default zone. To add service in particular zone specify its name as argument with --zone option. To add service permanently use --permanent option.
--query-service [ServiceName] Figure out whether the specified service is added in zone or not. If zone is not specified with --zone option, default zone will be used for query.
--remove-service [ServiceName] Remove service from default zone. To remove service from particular zone, provide its name as argument with --zone option. To remove service permanently use --permanent option.

Let's understand the above options in detail with some examples.

To list all pre-defined services we can use the --get-services option. To list all services from a particular zone we can use the --list-services option. If we don't specify the name of a zone with the --list-services option, it will list all services from the default zone. The following figure explains both options.

firewall-cmd list services

Sometimes the pre-defined services are not sufficient. For example, we may have custom applications which run their own services. To control access to these applications we have to add their associated services to firewalld. To add a new service we can use the --new-service option. For example, the following command will add a new service named testservice.

firewall-cmd --new-service testservice --permanent

firewall-cmd --add service

Once the service is added we can associate it with any existing zone, temporarily or permanently. To add the service only to the running configuration (temporarily) we can use the following command

firewall-cmd --add-service [ServiceName] --zone [ZoneName]

Here ServiceName is the name of the service which we want to add and ZoneName is the name of the zone to which we want to add the specified service.

To add the service permanently we will use the following command

firewall-cmd --add-service [ServiceName] --zone [ZoneName] --permanent

We may skip the zone name if we are adding the service to the default zone. For example, the following command will add testservice to the default zone

firewall-cmd --add-service testservice

Since the above command adds the service only to the running configuration, it will not be preserved after a reload. To add the service permanently we have to use the --permanent option

firewall-cmd --add-service testservice --permanent

As we know, any update made with --permanent needs a configuration reload.

firewall-cmd --reload

After the reload the service will be added to the default zone.

To add a service to another zone we need to specify the zone name with the --zone option. For example, the following command will add testservice to the public zone.

firewall-cmd --add-service testservice --zone public

The following figure illustrates the above process step by step

firewall cmd add service in zone

To remove a service from a zone we can use the --remove-service option. Just like the add operation, we can remove a service temporarily or permanently. For example, the following command will remove testservice from the default zone temporarily

firewall-cmd --remove-service testservice

To remove the service permanently we have to add the --permanent option to the above command

firewall-cmd --remove-service testservice --permanent

The following command is used to delete a service from firewalld entirely

firewall-cmd --delete-service [ServiceName] --permanent

For example, to delete testservice we will use the following command

firewall-cmd --delete-service testservice --permanent

The following figure illustrates the above process step by step

firewall-cmd remove service

Port management with firewall-cmd command

As we saw in the previous section, firewalld allows us to create and manage custom services. Custom services need custom ports. Like services, we can also add ports to or remove ports from the firewall. The firewall-cmd command includes several options to manage ports. The following table lists some important options.

Option                                  Description
--list-ports                            Display all ports from the default zone. To view ports from another zone, specify its name as the argument of the --zone option.
--add-port [PortNumber/ProtocolType]    Add the specified port to the default zone. To add the port to another zone, provide its name as the argument of the --zone option. To add the port permanently use the --permanent option.
--query-port [PortNumber/ProtocolType]  Find out whether the specified port is added or not. To query a particular zone, use its name as the argument of the --zone option.
--remove-port [PortNumber/ProtocolType] Remove the specified port from the default zone. To remove the port from another zone, provide its name as the argument of the --zone option. To remove the port permanently use the --permanent option.

Let's understand the above options in detail with some examples:

To list all ports opened in the default zone we will use the following command

firewall-cmd --list-ports

We can also list the ports of a particular zone with the --zone option. For example, to list all ports opened in the dmz zone we will use the following command

firewall-cmd --list-ports --zone dmz

To add a port to the default zone the following command is used

firewall-cmd --add-port [PortNumber]/[Protocol]

Here PortNumber is the number of the port which we want to add and Protocol is the protocol [tcp or udp] of the port.

To add the port to a zone other than the default zone, specify the zone name with the --zone option as the following command shows

firewall-cmd --add-port [PortNumber]/[Protocol] --zone [ZoneName]

Here ZoneName is the name of the zone to which we want to add the port.

To find out whether the port was successfully added to the zone or not we can use the --query-port option. For example, the following command will query the default zone for TCP port 23

firewall-cmd --query-port 23/tcp

To remove a port from a zone use the following command

firewall-cmd --remove-port [PortNumber]/[Protocol] --zone [ZoneName]

Just like the other operations, the remove operation also works on the default zone unless we specify a zone name with the --zone option.

The following figure illustrates the above operations step by step

add remove port in firewall

To add or remove a port in another zone we need to specify the zone name with the --zone option. If required, we can also make the change permanent with the --permanent option. The following figure illustrates the above operations with another zone and the --permanent option

port management in firewalld
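To tie the zone, service and port procedures of this tutorial together, here is an added example script (not from the original tutorial) that builds the rhcelab zone end to end, applies each change to both the running and the startup configuration, and verifies the result with the --query-* options. FW_CMD, fw_both, fw_verify and setup_lab_zone are assumed helper names of my own; the interface and network are the tutorial's, and port 8080/tcp is a constructed value.

```shell
#!/bin/sh
# Assumed helper: FW_CMD names the firewall tool, so FW_CMD=echo dry-runs the script on a host without firewalld.
FW_CMD=${FW_CMD:-firewall-cmd}

# fw_both ZONE ARGS...: apply the same change to the running configuration and,
# with --permanent, to the startup configuration, so it works now and survives a reload.
fw_both() {
    zone=$1
    shift
    "$FW_CMD" --zone="$zone" "$@" && "$FW_CMD" --permanent --zone="$zone" "$@"
}

# fw_verify ZONE KIND NAME: KIND is "service" or "port"; returns 0 only when NAME is present
# in both configurations of ZONE, otherwise reports which configuration is missing it.
fw_verify() {
    zone=$1 kind=$2 name=$3 rc=0
    "$FW_CMD" --zone="$zone" "--query-$kind=$name" >/dev/null 2>&1 \
        || { echo "$name missing from running configuration of $zone"; rc=1; }
    "$FW_CMD" --permanent --zone="$zone" "--query-$kind=$name" >/dev/null 2>&1 \
        || { echo "$name missing from startup configuration of $zone"; rc=1; }
    return $rc
}

# setup_lab_zone: the tutorial's rhcelab zone built end to end.
setup_lab_zone() {
    "$FW_CMD" --permanent --new-zone=rhcelab   # a new zone can only be created in the startup configuration
    "$FW_CMD" --reload                          # so reload before the zone can be used or set as default
    "$FW_CMD" --set-default-zone=rhcelab
    fw_both rhcelab --add-interface=eno16777736
    fw_both rhcelab --add-source=192.168.1.0/24
    fw_both rhcelab --add-service=ssh
    fw_both rhcelab --add-port=8080/tcp         # constructed example port
    fw_verify rhcelab service ssh && fw_verify rhcelab port 8080/tcp
}
```

Run setup_lab_zone as root on the lab host, or with FW_CMD=echo to preview the exact firewall-cmd invocations first.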

In this tutorial we have worked with Zones, Services and Ports. These convenient options are limited in nature. Administrators need more control over the firewall configuration. Firewalld supports rich rules, which allow an administrator to define custom rules. In the next part of this tutorial we will understand rich rules in detail with examples.