Configuration and Rule Creation with FirewallD on CentOS

What is FirewallD

FirewallD is a firewall management daemon that sits in front of the kernel packet filter (iptables on CentOS 7, nftables on CentOS 8 and later). It is driven through the firewall-cmd command-line tool or the firewall-config graphical front end, and it differs from administering iptables directly in how the rules are organised:

  • traffic is handled by zone: every network interface (or source address range) is bound to a zone, and the zone's rules decide which incoming connections are accepted;
  • each zone carries its own allow list of services and ports, so a trusted internal network and a public network can be governed by separate rules on the same host;
  • changes are applied dynamically, either at runtime or permanently, without flushing the whole rule set and dropping established connections.

Built-in zones

Firewalld ships with a set of predefined zones, listed here from least to most trusting:

  • drop: incoming packets are dropped without any reply; only outgoing connections are possible.
  • block: incoming connections are rejected with an ICMP "host prohibited" message; only connections initiated from the host itself are allowed.
  • public: for untrusted public networks; accepts only selected incoming connections, by default the ssh and dhcpv6-client services.
  • external: for the outward-facing interface of a router, with masquerading (NAT) enabled; accepts only selected incoming connections, ssh by default.
  • dmz: for hosts in a demilitarised zone that are reachable from outside but have limited access to the internal network; accepts only ssh by default.
  • work: for work networks where most other hosts are trusted; accepts ssh and dhcpv6-client by default.
  • home and internal: for home or internal networks; accept ssh, mdns, samba-client and dhcpv6-client by default.
  • trusted: all network connections are accepted.

Firewalld keeps two copies of its configuration. The runtime configuration is what the daemon enforces right now: a change made without --permanent takes effect immediately but is lost when firewalld is restarted or reloaded.

The permanent configuration is stored on disk under /etc/firewalld and is loaded when the daemon starts. A change made with --permanent goes only there and does not touch the running rules until firewall-cmd --reload is run. The safe pattern is therefore to make a change at runtime, verify it, and then save it with firewall-cmd --runtime-to-permanent.

Installation

If firewalld is not already present on the server, install it:

sudo yum install firewalld

To start it automatically at boot, enable the unit:

sudo systemctl enable firewalld

No reboot is needed: start the daemon with systemctl start firewalld and confirm that it is running with firewall-cmd --state.

Firewall configuration

Check which zone is the default:

firewall-cmd --get-default-zone

Screenshot #1. Current default zone.

Here the default zone is public. That does not mean everything is allowed: public accepts only the ssh and dhcpv6-client services and rejects any other unsolicited incoming connection. For a full report of the default zone (interfaces, services, ports, rich rules), use the --list-all key; add --zone=NAME to report on a different zone. The result is shown below.

Important! firewall-cmd must be run as root, e.g. with sudo.

Screenshot #2. Detailed report.

Change of policy and interface

To move an interface into another zone, combine the --zone key with the --change-interface option. For example, bind eth0 to the work zone instead of public:

sudo firewall-cmd --zone=work --change-interface=eth0

On success the command prints success. Confirm the result with:

sudo firewall-cmd --get-active-zones

Screenshot #3. Zone change.

As the output shows, eth0 now uses the work zone while the other interfaces still follow public. Two caveats apply. First, without --permanent this binding lives only in the runtime configuration; on a server where NetworkManager manages the interface, recent firewalld versions hand the change to NetworkManager, which records it in the connection profile, and you can verify or set it there with nmcli connection modify NAME connection.zone work. Second, be careful when re-zoning the interface your own SSH session arrives through: if the target zone does not allow ssh (drop or block, for instance), you will lock yourself out. The work zone allows ssh by default, so the example above is safe.

If you want to change the zone that interfaces inherit when they have no explicit binding, use a different key:

sudo firewall-cmd --set-default-zone=home

After this, every interface without an explicit zone binding follows the home zone; eth0, which was bound to work above, keeps that assignment. Display the current default with the --get-default-zone key shown earlier.
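The lock-out caveat above is easy to enforce in a script. The following is an added example, not code from the original article or from the firewalld project: it refuses to bind an interface to a zone that does not allow ssh, applies the change at runtime, and only then saves it with --runtime-to-permanent. The wrapper function fw, the FIREWALL_CMD override (so the logic can be exercised against a stub instead of the live daemon) and the function names are assumptions of this example; the firewall-cmd keys used are the real ones.

```bash
#!/usr/bin/env bash
# Added example (not code from the original article or the firewalld project):
# re-zone an interface without cutting off your own SSH session, then persist
# the result. Assumptions: firewall-cmd is on PATH and the script runs as root.
# FIREWALL_CMD is a hypothetical override so the logic can be exercised
# against a stub instead of the live daemon.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

fw() { "$FIREWALL_CMD" "$@"; }

# --query-service exits 0 if the zone allows the service, 1 otherwise.
zone_allows_ssh() {
    fw --zone="$1" --query-service=ssh >/dev/null 2>&1
}

# move_interface_to_zone IFACE ZONE
# Refuses to bind IFACE to a zone that drops ssh (drop, block, ...), because
# that is exactly the change that locks an administrator out. On success the
# runtime change is made, saved to the permanent configuration, and the
# active zones are printed for verification.
move_interface_to_zone() {
    iface="$1"; zone="$2"
    if ! zone_allows_ssh "$zone"; then
        echo "refusing: zone '$zone' does not allow ssh" >&2
        return 1
    fi
    # Prints the current zone; exits non-zero for an unbound interface.
    current="$(fw --get-zone-of-interface="$iface" 2>/dev/null)" || current="none"
    echo "$iface: $current -> $zone"
    fw --zone="$zone" --change-interface="$iface" >/dev/null || return 1
    # Save what is active right now, instead of repeating the command with
    # --permanent and hoping both copies stay in step.
    fw --runtime-to-permanent >/dev/null || return 1
    fw --get-active-zones
}
```

Run it as root with, for example, move_interface_to_zone eth0 work; a request such as move_interface_to_zone eth0 drop is rejected before anything is changed.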

Opening a port (service)

Firewalld can also open the ports belonging to a named service with the --add-service= key. First list the services firewalld knows about with the --get-services option.

Screenshot #4. Services list.

To see what a service definition contains, read its XML file from firewalld's built-in definitions. For example, the audit service:

cat /usr/lib/firewalld/services/audit.xml

Screenshot #5. Description of the audit service.

To allow a service from the list in a zone, enter:

sudo firewall-cmd --zone=work --add-service=audit

This change is active only until firewalld is restarted or reloaded. To record it in the permanent configuration, add the --permanent key:

sudo firewall-cmd --permanent --zone=work --add-service=audit

Note that --permanent writes to disk without touching the running rules, so it must be followed by sudo firewall-cmd --reload; alternatively, issue the runtime command first, verify it, and save it with sudo firewall-cmd --runtime-to-permanent.

If the audit service is no longer needed, remove it with the --remove-service= option; with --permanent this affects the saved configuration, without it the running one:

sudo firewall-cmd --zone=work --remove-service=audit --permanent

Alternatively, open a port directly by number and protocol with the --add-port key:

sudo firewall-cmd --zone=work --add-port=443/tcp

Important! Check the current state with --list-services and --list-ports; both accept --zone= and --permanent, so you can compare the running configuration with the saved one.

A port is closed again by replacing --add-port with --remove-port and keeping the rest of the syntax.
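Because runtime and permanent configuration are separate copies (see the description of the two modes earlier in the article as well as the --permanent examples just above), a common failure is a port that was opened with --permanent but never reloaded, or opened at runtime and never saved. The following is an added example, not code from the original article or the firewalld project: it compares the services and ports of one zone in both views and reports the difference. The fw wrapper, the FIREWALL_CMD override (for substituting a stub) and the function names are assumptions of this example; --list-all, --permanent and --state are real firewall-cmd keys.

```bash
#!/usr/bin/env bash
# Added example (not code from the original article or the firewalld project):
# detect drift between a zone's runtime and permanent configuration, i.e.
# ports or services added with --permanent but never reloaded, or added at
# runtime and never saved. Assumptions: firewall-cmd on PATH, run as root;
# FIREWALL_CMD is a hypothetical override used to substitute a stub in tests.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

fw() { "$FIREWALL_CMD" "$@"; }

# zone_entries [--permanent] --zone=NAME
# Extracts the "services:" and "ports:" lines from --list-all output and
# normalises them to one sorted entry per line so the two views can be diffed.
zone_entries() {
    fw "$@" --list-all \
        | sed -n -e 's/^ *services: *//p' -e 's/^ *ports: *//p' \
        | tr ' ' '\n' | sed '/^$/d' | sort
}

# check_zone_drift ZONE
# Exit 0 if both views agree; otherwise list the differences ("<" = runtime
# only, ">" = permanent only) and exit 1. Exit 2 if the daemon is not running,
# so an unreachable daemon is never mistaken for "no drift".
check_zone_drift() {
    zone="$1"
    fw --state >/dev/null 2>&1 || { echo "firewalld is not running" >&2; return 2; }
    rt_file="$(mktemp)"; pm_file="$(mktemp)"
    zone_entries --zone="$zone" > "$rt_file"
    zone_entries --permanent --zone="$zone" > "$pm_file"
    if cmp -s "$rt_file" "$pm_file"; then
        echo "zone $zone: runtime and permanent configuration match"
        rm -f "$rt_file" "$pm_file"
        return 0
    fi
    echo "zone $zone: runtime (<) and permanent (>) differ:"
    diff "$rt_file" "$pm_file" | grep '^[<>]'
    rm -f "$rt_file" "$pm_file"
    return 1
}
```

Run check_zone_drift work after a round of changes: an entry marked "<" exists only in the running rules and needs --runtime-to-permanent, one marked ">" exists only on disk and needs --reload.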

How to add a new service

As mentioned above, the definitions of the built-in services live in /usr/lib/firewalld/services/, one XML file per service, named after the service. That directory belongs to the firewalld package and is overwritten on updates, so custom definitions go into /etc/firewalld/services/, which takes precedence over the package copy of a file with the same name.

The quickest way to create a new service is to copy an existing definition into that folder and edit it. As an example, take the SSH service definition and copy it under the name test:

sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/test.xml

Important! The copy requires administrator rights.

Open it with the nano text editor:

sudo nano /etc/firewalld/services/test.xml

The full description of the SSH service appears on the screen:

Screenshot #6. Editing the description.

The file has three parts. The <short> element is the display name and the <description> element is free text; change both to describe the new service. The name you will later use on the command line (--add-service=test) is the file name without .xml, not the <short> value. The remaining <port protocol="tcp" port="22"/> element names a port and protocol; replace it with the ports the new service uses, one <port> element per entry (a range is written as port="5000-5010").

After editing the file, save it and run sudo firewall-cmd --reload so that firewalld reads the new definition; --get-services should then list test, and the service can be allowed in a zone with --add-service=test exactly as shown above.
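Hand-editing a copied ssh.xml works, but a script that generates the file can also validate the input: a service name containing "/" or ".." would write outside the services directory, and a malformed port spec or an unescaped "&" in the description produces a file firewalld rejects on reload. The following is an added example, not code from the original article or the firewalld project; the function names and the SERVICES_DIR override (so the file can be generated into a scratch directory for inspection) are assumptions of this example, while the XML layout is the one shown in the copied ssh.xml.

```bash
#!/usr/bin/env bash
# Added example (not code from the original article or the firewalld project):
# generate a custom firewalld service definition with input validation.
# The service name used by --add-service is the file name without .xml;
# <short> and <description> are only labels. Assumptions: run as root to
# write the real directory; SERVICES_DIR is a hypothetical override for
# generating the file elsewhere first.
SERVICES_DIR="${SERVICES_DIR:-/etc/firewalld/services}"

# Escape the three characters that would break XML text content.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# valid_port_spec PORT[-PORT]/PROTO, e.g. 8443/tcp or 5000-5010/udp.
valid_port_spec() {
    port="${1%/*}"; proto="${1##*/}"
    [ "$port" != "$1" ] || return 1               # no "/" at all
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in ""|*[!0-9-]*|-*|*-|*-*-*) return 1 ;; esac
    lo="${port%%-*}"; hi="${port##*-}"
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# write_service NAME "Short name" "Description" PORT/PROTO...
# Writes $SERVICES_DIR/NAME.xml and prints its path. The name is restricted
# to [A-Za-z0-9_-] so it cannot escape the services directory.
write_service() {
    name="$1"; short="$2"; desc="$3"; shift 3
    case "$name" in ""|*[!A-Za-z0-9_-]*)
        echo "bad service name: '$name'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec; do
        valid_port_spec "$spec" || { echo "bad port spec: '$spec'" >&2; return 1; }
    done
    out="$SERVICES_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    chmod 0644 "$out"
    echo "$out"
}
```

After write_service test "Test app" "Demo application" 8443/tcp has produced /etc/firewalld/services/test.xml, run sudo firewall-cmd --reload and allow the service with --add-service=test as described above. firewall-cmd can also build the same file without an editor: --permanent --new-service=test creates it, --permanent --service=test --add-port=8443/tcp adds a port, and --permanent --service=test --set-short=... and --set-description=... fill in the labels.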

 
