How To Manage Firewalld

What Is Firewalld?

In our CentOS7 environments, that do not include a cPanel/WHM installation, the default firewall system is firewalld. Administration of this system is a bit different than IPtables, in fact, I would say that it’s rather more user-friendly, as the commands are much more read and understand. In practice, the system has layers that allow for more advanced administrators to created and manage traffic in ways that can be incredibly fine-tuned.

While we will not be going over those advanced methods, we do want to present a quick how to list for managing this system at the basic level.

Enabling Firewalld

Using the systemctl commands we can initiate this service. By default, your system will have this service running as a starting service, unless you specify otherwise.

To enable the firewalld service please use the following command:

 systemctl start firewalld.service

Getting Firewalld State

You can retrieve the status of this command in two ways. One through the systemctl command and the other through the use of the firewalld native commands.

 systemctl status firewalld.service

 firewalld-cmd --State

Both of these commands will output the status of the service where the systemctl, due to its higher-level nature will be able to present more information. Where the firewalld native command is more of a binary (on/off) output.

Reloading Firewalld

Reloading the firewalld state is the key method for initializing new rules to the firewalld service to allow or deny traffic. There are a couple of ways to do this and the commands are native to the firewalld service.

 firewalld-cmd --reload 
 firewalld-cmd --complete-reload 

I recommend caution when using the complete-reload method as this will stop connections to the server instance to reload the service. This is not the same as restarting as the reload will retain state information like temporary rules. If you have implemented a new permanent rule to the firewall configuration reloading will be necessary to make the rule active.

Opening a Port in Firewalld

One of the more common commands that I find very useful is to open a port in your firewall. There will be some common ports already open by default in the public zone.

 firewall-cmd --zone=public --add-port=80/tcp

 firewall-cmd --permanent --zone=public --add-port=80/tcp

You can implement the rule to open ports on a temporary or permanent basis. If you choose to make the rule temporary please remember that the rule will not be active after a firewalld service restart or a server restart. If you do want the port to be opened on a permanent basis remember to reload the firewall state!

Enable Debugging In Firewalld Configuration

If you are finding that something is not working as intended, it may be necessary to enable debugging in the firewalld configuration. This will also require a level to which you are wanting to debug the service. Numerically the higher level argument the more the verbose the output.

To enable debugging, edit the /etc/sysconfig/firewalld file by adding the following to the line for FIREWALLD_ARGS

Debug Level Output
1 Loading config files, d-bus method calls
2 + backend calls, D-Bus Introspect method calls, access checks
3 + Rules that are added by the backends
4 + Transactions steps
5-9 Unused (no effect)
10 + Introspection of XML data