The new firewall in CentOS / Redhat 7: firewalld instead of iptables


The firewalld is the default firewall service used in CentOS 7 and RHEL 7.  This service replaces traditional IPTABLES used in earlier versions of the Linux operating systems.

Firewalld organizes rules in various zone. There are some created by default, and also we can create new ones if required.

To find out what the current zone is:

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –get-active-zone
    interfaces: eno16780032

Find exiting zones:

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –get-zones
    block dmz drop external home internal public trusted work

To find what is running on that zone:

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –zone=public –list-all
    public (default, active)
    interfaces: eno16780032
    services: dhcpv6-client ssh
    masquerade: no
    rich rules:

Create firewall to allow web traffic to port 80:

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –zone=public –add-port=80/tcp –permanent
    [root@CH22-LAP-COS-7 ~]# service firewalld restart

How do we keep the firewall rule permanent, which will stay after reboot

  • Add the “–permanent” flag at the end

How to remove the firewall rule to allow port 80

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –zone=public –remove-port=80/tcp –permanent
  • Restart the firewalld service

You may add firewalld rules using standard “service” names too.

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –zone=public –add-service=https –permanent
  • service firewalld restart

Customized rules can be added using the following command to block all http traffic from the network

  • firewall-cmd –zone=”public” –add-rich-rule=’rule family=”ipv4″ source address=”″ port protocol=”tcp” port=”80″ accept’

We van view the rich-rules by using the below command:

  • firewall-cmd –list-rich-rules

Be the first to comment on "The new firewall in CentOS / Redhat 7: firewalld instead of iptables"

Leave a comment