The new firewall in CentOS / Redhat 7: firewalld instead of iptables


The firewalld is the default firewall service used in CentOS 7 and RHEL 7.  This service replaces traditional IPTABLES used in earlier versions of the Linux operating systems.

To find out what the current zone is:

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –get-active-zone
    interfaces: eno16780032

Find exiting zones:

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –get-zones
    block dmz drop external home internal public trusted work

To find what is running on that zone:

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –zone=public –list-all
    public (default, active)
    interfaces: eno16780032
    services: dhcpv6-client ssh
    masquerade: no
    rich rules:

Create firewall to allow web traffic to port 80:

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –zone=public –add-port=80/tcp –permanent
    [root@CH22-LAP-COS-7 ~]# service firewalld restart

How do we keep the firewall rule permanent, which will stay after reboot

  • Add the “–permanent” flag at the end

How to remove the firewall rule to allow port 80

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –zone=public –remove-port=80/tcp –permanent
  • Restart the firewalld service

You may add firewalld rules using standard “service” names too.

  • [root@CH22-LAP-COS-7 ~]# firewall-cmd –zone=public –add-service=https –permanent
  • service firewalld restart

Customized rules can be added using the following command to block all http traffic from the network

  • firewall-cmd –zone=”public” –add-rich-rule=’rule family=”ipv4″ source address=”″ port protocol=”tcp” port=”80″ accept’

We van view the rich-rules by using the below command:

  • firewall-cmd –list-rich-rules

Be the first to comment on "The new firewall in CentOS / Redhat 7: firewalld instead of iptables"

Leave a comment