If you manage a CentOS 7 GUI-less server, you probably know that managing the firewall can be a bit of a hassle. Wouldn’t it be nice if there was a handy, ncurses-based tool to make this process a bit easier? Oh wait, there is. That tool is system-config-firewall-tui. With this tool, you can easily set a service/interface/port as trusted, to allow incoming traffic to that port. Only those trusted elements will be allowed in.

Out of the box, system-config-firewall-tui isn’t installed. I’m going to walk you through the process of installing the tool, enabling it to run, and then using it to open a port or two. I’ll be demonstrating on CentOS7, but this tool is also available for Fedora as well. This tool directly manages iptables rules, so having a simple to use frontend for that is pretty important for some users. Don’t get me wrong, system-config-firewall-tui doesn’t give you the massive power of iptables (for that you really need to dive into the deep waters of iptables), but it does make the basic task of opening ports (via iptables) quick and easy.

Let’s install and use system-config-firewall-tui.


The installation of the tool is pretty straightforward. Open up a terminal window and issue the command:

sudo yum install system-config-firewall-tui

That will install the tool. However, when you go to run the command sudo system-config-firewall-tui, you’ll be warned that firewalld is running, thus preventing the tool from opening. To get around this, issue the commands:

sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service


At this point you can issue the command:

sudo system-config-firewall-tui

The ncurses interface will open (Figure A). You should immediately notice that the firewall isn’t enabled. Tab to the [ ] Enabled section and tap the keyboard spacebar to enable the firewall.

Figure A

With the firewall enabled, you can now tab down to Customize. In the new window (Figure B), you can scroll through the list of services to allow through the firewall.

Figure B

After you’ve enabled your services, tab down to Forward. This is not port forwarding, rather the “Next” button. In the next screen (Figure C), you can add, edit, or remove additional ports.

Figure C

If you tab to Add and hit Enter on your keyboard, you can then add a single port or port range, as well as a protocol. Do note, the protocol (tcp/udp) is required. Once you’ve taken care of that, tab to OK.

After you’ve added a custom port/protocol, tab down to Forward. In the resulting window (Figure D), you can list an interface as trusted.

Figure D

Enable as many interfaces as you need to be trusted and tab down to Forward. In the next screen, you can enable ports for port forwarding. Tab to Add and hit Enter on your keyboard. In the resulting screen (Figure E), enter the necessary source and destination information.

Figure E

In the next screen, you can mark ICMP types that should be rejected (Figure F). Enable each, from the list, and then tab to Forward, and tap your keyboard Enter key.

Figure F

In the next window (Figure H), you can add custom rules if necessary.

Figure H

Tab to Forward and hit Enter. Once you’ve finished with the custom rules, tab to OK and hit Enter. In the resulting screen, tab to Close and hit Enter. You will find yourself on the first screen where you can enable the firewall. Tab to OK and you will be warned that the new rules will override the current set. Tab to Yes and tap Enter on your keyboard. You’ve just created a new rule to the iptable chain, all with the help of a user-friendly ncurses GUI. If you issue the command sudo iptables -L you should see your new rules listed.

An easier route

Although system-config-firewall-tui isn’t quite as flexible as working directly with iptables, if you’re not ready to take the plunge into those deeper waters, this GUI is a much easier route to working with the firewall system on CentOS 7. Give system-config-firewall-tui a go and see if it doesn’t turn into your go-to for the platform.