Your firewall is a crucial component in preventing unwanted people from gaining access to your data. On a CentOS server, firewalld can easily serve as your complete firewall solution. This tool is highly capable, with features that extend your server's security in ways that were significantly more challenging with iptables.
One particular concept found in firewalld is that of zones. Zones are predefined sets of rules that specify what traffic should be allowed, based on trust levels for network connections. For example, you can have zones for home, public, trusted, etc. Zones work on a one-to-many relation, so a connection can only be part of a single zone, but a zone can be used for many network connections. Different network interfaces and sources can be assigned to specific zones.
There are a number of zones provided by firewalld:
- drop: All incoming connections are dropped without notification, whereas all outgoing connections are allowed.
- block: All incoming connections are rejected with an icmp-host-prohibited message, whereas all outgoing connections are allowed.
- public: This zone is intended to be used in untrusted public areas. Other computers on this network are not to be trusted.
- external: This zone is intended to be used on external networks with NAT masquerading enabled.
- internal: This zone is intended to be used on internal networks when your system acts as a gateway or router. Other systems on this network are generally trusted.
- dmz: This zone is intended to be used for computers located in your demilitarized zone that will have limited access to the rest of your network.
- work: This zone is intended to be used for work machines. Other systems on this network are generally trusted.
- home: This zone is intended to be used for home machines. Other systems on this network are generally trusted.
- trusted: All network connections are accepted and other systems are trusted.
You can easily assign an interface to one of the above zones, but there is one thing to take care of first.
Installing firewalld
You might be surprised to find out that firewalld isn’t installed by default. To fix that issue, open a terminal window and issue the following command:
sudo yum install firewalld
Once that installation completes, you’ll need to start and enable firewalld with the commands:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Viewing and changing the zones
The first thing you should do is view the default zone. Issue the command:
sudo firewall-cmd --get-default-zone
You will probably see that the default zone is set to public. If you want more information about that zone, issue the command:
sudo firewall-cmd --zone=public --list-all
You should see all the pertinent details about the public zone (Figure A).
Figure A
Let’s change the default zone. Say, for instance, you want to change the zone to work. Let’s first find out what zones are being used by our network interface(s). For that, issue the command:
sudo firewall-cmd --get-active-zones
You should see something like that found in Figure B.
Figure B
Let’s get a listing of our available zones with the command:
sudo firewall-cmd --get-zones
You should see all zones listed. Let’s say you want to change the eth0 interface to the work zone. To do that, issue the command:
sudo firewall-cmd --zone=work --change-interface=eth0
You should see "success" reported. You can now check that the change was applied by again issuing the command:
sudo firewall-cmd --get-active-zones
The eth0 interface is now attached to the work zone (Figure C).
Figure C
Now that eth0 is attached to work, it will generally trust all other systems attached to the same zone. You can then change eth1 to another zone with the same concept.
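As an added example (not part of the original article), here is a POSIX shell audit helper that parses the output format of firewall-cmd --get-active-zones shown above, reports which zone an interface is bound to, and fails when an interface sits in a zone you consider too permissive for that host. The sample output it runs against is constructed for the example, not captured from a real server; an interface that is not listed under any zone is reported as "default" because it falls into the default zone.

```shell
#!/bin/sh
# Parse the output of `firewall-cmd --get-active-zones` into "zone iface" pairs.
# Expected input format: a zone name on its own line, followed by indented
# "interfaces:" and/or "sources:" lines, for example:
#   public
#     interfaces: eth0 eth1
active_zone_pairs() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ { zone = $1; next }
        /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) print zone, $i }'
}

# Print the zone an interface is bound to, or "default" when it is unlisted
# (an interface with no explicit binding is handled by the default zone).
zone_of_interface() {
    pairs=$(active_zone_pairs "$1")
    zone=$(printf '%s\n' "$pairs" | awk -v want="$2" '$2 == want { print $1; exit }')
    if [ -n "$zone" ]; then printf '%s\n' "$zone"; else printf 'default\n'; fi
}

# Return 1 (and list offenders on stderr) if any interface is bound to one of
# the space-separated zones in $2, e.g. "trusted" on an Internet-facing host.
check_no_interface_in_zones() {
    bad=$(active_zone_pairs "$1" | awk -v deny="$2" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) denied[d[i]] = 1 }
        ($1 in denied) { print $2 " is in zone " $1 }')
    if [ -n "$bad" ]; then printf '%s\n' "$bad" >&2; return 1; fi
    return 0
}

# Constructed sample output (hypothetical host, not a real capture).
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0
trusted
  interfaces: eth2
work
  sources: 10.0.0.0/8
'

# Typical use on a live host would be:
#   check_no_interface_in_zones "$(sudo firewall-cmd --get-active-zones)" "trusted drop"
```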
Easy zone management
And that's how easy it is to manage zones with firewalld. Once you have a solid understanding of how each zone works, you'll know exactly which zone to apply to the various interfaces on your CentOS 7 servers. Anyone looking to add more flexibility to their CentOS 7 server security should consider this a must-have feature.