How to Configure FirewallD in CentOS

Published October 28, 2023

Discover the art of effortlessly configuring FirewallD in CentOS.

Protecting your digital assets is just as important as securing your physical properties. One way to do this is by setting up FirewallD in CentOS.

This tool is the default firewall management system in many Linux distributions, including RHEL, Fedora, and SUSE. With FirewallD, you can manage your firewall and add rules directly for services and applications. It supports both IPv4 and IPv6 settings, as well as network zones, IP sets, and ethernet bridges. Taking these protective measures helps keep your systems, financial information, and other valuable assets safe in the connected world.

Configuring FirewallD


What is FirewallD and Why Configure it?

Linux users will remember that managing ports used to mean working directly with the iptables firewall.

However, with the introduction of firewalld in Red Hat Enterprise Linux, things have become much simpler. Firewalld not only manages the system's iptables rules on your behalf but also provides a D-Bus interface through which other programs can interact with it.


With the arrival of CentOS 7, Firewalld has taken over as the default firewall administration program, replacing iptables.

This transition makes it easy for services, programs, and users to modify firewall settings. Thanks to the firewalld D-Bus interface, the configuration tools firewall-cmd, firewall-config, and firewall-applet all talk to the same daemon through the same interface.


One of the standout features of firewalld is the ability to test and evaluate changes in real time. This is made possible by the separation of runtime and permanent settings.

Any modification made to the runtime configuration remains in effect only until the next service reload, restart, or system reboot. Once any of these events occurs, the permanent configuration takes precedence again.

This makes the runtime configuration the place for settings that should apply only briefly, or for trying out a change before committing to it. Once a runtime configuration has been evaluated and is complete and working, it can be saved to the permanent configuration (firewall-cmd --runtime-to-permanent does this in one step). Setting up firewalld in CentOS this way helps you keep your system secure.

Firewalld Zones

Firewalld offers different levels of protection for different kinds of network connection. The firewalld daemon controls its rule sets using objects referred to as "zones". A zone is essentially a set of rules specifying which traffic should be permitted, chosen according to how much you trust the network your computer is connected to. Each network interface, such as eth0, is assigned to a zone, and that zone determines what the firewall permits on that interface.


Run the command below to view the preconfigured zones:

$ firewall-cmd --get-zones

Output

block dmz drop external home internal libvirt public trusted work

As you can see, block, dmz, drop, external, home, internal, libvirt, public, trusted, and work are the zones available by default.


To use the firewall, we create rules, modify zone properties, and then assign each network interface to the most suitable zone.

Configuring FirewallD Services

Firewalld services are predefined rule sets, added to a zone, that specify the ports and protocols required to permit incoming traffic for a given service.

Firewalld Permanent/Runtime Rules

The configuration of Firewalld can be divided into two sets: runtime and permanent. The runtime configuration is the one currently in use and is not saved across reboots. It is created when the Firewalld service starts by loading the permanent configuration.


When you make changes with the firewall-cmd tool, the runtime configuration is updated immediately. However, these changes are not permanent. To make them permanent, add the --permanent option.

So, remember that the runtime configuration is the one in use, while the permanent configuration is the one that persists across reboots. If you want a change to be permanent, use the --permanent option with firewall-cmd. Note that a command run with --permanent changes only the saved configuration: it takes effect at runtime after the next firewall-cmd --reload, so to apply a rule now and keep it, either run the command both with and without --permanent, or reload afterwards.

Prerequisites to Configure Firewall with FirewallD on CentOS

To follow the steps in this guide, your machine needs to meet the following requirements:

  • A non-root user with sudo privileges.
  • A CentOS machine.
  • Access to a command line (Ctrl+Alt+T).

How to Check CentOS Firewalld Status

Firewalld is enabled by default on CentOS 7; on CentOS 7 or a later version, run the command below to check the firewall status:

sudo systemctl status firewalld

If the firewall is active, the Active line of the output reads "active (running)", highlighted in green.

How to Disable FirewallD on CentOS

Now that you have learned how to check the status of the CentOS firewall, let’s find out how to temporarily or permanently stop the default firewalld manager on CentOS.

Disable CentOS Firewalld Temporarily

To stop firewalld temporarily on CentOS, run the command below:

sudo systemctl stop firewalld

The firewall must be disabled now. You can check it by running the following command:

sudo systemctl status firewalld

The "Active: running" you saw in the previous output should now read "Active: inactive (dead)".

The systemctl stop firewalld command turns the service off only until the next reboot. The firewalld service starts again when the system boots, once your current runtime session has ended.

Disable CentOS Firewalld Permanently

If you need to disable the firewalld permanently on CentOS, use the following commands to stop the firewall service and then disable it.


Run the following command to stop the firewalld tool:

sudo systemctl stop firewalld

Now, you can check the firewall status just like in the previous step:

sudo systemctl status firewalld

You should see that the service is inactive in your output. Then, use the following command to prevent the service from starting when the system boots up:

sudo systemctl disable firewalld

The firewall service on your CentOS 7 server has now been stopped and disabled. However, other services could still activate firewalld as a dependency. To stop them from doing so, mask the firewalld unit:

sudo systemctl mask --now firewalld

The firewalld service will now have a symbolic link (symlink) to /dev/null. The following should be the output:

Output

Created symlink from /etc/systemd/system/firewalld.service to /dev/null.

Steps to Enable FirewallD in CentOS

1. Install FirewallD in CentOS

Firewalld is installed by default on most Linux distributions, including CentOS. If it is missing on your system, install it with the command below:

sudo yum install firewalld

If the firewalld service is not yet running, you need to start and enable it. First, check the firewall state with the command below:

sudo firewall-cmd --state

If the output is "not running", firewalld was only recently installed or has not been activated yet. If it says "running", firewalld is already enabled.

If it is not running, run the following commands to start the firewalld service and enable it at boot:

sudo systemctl start firewalld

sudo systemctl enable firewalld

Firewalld will now start automatically on boot.

2. Configure Firewalld Zones

In this part of setting up firewalld in CentOS, you will learn more about firewall rules. Now that you have enabled the firewalld service, your default zone is the public zone. Run the command below to see the default zone:

sudo firewall-cmd --get-default-zone

It should print public.


As mentioned earlier, you can list all available zones with sudo firewall-cmd --get-zones. Every network interface belongs to the default zone unless it has been assigned elsewhere. Run the command below to find out which zones are in use by your network interface(s):

sudo firewall-cmd --get-active-zones

Output

public
  interfaces: eth0 eth1

The result above indicates that eth0 and eth1 are both assigned to the public zone. The zone's configuration can be printed using the command below:

sudo firewall-cmd --zone=public --list-all

Output

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

As the output shows, the public zone is active, set as the default, and used by both the eth0 and eth1 interfaces. Additionally, SSH and DHCPv6 client connections are permitted. Use the following command to view the configuration of every available zone:

sudo firewall-cmd --list-all-zones

The command outputs a lengthy list of all available zone parameters.

3. Change the Zone of an Interface

Changing the zone of an interface is simple: use the --zone option together with --change-interface. The following command assigns the eth1 interface to the work zone:

sudo firewall-cmd --zone=work --change-interface=eth1

To verify the changes, type:

sudo firewall-cmd --get-active-zones

Output

work
  interfaces: eth1
public
  interfaces: eth0

4. Modify the Default zone

Use the --set-default-zone option with the name of the zone you want as the default. The zone must already exist (see --get-zones above); firewall-cmd rejects an unknown zone name. For instance, run the following command to set the default zone to "office":

sudo firewall-cmd --set-default-zone=office

To verify the changes, type:

sudo firewall-cmd --get-default-zone

Output

office

5. Open a Port for Zone

Granting access to applications often requires opening specific ports, and many common cases are covered by the services shipped with firewalld. However, there may be situations where these predefined services alone are not sufficient.


To support such applications, you can open the required ports in the appropriate zone(s) by specifying the protocol together with a port or port range. Firewalld also lets you use predefined rule sets, called services, to allow traffic for the ports a service needs.


To get the full list of predefined services, run:

sudo firewall-cmd --get-services

For instance, we can use the --add-port= option to allow our TCP-based application, which listens on port 5000, in the "public" zone for this session. The protocol is either tcp or udp:

sudo firewall-cmd --zone=public --add-port=5000/tcp

Output

success

Confirm that this was successful with the --list-ports option:

sudo firewall-cmd --zone=public --list-ports

Output

5000/tcp

To open a range of ports, separate the first and last port of the range with a dash. For instance, if our application uses UDP ports 4990 through 4999, we can open them on "public" with:

sudo firewall-cmd --zone=public --add-port=4990-4999/udp

After testing, you will probably want to add these to the permanent firewall as well. This can be done by typing:

sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp

sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp

sudo firewall-cmd --zone=public --permanent --list-ports

Output

success
success
5000/tcp 4990-4999/udp

6. Create a New FirewallD Service

The /usr/lib/firewalld/services directory houses the default services. The simplest way to start a new service is to copy an existing service file to the directory for user-created services, /etc/firewalld/services, and make the necessary changes.


For instance, we could copy the SSH service definition and use it as the starting point for our "example" service. The service name that appears in the list of firewall services is the file name minus the .xml suffix:

sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml

Change the service's short name and description in the <short> and <description> tags of the newly created example.xml file. The most important tag to change is the <port> tag, which specifies the protocol and port number to open (in the copied SSH definition it reads <port protocol="tcp" port="22"/>).


After saving the file, reload firewalld so that it picks up the new definition:

sudo firewall-cmd --reload

You can now use the example service in your zones like any other service, for instance with --add-service=example.

7. Using FirewallD for Port Forwarding in CentOS

Before forwarding traffic from one port to another port or address, first enable masquerading for the target zone with the --add-masquerade option. Masquerading rewrites the source address of forwarded packets (NAT), so enable it only on a zone that faces the network you intend to route for. To enable masquerading for the external zone, run:

sudo firewall-cmd --zone=external --add-masquerade

It is also possible to forward traffic from one port to another on the same server. For instance, the following command forwards traffic arriving on port 80 to port 8080 on the same server:

sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080

To forward traffic to another server, run a command like the one below, which forwards traffic from port 80 to port 80 on the server with IP 10.10.10.2:

sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=10.10.10.2


Port forwarding with firewalld can also send traffic to a different port on another server. In the example below, traffic arriving on port 80 is forwarded to port 8080 on the server with IP 10.10.10.2:

sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=10.10.10.2

8. Configure Firewall on your Web Server

Although the established zones are generally sufficient for most users, it is beneficial to customize your own zones that accurately reflect their intended purpose. In this crucial step, you will acquire the knowledge to effortlessly create your own zone and a ruleset using FirewallD for your web server.


Given that your server uses only the eth0 interface, inbound traffic should be allowed exclusively on the SSH, HTTP, and HTTPS ports. The dmz (demilitarized) zone is the ideal starting point because it permits only SSH traffic by default. Run the following commands to make dmz the default zone and assign the eth0 interface to it:

sudo firewall-cmd --set-default-zone=dmz

sudo firewall-cmd --zone=dmz --add-interface=eth0

If eth0 is not managed by NetworkManager, the interface binding above is runtime-only; repeat the --add-interface command with --permanent so that it survives a reload.

Now, open the HTTP and HTTPS ports by adding permanent service rules to the dmz zone:

sudo firewall-cmd --permanent --zone=dmz --add-service=http

sudo firewall-cmd --permanent --zone=dmz --add-service=https

Then, reload the firewall to make the changes effective:

sudo firewall-cmd --reload

To verify the dmz zone configuration settings, run:

sudo firewall-cmd --zone=dmz --list-all

Output

dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The output above shows that the ssh (22), http (80), and https (443) ports are open and that dmz is the default zone, applied to the eth0 interface.
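As an added example (not part of the original article), the following shell function compares the services and ports a zone actually allows, as printed by --list-all, against an allowlist and reports any drift, so a web-server zone like the one above can be re-checked after every change; the function name audit_zone and the sample listing are constructed for this example.

```shell
# Added example (not from the original article): compare what a zone
# actually allows, as printed by `firewall-cmd --zone=<zone> --list-all`,
# with the services and ports a policy permits, and report anything extra.
# Masquerading is flagged too: it is rarely wanted on an untrusted-facing zone.
# Usage (reads the zone listing on stdin):
#   sudo firewall-cmd --zone=dmz --list-all | audit_zone "ssh http https" ""
# Prints OK and returns 0 on a match; prints a DRIFT line and returns 1 otherwise.
audit_zone() {
    allowed_services=" $1 "
    allowed_ports=" $2 "
    listing=$(cat)
    unexpected=""
    # "services:" and "ports:" are space-separated lists in the listing.
    for s in $(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p'); do
        case "$allowed_services" in
            *" $s "*) ;;
            *) unexpected="$unexpected service:$s" ;;
        esac
    done
    for p in $(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p'); do
        case "$allowed_ports" in
            *" $p "*) ;;
            *) unexpected="$unexpected port:$p" ;;
        esac
    done
    if printf '%s\n' "$listing" | grep -q '^ *masquerade: *yes'; then
        unexpected="$unexpected masquerade"
    fi
    if [ -n "$unexpected" ]; then
        printf 'DRIFT:%s\n' "$unexpected"
        return 1
    fi
    echo OK
}

# Constructed sample listing in the --list-all format shown in this article;
# a real run pipes firewall-cmd output in instead.
SAMPLE_PUBLIC='public (active)
  target: default
  interfaces: eth0 eth1
  services: ssh dhcpv6-client cockpit
  ports: 5000/tcp 4990-4999/udp
  masquerade: yes
  rich rules:'

# Policy: only ssh and the DHCPv6 client, plus the app on 5000/tcp.
printf '%s\n' "$SAMPLE_PUBLIC" | audit_zone "ssh dhcpv6-client" "5000/tcp" \
    || echo "zone needs attention (status $?)"
```

The non-zero exit status makes the function easy to wire into a cron job or monitoring check that alerts when a zone no longer matches its intended policy.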
