As a Linux user, you can opt either to allow or restrict network access to some services or IP addresses using the firewalld firewall which is native to CentOS/RHEL 8 and most RHEL based distributions such as Fedora.
The firewalld firewall uses the firewall-cmd command-line utility to configure firewall rules.
Before we can perform any configurations, let’s first enable the firewalld service using the systemctl utility as shown:
$ sudo systemctl enable firewalld
Once enabled, you can now start firewalld service by executing:
$ sudo systemctl start firewalld
You can verify the status of firewalld by running the command:
$ sudo systemctl status firewalld
Configuring Rules using Firewalld
Now that we have firewalld running, we can go straight to making some configurations. Firewalld allows you to add and block ports, blacklist, as well as whitelist IP, addresses to provide access to the server. Once done with the configurations, always ensure that you reload the firewall for the new rules to take effect.
Adding a TCP/UDP Port
To add a port, say port 443 for HTTPS, use the syntax below. Note that you have to specify whether the port is a TCP or UDP port after the port number:
$ sudo firewall-cmd --add-port=22/tcp --permanent
Similarly, to add a UDP port, specify the UDP option as shown:
$ sudo firewall-cmd --add-port=53/udp --permanent
The --permanent flag ensures that the rules persist even after a reboot.
Blocking a TCP/UDP Port
To block a TCP port, like port 22, run the command.
$ sudo firewall-cmd --remove-port=22/tcp --permanent
Similarly, blocking a UDP port will follow the same syntax:
$ sudo firewall-cmd --remove-port=53/udp --permanent
Allowing a Service
Network services are defined in the /etc/services file. To allow a service such as https, execute the command:
$ sudo firewall-cmd --add-service=https
Blocking a Service
To block a service, for instance, FTP, execute:
$ sudo firewall-cmd --remove-service=https
Whitelisting an IP address
To allow a single IP address across the firewall, execute the command:
$ sudo firewall-cmd --permanent --add-source=192.168.2.50
You can also allow a range of IPs or an entire subnet using a CIDR (Classless Inter-Domain Routing) notation. For example to allow an entire subnet in the 255.255.255.0 subnet, execute.
$ sudo firewall-cmd --permanent --add-source=192.168.2.0/24
Removing a Whitelisted IP address
If you wish to remove a whitelisted IP on the firewall, use the --remove-source flag as shown:
$ sudo firewall-cmd --permanent --remove-source=192.168.2.50
For the entire subnet, run:
$ sudo firewall-cmd --permanent --remove-source=192.168.2.50/24
Blocking an IP address
So far, we have seen how you can add and remove ports and services as well as whitelisting and removing whitelisted IPs. To block an IP address, ‘rich rules’ are used for this purpose.
For example to block the IP 192.168.2.50 run the command:
$ sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.2.50' reject"
To block the entire subnet, run:
$ sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.2.0/24' reject"
Saving Firewall Rules
If you have made any changes to the firewall rules, you need to run the command below for the changes to be applied immediately:
$ sudo firewall-cmd --reload
Viewing the Firewall Rules
To have to peek at all the rules in the firewall, execute the command:
$ sudo firewall-cmd --list-all
This concludes this guide on how to allow or restrict network access using FirewallD on CentOS/RHEL 8. We hope you found this guide helpful.
