Step 1: Setting Default Zone
If you would like to set the default zone to internal, external, drop, work, or any other zone, use the command below. In this example, we are using the ‘internal’ zone as the default.
# firewall-cmd --set-default-zone=internal
After setting the zone, verify the default zone using the below command.
# firewall-cmd --get-default-zone
Screenshot: Set Firewalld Default Zone
Here, the interface is ‘enp0s3’. To check which zone an interface is bound to, use the command below.
# firewall-cmd --get-zone-of-interface=enp0s3
Screenshot: Check Interface Zone
Another interesting feature of firewallD is ‘icmptype’: a named ICMP type that firewallD can match on. To list the ICMP types firewallD supports, use the command below.
# firewall-cmd --get-icmptypes
Step 2: Creating Own Services in Firewalld
Services are sets of rules (ports, protocols, and options) used by FirewallD. Services which are enabled are loaded automatically when the FirewallD service is up and running. Many services are available by default; to list all of them, use the following command.
# firewall-cmd --get-services
Screenshot: List Firewalld Services
The definitions of the default services live in the following directory; list it to see them.
# cd /usr/lib/firewalld/services/
Screenshot: List Default Firewalld Services
To create your own service, define it in the following location. For example, here we want to add a service for RTMP on port 1935; first copy one of the existing service definitions into it.
# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
Then, in the directory where the service file was copied, rename ‘ssh.xml’ to ‘rtmp.xml’ as shown in the picture below.
# cd /etc/firewalld/services/
Screenshot: Create Firewalld Service
Screenshot: Add Firewalld Service
Next, open the file and edit the short name, description, protocol, and port number to match the RTMP service, as shown in the picture below.
Screenshot: Configure FirewallD Service
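As an added example (not the article's own file), this is what the edited rtmp.xml can look like; the description text is an assumption, and the port follows the RTMP service described above:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/services/rtmp.xml (added example, not from the article) -->
<service>
  <short>RTMP</short>
  <description>Real-Time Messaging Protocol streaming on TCP port 1935.</description>
  <port protocol="tcp" port="1935"/>
</service>
```

Files under /etc/firewalld/services/ override same-named files in /usr/lib/firewalld/services/, so the copy in /etc is the one firewallD loads after a reload.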
To activate these changes, restart the firewallD service or reload the settings.
# firewall-cmd --reload
To confirm that the service has been added, run the command below to list the available services.
# firewall-cmd --get-services
Step 3: Assigning Services to Zones
Here we show how to manage the firewall with the ‘firewall-cmd’ command. To see the current state of the firewall and all active zones, type the following commands.
# firewall-cmd --state
# firewall-cmd --get-active-zones
Interface ‘enp0s3’ is in the public zone, which is the default zone defined in the ‘/etc/firewalld/firewalld.conf’ file as ‘DefaultZone=public’.
To list the services allowed in this default zone, use the command below.
# firewall-cmd --list-services
Step 4: Adding Services to Zones
In the example above we created our own ‘rtmp’ service; here we show how to add the ‘rtmp’ service to the default zone as well.
# firewall-cmd --add-service=rtmp
To remove the service from the zone again, type.
# firewall-cmd --zone=public --remove-service=rtmp
The above change applies to the runtime configuration only. To make it permanent, run the command below with the ‘--permanent’ option, then reload.
# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload
You can also bind a network source range to the zone and open individual ports. For example, to add the network range ‘192.168.0.0/24’ as a source and open port ‘1935’, use the following commands. Note that a source added to a zone gets every service and port that zone allows, not just the one opened here.
# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp
Make sure to reload the firewallD service after adding or removing any services or ports, then list the zone configuration to verify the result.
# firewall-cmd --reload
# firewall-cmd --list-all
Screenshot: Open Port in Firewalld
Step 5: Adding Rich Rules for Network Range
If you want to allow services such as ‘http’, ‘https’, ‘vnc-server’, and ‘postgresql’ only from that network range, use the following rich rules. First add each rule at runtime, then make it permanent, and reload and check the status afterwards.
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent
Now the network range ‘192.168.0.0/24’ can reach the above services on my server. The ‘--permanent’ option can be used with every rule; however, it is best to define the rule at runtime first, verify client access, and only then make it permanent.
After adding the above rules, don’t forget to reload the firewall rules and list them using the commands below.
# firewall-cmd --reload
# firewall-cmd --list-all
Screenshot: List All FirewallD Active Rules
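The allow-list of Steps 4 and 5 scripted end to end, as an added example that is neither the article's nor the firewalld project's code: it validates the source range and service name before handing them to firewall-cmd, adds each rich rule at runtime and permanently, confirms it with --query-rich-rule, and reloads. FIREWALL_CMD, ZONE and APPLY are assumed variable names; unless APPLY=1 is set, the script only prints the firewall-cmd invocations it would run.

```shell
#!/bin/sh
# Added example (not from the original article): apply a source-range
# allow-list with firewalld rich rules, validating the inputs before they
# reach firewall-cmd and confirming each rule took effect.
# Assumes firewall-cmd from firewalld. FIREWALL_CMD and ZONE are assumed
# override variables (defaults: firewall-cmd, public).
set -u

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# Accept only a dotted-quad IPv4 address with a /0-32 prefix.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%/*}"
    prefix="${1#*/}"
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"
    IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# firewalld service names: letters, digits, '-', '_' and '.' only.
valid_service() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    return 0
}

# The rich rule string the article uses for one source range and service.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# Add one rule to the runtime and permanent configuration, then verify it;
# --query-rich-rule exits 0 only when the rule is present in the runtime set.
allow_service_from() {
    valid_cidr "$1" || { echo "refusing invalid source range: $1" >&2; return 1; }
    valid_service "$2" || { echo "refusing invalid service name: $2" >&2; return 1; }
    rule=$(rich_rule "$1" "$2")
    "$FIREWALL_CMD" --zone="$ZONE" --add-rich-rule "$rule" || return 1
    "$FIREWALL_CMD" --zone="$ZONE" --permanent --add-rich-rule "$rule" || return 1
    "$FIREWALL_CMD" --zone="$ZONE" --query-rich-rule "$rule"
}

# Allow every listed service from one source range, then reload.
apply_allowlist() {
    src="$1"
    shift
    for svc in "$@"; do
        allow_service_from "$src" "$svc" || return 1
    done
    "$FIREWALL_CMD" --reload
}

# Stand-alone run: unless APPLY=1 is set, print the firewall-cmd invocations
# instead of executing them, so the plan can be reviewed first.
[ "${APPLY:-0}" = "1" ] || FIREWALL_CMD=echo
apply_allowlist 192.168.0.0/24 http https vnc-server postgresql
```

Run it as root with APPLY=1 to execute against the live firewall; the validation functions reject anything that is not a plain IPv4 CIDR or service name, so a malformed value cannot smuggle extra rule elements into the quoted rich rule string.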
To learn more about FirewallD, see the manual page.
# man firewalld
That’s it; we have seen how to set up netfilter using FirewallD on RHEL/CentOS 7 and Fedora 21.
Conclusion
Netfilter is the firewall framework in every Linux distribution. Earlier RHEL and CentOS editions used iptables, but version 7 introduced FirewallD, which is easier to understand and use. Hope you have enjoyed the write-up.