CentOS 8 uses firewalld. You can see all predefined zone definitions by running the following ls command:
# ls -l /usr/lib/firewalld/zones/
total 36
-rw-r--r--. 1 root root 299 Nov 8 11:48 block.xml
-rw-r--r--. 1 root root 293 Nov 8 11:48 dmz.xml
-rw-r--r--. 1 root root 291 Nov 8 11:48 drop.xml
-rw-r--r--. 1 root root 304 Nov 8 11:48 external.xml
-rw-r--r--. 1 root root 397 Nov 8 11:48 home.xml
-rw-r--r--. 1 root root 412 Nov 8 11:48 internal.xml
-rw-r--r--. 1 root root 343 Nov 8 11:48 public.xml
-rw-r--r--. 1 root root 162 Nov 8 11:48 trusted.xml
-rw-r--r--. 1 root root 339 Nov 8 11:48 work.xml
Predefined Zones Explained
block – All incoming network connections rejected. Only network connections initiated from within the system are possible.
dmz – Classic demilitarized zone (DMZ) zone that provides limited access to your LAN and only allows selected incoming ports.
drop – All incoming network connections dropped, and only outgoing network connections allowed.
external – Useful for router-type connections. You also need both LAN and WAN interfaces for masquerading (NAT) to work correctly.
home – Useful for home computers such as laptops and desktops within your LAN where you trust other computers. Allows only selected TCP/IP ports.
internal – For use on internal networks when you mostly trust the other servers or computers on the LAN.
public – You do not trust any other computers or servers on the network. Only the required ports and services are allowed. For cloud servers or servers hosted on your own premises, always use the public zone.
trusted – All network connections are accepted. I do not recommend this zone for dedicated servers or VMs connected to the WAN.
work – For use at your workplace where you trust your coworkers and other servers.
Run the following command to see all zones on CentOS 8:
# firewall-cmd --get-zones
To get your default zone run:
# firewall-cmd --get-default-zone
To see your network interface names run either ip command or nmcli command:
# ip link show
# nmcli device status
When a new interface connection (such as eth0 or ens3) is added to NetworkManager, it is attached to the default zone. Verify this by running the following command:
# firewall-cmd --get-active-zones
public
  interfaces: eth0
How to Start and enable firewalld
# systemctl start firewalld
# systemctl enable firewalld
Stop and disable firewalld
# systemctl stop firewalld
# systemctl disable firewalld
Check the firewalld status
# firewall-cmd --state
Command to reload the firewalld configuration after you change rules
# firewall-cmd --reload
Get the status of the firewalld service
# systemctl status firewalld
How to see firewall rules or services associated with the public zone
Run:
# firewall-cmd --list-all
OR
# firewall-cmd --list-all --zone=public
How to see which services are allowed in the current zone
# firewall-cmd --list-services
OR
# firewall-cmd --list-services --zone=public
Adding services
Temporary add (runtime only; lost on the next reload or restart):
# firewall-cmd --zone=public --add-service=http
Permanent add (written to /etc/firewalld; takes effect after a reload):
# firewall-cmd --zone=public --add-service=https --permanent
# firewall-cmd --reload
# firewall-cmd --list-services
# firewall-cmd --list-services --permanent
How to add a service to your zone
# firewall-cmd --zone=public --add-service=dns --permanent
Add ports 5060 and 5061 for Asterisk by creating a service. Create the following firewalld service file:
# nano /etc/firewalld/services/asterisk.xml
Add the code (the ports come from the note above; the protocol on each port is an assumption, so match it to your Asterisk SIP transport configuration):
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>asterisk</short>
  <description>Asterisk is a software implementation of a telephone private branch exchange (PBX).</description>
  <!-- protocols assumed: SIP on 5060 (UDP and TCP), SIP over TLS on 5061 (TCP) -->
  <port protocol="udp" port="5060"/>
  <port protocol="tcp" port="5060"/>
  <port protocol="tcp" port="5061"/>
</service>
Save the file, wait 5 seconds, and apply the new firewall rules by typing:
# firewall-cmd --add-service=asterisk --permanent
# firewall-cmd --reload
If you get an error, just wait and then retry. I received this error the first time:
# firewall-cmd --add-service=asterisk --permanent
Error: INVALID_SERVICE: 'asterisk' not among existing services
INVALID_SERVICE means firewalld has not yet read the new XML file; running firewall-cmd --reload before --add-service also makes it pick the file up. Finally, check that the new firewall rules were applied successfully with:
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: asterisk cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
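The custom-service procedure above, as an added example that is not part of the original note: a script that writes the service XML, reloads firewalld before referencing the new service (avoiding the INVALID_SERVICE error), opens it permanently and verifies the zone's "services:" line. SERVICE_DIR, APPLY and the protocols on each port are assumptions.

```shell
# Added example (not from the original note). Creates a custom firewalld
# service, opens it in a zone and verifies the result. Live firewall changes
# happen only when run as root with APPLY=1; the helpers can be used without root.
set -eu

# Directory firewalld reads custom service definitions from (overridable for testing).
SERVICE_DIR="${SERVICE_DIR:-/etc/firewalld/services}"

# write_service NAME DESCRIPTION PORT/PROTO... -> writes $SERVICE_DIR/NAME.xml, prints its path.
# Protocols are an assumption; the note only lists ports 5060 and 5061.
write_service() {
    local name="$1" desc="$2"; shift 2
    local out="$SERVICE_DIR/$name.xml" p
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
        for p in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}

# zone_has_service LISTALL_OUTPUT SERVICE -> exit 0 if SERVICE appears on the "services:" line
zone_has_service() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { exit found ? 0 : 1 }'
}

# open_service ZONE SERVICE: reload so firewalld has read the new XML, confirm the
# service is known, then add it permanently, reload again and verify the zone.
open_service() {
    local zone="$1" svc="$2"
    firewall-cmd --reload >/dev/null
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$svc" \
        || { echo "service $svc not loaded by firewalld" >&2; return 1; }
    firewall-cmd --permanent --zone="$zone" --add-service="$svc" >/dev/null
    firewall-cmd --reload >/dev/null
    zone_has_service "$(firewall-cmd --zone="$zone" --list-all)" "$svc"
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null; then
    write_service asterisk "Asterisk PBX (SIP signalling)" 5060/udp 5060/tcp 5061/tcp
    open_service public asterisk && echo "asterisk is open in the public zone"
fi
```

Run it as root with APPLY=1 to change the live firewall; without APPLY it only defines the helpers.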
Remove the dns service from the zone
# firewall-cmd --zone=public --remove-service=dns --permanent
How to allow/open TCP/UDP port/protocol
Open TCP port 80:
# firewall-cmd --zone=public --add-port=80/tcp --permanent
To view the ports opened in the zone, run:
# firewall-cmd --zone=public --list-ports
Close a previously opened TCP/UDP port (remove it from the zone)
# firewall-cmd --zone=public --remove-port=23/tcp --permanent
Permanent port changes take effect after firewall-cmd --reload.