centos7

Firewalld configuration and usage

One of the new entries to the Fedora and CentOS worlds is firewalld.

The principle behind it is an abstraction layer: a single setting produces rules for both IPv4 and IPv6, rather than requiring rules to be set for each individually, together with clear output of exactly what is permitted from where.

There have been other tools that do this as a static translator from a friendly language to iptables syntax, shorewall being one example. Firewalld adds to this dynamic configuration over D-Bus, so that permitted daemons can change the configuration themselves (e.g. a BitTorrent client could be allowed to open the port it is listening on automatically when needed) and NetworkManager can assign an interface to a particular zone. In addition, because of the way the rules are manipulated, it avoids the problem of a mistake in /etc/sysconfig/iptables causing the iptables service to fail to parse the rules and consequently set up no rules at all. If the default rule on the INPUT chain was set to DROP, a 'service iptables restart' could in that case completely lock out remote access to the system.
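To make the abstraction concrete, here is a toy zone-to-rules translator, written for this article and not firewalld's own code: one zone definition (interfaces, sources, services, ports, all constructed sample values) is expanded into both iptables and ip6tables rules, a `describe` function gives the plain "what is allowed from where" view, and a definition with an error is rejected outright rather than silently yielding an empty rule set. The `ZONE` data, chain name and function names are assumptions for the illustration.

```python
"""Toy translator from a firewalld-style zone to iptables/ip6tables rules (added example)."""
import ipaddress

# Constructed sample zone: one description of what is allowed, and from where.
ZONE = {
    "name": "public",
    "interfaces": ["eth0"],                        # membership by interface ...
    "sources": ["192.0.2.0/24", "2001:db8::/32"],  # ... or by source network
    "services": {"ssh": [("tcp", 22)], "http": [("tcp", 80)]},
    "ports": [("udp", 51413)],                     # a port a daemon asked to open
}

def validate(zone):
    """Return a list of problems; an empty list means the zone is safe to apply."""
    problems = []
    for src in zone["sources"]:
        try:
            ipaddress.ip_network(src)
        except ValueError:
            problems.append(f"bad source {src!r}")
    entries = [p for ports in zone["services"].values() for p in ports] + zone["ports"]
    for proto, port in entries:
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            problems.append(f"bad port {proto}/{port}")
    return problems

def rules_for(zone):
    """Expand one zone into both address families. A faulty definition raises
    instead of producing no rules, so whatever is already loaded stays in place."""
    problems = validate(zone)
    if problems:
        raise ValueError("; ".join(problems))
    chain = f"IN_{zone['name']}"
    allow = [(n, proto, port) for n, ps in zone["services"].items() for proto, port in ps]
    allow += [(f"{proto}{port}", proto, port) for proto, port in zone["ports"]]
    out = {"iptables": [], "ip6tables": []}
    # Interface matches apply to both families; a source only to its own family.
    matches = [(fam, f"-i {ifc}") for fam in out for ifc in zone["interfaces"]]
    matches += [("ip6tables" if ipaddress.ip_network(s).version == 6 else "iptables",
                 f"-s {s}") for s in zone["sources"]]
    for fam, match in matches:
        for name, proto, port in allow:
            out[fam].append(f"-A {chain} {match} -p {proto} --dport {port} "
                            f"-m comment --comment {name} -j ACCEPT")
    return out

def describe(zone):
    """Plain statement of what the zone permits and from where."""
    what = [f"{n}({p}/{x})" for n, ps in zone["services"].items() for p, x in ps]
    what += [f"{p}/{x}" for p, x in zone["ports"]]
    where = zone["interfaces"] + zone["sources"]
    return f"{zone['name']}: allow {' '.join(what)} from {', '.join(where)}"
```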

There is frequently some confusion over terms like 'Default Zone' and what that actually means, which this article will hopefully clear up.
