Step‑by‑Step Firewalld Configuration: Secure CentOS with IP‑Based Port Access

This guide explains how to use Firewalld on CentOS to create zones, services, and rich rules that restrict access to specific ports for designated IP addresses, covering installation checks, rule creation, dynamic updates, and verification commands for comprehensive firewall management.

MaGe Linux Operations

1. Introduction

Firewalld is the dynamic firewall management daemon that ships with CentOS. It is a front end to the kernel packet filter (netfilter, driven through iptables on CentOS 7 and through nftables on CentOS 8 and later) and offers a simpler, zone‑based way to configure the firewall than writing raw filter rules by hand.

2. Features and Functions

2.1 Zones Firewalld uses zones to represent different levels of trust in a network; the predefined zones are drop, block, public, external, dmz, work, home, internal and trusted. Each zone carries its own set of allowed services, ports and rich rules. A zone is applied either to a network interface or to a source address range. An incoming packet is matched against source‑bound zones first, then against the zone of the interface it arrived on, and finally against the default zone.

2.2 Runtime and Permanent Configuration Changes made at runtime (firewall-cmd without --permanent) take effect immediately but are lost on reload, restart or reboot. Changes made with --permanent are written under /etc/firewalld but only take effect after firewall-cmd --reload or a service restart. firewall-cmd --runtime-to-permanent saves the current runtime state as the permanent configuration.

2.3 Services and Ports Services are named bundles of ports, protocols and helper modules (for example ssh or http) that a zone can open; a port/protocol pair can also be opened directly in a zone without defining a service. Zones are allow‑lists: a service or port is either opened in a zone or not, and anything not opened is handled by the zone's target (reject for most zones, drop for the drop zone).

2.4 Dynamic Updates Runtime rules can be added, removed or modified while the firewall is running, without flushing and rebuilding the whole rule set, so existing connections are not interrupted.

2.5 Connection Tracking Firewalld relies on netfilter connection tracking: reply traffic for established and related connections is accepted automatically, so only the port the client connects to needs to be opened.

2.6 D‑Bus Interface A D‑Bus API lets other applications interact with firewalld for advanced configuration.

3. How to Set Rules

Example: restrict access to the nginx server's port 8088 so that only the host 192.168.2.100 can reach it. Other ports keep whatever rules their zone already has; the steps below open nothing else and close nothing else.

Check that the firewalld service is running and enabled:

systemctl status firewalld
systemctl start firewalld
systemctl is-enabled firewalld
systemctl enable firewalld

Create a new service called nginxserver, give it a description and add port 8088/tcp to it. Creating the service and setting its description are separate firewall-cmd invocations:

firewall-cmd --permanent --new-service=nginxserver
firewall-cmd --permanent --service=nginxserver --set-description="nginx Service"
firewall-cmd --permanent --service=nginxserver --add-port=8088/tcp
firewall-cmd --reload

List defined services and view the new service details:

firewall-cmd --get-services
firewall-cmd --info-service=nginxserver

Create a custom zone opsserver, bind the source IP to it and attach the service. Because the zone is source‑bound, every packet from 192.168.2.100 is evaluated against opsserver instead of the interface's zone, so this zone must list every service that host needs (add ssh here as well if you administer the server from that address):

firewall-cmd --permanent --new-zone=opsserver
firewall-cmd --permanent --zone=opsserver --set-description="Ops Server Zone"
firewall-cmd --permanent --zone=opsserver --add-source=192.168.2.100
firewall-cmd --permanent --zone=opsserver --add-service=nginxserver
firewall-cmd --reload

Optionally, set the default zone to drop so that traffic from any other address, on any port, is silently discarded. This goes beyond the stated goal: it closes every port, not only 8088, for everyone outside opsserver. Before doing it, make sure the address you administer from is in a zone that allows ssh, or you will lock yourself out. --set-default-zone changes the runtime and permanent configuration at once, so the reload is not strictly required, but it is harmless:

firewall-cmd --set-default-zone=drop
firewall-cmd --reload

Alternatively, skip the custom zone and add a rich rule to the public zone. Name the zone explicitly; without --zone the rule lands in whatever the default zone happens to be. This works because public does not open 8088 for anyone else: if 8088/tcp were also opened in the zone as a plain port, the rich rule would add nothing and every host could still reach it:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.2.100" port protocol="tcp" port="8088" accept'
firewall-cmd --reload

4. Simple Rule Setup

If you do not need a separate zone, keep public as the default zone, verify it, and add the rich rule shown in section 3 to that zone. Do not also open 8088/tcp as a plain port in public, or the source restriction is void.

Check the default zone and set it to public if necessary (the change applies immediately and persists without a reload):

firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=public
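The following script is an added example, not code from the original article: it carries out the zone‑based procedure of section 3 and the rich‑rule shortcut of section 4 as one idempotent, verified run. The address 192.168.2.100, port 8088 and the names nginxserver/opsserver are the article's; the ssh entry in the ops zone, the has_permanent and valid_ipv4 helpers and the FIREWALLD_MODE switch are this example's own assumptions. Run it as root with FIREWALLD_MODE=zone or FIREWALLD_MODE=rich; without that variable it only defines the functions.

```bash
#!/bin/bash
# Added example (not from the original article): sections 3 and 4 as one
# idempotent script. Assumed values: SRC_IP, PORT, the zone/service names, and
# opening ssh from the ops host (a source-bound zone shadows "public" for that
# address, so without it the ops host would lose ssh).
set -eu

SRC_IP="${SRC_IP:-192.168.2.100}"   # the only host allowed to reach the port
PORT="${PORT:-8088}"
SERVICE="nginxserver"
ZONE="opsserver"

# Validate "a.b.c.d" or "a.b.c.d/n" before it reaches the permanent config:
# firewall-cmd rejects garbage, but a mistyped octet is still valid syntax and
# would silently allow the wrong host.
valid_ipv4() {
  local addr="$1" ip prefix o
  ip="${addr%%/*}"
  prefix="${addr#*/}"
  [ "$prefix" != "$addr" ] || prefix=32          # no "/": a single host
  case "$prefix" in ''|*[!0-9]*) return 1;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1;; esac
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Rich-rule text for "allow $2/$3 from $1" (the rule the article adds to the
# public zone), kept in a function so it can be inspected before use.
rich_rule() {
  printf 'rule family="ipv4" source address="%s" port protocol="%s" port="%s" accept' "$1" "$3" "$2"
}

# Exit 0 only when the named permanent object exists. $1 = services|zones, $2 = name.
has_permanent() {
  firewall-cmd --permanent --get-"$1" | tr ' ' '\n' | grep -qx "$2"
}

apply_zone_based() {
  valid_ipv4 "$SRC_IP" || { echo "refusing bad source address: $SRC_IP" >&2; return 1; }
  systemctl is-active --quiet firewalld || systemctl start firewalld
  systemctl enable --quiet firewalld

  # Service: --new-service fails if it already exists, so create it only once;
  # description and port are set in separate invocations.
  has_permanent services "$SERVICE" || firewall-cmd --permanent --new-service="$SERVICE"
  firewall-cmd --permanent --service="$SERVICE" --set-description="nginx on $PORT/tcp"
  firewall-cmd --permanent --service="$SERVICE" --add-port="$PORT/tcp"
  firewall-cmd --reload

  # Source-bound zone: traffic from SRC_IP is matched here before any
  # interface-bound zone, so list everything that host needs, ssh included.
  has_permanent zones "$ZONE" || firewall-cmd --permanent --new-zone="$ZONE"
  firewall-cmd --permanent --zone="$ZONE" --set-description="Ops Server Zone"
  firewall-cmd --permanent --zone="$ZONE" --add-source="$SRC_IP"
  firewall-cmd --permanent --zone="$ZONE" --add-service="$SERVICE"
  firewall-cmd --permanent --zone="$ZONE" --add-service=ssh
  firewall-cmd --reload

  # Verify: source and service are bound, and the default zone does NOT open
  # the port itself (otherwise every other host could still reach it).
  firewall-cmd --zone="$ZONE" --query-source="$SRC_IP"
  firewall-cmd --zone="$ZONE" --query-service="$SERVICE"
  if firewall-cmd --query-port="$PORT/tcp"; then
    echo "WARNING: $PORT/tcp is also open in the default zone" >&2
    return 1
  fi
  firewall-cmd --get-active-zones
}

# Section 4 variant: one rich rule in the public zone, no custom zone.
apply_rich_rule() {
  valid_ipv4 "$SRC_IP" || return 1
  firewall-cmd --permanent --zone=public --add-rich-rule="$(rich_rule "$SRC_IP" "$PORT" tcp)"
  firewall-cmd --reload
  firewall-cmd --zone=public --list-rich-rules
}

# Touch the firewall only when explicitly asked, so the file is safe to source.
case "${FIREWALLD_MODE:-}" in
  zone) apply_zone_based ;;
  rich) apply_rich_rule ;;
  *) echo "set FIREWALLD_MODE=zone or FIREWALLD_MODE=rich to apply (env: SRC_IP, PORT)" >&2 ;;
esac
```

The final check in apply_zone_based is the one most worth keeping: the source restriction only holds as long as no interface‑bound or default zone opens 8088/tcp on its own, and that is easy to break later with a stray firewall-cmd --add-port.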

5. Querying Firewall Configuration

Show the runtime rules of the default zone: firewall-cmd --list-all. To see every zone at once use firewall-cmd --list-all-zones, and firewall-cmd --get-active-zones shows which zones currently have an interface or source bound. Add --permanent to any of these commands to inspect the saved configuration instead of the runtime one. For the rules, ports or services of a specific zone, replace <zone> with the desired name:

firewall-cmd --zone=<zone> --list-all
firewall-cmd --zone=<zone> --list-ports
firewall-cmd --zone=<zone> --list-services

6. Conclusion

This article provides a basic example of firewalld configuration. It demonstrates how to restrict access to a specific port for a single IP address, but mastering firewalld requires further study and practice.

This article has been distilled and summarized from source material, then republished for learning and reference.
Tags: firewall, Linux, network security, CentOS, firewalld