In this recipe, we want to show you how to create your own firewalld service definitions or how to change existing ones, which any CentOS 7 system administrator should know for the case where the predefined service files don't fit your system's needs.
To complete this recipe, you will require a minimal installation of the CentOS 7 operating system with root privileges and a console-based text editor of your choice. We will be changing the SSH service's port number in firewalld, so make sure that you have configured the new port as shown in the recipe Locking down remote access and hardening SSH. Here, in our example, we have changed the port to 2223. Also, we will create a new firewalld service for a small Python-based web server that we will use to demonstrate the integration of new system services into firewalld. It's advantageous to grasp the basics of firewalld by working through the Working with a firewall recipe before starting here.
Here in this recipe, we will show you how to change and how to create new firewalld service definitions. This recipe assumes that we are working in the default public zone.
To change the port of the existing ssh service, perform the following steps:

1. Log in as root and copy the ssh service to the right place to edit it: cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services
2. Open the ssh service definition file: vi /etc/firewalld/services/ssh.xml
3. Change the port 22 to 2223, then save the file and close it: <port protocol="tcp" port="2223"/>
4. Reload the firewall configuration: firewall-cmd --reload
Perform the following steps to create your own new service:
1. Create a new service definition file: vi /etc/firewalld/services/python-webserver.xml
2. Put in the following content, then save the file and close it:

   <?xml version="1.0" encoding="utf-8"?>
   <service>
     <short>Python Webserver</short>
     <description>For pythons webservers</description>
     <port port="8000" protocol="tcp"/>
   </service>

3. Reload the firewall configuration: firewall-cmd --reload
4. Add the new service to the default zone: firewall-cmd --add-service=python-webserver
5. Start a Python web server on port 8000 (press the key combination Ctrl + C to stop it): python -m SimpleHTTPServer 8000
6. The web server on port 8000 can now be reached from other computers in your network: http://<ip address of your computer>:8000/
Here in this recipe, we have shown how easy it is to customize or define new firewalld services if a predefined one needs to be changed, or for new system services that are not defined at all. Service definition files are simple XML files where you define rules for a given system service or program. There are two distinct directories where our firewalld service files live: /usr/lib/firewalld/services for all predefined services available from the system installation, and /etc/firewalld/services for all custom and user-created services.
So, what did we learn from this experience?
We started this recipe by making a working copy of the SSH firewalld service file in the right place at /etc/firewalld/services. We could just copy the original file because all files in this directory override the default configuration files from /usr/lib/firewalld/services. In the next step, we then modified it by opening it and changing the default port from 22 to 2223. We have to do this every time we change a system service's standard listening port to make the firewall aware that it should allow network traffic to flow through the changed port. As you can see when opening this file, service files are simple XML text files with some mandatory and some optional tags and attributes. They contain a list of one or more ports and protocols that defines exactly what firewalld should enable if the service is connected to a zone. There can be another important setting in the XML file: helper modules. For example, if you open the SAMBA service file at /usr/lib/firewalld/services/samba.xml, you will see the tag <module name="nf_conntrack_netbios_ns"/>. These are special kernel netfilter helper modules that can be dynamically loaded into the underlying kernel-based firewall, and which are needed for some system services, such as Samba or FTP, which create dynamic connections on temporary TCP or UDP ports instead of using static ports. After reloading the firewall configuration, we should now be able to test the connection from another computer in our network using the altered port.
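As an added example that is not part of the original recipe, the following Python 3 script builds a service definition like the ones edited above, parses the port and module tags back out of a definition, and merges the two service directories with the same rule firewalld applies (a file in /etc/firewalld/services wins over the one of the same name in /usr/lib/firewalld/services). Run as root on a CentOS 7 host it prints the effective definitions and which of them are custom; the two directory paths are the ones named in the recipe, everything else is assumed.

```python
import os
import xml.etree.ElementTree as ET

SYSTEM_DIR = "/usr/lib/firewalld/services"  # predefined services shipped by CentOS
CUSTOM_DIR = "/etc/firewalld/services"      # copies placed here override SYSTEM_DIR

def build_service_xml(short, description, ports, modules=()):
    """Render a service definition; ports is a list of (port, protocol) pairs."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for port, proto in ports:
        # firewalld accepts only tcp/udp in <port> and a valid port number
        if proto not in ("tcp", "udp") or not 1 <= int(port) <= 65535:
            raise ValueError("invalid port/protocol: %s/%s" % (port, proto))
        ET.SubElement(root, "port", port=str(port), protocol=proto)
    for name in modules:  # netfilter helper modules, e.g. nf_conntrack_netbios_ns
        ET.SubElement(root, "module", name=name)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")

def parse_service(text):
    """Return (ports, modules) declared in one service definition."""
    root = ET.fromstring(text)
    ports = [(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    modules = [m.get("name") for m in root.findall("module")]
    return ports, modules

def effective_services(layers):
    """Merge {name: xml_text} dicts; later layers win, like /etc over /usr/lib."""
    merged = {}
    for index, layer in enumerate(layers):
        for name, text in layer.items():
            merged[name] = (index,) + parse_service(text)  # (layer, ports, modules)
    return merged

def load_dir(path):
    """Read every *.xml service file in a directory into a {name: text} dict."""
    layer = {}
    if os.path.isdir(path):
        for fn in sorted(os.listdir(path)):
            if fn.endswith(".xml"):
                with open(os.path.join(path, fn)) as f:
                    layer[fn[:-4]] = f.read()
    return layer

if __name__ == "__main__":
    # Audit the live system: layer 1 (custom) definitions override layer 0 (system) ones
    for name, (layer, ports, mods) in sorted(effective_services([load_dir(SYSTEM_DIR), load_dir(CUSTOM_DIR)]).items()):
        print("%-18s %s ports=%s modules=%s" % (name, "custom" if layer else "system", ports, mods))
```

Any service that the audit reports as "custom" is one whose effective ports differ from what the distribution ships, which is exactly what you want to see listed after changing the SSH port as in this recipe.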
In the second part of this recipe, we created a brand-new service file for a new system service, which is a simple Python web server listening on port 8000 and displaying a simple directory content listing. To do this, we created a simple XML service file for the Python web server including the right port 8000, reloaded the firewall, and afterwards added this new service to our default public zone so that we can actually open connections through this service. You should now be able to browse to our web server's start page using another computer in the same network. However, as we did not use the --permanent flag, if you restart the firewalld daemon, the python-webserver service will be gone from the public zone (or you can also remove it right away with the parameter --remove-service=python-webserver).
In summary, we can say that the recommended firewall choice in CentOS 7 is firewalld, as all important system services have already been set up to use it via predefined service rules. You should remember that Linux firewalls are a very complex topic that can easily fill up a whole book, and you can do a lot more with firewall-cmd than can be covered here in this book.
Often, you just want to quickly open a specific port to test out things before writing your own custom-made service definition. In order to do this, you can use the following command line, which will open port 2888 using the tcp protocol temporarily on the default zone:

firewall-cmd --add-port=2888/tcp
Once you have finished your tests, just reload the firewall configuration to remove and close the specific port again.