Many sysadmins migrating from CentOS 6 to CentOS 7 were surprised to find the familiar setup utility's firewall configuration option missing. This change reflects Red Hat's shift toward firewalld as the default firewall management solution in RHEL-based systems.
Instead of the deprecated setup tool, CentOS 7 offers several alternatives:
# Check firewalld status
systemctl status firewalld
# Enable and start firewalld
systemctl enable firewalld
systemctl start firewalld
To open web ports using firewalld's command-line interface:
# Add HTTP service
firewall-cmd --permanent --add-service=http
# Add HTTPS service
firewall-cmd --permanent --add-service=https
# Reload firewall
firewall-cmd --reload
# Verify changes
firewall-cmd --list-all
For those preferring graphical tools:
# Install the GUI tool
yum install firewall-config
# Launch the configuration UI
firewall-config
Firewalld service definitions are stored in XML files under /usr/lib/firewalld/services/. The http.xml file contains:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages.</description>
<port protocol="tcp" port="80"/>
</service>
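The definition above is small enough to parse with standard shell tools. The following script is an added example (not part of the original article): it extracts the port/protocol pairs from a firewalld service definition and checks whether a definition opens a given port. HTTP_XML reproduces the http.xml shown above; APP_XML is a constructed, hypothetical custom service of the kind an administrator would save as /etc/firewalld/services/myapp.xml (custom definitions belong under /etc/firewalld, not /usr/lib/firewalld, so they survive package updates).

```shell
#!/bin/sh
# Added example: parse <port .../> elements of a firewalld service definition.

# Copy of the stock http.xml shown in the article.
HTTP_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>'

# Constructed, hypothetical custom service: an application on 8080/tcp and 8443/tcp.
APP_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>myapp</short>
  <description>Hypothetical internal application (constructed sample).</description>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8443"/>
</service>'

# service_ports: read a service definition on stdin and print one
# "port/protocol" line per <port .../> element. Attribute order is not
# guaranteed in XML, so each attribute is extracted separately.
service_ports() {
    grep -o '<port [^>]*/>' | while IFS= read -r element; do
        proto=$(printf '%s' "$element" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s' "$element" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# service_opens_port XML PORT/PROTO: exit 0 if the definition opens exactly
# that port and protocol, 1 otherwise. Useful when reviewing a custom
# definition before enabling it with --add-service.
service_opens_port() {
    printf '%s\n' "$1" | service_ports | grep -qxF "$2"
}

# Usage on the constructed samples.
echo "http.xml opens:"
printf '%s\n' "$HTTP_XML" | service_ports
echo "myapp.xml opens:"
printf '%s\n' "$APP_XML" | service_ports
```

The same functions work on a real definition with `service_ports < /usr/lib/firewalld/services/https.xml`; when writing a custom definition, running it through service_ports before `firewall-cmd --permanent --add-service=myapp` catches a typo in a port number before it reaches the live rule set.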
If services are still unreachable after configuration:
# Check whether anything is actually listening on ports 80 and 443 (the pattern is anchored so 8080 or 1443 do not match)
ss -tulnp | grep -E ':(80|443)\s'
# Verify firewalld is active
firewall-cmd --state
# Check for conflicting iptables rules
iptables -L -n -v
In CentOS 6, many administrators relied on the interactive setup utility for basic firewall configuration. This text-based menu system included a convenient Firewall configuration option that simplified opening ports for services like HTTP and HTTPS.
With CentOS 7, this approach was deprecated in favor of firewalld, which provides more dynamic control and better integration with systemd. The setup utility still exists but no longer includes firewall configuration options.
Firewalld introduces several key concepts:
- Zones: Predefined rule sets for different trust levels
- Services: Predefined configurations for common applications
- Runtime vs Permanent: Temporary and persistent rule storage
Here's how to properly open web server ports using the new system:
# Add HTTP service (port 80) to the public zone permanently
sudo firewall-cmd --zone=public --add-service=http --permanent
# Add HTTPS service (port 443) to the public zone permanently
sudo firewall-cmd --zone=public --add-service=https --permanent
# Reload firewall to apply changes without interrupting existing connections
sudo firewall-cmd --reload
After making changes, verify the settings with these commands:
# List all active services in the public zone
sudo firewall-cmd --zone=public --list-services
# Check if a specific service is enabled
sudo firewall-cmd --zone=public --query-service=http
For custom ports or when service definitions aren't available:
# Open port 8080 temporarily (won't survive reboot)
sudo firewall-cmd --zone=public --add-port=8080/tcp
# Make the change permanent (the saved rule reaches the running firewall only after --reload or a reboot; the runtime rule above stays active until then)
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
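The runtime versus permanent split is the usual source of "it worked until the reboot" and "I added the rule but it is still blocked" tickets: a rule added without --permanent disappears on the next reload, and one added only with --permanent is not active until a reload. The script below is an added example (not from the original article) that compares the two configurations of a zone and reports entries present on only one side. RUNTIME and PERMANENT are constructed samples in the format printed by `firewall-cmd --zone=public --list-all` and `firewall-cmd --permanent --zone=public --list-all` on CentOS 7; on a real host, fill the two variables from those commands.

```shell
#!/bin/sh
# Added example: detect drift between a firewalld zone's runtime and
# permanent configuration. Inputs are constructed samples.

# Constructed: running firewall has 8080/tcp opened without --permanent,
# and https has not been reloaded yet.
RUNTIME='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed: saved configuration has https but no 8080/tcp.
PERMANENT='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field OUTPUT FIELD: print the space-separated value of one list-all
# field, e.g. zone_field "$RUNTIME" services -> "dhcpv6-client ssh http".
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# missing_from LIST_A LIST_B: print each item of LIST_A absent from LIST_B.
missing_from() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# runtime_only RUNTIME PERMANENT FIELD: entries that exist only in the running
# firewall; a reload or reboot silently drops them.
runtime_only() {
    missing_from "$(zone_field "$1" "$3")" "$(zone_field "$2" "$3")"
}

# permanent_only RUNTIME PERMANENT FIELD: entries saved with --permanent but
# not yet active; traffic stays blocked until `firewall-cmd --reload`.
permanent_only() {
    missing_from "$(zone_field "$2" "$3")" "$(zone_field "$1" "$3")"
}

# zone_in_sync RUNTIME PERMANENT: exit 0 when services and ports match in
# both directions, 1 otherwise.
zone_in_sync() {
    for field in services ports; do
        [ -z "$(runtime_only "$1" "$2" "$field")" ] || return 1
        [ -z "$(permanent_only "$1" "$2" "$field")" ] || return 1
    done
    return 0
}

# Report on the constructed samples.
for field in services ports; do
    for item in $(runtime_only "$RUNTIME" "$PERMANENT" "$field"); do
        echo "runtime-only $field entry (lost on reload): $item"
    done
    for item in $(permanent_only "$RUNTIME" "$PERMANENT" "$field"); do
        echo "permanent-only $field entry (needs --reload): $item"
    done
done
zone_in_sync "$RUNTIME" "$PERMANENT" && echo "zone in sync" || echo "zone has drift"
```

Running the check after every change (or from cron, comparing against the saved configuration) turns the two failure modes into an explicit message instead of a surprise: a runtime-only entry means someone forgot --permanent, and a permanent-only entry means the --reload was skipped.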
If services aren't accessible after configuration:
- Verify firewalld is running:
sudo systemctl status firewalld
- Check active zones:
sudo firewall-cmd --get-active-zones
- Ensure the correct network interface is assigned to your zone
For those transitioning from direct iptables usage:
# View current iptables rules
sudo iptables -L -n -v
# Create a permanent direct rule in firewalld
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 80 -j ACCEPT