-------------------------------------------------------------------------------
FirewallD

For more info see https://fedoraproject.org/wiki/FirewallD

The firewall provides different configurable 'zones', which are assigned to
different interfaces using ZONE= in the "ifcfg-???" files. If none is given,
the "default" zone is assigned, and the default zone is freely changeable.

Zones are divided into 'temporary' runtime configuration and permanent
configuration (the permanent configuration is what gets applied on reload).

Note: Changing the zones or services does not affect existing network
connections until the firewall configuration is 'reloaded'.

  yum install firewall-config

To stop firewalld (does not turn on iptables)

  systemctl stop firewalld.service       # until next reboot
  systemctl disable firewalld.service    # forever

The firewall system runs separately from iptables, and itself sets all the
iptables rules according to the rules added to firewalld...

------------------------------------------------------------------------------
Interface Zones...

  public           is the default (active) zone
  trusted          target: ACCEPT -- basically disabling the firewall
  block            target: %%REJECT%% -- incoming connections are rejected
                   (with an ICMP prohibited reply), outgoing is allowed
  drop             target: DROP -- basically dropping all incoming
  home & internal  includes services: ssh samba-client
  external         masquerades forwarded connections to the outside world

NOTE: only 'external' has masquerade enabled by default

-------------------------------------------------------------------------------
firewall-config

GUI interface to firewalld

After making changes make sure to do...
  Options -> "Runtime To Permanent"
  Options -> "Reload Firewall"

-------------------------------------------------------------------------------
Command Line Interface....

To check current permitted connections

  firewall-cmd --state
  firewall-cmd --get-active-zones           # active zones and their interfaces
  firewall-cmd --list-all                   # <---- ***  (the default zone)
  firewall-cmd --list-all-zones
  firewall-cmd --info-zone=external         # list specific zone
  firewall-cmd --zone=external --list-all   # services in this zone

  firewall-cmd --runtime-to-permanent
  systemctl reload firewalld

# Set up the zones...

# Internal Zone
firewall-cmd --set-default-zone=internal
firewall-cmd --zone=internal --change-interface=em1
firewall-cmd --zone=internal --list-services
firewall-cmd --zone=internal --list-ports | tr ' ' '\012'

# External Zone
firewall-cmd --zone=external --change-interface=em2
firewall-cmd --zone=external --add-service=ssh
firewall-cmd --zone=external --add-service=http
firewall-cmd --zone=external --add-port=4000/tcp
firewall-cmd --zone=external --list-services
firewall-cmd --zone=external --list-ports | tr ' ' '\012'

# make permanent (runtime changes above are lost on reload/reboot otherwise)
firewall-cmd --runtime-to-permanent

# To make the interface zone assignment permanent (on boot),
# add the zone to the network scripts
vi /etc/sysconfig/network-scripts/ifcfg-em1
    ZONE=internal
vi /etc/sysconfig/network-scripts/ifcfg-em2
    ZONE=external
-------------------------------------------------------------------------------
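An added check for the runtime-vs-permanent gap these notes describe (example code, not from the original notes or the firewalld project): it lists zone entries that exist only at runtime and would be lost on reload. The function names are mine, and the sample service/port lists are constructed.

```shell
#!/bin/sh
# Added example: find firewalld settings that exist only in the runtime
# configuration. They vanish on `systemctl reload firewalld` or reboot unless
# `firewall-cmd --runtime-to-permanent` is run first.

# runtime_only "RUNTIME LIST" "PERMANENT LIST"
# Both arguments are space-separated lists as printed by
# `firewall-cmd --zone=Z --list-services` / `--list-ports` (runtime) and the
# same commands with --permanent. Prints entries of the first list that are
# absent from the second, one per line.
runtime_only() {
    for item in $1; do
        found=0
        for p in $2; do
            if [ "$item" = "$p" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$item"; fi
    done
    return 0
}

# drift_report ZONE RT_SERVICES PM_SERVICES RT_PORTS PM_PORTS
# Pure comparison (no firewall-cmd calls, so it can be tested offline).
# Returns 0 when runtime and permanent agree, 1 when unsaved entries exist.
drift_report() {
    missing=$(runtime_only "$2" "$3"; runtime_only "$4" "$5")
    if [ -n "$missing" ]; then
        printf 'zone %s: unsaved runtime-only entries:\n' "$1"
        printf '%s\n' "$missing" | sed 's/^/  /'
        return 1
    fi
    printf 'zone %s: runtime and permanent configuration match\n' "$1"
    return 0
}

# zone_drift ZONE -- live check on a host running firewalld (needs root).
zone_drift() {
    drift_report "$1" \
        "$(firewall-cmd --zone="$1" --list-services)" \
        "$(firewall-cmd --permanent --zone="$1" --list-services)" \
        "$(firewall-cmd --zone="$1" --list-ports)" \
        "$(firewall-cmd --permanent --zone="$1" --list-ports)"
}

# Constructed sample: ssh, http and 4000/tcp were added at runtime as in the
# notes above, but only ssh has been saved permanently.
drift_report external "ssh http" "ssh" "4000/tcp" "" \
    || echo "fix with: firewall-cmd --runtime-to-permanent"
```

On a live host, replace the constructed call with `zone_drift external` (or any zone name) to compare the real runtime and permanent configuration.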