Securing Network Communication with firewalld
If you need a dynamically managed firewall with support for network/firewall zones, where each zone defines a trust level for the network connections or interfaces assigned to it, then firewalld is the tool for you. It is free, open source and built into RHEL 7.
The Linux kernel includes a powerful network filtering sub-system called netfilter. This allows kernel modules to inspect every packet traversing the system. This means that any incoming, outgoing or forwarded network packet can be inspected, modified, dropped or rejected in a programmatic way, before reaching components in the user space. That is the main building block for setting up a firewall on a Red Hat Enterprise Linux 7 (RHEL 7) machine.
Interacting with netfilter
Although it is theoretically possible for systems administrators to write their own kernel modules to interact with netfilter, this is typically not done. Instead, other programs are used to interact with netfilter. One of the most common and well-known of these programs is iptables. In previous RHEL releases, iptables was the main method of interacting with the kernel netfilter sub-system.
The iptables command is a low-level tool, and it quickly becomes unwieldy when managing a complete firewall. In addition, it only manages IPv4 rules. Other utilities such as ip6tables for IPv6 and ebtables for software bridges need to be used for more complete firewall coverage.
In RHEL 7, a new method of interacting with netfilter has been introduced: firewalld, a system daemon that can configure and monitor the system’s firewall rules. Applications can ask firewalld to open ports over the DBus messaging system, a feature that can be disabled or locked down. It covers IPv4, IPv6 and, potentially, ebtables settings. The firewalld daemon is installed from the firewalld package. This package is part of a base install, but not part of the minimal install.
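As an added example (not part of the original article), the following shell functions drive firewalld through firewall-cmd to do the two things the text describes: use a zone as a trust level for an interface, and lock down the DBus configuration interface. It assumes a RHEL 7 host with firewalld installed and running; the FWCMD variable is a convenience of this example so the commands can be printed instead of executed.

```shell
#!/bin/sh
# Added example: manage firewalld via firewall-cmd (not code from the page).
# Assumes firewalld is running. Set FWCMD=echo to print commands instead
# of executing them (dry run).
set -u
FWCMD="${FWCMD:-firewall-cmd}"

# Apply one change to the runtime AND the permanent configuration.
# Without --permanent a change is lost on reload/reboot; with only
# --permanent it is not active until the next reload.
fw_both() {
    "$FWCMD" "$@" && "$FWCMD" --permanent "$@"
}

# Bind an interface to a zone and make that zone the default for any
# interface without an explicit assignment. 'public' permits only the
# services listed in it; 'drop' silently discards all inbound traffic.
fw_set_zone() {   # fw_set_zone <zone> <interface>
    fw_both --zone="$1" --change-interface="$2" &&
    "$FWCMD" --set-default-zone="$1"   # already persistent, no --permanent
}

# Open only the named services in a zone (e.g. ssh).
fw_allow_services() {   # fw_allow_services <zone> <service>...
    zone="$1"; shift
    for svc in "$@"; do
        fw_both --zone="$zone" --add-service="$svc" || return 1
    done
}

# Enable lockdown: with lockdown on, firewalld rejects configuration
# requests over DBus unless the caller matches the lockdown whitelist
# (command, uid or SELinux context). Whitelist uid 0 first so root keeps
# access through firewall-cmd; otherwise lockdown cannot be turned off
# again without editing firewalld.conf by hand.
fw_lockdown() {
    "$FWCMD" --query-lockdown-whitelist-uid=0 >/dev/null 2>&1 ||
        fw_both --add-lockdown-whitelist-uid=0 || return 1
    "$FWCMD" --lockdown-on
}

# Harden one interface: public zone, ssh only, configuration locked down.
fw_harden() {   # fw_harden <interface>
    fw_set_zone public "$1" &&
    fw_allow_services public ssh &&
    fw_lockdown &&
    "$FWCMD" --query-lockdown   # returns 0 when lockdown is active
}

# fw_harden eth0   # uncomment to apply on a real host
```

Run with `FWCMD=echo` first to review the exact firewall-cmd invocations before applying them.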