Despectus in Viam Fidei

Hardening CentOS/Rocky Linux 9 with FirewallD

Secure your CentOS/Rocky Linux 9 server by implementing FirewallD. This guide covers essential security measures to protect your VPS.

Why Security Matters

FirewallD is the default firewall solution for RHEL-based distributions like CentOS and Rocky Linux. It provides dynamic zone-based firewall management without requiring service restarts when rules change.

Step 1: Install FirewallD

sudo dnf install firewalld -y
sudo systemctl start firewalld
sudo systemctl enable firewalld

Step 2: Configure Firewall Rules

Set up basic firewall rules:

# Set default zone to public
sudo firewall-cmd --set-default-zone=public

# Allow essential services
sudo firewall-cmd --zone=public --permanent --add-service=ssh
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https

# Allow custom port (e.g., application on port 8080)
sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp

# Remove unnecessary services
sudo firewall-cmd --zone=public --permanent --remove-service=cockpit

# Reload to apply changes
sudo firewall-cmd --reload

Step 3: Enable FirewallD

sudo systemctl enable firewalld
sudo systemctl restart firewalld

Step 4: Verify Configuration

sudo firewall-cmd --state
sudo firewall-cmd --list-all
sudo firewall-cmd --list-services
sudo firewall-cmd --list-ports

Additional Security Tips

• Use firewall-cmd --get-zones to see all available zones and organize rules by trust level
• Always use --permanent flag followed by --reload to persist rules across reboots
• Use rich rules for advanced filtering: firewall-cmd --add-rich-rule to restrict access by source IP

Conclusion

Your CentOS/Rocky Linux server is now protected with FirewallD. Regular security audits are recommended.