Nagios, Cacti and Centos 7 with Firewalld

Unfortunately one of our clients uses CentOS instead of Debian-based Ubuntu. I think that Ubuntu has much better packaged configurations, but I am biased.

CentOS 7 means learning systemd commands instead of Upstart and dealing with firewalld. Here is a little bit of info to help with Nagios and NRPE under firewalld.

There is not much info going around for CentOS 7.

firewalld is installed by default on CentOS 7 and replaces the iptables service as the way to enter firewall rules:

sudo /bin/systemctl status firewalld.service

firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Fri 2014-08-15 15:41:34 UTC; 22min ago
Process: 17525 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 15104 (firewalld)
CGroup: /system.slice/firewalld.service
└─15104 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Aug 15 16:04:09 centos-7-server systemd[1]: Reloading firewalld - dynamic firewall daemon.
Aug 15 16:04:09 centos-7-server systemd[1]: Reloaded firewalld - dynamic firewall daemon.

Let’s check if it starts with the server:

systemctl list-unit-files | grep firewall

firewalld.service enabled

systemctl list-unit-files | grep iptables

iptables.service disabled

There are security zones and services, just like a real firewall! Sadly the default configuration on Red Hat is as obscure as usual, with few examples to follow, so quickly check out the following:

ls -lah /lib/firewalld/zones/

block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml

These are the pre-defined zones, and the predefined services are below:

ls -lah /lib/firewalld/services/

total 196K
drwxr-x---. 2 root root 4.0K Aug 15 15:40 .
drwxr-x---. 5 root root 4.0K Jul 7 21:04 ..
-rw-r-----. 1 root root 412 Jun 10 07:19 amanda-client.xml
-rw-r-----. 1 root root 320 Jun 10 07:19 bacula-client.xml
-rw-r-----. 1 root root 346 Jun 10 07:19 bacula.xml

So if we want to customise one of these zones, the idea is to copy the file to /etc/firewalld/zones/ (a file in /etc takes precedence over the one of the same name in /lib), and if we want to customise a service, the copy goes to /etc/firewalld/services/.

Sweet, so we need to add a new zone for monitoring the server and add services to it. Let's do that:

sudo vim /etc/firewalld/zones/monitoring.xml

The file is an XML document with a zone root element, inside which we add a description tag, a source address and some services:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <description>To allow devices in the monitor network to connect to this server.</description>
  <!-- fill in the monitoring server's address or the monitor network in CIDR form -->
  <source address=""/>
  <service name="nrpe"/>
  <service name="snmp"/>
</zone>

Save the file; next we need to create our services.

sudo vim /etc/firewalld/services/nrpe.xml

We need to add our rule for NRPE, which listens on TCP port 5666. Service files use a service root element:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>NRPE (5666)</short>
  <description>NRPE used to monitor services on this machine, via a remote Nagios server - Richard McKenna</description>
  <port protocol="tcp" port="5666"/>
</service>

Cool, save that and let's create a service for SNMP, since there is no pre-defined service available for it.

sudo vim /etc/firewalld/services/snmp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SNMP (UDP 161)</short>
  <description>SNMP to monitor this server via a remote SNMP service - Richard McKenna</description>
  <port protocol="udp" port="161"/>
</service>

Cool, so our monitoring services are done. Let's apply the new rules by reloading the firewall:

sudo firewall-cmd --reload

Great, now our new rules should be applied.
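Because the zone and service files are plain XML, they can be generated and checked by script instead of typed by hand. The following is an added example, not part of the original post or of firewalld itself: it writes a monitoring zone plus nrpe and snmp service files in the same format into a scratch directory (a constructed 10.0.0.0/24 stands in for the monitor network), refuses the blank source address that is easy to leave behind, and then audits the zone to list exactly which source may reach which port. The function names, the scratch directory and the CIDR are assumptions.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def _save(root, directory, name):
    path = os.path.join(directory, name + ".xml")
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
    return path

def write_service(services_dir, name, short, description, ports):
    """Build a firewalld service file; ports is a list of (protocol, port) pairs."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for proto, port in ports:
        if proto not in ("tcp", "udp") or not 1 <= int(port) <= 65535:
            raise ValueError("bad port spec %s/%s" % (proto, port))
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    return _save(root, services_dir, name)

def write_zone(zones_dir, name, description, sources, services):
    """Build a firewalld zone file, refusing the blank <source address=""/> left in the post."""
    if any(not s for s in sources): raise ValueError("zone %s: empty <source address>" % name)
    root = ET.Element("zone")
    ET.SubElement(root, "description").text = description
    for src in sources:
        ET.SubElement(root, "source", address=src)
    for svc in services:
        ET.SubElement(root, "service", name=svc)
    return _save(root, zones_dir, name)

def audit_zone(zone_path, services_dir):
    """Return sorted (source, service, proto/port) triples: what the zone really opens, and to whom."""
    zone = ET.parse(zone_path).getroot()
    sources = [s.get("address") or "" for s in zone.findall("source")]
    if "" in sources: raise ValueError("%s has an empty <source address>" % zone_path)
    exposed = []
    for svc in zone.findall("service"):
        svc_file = os.path.join(services_dir, svc.get("name") + ".xml")  # missing file: ET.parse raises
        for port in ET.parse(svc_file).getroot().findall("port"):
            for src in sources or ["(any source on a bound interface)"]:
                exposed.append((src, svc.get("name"), "%s/%s" % (port.get("protocol"), port.get("port"))))
    return sorted(exposed)

def demo(monitor_net="10.0.0.0/24"):  # constructed CIDR; files go to a scratch dir, not /etc
    d = tempfile.mkdtemp()
    write_service(d, "nrpe", "NRPE (5666)", "NRPE checks from the Nagios server", [("tcp", 5666)])
    write_service(d, "snmp", "SNMP (UDP 161)", "SNMP polling of this server", [("udp", 161)])
    zone = write_zone(d, "monitoring", "Monitor network access", [monitor_net], ["nrpe", "snmp"])
    return audit_zone(zone, d)
```

Pointing audit_zone at a real /etc/firewalld/zones file (with the matching services directory) gives a quick review of what a hand-written zone exposes before reloading the firewall.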

If we want to allow predefined services such as http, https and ftp in our public zone, we can easily do that. First confirm that our default zone is public:

sudo firewall-cmd --get-default-zone

So we can just add our rules (without --zone they go into the default zone, and --permanent rules only take effect after the firewall is reloaded, as above):

sudo firewall-cmd --add-service=ftp --permanent
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
