firewalld: basic use of the CentOS 7 firewall

firewalld is the default firewall management tool on CentOS 7. It is a front end to iptables (the kernel's netfilter rule set) and ships with a graphical configuration tool, firewall-config, and a command-line tool, firewall-cmd. With the old iptables service, every change meant flushing the old rules and re-reading the complete rule set from /etc/sysconfig/iptables; firewalld applies only the parts that changed, so established connections are not interrupted.

Install and view status

yum install firewalld

Start the service and enable it at boot:

systemctl start firewalld
systemctl enable firewalld

Stop and disable:

systemctl stop firewalld
systemctl disable firewalld

Check the firewall state. The output is either running or not running:

# firewall-cmd --state
running

By default firewalld is running with public as the default zone, which rejects all incoming traffic except the few services enabled in that zone (ssh and dhcpv6-client).

To view the status of the firewalld daemon:

systemctl status firewalld

firewalld zones

firewalld uses services and zones instead of raw iptables rules and chains. A zone is a trust level that is applied to a network interface or to a source address range; the following zones are available by default:

  • drop - discards all incoming packets without any reply; only outgoing connections are possible.
  • block - rejects all incoming packets with an ICMP host-prohibited (IPv4) or adm-prohibited (IPv6) message; only outgoing connections are possible.
  • public - for use in public areas; only selected incoming connections are accepted.
  • external - for use on external networks with masquerading (NAT) enabled; only selected incoming connections are accepted.
  • dmz - for computers in a demilitarized zone that are reachable from outside but have limited access to the internal network; only selected incoming connections are accepted.
  • work - for computers in a work area; only selected incoming connections are accepted.
  • home - for computers in a home area; only selected incoming connections are accepted.
  • internal - for computers on an internal network; only selected incoming connections are accepted.
  • trusted - all network connections are accepted.

To list all available zones, run:

# firewall-cmd --get-zones
work drop internal external trusted home dmz public block

Show the default zone:

# firewall-cmd --get-default-zone
public

Change the default zone (this takes effect immediately and is also written to the permanent configuration):

# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz

All settings of a specific zone (this shows the runtime configuration; add --permanent to see the persistent one):

# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Settings of all zones:

# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 


work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

firewalld services

A firewalld service is a named set of ports and protocols (optionally with helper modules and destination addresses) defined in an XML file, so that a zone can enable "http" instead of the bare "80/tcp".

List all available services:

# firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

The service XML files live in two directories:

  • /usr/lib/firewalld/ holds the defaults shipped by the package (zones in zones/, services in services/). Do not edit them: they are overwritten on every update of the firewalld package.
  • /etc/firewalld/ holds the system's own configuration. A file here with the same name as a default overrides that default.
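As an added example (not from the original page), the following shell functions write a custom service definition into the override directory for sshd listening on port 7022, the alternate port used later in this page, so that a zone can enable it by name instead of opening a raw port. The service name "ssh-alt", the function names and the directory argument are this example's own assumptions; the XML layout is the same as the stock /usr/lib/firewalld/services/ssh.xml.

```shell
#!/bin/sh
# Added example: generate /etc/firewalld/services/ssh-alt.xml for an sshd
# that listens on a non-default TCP port. Files in /etc/firewalld/services/
# override the package defaults and survive package updates.
# "ssh-alt" and the function names are assumptions of this example.

# write_ssh_alt_service DIR PORT -> writes DIR/ssh-alt.xml and prints its path
write_ssh_alt_service() {
    dir="$1"
    port="$2"
    file="$dir/ssh-alt.xml"
    # Refuse anything that is not a plain 1-65535 number: the value is
    # interpolated into XML that firewalld later parses as root.
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    mkdir -p "$dir"
    # Same structure as the stock ssh.xml service file
    cat > "$file" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH (alternate port)</short>
  <description>OpenSSH server moved to TCP port $port.</description>
  <port protocol="tcp" port="$port"/>
</service>
EOF
    chmod 0644 "$file"
    printf '%s\n' "$file"
}

# service_port FILE -> prints the TCP port declared in a service file
service_port() {
    sed -n 's/.*<port protocol="tcp" port="\([0-9]*\)".*/\1/p' "$1"
}

# Usage on the server (as root). firewalld only reads new service files on
# reload, after which the service can be added to a zone by name:
#   write_ssh_alt_service /etc/firewalld/services 7022
#   firewall-cmd --reload
#   firewall-cmd --get-services | tr ' ' '\n' | grep '^ssh-alt$'
#   firewall-cmd --zone=dmz --add-service=ssh-alt --permanent
#   firewall-cmd --reload
```

Opening the port through a named service keeps `--list-all` self-describing (services: ssh-alt) and lets you change the port in one file instead of hunting for 7022/tcp in every zone.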

Configuration sets

firewalld keeps two configuration sets: runtime and permanent. Runtime changes are lost when firewalld is restarted or reloaded or the system reboots, and changes to the permanent set are not applied to the running firewall until the next reload.

By default firewall-cmd acts on the runtime configuration; with the --permanent flag it writes to the permanent configuration instead. To add a rule so that it is both active now and persistent, use one of two methods.

1. Add rules to both the persistent rule set and the runtime rule set.

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=http

2. Add the rule to the persistent rule set and reload FirewallD.

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload

The reload command discards the runtime configuration and re-applies the permanent one. Because firewalld manages the rule set dynamically, a reload does not break existing connections. Any rule that was added only at runtime is lost on reload; if you have such rules, save them first with firewall-cmd --runtime-to-permanent.
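The following script is an added example, not part of the original page: it compares a zone's runtime listing (firewall-cmd --zone=ZONE --list-all) with its permanent listing (the same command with --permanent) in the format shown above and reports every setting that differs, which is exactly the set of rules a reload or reboot would silently drop. The function names are this example's own, and the two listings in demo_drift are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): detect drift between the
# runtime and permanent configuration of one zone, as printed by
#   firewall-cmd --zone=ZONE --list-all             > runtime.txt
#   firewall-cmd --zone=ZONE --permanent --list-all > permanent.txt
# Function names and the sample listings are this example's own.

# normalize_listing FILE -> one "key=sorted values" line per setting.
# Only the two-space-indented "key: value" lines are read; the zone name
# header is skipped and multi-line rich rules are not compared.
normalize_listing() {
    sed -n 's/^  \([a-z][a-z -]*\): *\(.*\)$/\1|\2/p' "$1" |
    while IFS='|' read -r key val; do
        sorted=$(printf '%s\n' $val | sort | tr '\n' ' ')
        printf '%s=%s\n' "$key" "${sorted% }"
    done
}

# firewalld_drift RUNTIME_FILE PERMANENT_FILE
# Prints one line per differing setting; returns 1 if any drift, else 0.
firewalld_drift() {
    r=$(mktemp); p=$(mktemp)
    normalize_listing "$1" > "$r"
    normalize_listing "$2" > "$p"
    drift=0
    while IFS='=' read -r key rval; do
        pval=$(sed -n "s/^$key=//p" "$p")
        if [ "$rval" != "$pval" ]; then
            printf '%s: runtime [%s] permanent [%s]\n' "$key" "$rval" "$pval"
            drift=1
        fi
    done < "$r"
    rm -f "$r" "$p"
    return $drift
}

# demo_drift: constructed listings (not captured from a real host) in
# which http and 7022/tcp were added with firewall-cmd but without
# --permanent. Returns firewalld_drift's status (1 for these inputs).
demo_drift() {
    d=$(mktemp -d)
    cat > "$d/runtime.txt" <<'EOF'
dmz
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: http ssh
  ports: 7022/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
EOF
    cat > "$d/permanent.txt" <<'EOF'
dmz
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
EOF
    firewalld_drift "$d/runtime.txt" "$d/permanent.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

On a real host, run the two firewall-cmd commands from the header comment, then `firewalld_drift runtime.txt permanent.txt`; a non-zero exit is the cue to run `firewall-cmd --runtime-to-permanent` (or to remove the stray runtime rule) before the next reload.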

Configure your firewall with firewalld

As an example, suppose you are running a web server on which sshd listens on port 7022 instead of 22, together with a mail service. You can configure the server with firewalld as follows:

First, set the default zone to dmz.

# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz

Add persistent HTTP and HTTPS rules to the dmz zone:

# firewall-cmd --zone=dmz --add-service=http --permanent
# firewall-cmd --zone=dmz --add-service=https --permanent

Open port 25 (SMTP) and port 465 (SMTPS):

firewall-cmd --zone=dmz --add-service=smtp --permanent
firewall-cmd --zone=dmz --add-service=smtps --permanent

Open IMAP, IMAPS, POP3 and POP3S ports:

firewall-cmd --zone=dmz --add-service=imap --permanent
firewall-cmd --zone=dmz --add-service=imaps --permanent
firewall-cmd --zone=dmz --add-service=pop3 --permanent
firewall-cmd --zone=dmz --add-service=pop3s --permanent

Because sshd now listens on 7022, remove the ssh service (port 22) and open port 7022. Without --zone these commands act on the default zone, which is now dmz. Make sure sshd really is listening on 7022 before port 22 is removed (on CentOS 7 with SELinux enforcing, the new port must also be labelled first: semanage port -a -t ssh_port_t -p tcp 7022), otherwise the reload below locks you out:

firewall-cmd --remove-service=ssh --permanent
firewall-cmd --add-port=7022/tcp --permanent

To apply these changes, reload the firewall:

firewall-cmd --reload

Finally, list the resulting configuration of the dmz zone:

# firewall-cmd --list-all
dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: http https imap imaps pop3 pop3s smtp smtps
  ports: 7022/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
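The SSH port change above is the step that most often locks administrators out, because the ssh service is removed and the firewall reloaded in one go. As an added example (not from the original page), the script below performs the same migration in a guarded order: it first opens 7022/tcp in the runtime set only, with --timeout so the rule removes itself if the new port turns out not to work; only after the operator has confirmed a session on the new port (CONFIRMED=yes) does it make the port permanent, remove the ssh service and reload, and it finishes by querying the permanent set. The zone (dmz), the port (7022) and the FIREWALL_CMD variable, which defaults to the real firewall-cmd and can be pointed at a stub for a dry run, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): move SSH from port 22 to
# 7022 without locking yourself out. Order matters:
#  1. open 7022/tcp in the RUNTIME set only, with --timeout, so the rule
#     disappears by itself if you are cut off or sshd is not on 7022 yet;
#  2. once a new session on 7022 works, make the port permanent;
#  3. only then drop the stock ssh service (port 22) and reload;
#  4. confirm the permanent set really contains the new port.
# ZONE, NEW_PORT and FIREWALL_CMD are this example's assumptions.

: "${FIREWALL_CMD:=firewall-cmd}"
ZONE=dmz
NEW_PORT=7022

# Phase 1: temporary runtime opening, auto-removed after $1 seconds
# (default 300). --timeout cannot be combined with --permanent.
open_new_ssh_port_temporarily() {
    "$FIREWALL_CMD" --zone="$ZONE" --add-port="$NEW_PORT/tcp" --timeout="${1:-300}"
}

# Phase 2+3: run only after `ssh -p 7022 host` has been tested from a
# second terminal while the original session stays open.
commit_new_ssh_port() {
    "$FIREWALL_CMD" --zone="$ZONE" --add-port="$NEW_PORT/tcp" --permanent &&
    "$FIREWALL_CMD" --zone="$ZONE" --remove-service=ssh --permanent &&
    "$FIREWALL_CMD" --reload
}

# Phase 4: exit 0 only if the permanent configuration contains the port
verify_permanent_port() {
    "$FIREWALL_CMD" --zone="$ZONE" --permanent --query-port="$NEW_PORT/tcp"
}

# migrate_ssh_port [SECONDS]
# Without CONFIRMED=yes: opens the port temporarily and returns 2 so the
# operator can test the new port. With CONFIRMED=yes: commits and verifies.
migrate_ssh_port() {
    if [ "${CONFIRMED:-no}" != "yes" ]; then
        open_new_ssh_port_temporarily "$1" || return 1
        echo "port $NEW_PORT open for ${1:-300}s; test a new SSH session on it, then rerun with CONFIRMED=yes" >&2
        return 2
    fi
    commit_new_ssh_port || return 1
    verify_permanent_port
}

# Usage on the server (as root), from a session you keep open throughout:
#   migrate_ssh_port 300            # then: ssh -p 7022 host  from elsewhere
#   CONFIRMED=yes migrate_ssh_port  # only if that second session worked
```

If the second session fails, do nothing: the temporary rule expires on its own and port 22 was never touched. The stub technique in the test (FIREWALL_CMD pointed at a logging function) is also a convenient way to review the exact firewall-cmd sequence a change script will issue before running it on a production host.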

Open ports 80 and 443 by number (this is equivalent to the http and https services added above; prefer the service names, which are self-describing in --list-all):

# firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --reload   # apply the permanent rules to the running firewall

View the services enabled in the default zone's runtime configuration:

# firewall-cmd --list-services
http https ssh

Posted by mits on Thu, 12 May 2022 08:30:09 +0300