===== Firewall daemon =====

==== General ====

In this manual I just list the basic commands to set up and configure the ''iptables'' firewall using the ''firewalld'' agent.

**IMPORTANT:** The agent ''firewalld.service'' must be started before you can use the ''firewall-cmd'' command!

**NOTE:** To most arguments you can add the ''--permanent'' option to list the permanent settings (not the dynamic ones!). To change a setting you can either use the ''--permanent'' option and then run ''firewall-cmd --reload'', or run the command first with the ''--permanent'' option and then run the same command again without ''--permanent''.

  * List all options for ''firewall-cmd''<code bash>
firewall-cmd --help
</code>

==== Firewall zones ====

  * Get the default firewall zone<code bash>
firewall-cmd --get-default-zone
public
</code>
  * Set the default zone<code bash>
firewall-cmd --set-default-zone=myzone
</code>
  * Get all active firewall zones<code bash>
firewall-cmd --get-active-zones
public
  interfaces: enp0s31f6
</code>

To list everything from one zone, you can use the ''--list-all'' switch:

  * List everything in a zone<code bash>
firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s31f6
  sources:
  services: ssh mdns dhcpv6-client http https
  ports: 8080/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
</code>
  * Get all firewall zones<code bash>
firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
</code>
  * Get all (preconfigured) firewall services<code bash>
firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet
bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns
docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust
ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target
kadmin kde-connect kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns
mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole
pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster
quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp
snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks
transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
</code>

==== Firewall interfaces ====

  * Get the firewall zone of interface ''enp0s31f6''<code bash>
firewall-cmd --get-zone-of-interface=enp0s31f6
public
</code>
  * Get the firewall zone of interface ''virbr0''<code bash>
firewall-cmd --get-zone-of-interface=virbr0
no zone
</code>

**NOTE:** If you give a wrong ethernet interface name, the command will not complain about the name but just print ''no zone''!

To list the interfaces of all zones, use this command:

  * Get the interfaces of all zones<code bash>
for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-interfaces --zone=$z; done
=== FedoraServer:

=== FedoraWorkstation:

=== block:

=== dmz:

=== drop:

=== external:

=== home:

=== internal:

=== public:
enp0s31f6
=== trusted:

=== work:

</code>

==== Firewall services ====

A lot of services are preconfigured (port(s) and protocol(s)). Each zone can have different services; to list all services of the default zone, use the following command:

  * List all services of the default zone<code bash>
firewall-cmd --list-services
ssh mdns dhcpv6-client
</code>
  * List all services of a given zone<code bash>
firewall-cmd --list-services --zone=<zone name>
ssh mdns dhcpv6-client
</code>

If you want to list the services of all zones, you can use this for loop:

  * Get the services of all zones (per zone)<code bash>
for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-services --zone=$z; done
=== FedoraServer:
ssh dhcpv6-client
=== FedoraWorkstation:
dhcpv6-client ssh samba-client
=== block:

=== dmz:
ssh
=== drop:

=== external:
ssh
=== home:
ssh mdns samba-client dhcpv6-client
=== internal:
ssh mdns samba-client dhcpv6-client
=== public:
ssh mdns dhcpv6-client
=== trusted:

=== work:
ssh mdns dhcpv6-client
</code>

Sometimes you want more information about the configuration of a pre-defined service.

  * Show a service configuration<code bash>
firewall-cmd --info-service=vnc-server
vnc-server
  ports: 5900-5903/tcp
  protocols:
  source-ports:
  modules:
  destination:
</code>

==== Firewall ports ====

If a port is not part of a //pre-defined// service, you can also add ports directly to the firewall configuration. Here I show how to list these ports in a zone.

  * List the active ports in a zone<code bash>
firewall-cmd --list-ports --zone=public
8080/tcp 8443/tcp
</code>
  * Get the default firewall ''zone''<code bash>
firewall-cmd --get-default-zone
public
</code>

===== Configure =====

**IMPORTANT:** Also for the configuration you can add the ''--permanent'' switch, which makes the setting permanent. If you omit this switch, the setting is only set dynamically (runtime) and will not survive a reboot!

**NOTE:** To set up a new service or port, you should always test it in dynamic mode first; when it works, repeat the command with the permanent switch.
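The runtime/permanent split above is the usual source of surprises after a reload: a service or port that was only added dynamically is gone. As an added example (not part of this wiki page), the following POSIX shell script compares the ''firewall-cmd --list-all --zone=<zone>'' output with its ''--permanent'' counterpart and reports every setting that exists only at runtime; the two dumps in ''demo_drift'' are constructed samples in the output format shown under Firewall zones, and the function names are my own.

```shell
# Added example, not from the original page: report settings of a zone that
# exist only at runtime and would disappear on 'firewall-cmd --reload' or a
# reboot. Input is the 'firewall-cmd --list-all' format shown on this page.

# normalize_zone_dump: read a --list-all dump on stdin, drop the header line
# ("public (active)" vs "public") and squeeze whitespace into "key: values".
normalize_zone_dump() {
  sed -e '1d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e 's/[[:space:]]\{1,\}/ /g' | sort
}

# zone_drift RUNTIME_FILE PERMANENT_FILE: print "key: <runtime> -> <permanent>"
# for every setting whose value differs between the two views.
zone_drift() {
  rt=$(normalize_zone_dump < "$1")
  pm=$(normalize_zone_dump < "$2")
  printf '%s\n%s\n' "$rt" "$pm" | cut -d: -f1 | sort -u |
  while IFS= read -r key; do
    a=$(printf '%s\n' "$rt" | grep "^$key:" | cut -d: -f2- | sed 's/^ *//')
    b=$(printf '%s\n' "$pm" | grep "^$key:" | cut -d: -f2- | sed 's/^ *//')
    [ "$a" = "$b" ] || printf '%s: <%s> -> <%s>\n' "$key" "$a" "$b"
  done
}

# demo_drift: constructed sample where http/https and two ports were added
# to the public zone without --permanent; prints the drift report.
demo_drift() {
  rtf=$(mktemp); pmf=$(mktemp)
  cat > "$rtf" <<'EOF'
public (active)
  target: default
  interfaces: enp0s31f6
  services: ssh mdns dhcpv6-client http https
  ports: 8080/tcp 8443/tcp
  rich rules:
EOF
  cat > "$pmf" <<'EOF'
public
  target: default
  interfaces: enp0s31f6
  services: ssh mdns dhcpv6-client
  ports:
  rich rules:
EOF
  zone_drift "$rtf" "$pmf"
  rm -f "$rtf" "$pmf"
}

demo_drift
```

On a real host, replace the two heredocs with ''firewall-cmd --list-all --zone=public > "$rtf"'' and ''firewall-cmd --permanent --list-all --zone=public > "$pmf"''; an empty report means runtime and permanent configuration agree.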
**NOTE:** If you work on only one zone, it makes sense to define this zone as the default zone:

  * Set the default firewall zone<code bash>
firewall-cmd --set-default-zone=<zone name>
</code>

==== Add a service ====

**NOTE:** Don't forget the command to list all services, see <<Firewall services>>

  * Set up the 'http' and 'https' services dynamically<code bash>
firewall-cmd --add-service=http --add-service=https --zone=public
success
</code>
  * Set up the 'http' and 'https' services permanently<code bash>
firewall-cmd --permanent --add-service=http --add-service=https --zone=public
success
</code>

==== Firewall ICMP types ====

  * Get all available firewall ''icmp'' types<code bash>
firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply
echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect
host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation
network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big
parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route
required-option-missing router-advertisement router-solicitation source-quench source-route-failed
time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable
tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit
unknown-header-type unknown-option
</code>

==== IPSET information ====

  * Get all 'ipset' types<code bash>
firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
</code>
  * Show all available ''ipsets''<code bash>
firewall-cmd --get-ipsets
</code>

==== Remove services ====

**NOTE:** To list all services of the zone, check this out: <<Firewall services>>

  * Remove the 'http' and 'https' services dynamically<code bash>
firewall-cmd --remove-service=http --remove-service=https --zone=public
success
</code>
  * Remove the 'http' and 'https' services permanently<code bash>
firewall-cmd --permanent --remove-service=http --remove-service=https --zone=public
success
</code>

==== Add a port ====

If the service you want to configure is not pre-defined, you can add the ports manually.

  * Set up ports ''8080'' and ''8443'' dynamically<code bash>
firewall-cmd --add-port=8080/tcp --add-port=8443/tcp --zone=public
success
</code>
  * Set up ports ''8080'' and ''8443'' permanently<code bash>
firewall-cmd --permanent --add-port=8080/tcp --add-port=8443/tcp --zone=public
success
</code>

==== Remove ports ====

**NOTE:** To list all ports in a zone, refer to the <<Firewall ports>> chapter.

  * Remove ports ''8080'' and ''8443'' dynamically<code bash>
firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
success
</code>
  * Remove ports ''8080'' and ''8443'' permanently<code bash>
firewall-cmd --permanent --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
success
</code>

==== Add interface to zone ====

Sometimes it's necessary to add an interface to a zone.

  * Add an interface to a zone<code bash>
firewall-cmd --add-interface=eth0 --zone=public
</code>

===== Rich rules =====

Sometimes it's very helpful to restrict a rule to source IPs or IP ranges. To do this, you have to add a rich rule using the ''--add-rich-rule'' switch:

==== Add a subnet (all ports) ====

In some cases the whole subnet with all ports enabled is required. The next rule shows how to do this.

  * Add the whole subnet (192.168.11.0/24, TCP) to the config:<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=tcp accept' --zone=public
firewall-cmd --reload
</code>
  * The same, but for UDP:<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=udp accept' --zone=public
firewall-cmd --reload
</code>

==== Rich rule for nfs service ====

In this example I add a rule for the NFS service which allows connections from the '192.168.122.0/24' subnet.

  * Set up the 'nfs' service to allow only the '192.168.122.0/24' network<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
success
</code>

==== Rich rule for ports ====

It is also possible to add a specific port (in this case '389' for LDAP). This allows all connections from the '192.168.122.0/24' subnet on this port:

  * Set up port ''389'' to allow only the ''192.168.122.0/24'' network<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
success
</code>

**NOTE:** This could also be done using the service rule!

==== Rich rule for a UDP port ====

Sometimes you also need a UDP port open, for example for DNS:

  * Set up UDP port 53 for the DNS service:<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" port protocol=udp port=53 accept' --zone=public
firewall-cmd --reload
</code>

==== Add/remove rich rules ====

Sometimes it's necessary to add/remove special rules. For example, you want to allow access to the MySQL port '3306', but only from a defined source (IP). This can be done using rich rules; the next example shows how:

  * Add a rich rule<code bash>
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
</code>
  * Remove a rich rule<code bash>
firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
</code>

**IMPORTANT:** In this example the rule is not defined permanently!

===== Direct rules =====

In some cases a rule cannot be implemented using the standard firewalld commands (including rich rules). In such a case you can add direct rules, written in the syntax of the backend firewall (''iptables'' or ''nftables'' syntax).

<WRAP center round tip 60%>
Check that the rule ends up in the sequence where you expect it (the sequence of rules is very important! You can use ''iptables -S'' or ''nft list ruleset'' to check this).
</WRAP>

<WRAP center round important 60%>
You should not use direct rules if you can do the same using other firewalld rules!
</WRAP>

==== List all active direct rules ====

<code bash>
firewall-cmd --direct --get-all-rules
</code>

==== Add a direct rule ====

The syntax to add a direct rule is quite similar to the backend firewall (iptables, ebtables or nftables). Here an example:

<code bash>
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
</code>

Description (based on the ''iptables'' backend):

<code bash>
firewall-cmd --direct --add-rule <protocol> <table (filter, mangle, nat, ...)> <chain> <priority> <arguments> -j <action (DROP, ACCEPT, ...)>
</code>

==== Remove a direct rule ====

To remove a direct rule, the syntax is the same, except for ''--remove-rule'':

<code bash>
firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
firewall-cmd --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
</code>

===== Forwarding ports =====

If you want to forward a port from outside to an internal network, you have to configure this on the ''external'' zone.

  * Forward port ''5665'' to the internal network IP ''192.168.122.20''<code bash>
firewall-cmd --permanent --zone=external --add-forward-port=port=5665:proto=tcp:toaddr=192.168.122.20
</code>
  * Forward port ''2222'' to the internal network IP ''192.168.122.17'', port ''22''<code bash>
firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
</code>
  * List forwarded ports<code bash>
firewall-cmd --zone=external --list-forward-ports
port=5665:proto=tcp:toport=:toaddr=192.168.122.20
port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
</code>

===== IPSET =====

**Very important:** This procedure does not work with ''firewalld'' using the ''nftables'' backend!

To set up a blacklist using ipset, follow this example:

  - If you want to take over an existing (active) ''ipset'' first, export its entries like this:<code bash>
ipset save blockednets > ipsetsavelist.ipset
sed -e 's/^add blockednets //' ipsetsavelist.ipset | grep -Ev '^create' > list
</code>
  - Create the 'hash:net' ipset:<code bash>
firewall-cmd --permanent --new-ipset=blockednets --type=hash:net
</code>
  - Add the networks you want to drop from a file list. Each line must contain exactly one IP or network:<code bash>
firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list
</code>
  - Optionally add additional networks:<code bash>
firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
</code>
  - Show the permanent entries of an ipset:<code bash>
firewall-cmd --permanent --ipset=blockednets --get-entries
</code>
  - Add the ipset as a source to the firewalld 'drop' zone:<code bash>
firewall-cmd --permanent --zone=drop --add-source=ipset:blockednets
</code>
  - Reload firewalld after these changes:<code bash>
firewall-cmd --reload
</code>

==== Queries ====

  * List all ipsets<code bash>
firewall-cmd --get-ipsets
</code>
  * List ipset sources<code bash>
firewall-cmd --permanent --list-sources --zone=drop
</code>
  * Example result for the ''drop'' zone<code bash>
ipset:blockednets ipset:blacklist
</code>

==== Example ====

Here an example of how to add an official blacklist to an ''ipset'':

  * Example to install the Chinese IP ranges in the ''blacklist'' ipset<code bash>
firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet \
    --option=hashsize=4096 --option=maxelem=200000
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
mkdir -p zones
cd zones
tar -xzf ../all-zones.tar.gz cn.zone
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=cn.zone
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
firewall-cmd --reload
</code>

firewalld.txt · Last modified: 2020/05/17 08:47 by dani
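The IPSET procedure and the blacklist example above both hand a plain text file to ''--add-entries-from-file'', and a single malformed line (a stray header, a bad prefix length) makes that import fail. As an added example that is not part of this wiki page, the following POSIX shell script extends the ''sed''/''grep'' step of the procedure: it extracts only the named set from an ''ipset save'' dump, removes duplicates and reports malformed IPv4 entries instead of importing them. The dump in ''demo_prepare'' is a constructed sample and the function names are my own.

```shell
# Added example, not from the original page: prepare the file that step 3 of
# the IPSET procedure feeds to '--add-entries-from-file'. Only the named set
# is taken from an 'ipset save' dump, duplicates are removed and malformed
# entries are reported on stderr instead of being imported.

# ipset_entries SETNAME: print the entries of one set from an 'ipset save'
# dump on stdin; 'create' lines and entries of other sets are dropped.
ipset_entries() {
  sed -n "s/^add $1 //p"
}

# valid_ipv4_nets: pass through only a.b.c.d or a.b.c.d/N lines
# (octets 0-255, prefix length 0-32); everything else is filtered out.
valid_ipv4_nets() {
  o='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  grep -E "^$o(\.$o){3}(/([0-9]|[12][0-9]|3[0-2]))?$"
}

# prepare_list SETNAME DUMPFILE: accepted entries (sorted, unique) go to
# stdout, each rejected entry goes to stderr with a "rejected:" prefix.
prepare_list() {
  ipset_entries "$1" < "$2" | while IFS= read -r e; do
    if printf '%s\n' "$e" | valid_ipv4_nets > /dev/null; then
      printf '%s\n' "$e"
    else
      printf 'rejected: %s\n' "$e" >&2
    fi
  done | sort -u
}

# demo_prepare: constructed 'ipset save' dump with a second set, a duplicate
# entry and two malformed entries; prints the list ready for "list".
demo_prepare() {
  dump=$(mktemp)
  cat > "$dump" <<'EOF'
create blockednets hash:net family inet hashsize 1024 maxelem 65536
add blockednets 203.0.113.0/24
add blockednets 198.51.100.7
add blockednets 203.0.113.0/24
add blockednets 300.1.2.0/24
add blockednets 10.0.0.0/33
create other hash:ip family inet hashsize 1024 maxelem 65536
add other 192.0.2.1
EOF
  prepare_list blockednets "$dump"
  rm -f "$dump"
}

demo_prepare
```

On a real host, run ''prepare_list blockednets ipsetsavelist.ipset > list'' and then continue with step 3 (''--add-entries-from-file=list''); the rejected lines on stderr are the ones to look at before importing.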