===== Firewall daemon =====

==== General ====

This manual lists the basic commands to set up and configure the ''iptables'' (or ''nftables'') firewall through the ''firewalld'' agent and its ''firewall-cmd'' client.

**IMPORTANT:** The agent ''firewalld.service'' must be started before you can use the ''firewall-cmd'' command!

**NOTE:** Most arguments accept the ''--permanent'' option. With it, a query shows (and a change modifies) the permanent configuration, i.e. what survives a reload or reboot; without it you see and change only the runtime configuration. To get a change into both, either use ''--permanent'' and then run ''firewall-cmd --reload'', or run the command once with ''--permanent'' and once without it.

  * List all options for ''firewall-cmd''
<code>
firewall-cmd --help
</code>

==== Firewall zones ====

  * Get the default firewall zone
<code>
firewall-cmd --get-default-zone
public
</code>
  * Set the default zone
<code>
firewall-cmd --set-default-zone=myzone
</code>
  * Get all active firewall zones
<code>
firewall-cmd --get-active-zones
public
  interfaces: enp0s31f6
</code>
To list everything in one zone, use the ''--list-all'' switch:
  * List everything in a zone
<code>
firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s31f6
  sources:
  services: ssh mdns dhcpv6-client http https
  ports: 8080/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
</code>
  * Get all firewall zones
<code>
firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
</code>
  * Get all (preconfigured) firewall services
<code>
firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kde-connect kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
</code>

==== Firewall interfaces ====

  * Get the firewall zone of interface ''enp0s31f6''
<code>
firewall-cmd --get-zone-of-interface=enp0s31f6
public
</code>
  * Get the firewall zone of interface ''virbr0''
<code>
firewall-cmd --get-zone-of-interface=virbr0
no zone
</code>
**NOTE:** If you give a wrong interface name, the command does not complain about the name; it just prints ''no zone''! Also, ''no zone'' does not mean unfiltered: traffic on an interface that is bound to no zone is handled by the default zone.

To list the interfaces of all zones, use this loop:
  * Get interfaces of all zones
<code>
for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-interfaces --zone=$z; done
=== FedoraServer:
=== FedoraWorkstation:
=== block:
=== dmz:
=== drop:
=== external:
=== home:
=== internal:
=== public:
enp0s31f6
=== trusted:
=== work:
</code>

==== Firewall services ====

A lot of services are preconfigured (port(s) and protocol(s)).
Each zone can have different services. To list the services of the default zone, use the following command:
  * List all services of the default zone
<code>
firewall-cmd --list-services
ssh mdns dhcpv6-client
</code>
  * List all services of a given zone
<code>
firewall-cmd --list-services --zone=<zone>
ssh mdns dhcpv6-client
</code>
To list the services of every zone, use this loop:
  * Get services of all zones (per zone)
<code>
for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-services --zone=$z; done
=== FedoraServer:
ssh dhcpv6-client
=== FedoraWorkstation:
dhcpv6-client ssh samba-client
=== block:
=== dmz:
ssh
=== drop:
=== external:
ssh
=== home:
ssh mdns samba-client dhcpv6-client
=== internal:
ssh mdns samba-client dhcpv6-client
=== public:
ssh mdns dhcpv6-client
=== trusted:
=== work:
ssh mdns dhcpv6-client
</code>
Sometimes you want more information about a predefined service configuration:
  * Show service configuration
<code>
firewall-cmd --info-service=vnc-server
vnc-server
  ports: 5900-5903/tcp
  protocols:
  source-ports:
  modules:
  destination:
</code>

==== Firewall ports ====

If a port is not covered by a //predefined// service, you can also add ports directly to the zone configuration. Here is how to list these ports in a zone.
  * List the ports opened in a zone
<code>
firewall-cmd --list-ports --zone=public
8080/tcp 8443/tcp
</code>
  * Get the default firewall ''zone''
<code>
firewall-cmd --get-default-zone
public
</code>

===== Configure =====

**IMPORTANT:** For configuration changes too, you can add the ''--permanent'' switch, which writes the setting into the permanent configuration. If you omit this switch, the setting is applied to the runtime configuration only: it takes effect immediately but will not survive a reload or reboot! Conversely, a change made with ''--permanent'' is not active until you run ''firewall-cmd --reload'' (or repeat the command without ''--permanent'').

**NOTE:** When setting up a new service or port, always test it in runtime mode first; once it works, repeat the command with the permanent switch. A runtime mistake is undone by a reload, a permanent one is not.
**NOTE:** If you work on only one zone, it makes sense to make this zone the default zone:
  * Set the default firewall zone
<code>
firewall-cmd --set-default-zone=<zone>
</code>

==== Add a service ====

**NOTE:** Don't forget the command to list all available services, see the //Firewall services// section above.
  * Set up the ''http'' and ''https'' services at runtime
<code>
firewall-cmd --add-service=http --add-service=https --zone=public
success
</code>
  * Set up the ''http'' and ''https'' services permanently
<code>
firewall-cmd --permanent --add-service=http --add-service=https --zone=public
success
</code>

==== Firewall ICMP types ====

  * Get all available firewall ''icmp'' types
<code>
firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
</code>

==== IPSET information ====

  * Get all ''ipset'' types
<code>
firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
</code>
  * Show all configured ''ipsets''
<code>
firewall-cmd --get-ipsets
</code>

==== Remove services ====

**NOTE:** To list all services of a zone, see the //Firewall services// section above.
  * Remove the ''http'' and ''https'' services at runtime
<code>
firewall-cmd --remove-service=http --remove-service=https --zone=public
success
</code>
  * Remove the ''http'' and ''https'' services permanently
<code>
firewall-cmd --permanent --remove-service=http --remove-service=https --zone=public
success
</code>

==== Add a port ====

If the service you want to allow is not predefined, you can add its ports manually.
  * Open ports ''8080'' and ''8443'' at runtime
<code>
firewall-cmd --add-port=8080/tcp --add-port=8443/tcp --zone=public
success
</code>
  * Open ports ''8080'' and ''8443'' permanently
<code>
firewall-cmd --permanent --add-port=8080/tcp --add-port=8443/tcp --zone=public
success
</code>

==== Remove ports ====

**NOTE:** To list all ports of a zone, refer to the //Firewall ports// section above.
  * Remove ports ''8080'' and ''8443'' at runtime
<code>
firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
success
</code>
  * Remove ports ''8080'' and ''8443'' permanently
<code>
firewall-cmd --permanent --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
success
</code>

==== Add interface to zone ====

Sometimes it is necessary to add an interface to a zone.
  * Add an interface to a zone
<code>
firewall-cmd --add-interface=eth0 --zone=public
</code>
**NOTE:** For interfaces managed by NetworkManager the zone is a property of the connection profile (''connection.zone''); set it there (e.g. with ''nmcli connection modify'') so the binding survives a re-activation of the connection.

===== Rich rules =====

Sometimes it is very helpful to restrict a rule to certain source IPs or IP ranges. To do this, add a rich rule with the ''--add-rich-rule'' switch:

==== Add a subnet (all ports) ====

In some cases a whole subnet has to be allowed on all ports. The following rules show how. (If the subnet should simply be trusted, binding it to the ''trusted'' zone with ''--add-source='' is the alternative.)
  * Allow the whole subnet ''192.168.11.0/24'' on all TCP ports:
<code>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=tcp accept' --zone=public
firewall-cmd --reload
</code>
  * The same, but for UDP:
<code>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=udp accept' --zone=public
firewall-cmd --reload
</code>

==== Rich rule for nfs service ====

In this example I add a rule for the NFS service that allows connections from the ''192.168.122.0/24'' subnet.
  * Allow the ''nfs'' service only from the ''192.168.122.0/24'' network
<code>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
success
</code>
**NOTE:** "Only from" holds just as long as ''nfs'' is not also listed under ''services:'' of the zone. A rich rule adds an accept for the given source; it does not remove a zone-wide allow for the same service or port. Check with ''firewall-cmd --list-all --zone=public''.

==== Rich rule for ports ====

It is also possible to allow a specific port (in this case ''389'' for LDAP) from the ''192.168.122.0/24'' subnet only:
  * Allow port ''389'' only from the ''192.168.122.0/24'' network
<code>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
success
</code>
**NOTE:** This could also be done with a service rule (''service name="ldap"'')!

==== Rich rule for a UDP port ====

Sometimes you also need a UDP port open, for example for DNS:
  * Allow UDP port 53 (DNS) from ''192.168.11.0/24'':
<code>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" port port="53" protocol="udp" accept' --zone=public
firewall-cmd --reload
</code>

==== Add/remove rich rules ====

Sometimes it is necessary to add or remove special rules. For example, you want to allow access to the MySQL port ''3306'', but only from a defined source (IP). This is done with rich rules; the next example shows how:
  * Add a rich rule
<code>
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
</code>
  * Remove a rich rule
<code>
firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
</code>
  * List the rich rules of a zone
<code>
firewall-cmd --list-rich-rules --zone=public
</code>
**IMPORTANT:** In this example the rule is not added permanently; it is gone after ''firewall-cmd --reload'' or a reboot! To remove a rule, repeat exactly the rule text that was used when adding it.
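Two things described in the //Configure// and //Rich rules// sections are easy to get wrong and cheap to check from the output of ''firewall-cmd --list-all'': a runtime-only change (anything added without ''--permanent'', like the 3306 rule above) that vanishes at the next reload, and an "only from" rich rule whose service or port is also opened zone-wide, which makes the source restriction moot. The following script is an added example, not part of the original page or of firewalld: it parses two constructed zone dumps in the ''--list-all'' format (a runtime and a permanent one) and reports both problems. On a live system feed it the real output, e.g. ''fw_drift "$(firewall-cmd --list-all --zone=public)" "$(firewall-cmd --permanent --list-all --zone=public)"''.

```shell
#!/bin/sh
# Added example (not from the original page or firewalld): audit zone dumps in the
# plain-text format of `firewall-cmd --list-all [--zone=Z]`. The dumps below are
# constructed for this demo; real output indents continuation lines with a tab.

# Extract one field from a --list-all dump, one value per line. Same-line values
# (services, ports, ...) are split on whitespace; indented continuation lines
# (rich rules, forward-ports) are returned whole.
fw_field() {  # $1 = dump text, $2 = field name, e.g. services or "rich rules"
  printf '%s\n' "$1" | awk -v f="$2" '
    BEGIN { hdr = "^  [a-z][a-z -]*:( |$)"; want = "^  " f ":( |$)" }
    $0 ~ want { sub(/^[^:]*: ?/, ""); for (i = 1; i <= NF; i++) print $i; found = 1; next }
    found && $0 !~ hdr && NF > 0 { sub(/^[ \t]+/, ""); print; next }
    { found = 0 }'
}

# Report entries present in the runtime dump but missing from the permanent one:
# these disappear on `firewall-cmd --reload` or at reboot.
fw_drift() {  # $1 = runtime dump, $2 = permanent dump
  for field in services ports protocols source-ports 'rich rules' forward-ports sources interfaces; do
    rt=$(fw_field "$1" "$field")
    pm=$(fw_field "$2" "$field")
    printf '%s\n' "$rt" | while IFS= read -r item; do
      [ -n "$item" ] || continue
      printf '%s\n' "$pm" | grep -Fxq -- "$item" ||
        printf 'runtime-only %s: %s\n' "$field" "$item"
    done
  done
}

# Report "only from <source>" rich rules whose service or port is also opened
# zone-wide: the rich rule then adds nothing and the source restriction is moot.
fw_moot_rich_rules() {  # $1 = dump
  svcs=$(fw_field "$1" services)
  ports=$(fw_field "$1" ports)
  fw_field "$1" 'rich rules' | while IFS= read -r rule; do
    case $rule in *'source address='*) ;; *) continue ;; esac
    svc=$(printf '%s\n' "$rule" | sed -n 's/.*service name="\([^"]*\)".*/\1/p')
    prt=$(printf '%s\n' "$rule" | sed -n 's/.*port port="\([^"]*\)" protocol="\([^"]*\)".*/\1\/\2/p')
    if [ -n "$svc" ] && printf '%s\n' "$svcs" | grep -Fxq -- "$svc"; then
      printf 'MOOT: %s is open zone-wide, rule does not restrict it: %s\n' "$svc" "$rule"
    fi
    if [ -n "$prt" ] && printf '%s\n' "$ports" | grep -Fxq -- "$prt"; then
      printf 'MOOT: %s is open zone-wide, rule does not restrict it: %s\n' "$prt" "$rule"
    fi
  done
}

# Constructed runtime dump: nfs was added both as a zone-wide service and via an
# "only from" rich rule, and the 3306 rule was added without --permanent.
RUNTIME_DUMP='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s31f6
  sources:
  services: ssh mdns dhcpv6-client http https nfs
  ports: 8080/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept
        rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept'

# Constructed permanent dump: what the zone will look like after a reload.
PERMANENT_DUMP='public
  target: default
  icmp-block-inversion: no
  interfaces: enp0s31f6
  sources:
  services: ssh mdns dhcpv6-client http https
  ports: 8080/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept'

echo "== runtime-only entries (lost on reload) =="
fw_drift "$RUNTIME_DUMP" "$PERMANENT_DUMP"
echo "== rich rules whose source restriction is moot =="
fw_moot_rich_rules "$RUNTIME_DUMP"
```

With the constructed dumps the script reports ''nfs'' and the 3306 rule as runtime-only, and flags the ''nfs'' rich rule because ''nfs'' is also in ''services:''. The fix for the latter is ''firewall-cmd --remove-service=nfs --zone=public'' (runtime and permanent), leaving only the rich rule in place.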
===== Direct rules =====

In some cases a rule cannot be implemented with the standard firewalld commands (including rich rules). Then you can add direct rules. They are passed to ''iptables'', ''ip6tables'' or ''ebtables'' and use that syntax, even when firewalld's backend is ''nftables''. Check that the rule ended up in the sequence where you expect it (the order of rules matters! Use ''iptables -S'' or ''nft list ruleset'' to verify). Do not use direct rules if you can do the same with other firewalld rules: firewalld cannot check them against the zone configuration.

==== List all active direct rules ====
<code>
firewall-cmd --direct --get-all-rules
</code>

==== Add a direct rule ====

The syntax to add a direct rule is close to that of the backend firewall (iptables, ebtables). Example:
<code>
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
</code>
Description (based on the ''iptables'' backend):
<code>
firewall-cmd --direct --add-rule <family> <table> <chain> <priority> <args> -j <target>
</code>
''<family>'' is ''ipv4'', ''ipv6'' or ''eb''; ''<table>'' and ''<chain>'' are the iptables table and chain (here ''filter'' and ''FORWARD''); ''<priority>'' orders the direct rules within the chain (0 is inserted first, higher numbers further down); everything after it is handed to the backend unchanged.

==== Remove a direct rule ====

To remove a direct rule the syntax is the same, except for ''--remove-rule'':
<code>
firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
firewall-cmd --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
</code>

===== Forwarding ports =====

To forward a port from outside to a host in an internal network, configure this on the ''external'' zone. Forwarding to another host (''toaddr='') requires masquerading, which is enabled in the ''external'' zone by default (''masquerade: yes'').
  * Forward port ''5665'' to the internal host ''192.168.122.20''
<code>
firewall-cmd --permanent --zone=external --add-forward-port=port=5665:proto=tcp:toaddr=192.168.122.20
</code>
  * Forward port ''2222'' to port ''22'' of the internal host ''192.168.122.17''
<code>
firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
</code>
  * List forwarded ports
<code>
firewall-cmd --zone=external --list-forward-ports
port=5665:proto=tcp:toport=:toaddr=192.168.122.20
port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
</code>
**NOTE:** The two forwardings were added with ''--permanent'' only; run ''firewall-cmd --reload'' before the runtime listing shows them.

===== IPSET =====

**Very important:** The ''ipset'' command used in step 1 only sees sets created by the ''iptables'' backend. With the ''nftables'' backend firewalld stores its ipsets as nftables sets (see ''nft list sets''); export an existing set there with ''firewall-cmd --permanent --ipset=<name> --get-entries'' instead. The ''firewall-cmd'' steps themselves work with both backends.

To set up a blocklist with an ipset, follow this example:
  - If you want to import an existing (active) ''ipset'' first, export its entries:
<code>
ipset save blockednets > ipsetsavelist.ipset
sed -e 's/^add blockednets //' ipsetsavelist.ipset | grep -Ev '^create' > list
</code>
  - Create the ''hash:net'' ipset:
<code>
firewall-cmd --permanent --new-ipset=blockednets --type=hash:net
</code>
  - Add the networks you want to drop from a file. Each line must contain exactly one IP address or network:
<code>
firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list
</code>
  - Optionally add further networks:
<code>
firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
</code>
  - Show the permanent entries of the ipset:
<code>
firewall-cmd --permanent --ipset=blockednets --get-entries
</code>
  - Add the ipset as a source of the firewalld ''drop'' zone:
<code>
firewall-cmd --permanent --zone=drop --add-source=ipset:blockednets
</code>
  - Reload firewalld after these changes:
<code>
firewall-cmd --reload
</code>

==== Queries ====

  * List all ipsets
<code>
firewall-cmd --get-ipsets
</code>
  * List the ipset sources of the ''drop'' zone
<code>
firewall-cmd --permanent --list-sources --zone=drop
ipset:blockednets ipset:blacklist
</code>

==== Example ====

Here is an example of how to add a published country block list to an ''ipset'':
  * Install the Chinese IP ranges into the ''blacklist'' ipset
<code>
firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet \
  --option=hashsize=4096 --option=maxelem=200000
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
mkdir -p zones
cd zones
tar -xzf ../all-zones.tar.gz cn.zone
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=cn.zone
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
firewall-cmd --reload
</code>
**NOTE:** ''maxelem'' must be larger than the number of entries you intend to load. The list above is fetched over plain HTTP and is not signed, so review what you are about to put into a ''drop'' zone: a tampered or sloppy list blocks exactly the ranges it names.
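''--add-entries-from-file'' expects exactly one address or network per line, so an exported ''ipset save'' dump, a downloaded zone file or a hand-maintained list should be normalised and sanity-checked before it is imported into a ''drop'' zone. The following function is an added example, not part of the original page or of firewalld. It accepts ''ipset save'' output as well as plain lists, strips comments, CRLF line endings and duplicates, validates every IPv4 address or prefix, and reports the rejected lines on stderr. The sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original page or firewalld): normalise and validate a
# candidate entry file for `firewall-cmd --ipset=<name> --add-entries-from-file=<file>`.
# Accepts `ipset save` output ("create ..." / "add <set> <net>" lines) and plain lists
# with comments, blank lines or CRLF; emits one valid IPv4 address or IPv4/prefix per
# line, sorted and de-duplicated. Invalid lines go to stderr. IPv4 only (the sets on
# this page use family=inet).
ipset_list_clean() {  # usage: ipset_list_clean < raw-list > clean-list
  tr -d '\r' \
  | sed -e 's/#.*//' -e 's/^add [^ ]* //' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
  | grep -Ev '^(create |$)' \
  | awk '
      # four dotted decimal octets, each 0-255
      function ipv4_ok(ip,   p, i) {
        if (split(ip, p, ".") != 4) return 0
        for (i = 1; i <= 4; i++) if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
      }
      {
        n = split($0, a, "/")
        if (n > 2 || !ipv4_ok(a[1]) || (n == 2 && (a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32))) {
          print "rejected: " $0 > "/dev/stderr"
          next
        }
        print
      }' \
  | LC_ALL=C sort -u
}

# Count the lines a raw list would lose, for a pre-flight check before importing.
ipset_list_rejected() {  # usage: ipset_list_rejected < raw-list
  ipset_list_clean 2>&1 >/dev/null | grep -c '^rejected: '
}

# Constructed sample: an `ipset save` dump (one line with a CRLF ending) pasted
# together with a hand-written list containing a comment, a blank line, a duplicate,
# an impossible octet and an impossible prefix length.
RAW_LIST=$(printf 'create blockednets hash:net family inet hashsize 1024 maxelem 65536\nadd blockednets 192.168.11.0/24\r\nadd blockednets 10.0.0.0/8\n# hand-written additions below\n\n203.0.113.7   # trailing comment\n300.1.1.1\n192.168.11.0/24\n10.0.0.0/33\n')

echo "== accepted entries =="
printf '%s\n' "$RAW_LIST" | ipset_list_clean 2>/dev/null
echo "== rejected lines: $(printf '%s\n' "$RAW_LIST" | ipset_list_rejected) =="
# On a host running firewalld (needs root; not executed here):
#   printf '%s\n' "$RAW_LIST" | ipset_list_clean > list
#   firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list
#   firewall-cmd --reload
```

For the sample the function keeps ''10.0.0.0/8'', ''192.168.11.0/24'' and ''203.0.113.7'' and rejects ''300.1.1.1'' and ''10.0.0.0/33''. Run the cleaner over ''cn.zone'' from the country-list example in the same way before adding it to the ''blacklist'' set.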