======Firewall daemon======
=====General=====
In this manual, I just list the basic commands to set up and configure an iptables firewall using the firewalld agent.
IMPORTANT: The firewalld.service agent must be started before you can use the firewall-cmd command!
NOTE: To most arguments you can add the --permanent option to list the permanent settings (not the dynamic ones!).
You can either use the --permanent option and then the firewall-cmd --reload command, or do the command first with the --permanent option and then do the same command again without the --permanent option.
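As an added example (not part of the original page), the following script uses the --permanent switch described above to report drift between a zone's runtime and permanent configuration; the firewall-cmd calls are real, the zone lists in the offline branch are constructed sample output:

```bash
#!/bin/bash
# Added example, not part of the original page: report drift between the
# runtime and the --permanent configuration of a firewalld zone. Items added
# without --permanent are lost at reboot; items added only with --permanent
# stay inactive until "firewall-cmd --reload". Sample lists are constructed.

# Print each word of list $1 that does not occur in list $2 (space-separated).
missing_from() {
    local w
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;                 # present in both lists
            *) printf '%s\n' "$w" ;;     # present only in $1
        esac
    done
}

# Compare runtime list $1 with permanent list $2 for the item kind named in $3.
# Prints one line per drifted item; returns 1 when any drift was found.
zone_drift() {
    local runtime="$1" permanent="$2" label="$3" item rc=0
    for item in $(missing_from "$runtime" "$permanent"); do
        echo "$label only at runtime (lost at reboot): $item"; rc=1
    done
    for item in $(missing_from "$permanent" "$runtime"); do
        echo "$label only permanent (inactive until --reload): $item"; rc=1
    done
    return $rc
}

# Live check of one zone; needs a running firewalld.service.
check_zone() {
    local zone="$1" rc=0
    zone_drift "$(firewall-cmd --list-services --zone="$zone")" \
               "$(firewall-cmd --permanent --list-services --zone="$zone")" \
               services || rc=1
    zone_drift "$(firewall-cmd --list-ports --zone="$zone")" \
               "$(firewall-cmd --permanent --list-ports --zone="$zone")" \
               ports || rc=1
    return $rc
}

if command -v firewall-cmd >/dev/null 2>&1; then
    if check_zone "$(firewall-cmd --get-default-zone)"; then echo "default zone: in sync"; fi
else
    # Constructed sample output for an offline run: http was added without
    # --permanent, 8443/tcp only with --permanent.
    if zone_drift "ssh mdns dhcpv6-client http" "ssh mdns dhcpv6-client" services; then echo "services: in sync"; fi
    if zone_drift "8080/tcp" "8080/tcp 8443/tcp" ports; then echo "ports: in sync"; fi
fi
```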
* List all options for firewall-cmd<code bash>
firewall-cmd --help
</code>
====Firewall zones====
* Get default firewall zone<code bash>
firewall-cmd --get-default-zone
public
</code>
* To set the default zone<code bash>
firewall-cmd --set-default-zone=myzone
</code>
* Get all active firewall zones<code bash>
firewall-cmd --get-active-zones
public
interfaces: enp0s31f6
</code>
To list everything from one zone, you can use the --list-all switch:
* List everything in a zone<code bash>
firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s31f6
sources:
services: ssh mdns dhcpv6-client http https
ports: 8080/tcp 8443/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
</code>
* Get all firewall zones<code bash>
firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
</code>
* Get all firewall (preconfigured) services<code bash>
firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc
ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch
freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https
imap imaps ipp ipp-client ipsec iscsi-target kadmin kde-connect kerberos kibana klogin kpasswd kshell ldap ldaps libvirt
libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole
ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster
quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync
squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server
wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
</code>
====Firewall interfaces====
* Get firewall zone for interface enp0s31f6<code bash>
firewall-cmd --get-zone-of-interface=enp0s31f6
public
</code>
* Get firewall zone for interface virbr0<code bash>
firewall-cmd --get-zone-of-interface=virbr0
no zone
</code>
NOTE: If you give a wrong interface name, firewall-cmd will not complain about the name, but just print no zone!
To list the interfaces of all zones, use this command:
* Get interfaces of all zones<code bash>
for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-interfaces --zone=$z; done
=== FedoraServer:
=== FedoraWorkstation:
=== block:
=== dmz:
=== drop:
=== external:
=== home:
=== internal:
=== public:
enp0s31f6
=== trusted:
=== work:
</code>
====Firewall services====
A lot of services are preconfigured (port(s) and protocol(s)). Each zone can have different services.
To list all services of the default zone, use the following command:
* List all services for the default zone<code bash>
firewall-cmd --list-services
ssh mdns dhcpv6-client
</code>
* List all services for a given zone<code bash>
firewall-cmd --list-services --zone=<zone name>
ssh mdns dhcpv6-client
</code>
If you want to list all services, you can use this for loop:
* Get services of all zones (per zone)<code bash>
for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-services --zone=$z; done
=== FedoraServer:
ssh dhcpv6-client
=== FedoraWorkstation:
dhcpv6-client ssh samba-client
=== block:
=== dmz:
ssh
=== drop:
=== external:
ssh
=== home:
ssh mdns samba-client dhcpv6-client
=== internal:
ssh mdns samba-client dhcpv6-client
=== public:
ssh mdns dhcpv6-client
=== trusted:
=== work:
ssh mdns dhcpv6-client
</code>
Sometimes you want more information about the configuration of a pre-defined service.
* Show service configuration<code bash>
firewall-cmd --info-service=vnc-server
vnc-server
ports: 5900-5903/tcp
protocols:
source-ports:
modules:
destination:
</code>
====Firewall ports====
If a port is not covered by a pre-defined service, you can also add ports directly to the firewall configuration.
Here I show how to list these ports in a zone.
* List active ports in a zone<code bash>
firewall-cmd --list-ports --zone=public
8080/tcp 8443/tcp
</code>
* Get default firewall zone<code bash>
firewall-cmd --get-default-zone
public
</code>
=====Configure=====
IMPORTANT: Also for the configuration, you can add the --permanent switch, which makes the setting permanent. If you omit this switch, the setting is only set dynamically and will not survive a reboot!
NOTE: When you set up a new service or port, you should always test it in dynamic mode first; when it works, repeat it with the permanent switch.
NOTE: If you work on only one zone, it makes sense to define this zone as the default zone:
* Set the default firewall zone<code bash>
firewall-cmd --set-default-zone=<zone name>
</code>
====Add a service====
NOTE: Don't forget the command to list all services, see «Firewall services»
* Setup 'http' and 'https' services dynamically<code bash>
firewall-cmd --add-service=http --add-service=https --zone=public
success
</code>
* Setup 'http' and 'https' services permanently<code bash>
firewall-cmd --permanent --add-service=http --add-service=https --zone=public
success
</code>
====Firewall ICMP types====
* Get all available firewall icmp types<code bash>
firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy
fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad
neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable
no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route
required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded
timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable
ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
</code>
====IPSET information====
* Get all 'ipset' types<code bash>
firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
</code>
* Show all available ipsets<code bash>
firewall-cmd --get-ipsets
</code>
====Remove services====
NOTE: To list all services of the zone, check this out: «Firewall services»
* Remove 'http' and 'https' services dynamically<code bash>
firewall-cmd --remove-service=http --remove-service=https --zone=public
success
</code>
* Remove 'http' and 'https' services permanently<code bash>
firewall-cmd --permanent --remove-service=http --remove-service=https --zone=public
success
</code>
====Add a port====
If the service you want to configure is not pre-defined, you can add the ports manually.
* Set up ports 8080 and 8443 dynamically<code bash>
firewall-cmd --add-port=8080/tcp --add-port=8443/tcp --zone=public
success
</code>
* Set up ports 8080 and 8443 permanently<code bash>
firewall-cmd --permanent --add-port=8080/tcp --add-port=8443/tcp --zone=public
success
</code>
====Remove ports====
NOTE: To list all ports in a zone, refer to «Firewall ports» chapter.
* Remove ports 8080 and 8443 dynamically<code bash>
firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
success
</code>
* Remove ports 8080 and 8443 permanently<code bash>
firewall-cmd --permanent --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
success
</code>
====Add interface to zone====
Sometimes it's necessary to add an interface to a zone.
* Add an interface to a zone<code bash>
firewall-cmd --add-interface=eth0 --zone=public
</code>
=====Rich rules=====
Sometimes it's very helpful to restrict a rule to source IPs or IP ranges. To do this, you have to add a rich rule using the --add-rich-rule switch:
==== Add a subnet (all ports) ====
In some cases you need to allow a whole subnet on all ports. The next rule shows how:
* Add the whole subnet (192.168.11.0/24, TCP) to config:<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=tcp accept' --zone=public
firewall-cmd –reload
</code>
* The same, but for UDP:<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=udp accept' --zone=public
firewall-cmd –reload
</code>
====Rich rule for nfs service====
In this example, I add a rule for the NFS service that allows connections only from the '192.168.122.0/24' subnet.
* Set up the 'nfs' service to allow access only from the '192.168.122.0/24' network<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
success
</code>
====Rich rule for ports====
It is also possible to add a specific port (in this case '389' for LDAP). This allows all connections from the '192.168.122.0/24' subnet on this port:
* Set up port 389 to allow access only from the 192.168.122.0/24 network<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
success
</code>
NOTE: This could also be done using the service rule!
==== Rich rule for a UDP port ====
Sometimes you also need a UDP port open, for example for DNS:
* Set up UDP port 53 for the DNS service:<code bash>
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" port protocol=udp port=53 accept' --zone=public
firewall-cmd –reload
</code>
====Add/remove rich rules====
Sometimes it's necessary to add or remove special rules. For example, you want to allow access to the MySQL port '3306', but
only from a defined source (IP or network). This can be done with rich rules; the next example shows how:
* Add a rich rule<code bash>
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
</code>
* Remove a rich rule<code bash>
firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
</code>
IMPORTANT: In this example the rule is not defined permanently!
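An added example, not from the original page, that builds rich rule strings in exactly the form used in the sections above and refuses a rule without a real source restriction; the 192.168.122.0/24 network and the ports used are constructed illustrations:

```bash
#!/bin/bash
# Added example, not part of the original page: build a rich rule string in
# the form used above (an accept limited to a source network, for a service
# or for a port) and refuse to emit one that would accept from any address.
# The network values below are constructed for illustration.

# Usage: rich_rule <ipv4-net> service <name>
#        rich_rule <ipv4-net> port <number> <tcp|udp>
# Prints the rule on stdout; prints a reason on stderr and returns 1 on bad input.
rich_rule() {
    local src="$1" kind="$2" target="$3" proto="$4"
    case $src in   # cheap syntax check: digits, dots and a slash only
        0.0.0.0/0|0.0.0.0) echo "refusing unrestricted source $src" >&2; return 1 ;;
        ''|*[!0-9./]*)     echo "bad source address: $src" >&2; return 1 ;;
    esac
    case $kind in
        service)
            [ -n "$target" ] || { echo "missing service name" >&2; return 1; }
            echo "rule family=\"ipv4\" source address=\"$src\" service name=\"$target\" accept" ;;
        port)
            case $proto in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
            case $target in ''|*[!0-9]*) echo "bad port: $target" >&2; return 1 ;; esac
            [ "$target" -ge 1 ] && [ "$target" -le 65535 ] ||
                { echo "port out of range: $target" >&2; return 1; }
            echo "rule family=\"ipv4\" source address=\"$src\" port port=\"$target\" protocol=\"$proto\" accept" ;;
        *)  echo "kind must be service or port" >&2; return 1 ;;
    esac
}

# Apply one rule at runtime first and, if that succeeds, permanently too,
# following the page's advice to test dynamically before making it permanent.
apply_rich_rule() {
    local zone="$1" rule="$2"
    firewall-cmd --zone="$zone" --add-rich-rule "$rule" &&
        firewall-cmd --permanent --zone="$zone" --add-rich-rule "$rule"
}

# Demonstration with constructed values (LDAP port 389, the nfs service, and
# a rejected attempt to open MySQL to every address):
rich_rule 192.168.122.0/24 port 389 tcp
rich_rule 192.168.122.0/24 service nfs
rich_rule 0.0.0.0/0 port 3306 tcp || echo "(rule rejected, as intended)"
```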
=====Forwarding ports=====
If you want to forward a port from the outside to an internal network, you have to configure this on the external zone.
* Forward port 5665 to the internal network IP 192.168.122.20<code bash>
firewall-cmd --permanent --zone=external --add-forward-port=port=5665:proto=tcp:toaddr=192.168.122.20
</code>
* Forward port 2222 to the internal network IP 192.168.122.17, port 22<code bash>
firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
</code>
* List forwarded ports<code bash>
firewall-cmd --zone=external --list-forward-ports
port=5665:proto=tcp:toport=:toaddr=192.168.122.20
port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
</code>
=====IPSET=====
To set up a blacklist using ipset, follow this example:
- If you first want to take over an existing (active) ipset, export its entries into a file like this:<code bash>
ipset save blockednets > blockednets.ipset
# strip the "add blockednets " prefix and drop the "create" line, leaving one entry per line
sed -e 's/^add blockednets //' blockednets.ipset | grep -Ev '^create' > blockednets
</code>
- Create the ipset with type 'hash:net':<code bash>
firewall-cmd --permanent --new-ipset=blockednets --type=hash:net
</code>
- Add the networks you want to drop from a file. Each line must hold exactly one IP or network:<code bash>
firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list
</code>
- Optionally add additional networks:<code bash>
firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
</code>
- Optionally check the ipset list:<code bash>
firewall-cmd --ipset=blockednets --get-entries
</code>
- Show the permanent entries of an ipset:<code bash>
firewall-cmd --permanent --ipset=blockednets --get-entries
</code>
- Add the ipset as a source of the firewalld 'drop' zone:<code bash>
firewall-cmd --permanent --zone=drop --add-source=ipset:blockednets
</code>
- Reload firewalld after these changes:<code bash>
firewall-cmd --reload
</code>
====Queries====
* List all ipsets<code bash>
firewall-cmd --get-ipsets
</code>
* List ipset sources<code bash>
firewall-cmd --permanent --list-sources --zone=drop
</code>
* Example result for the drop zone<code bash>
ipset:blockednets ipset:blacklist
</code>
====Example====
Here is an example of how to add an official blacklist into an ipset:
* Example to install the Chinese IP ranges in the 'blacklist' ipset<code bash>
firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet \
--option=hashsize=4096 --option=maxelem=200000
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
mkdir -p zones
cd zones
tar -xzf ../all-zones.tar.gz cn.zone
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=cn.zone
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
firewall-cmd --reload
</code>
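The entries file used by both the blacklist procedure and the ipdeny example above must hold one address or network per line; as an added example (not the page's own commands), this script checks such a file before importing it. The ipset name passed to import_blocklist and the sample entries are constructed:

```bash
#!/bin/bash
# Added example, not part of the original page: validate an entries file before
# passing it to "firewall-cmd --permanent --ipset=<set> --add-entries-from-file",
# since the page requires exactly one address or network per line. Blank and '#'
# lines are skipped; any other non-IPv4 line blocks the import. Values are constructed.

# Return 0 if $1 is an IPv4 host (203.0.113.7) or network (119.6.204.0/24).
valid_ipv4_net() {
    local addr="${1%/*}" prefix="${1#*/}" octet
    [ "$prefix" = "$1" ] && prefix=32                 # no "/": single host
    case $prefix in ''|*[!0-9]*) return 1 ;; esac     # prefix must be digits
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    set -- $(echo "$addr" | tr '.' ' '); [ $# -eq 4 ] || return 1   # four octets
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

# Print the usable entries of file $1, one per line. Returns 1 if any line is
# invalid (a line holding two entries counts as invalid); bad lines go to stderr.
clean_entries() {
    local line n=0 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        if valid_ipv4_net "$line"; then printf '%s\n' "$line"
        else echo "$1:$n: invalid entry '$line'" >&2; rc=1; fi
    done < "$1"
    return $rc
}

# Import file $1 into the existing ipset $2 only when every line passes, then reload.
import_blocklist() {
    local tmp rc=1
    tmp=$(mktemp) || return 1
    if clean_entries "$1" > "$tmp"; then
        firewall-cmd --permanent --ipset="$2" --add-entries-from-file="$tmp" &&
            firewall-cmd --reload && rc=0
    else
        echo "refusing to import $1 into ipset $2" >&2
    fi
    rm -f "$tmp"
    return $rc
}

# Offline demonstration on a constructed file: two good entries, a comment, and
# one line that wrongly holds two networks.
demo=$(mktemp)
printf '%s\n' '# constructed block list' '119.6.204.0/24' '203.0.113.7' '10.0.0.0/8 10.1.0.0/16' > "$demo"
clean_entries "$demo" || echo "(demo file rejected, as intended)"
rm -f "$demo"
```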