firewalld

Book Creator
 Add this page to your book
Book Creator
 Remove this page from your book  

 Manage book(0 page(s))
 Help

This is an old revision of the document!

Firewall daemon

General

In this manual, I just list the basic commands for setup and configure iptables firewall using firewalld agent.

IMPORTANT: The agent firewalld.service must be startet before you can use firewall-cmd command!

NOTE: To the most arguments, you can add –permanent option, to list the permanent settings (not dynamic ones!). You can eather use the –permanent option and then the firewall-cmd –reload command, or, do the command first with –permanent option and then do the same command without –permanent option.

  • List all options for firewall-cmd
    firewall-cmd --help

Firewall zones

  • Get default firewall zone
    firewall-cmd --get-default-zone
public
  • To set the default zone
    --set-default-zone=myzone
  • Get all active firewall zones
    firewall-cmd --get-active-zones
public
  interfaces: enp0s31f6

To list everything from one zone, you can use the –list-all switch:

  • List everything in a zone
    firewall-cmd --list-all --zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s31f6
  sources:
  services: ssh mdns dhcpv6-client http https
  ports: 8080/tcp 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
  • Get all firewall zones
    firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
  • Get all firewall (preconfigured) services
    firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc 
ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch 
freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https 
imap imaps ipp ipp-client ipsec iscsi-target kadmin kde-connect kerberos kibana klogin kpasswd kshell ldap ldaps libvirt 
libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole 
ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster 
quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync 
squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server 
wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

Firewall interfaces

  • Get firewall zone for interface enp0s31f6
    firewall-cmd --get-zone-of-interface=enp0s31f6
public
  • Get firewall zone for interface virbr0
    firewall-cmd --get-zone-of-interface=virbr0
no zone

NOTE: If you have given a wrong ethernet interface name, it will not complain about the name, but just list no zone!

To list the interfaces of all zones, use this command:

  • Get intefaces of all zones
    for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-interfaces --zone=$z; done
=== FedoraServer:
 
=== FedoraWorkstation:
 
=== block:
 
=== dmz:
 
=== drop:
 
=== external:
 
=== home:
 
=== internal:
 
=== public:
enp0s31f6
=== trusted:
 
=== work:

Firewall services

A lot of services are preconfigured (port(s) and protocol(s)). Each zone can have different services, to list all services of default zone, use following command:

  • List all services for default zones
    firewall-cmd --list-all-services
ssh mdns dhcpv6-client
  • List all services for a defined zones
    firewall-cmd --list-services --zone=<zone name>
ssh mdns dhcpv6-client

If you want to list all services, you can use this for loop:

  • Get services of all zones (per zone)
    for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-services --zone=$z; done
=== FedoraServer:
ssh dhcpv6-client
=== FedoraWorkstation:
dhcpv6-client ssh samba-client
=== block:
 
=== dmz:
ssh
=== drop:
 
=== external:
ssh
=== home:
ssh mdns samba-client dhcpv6-client
=== internal:
ssh mdns samba-client dhcpv6-client
=== public:
ssh mdns dhcpv6-client
=== trusted:
 
=== work:
ssh mdns dhcpv6-client

Sometimes you want to have more information about a service configuration, which is pre-defined.

  • Show service configuration
    firewall-cmd --info-service=vnc-server
vnc-server
  ports: 5900-5903/tcp
  protocols:
  source-ports:
  modules:
  destination:

Firewall ports

If the port is not defined in a pre-defined service, you also can add ports to the configuration of the firewall. Here, I show how-to list these ports in a zone.

  • List active port in a zone
    firewall-cmd --list-ports --zone=public
8080/tcp 8443/tcp
  • Get default firewall zone
    firewall-cmd --get-default-zone
public

Configure

IMPORTANT: Also for the configuration, you can add the –permanent switch, this will make the setting permanent. If you ommit this switch, the setting is set dynamically, it will not survife a reboot!

NOTE: To setup a new service or port, you always should test it in dynamic mode, when fine, use the permanent switch.

NOTE: If you work on only one zone, it makes sense to define this zone as the default zone:

  • Get default firewall 'zone'
    firewall-cmd --set-default-zone=<zone name>

Add a service

NOTE: Don't forget the command to list all services, see «Firewall services»

  • Setup 'http' and 'https' services dynamically
    firewall-cmd --add-service=http --add-service=https --zone=public
success
  • Setup 'http' and 'https' services permanently
    firewall-cmd --permanent --add-service=http --add-service=https --zone=public
success

Firewall ICMP types

  • Get all available firewall icmp types
    firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy 
fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad 
neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable 
no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route 
required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded 
timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable 
ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

IPSET informations

  • Get all 'ipset' types
    firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
  • Show all available ipsets
    firewall-cmd --get-ipsets

Remove services

NOTE: To list all services of the zone, check this out: «Firewall services»

  • Remove 'http' and 'https' services dynamically
    firewall-cmd --remove-service=http --remove-service=https --zone=public
success
  • Remove 'http' and 'https' services permanently
    firewall-cmd --permanent --remove-service=http --remove-service=https --zone=public
success

Add a port

If the service you want to configure is not pre-defined, you can add the ports manually.

  • Setup 8080 and 8443 port dynamically
    firewall-cmd --add-port=8080/tcp --add-port=8443/tcp --zone=public
success
  • Setup 8080 and 8443 ports permanently
    firewall-cmd --permanent --add-port=8080/tcp --add-port=8443/tcp --zone=public
success

Remove ports

NOTE: To list all ports in a zone, refer to «Firewall ports» chapter.

  • Setup 8080 and 8443 port dynamically
    firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
success
  • Setup 8080 and 8443 ports permanently
    firewall-cmd --permanent --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
success

Add interface to zone

Sometimes, it's necesary to add an interface to a zone.

  • Add a interface to a zone
firewall-cmd --add-interface=eth0 --zone=public

Rich rules

Sometimes it's very helpful to define source IP's or IP ranges. To do this, you have to add a rich rule using this switch –add-rich-rule:

Add a subnet (all ports)

In some cases, the whole subnet with enabling all ports is required. Next rule shows how-to.

  • Add the whole subnet (192.168.11.0/24, TCP) to config:
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=tcp accept' --zone=public
firewall-cmd --reload
  • The same, but for UDP:
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=udp accept' --zone=public
firewall-cmd --reload

Rich rule for nfs service

In this example, I add a rule for NFS service, which allows connections from '192.168.122.0/24' subnet.

  • Setup 'nfs' service to allow only from '192.168.122.0/24' network
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
success

Rich rule for ports

It is also possible to add as specified port (in this case '389' for LDAP). This allows all connections from '192.168.122.0/24' subnet on this port:

  • Setup port 389 to allow only from 192.168.122.0/24 network
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
success

NOTE: This could also be done using the service rule!

Rich rule for a UDP port

Sometimes, you also need some UDP port open. For example DNS:

  • Setup UDP port 53 for DNS service:
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" port protocol=udp port=53 accept' --zone=public
firewall-cmd --reload

Add/remove rich rules

Sometimes it's necessary to add/remove special rules. For example you want to allow access to MySQL port '3306', but only from a defined source (IP). This can be done by using rich rules, the next example shows the how-to:

  • Add a rich rule
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
  • Remove a rich rule
    firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public

IMPORTANT: In this example the rule is not defined permanently!

Forwarding ports

If you want to forward a port from extern to an internal network, you have to configure this on the external zone.

  • Allow port 5665 to internal network IP 192.168.122.20
    firewall-cmd --permanent --zone=external --add-forward-port=port=5665:proto=tcp:toaddr=192.168.122.20
  • Allow port 2222 to internal network IP 192.168.122.17 port 22
    firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
  • List forwarded ports
    firewall-cmd --zone=external --list-forward-ports
port=5665:proto=tcp:toport=:toaddr=192.168.122.20
port=2222:proto=tcp:toport=22:toaddr=192.168.122.17

IPSET

To setup a blacklist using ipset, you have to follow this example:

  1. If you want to add first an old (active) ipset rule, do following:
    ipset save blockednets > blockednets.ipset
sed -e 's/^add blockednets //' blockednets.ipset | grep -Ev '^create' > blockednets
  2. Create the 'hash:net' ipset hash:
    firewall-cmd --permanent --new-ipset=blockednets --type=hash:net
  3. Add the network, you want to drop, from a file list. Each line must have only one IP:
    firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list
  4. Optionally add additional networks:
    firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
  5. Optionally check the ipset list:
    firewall-cmd --ipset=blockednets --get-entries
  6. Shows the permanent entries in a ipset:
    firewall-cmd --permanent --ipset=blockednets --get-entries
  7. Add the ipset to the firewalld 'drop' zone and List forwarded ports:
    firewall-cmd --permanent --zone=drop --add-source=ipset:blockednets
  8. Reload firewalld after these changes:
    firewall-cmd --reload

Queries

  • List all ipsets
    firewall-cmd --get-ipsets
  • List ipset sources
    firewall-cmd --permanent --list-sources --zone=drop
  • Example result for the drop zone
    ipset:blockednets ipset:blacklist

Example

Here an example, how-to add an official blacklist into ipset:

  • Example to install the chinese IP's in the blacklist ipset
    firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet \
 --option=hashsize=4096 --option=maxelem=200000
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
mkdir -p zones
cd zones
tar -xzf ../all-zones.tar.gz cn.zone
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=cn.zone
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
firewall-cmd --reload
  • firewalld.1550247123.txt.gz
  • Last modified: 2019/02/15 17:12
  • by admin