firewalld



In this manual, I just list the basic commands to set up and configure the iptables firewall using the firewalld daemon.

IMPORTANT: The firewalld.service daemon must be started before you can use the firewall-cmd command!

NOTE: For most arguments you can add the --permanent option to list the permanent settings (not the runtime ones!). You can either use the --permanent option followed by the firewall-cmd --reload command, or run the command first with the --permanent option and then run the same command again without --permanent.

  • List all options for firewall-cmd
    firewall-cmd --help
  • Get default firewall zone
    firewall-cmd --get-default-zone
    public
  • Set the default zone
    firewall-cmd --set-default-zone=myzone
  • Get all active firewall zones
    firewall-cmd --get-active-zones
    public
      interfaces: enp0s31f6

To list everything from one zone, you can use the --list-all switch:

  • List everything in a zone
    firewall-cmd --list-all --zone=public
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp0s31f6
      sources:
      services: ssh mdns dhcpv6-client http https
      ports: 8080/tcp 8443/tcp
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
  • Get all firewall zones
    firewall-cmd --get-zones
    FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
  • Get all firewall (preconfigured) services
    firewall-cmd --get-services
    RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc 
    ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch 
    freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https 
    imap imaps ipp ipp-client ipsec iscsi-target kadmin kde-connect kerberos kibana klogin kpasswd kshell ldap ldaps libvirt 
    libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole 
    ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster 
    quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync 
    squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server 
    wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
  • Get firewall zone for interface enp0s31f6
    firewall-cmd --get-zone-of-interface=enp0s31f6
    public
  • Get firewall zone for interface virbr0
    firewall-cmd --get-zone-of-interface=virbr0
    no zone

NOTE: If you give a wrong ethernet interface name, the command does not complain about the name; it just prints "no zone"!

To list the interfaces of all zones, use this command:

  • Get interfaces of all zones
    for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-interfaces --zone=$z; done
    === FedoraServer:
     
    === FedoraWorkstation:
     
    === block:
     
    === dmz:
     
    === drop:
     
    === external:
     
    === home:
     
    === internal:
     
    === public:
    enp0s31f6
    === trusted:
     
    === work:

A lot of services are preconfigured (port(s) and protocol(s)). Each zone can have different services. To list all services of the default zone, use the following command:

  • List all services for the default zone
    firewall-cmd --list-all-services
    ssh mdns dhcpv6-client
  • List all services for a given zone
    firewall-cmd --list-services --zone=<zone name>
    ssh mdns dhcpv6-client

If you want to list the services of all zones, you can use this for loop:

  • Get services of all zones (per zone)
    for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-services --zone=$z; done
    === FedoraServer:
    ssh dhcpv6-client
    === FedoraWorkstation:
    dhcpv6-client ssh samba-client
    === block:
     
    === dmz:
    ssh
    === drop:
     
    === external:
    ssh
    === home:
    ssh mdns samba-client dhcpv6-client
    === internal:
    ssh mdns samba-client dhcpv6-client
    === public:
    ssh mdns dhcpv6-client
    === trusted:
     
    === work:
    ssh mdns dhcpv6-client

Sometimes you want more information about the configuration of a pre-defined service.

  • Show service configuration
    firewall-cmd --info-service=vnc-server
    vnc-server
      ports: 5900-5903/tcp
      protocols:
      source-ports:
      modules:
      destination:

If the port is not covered by a pre-defined service, you can also add ports directly to the firewall configuration. Here, I show how to list these ports in a zone.

  • List active port in a zone
    firewall-cmd --list-ports --zone=public
    8080/tcp 8443/tcp
  • Get default firewall zone
    firewall-cmd --get-default-zone
    public

IMPORTANT: Also for configuration changes, you can add the --permanent switch, which makes the setting permanent. If you omit this switch, the setting is applied at runtime only and will not survive a reboot!

NOTE: When setting up a new service or port, you should always test it in runtime (dynamic) mode first; when it works, use the --permanent switch.
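The following script is an added example (not part of the original page) that turns the two notes above into a check: for every zone it compares the runtime listing with the permanent listing of services, ports, rich rules, sources and interfaces and prints only the differences, so a setting that was tested dynamically but never made permanent (or made permanent but never reloaded) is visible before the next reboot. It assumes firewall-cmd is on the PATH and that it runs as root.

```shell
#!/bin/sh
# Added example: report drift between runtime and permanent firewalld settings.
# Runtime-only items are lost on the next reload/reboot; permanent-only items
# are not enforced until 'firewall-cmd --reload'.

# Print every non-empty line of $1 that does not occur as a whole line in $2.
lines_only_in_first() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$2" | grep -Fqx -e "$line" || printf '%s\n' "$line"
    done
}

# firewall-cmd prints services, ports, sources and interfaces space-separated on
# one line, but one rich rule per line; normalise a listing to one item per line.
one_per_line() {
    if [ "$1" = rich-rules ]; then cat; else tr ' ' '\n'; fi
}

# $1=zone $2=setting $3=runtime listing $4=permanent listing (one item per line).
# Prints nothing when both sides agree.
drift_report() {
    lines_only_in_first "$3" "$4" | sed "s|^|$1 $2 runtime-only (lost on next reload): |"
    lines_only_in_first "$4" "$3" | sed "s|^|$1 $2 permanent-only (inactive until --reload): |"
}

# Walk every zone; only drift lines are printed, so no output means no drift.
audit_firewalld() {
    firewall-cmd --state >/dev/null 2>&1 || { echo "firewalld is not running" >&2; return 1; }
    for zone in $(firewall-cmd --get-zones); do
        for setting in services ports rich-rules sources interfaces; do
            drift_report "$zone" "$setting" \
                "$(firewall-cmd --zone="$zone" --list-"$setting" | one_per_line "$setting")" \
                "$(firewall-cmd --permanent --zone="$zone" --list-"$setting" | one_per_line "$setting")"
        done
    done
}

# Run the audit only when called with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then audit_firewalld; fi
```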

NOTE: If you work on only one zone, it makes sense to define this zone as the default zone:

  • Set the default firewall zone
    firewall-cmd --set-default-zone=<zone name>

NOTE: Don't forget the command to list all services, see «Firewall services»

  • Setup 'http' and 'https' services dynamically
    firewall-cmd --add-service=http --add-service=https --zone=public
    success
  • Setup 'http' and 'https' services permanently
    firewall-cmd --permanent --add-service=http --add-service=https --zone=public
    success
  • Get all available firewall icmp types
    firewall-cmd --get-icmptypes
    address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy 
    fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad 
    neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable 
    no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route 
    required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded 
    timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable 
    ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
  • Get all 'ipset' types
    firewall-cmd --get-ipset-types
    hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
  • Show all available ipsets
    firewall-cmd --get-ipsets

NOTE: To list all services of the zone, check this out: «Firewall services»

  • Remove 'http' and 'https' services dynamically
    firewall-cmd --remove-service=http --remove-service=https --zone=public
    success
  • Remove 'http' and 'https' services permanently
    firewall-cmd --permanent --remove-service=http --remove-service=https --zone=public
    success

If the service you want to configure is not pre-defined, you can add the ports manually.

  • Setup 8080 and 8443 port dynamically
    firewall-cmd --add-port=8080/tcp --add-port=8443/tcp --zone=public
    success
  • Setup 8080 and 8443 ports permanently
    firewall-cmd --permanent --add-port=8080/tcp --add-port=8443/tcp --zone=public
    success

NOTE: To list all ports in a zone, refer to «Firewall ports» chapter.

  • Remove 8080 and 8443 ports dynamically
    firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
    success
  • Remove 8080 and 8443 ports permanently
    firewall-cmd --permanent --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
    success

Sometimes, it's necessary to add an interface to a zone.

  • Add an interface to a zone
    firewall-cmd --add-interface=eth0 --zone=public

Sometimes it's very helpful to restrict access to source IPs or IP ranges. To do this, you have to add a rich rule using the --add-rich-rule switch.

In some cases, you need to allow the whole subnet on all ports. The next rule shows how.

  • Add the whole subnet (192.168.11.0/24, TCP) to config:
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=tcp accept' --zone=public
    firewall-cmd --reload
  • The same, but for UDP:
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=udp accept' --zone=public
    firewall-cmd --reload

In this example, I add a rule for the NFS service which allows connections from the '192.168.122.0/24' subnet.

  • Setup 'nfs' service to allow only from '192.168.122.0/24' network
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
    success
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
    success

It is also possible to allow a specific port (in this case '389' for LDAP). This allows all connections from the '192.168.122.0/24' subnet on this port:

  • Setup port 389 to allow only from 192.168.122.0/24 network
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
    success
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
    success

NOTE: This could also be done using the service rule!

Sometimes you also need a UDP port open, for example for DNS:

  • Setup UDP port 53 for DNS service:
    firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" port protocol=udp port=53 accept' --zone=public
    firewall-cmd --reload

Sometimes it's necessary to add or remove special rules. For example, you want to allow access to the MySQL port '3306', but only from a defined source (IP or network). This can be done using rich rules; the next example shows how:

  • Add a rich rule
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
  • Remove a rich rule
    firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public

IMPORTANT: In this example the rule is not defined permanently!

In some cases, a rule cannot be implemented using the standard firewalld commands (including rich rules). In such a case, you can add direct rules, written in the syntax of the underlying firewall (iptables or nftables syntax).

  • List all direct rules
    firewall-cmd --direct --get-all-rules

The syntax for adding a direct rule is very similar to that of the underlying firewall (iptables, ebtables or nftables). Here is an example:

  • Drop forwarded traffic entering on ens192 (permanently and at runtime)
    firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
    firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP

To remove a direct rule, the syntax is the same, except for --remove-rule:

  • Remove the direct rule again (permanently and at runtime)
    firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
    firewall-cmd --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP

If you want to forward a port from outside to an internal network, you have to configure this on the external zone.

  • Allow port 5665 to internal network IP 192.168.122.20
    firewall-cmd --permanent --zone=external --add-forward-port=port=5665:proto=tcp:toaddr=192.168.122.20
  • Allow port 2222 to internal network IP 192.168.122.17 port 22
    firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
  • List forwarded ports
    firewall-cmd --zone=external --list-forward-ports
    port=5665:proto=tcp:toport=:toaddr=192.168.122.20
    port=2222:proto=tcp:toport=22:toaddr=192.168.122.17

To set up a blacklist using ipset, follow this example:

  1. If you first want to export the entries of an existing (active) ipset, do the following:
    ipset save blockednets > blockednets.ipset
    sed -e 's/^add blockednets //' blockednets.ipset | grep -Ev '^create' > blockednets
  2. Create the ipset of type 'hash:net':
    firewall-cmd --permanent --new-ipset=blockednets --type=hash:net
  3. Add the networks you want to drop from a file list. Each line must contain only one IP or network:
    firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list
  4. Optionally add additional networks:
    firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
  5. Optionally check the ipset list:
    firewall-cmd --ipset=blockednets --get-entries
  6. Show the permanent entries of an ipset:
    firewall-cmd --permanent --ipset=blockednets --get-entries
  7. Add the ipset as a source to the firewalld 'drop' zone:
    firewall-cmd --permanent --zone=drop --add-source=ipset:blockednets
  8. Reload firewalld after these changes:
    firewall-cmd --reload
  • List all ipsets
    firewall-cmd --get-ipsets
  • List ipset sources
    firewall-cmd --permanent --list-sources --zone=drop
  • Example result for the drop zone
    ipset:blockednets ipset:blacklist

Here is an example of how to add an official blacklist to an ipset:

  • Example to install the Chinese IP ranges in the 'blacklist' ipset
    firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet \
     --option=hashsize=4096 --option=maxelem=200000
    wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
    mkdir -p zones
    cd zones
    tar -xzf ../all-zones.tar.gz cn.zone
    firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=cn.zone
    firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
    firewall-cmd --reload
  • Last modified: 2019/10/22 08:28
  • by admin