Firewall daemon
General
In this manual I just list the basic commands to set up and configure an iptables firewall using the firewalld agent.
IMPORTANT: The agent firewalld.service must be started before you can use the firewall-cmd command!
NOTE: To most commands you can add the --permanent option to query or change the permanent settings (not the dynamic runtime ones!). To make a change both permanent and immediately active, either use the --permanent option and then run firewall-cmd --reload, or run the command first with --permanent and then the same command again without --permanent.
- List all options for firewall-cmd
firewall-cmd --help
Firewall zones
- Get default firewall zone
firewall-cmd --get-default-zone
  public
- Set the default zone
firewall-cmd --set-default-zone=myzone
- Get all active firewall zones
firewall-cmd --get-active-zones
  public
    interfaces: enp0s31f6
To list everything in one zone, you can use the --list-all switch:
- List everything in a zone
firewall-cmd --list-all --zone=public
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: enp0s31f6
    sources:
    services: ssh mdns dhcpv6-client http https
    ports: 8080/tcp 8443/tcp
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
- Get all firewall zones
firewall-cmd --get-zones
  FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
- Get all firewall (preconfigured) services
firewall-cmd --get-services
  RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kde-connect kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
Firewall interfaces
- Get firewall zone for interface enp0s31f6
firewall-cmd --get-zone-of-interface=enp0s31f6
  public
- Get firewall zone for interface virbr0
firewall-cmd --get-zone-of-interface=virbr0
  no zone
NOTE: If you give a wrong interface name, the command does not complain about the name but just prints "no zone"!
To list the interfaces of all zones, use this command:
- Get interfaces of all zones
for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-interfaces --zone=$z; done
  === FedoraServer:
  === FedoraWorkstation:
  === block:
  === dmz:
  === drop:
  === external:
  === home:
  === internal:
  === public:
  enp0s31f6
  === trusted:
  === work:
Firewall services
A lot of services are preconfigured (port(s) and protocol(s)). Each zone can have different services. To list all services of the default zone, use the following command:
- List all services of the default zone
firewall-cmd --list-services
  ssh mdns dhcpv6-client
- List all services of a given zone
firewall-cmd --list-services --zone=<zone name>
  ssh mdns dhcpv6-client
If you want to list the services of all zones, you can use this for loop:
- Get services of all zones (per zone)
for z in $(firewall-cmd --get-zones); do echo "=== $z:"; firewall-cmd --list-services --zone=$z; done
  === FedoraServer:
  ssh dhcpv6-client
  === FedoraWorkstation:
  dhcpv6-client ssh samba-client
  === block:
  === dmz:
  ssh
  === drop:
  === external:
  ssh
  === home:
  ssh mdns samba-client dhcpv6-client
  === internal:
  ssh mdns samba-client dhcpv6-client
  === public:
  ssh mdns dhcpv6-client
  === trusted:
  === work:
  ssh mdns dhcpv6-client
Sometimes you want more information about the configuration of a pre-defined service.
- Show service configuration
firewall-cmd --info-service=vnc-server
  vnc-server
    ports: 5900-5903/tcp
    protocols:
    source-ports:
    modules:
    destination:
Firewall ports
If the port is not defined in a pre-defined service, you can also add ports directly to the firewall configuration. Here I show how to list these ports in a zone.
- List active ports in a zone
firewall-cmd --list-ports --zone=public
  8080/tcp 8443/tcp
- Get default firewall zone
firewall-cmd --get-default-zone
  public
Configure
IMPORTANT: Also for the configuration you can add the --permanent switch, which makes the setting permanent. If you omit this switch, the setting is only set dynamically and will not survive a reboot!
NOTE: When you set up a new service or port, you should always test it in dynamic mode first; when it works fine, repeat the command with the --permanent switch.
NOTE: If you work on only one zone, it makes sense to define this zone as the default zone:
- Set the default firewall zone
firewall-cmd --set-default-zone=<zone name>
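As an added example (not part of the original page), the following script compares the dynamic (runtime) and the permanent listing of a zone and prints the services and ports that exist only on one side, so settings that would be lost on reboot are easy to spot. The helper names zone_field, set_diff, zone_drift and live_zone_drift are my own, and the two listings are constructed sample output in the format of firewall-cmd --list-all --zone=public.

```shell
# zone_field: print the value of one single-word field (e.g. "services") from
# "firewall-cmd --list-all" output read on stdin.
zone_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^ +/, ""); print }'
}

# set_diff: print the space-separated tokens of list $1 that are absent from list $2.
set_diff() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bb, " "); for (i = 1; i <= n; i++) seen[bb[i]] = 1
        m = split(a, aa, " ")
        for (i = 1; i <= m; i++) if (!(aa[i] in seen)) out = out (out == "" ? "" : " ") aa[i]
        print out
    }'
}

# zone_drift: $1 = runtime --list-all text, $2 = permanent --list-all text.
# Prints one line per difference; no output means both configurations agree.
zone_drift() {
    for f in services ports; do
        rt=$(printf '%s\n' "$1" | zone_field "$f")
        pm=$(printf '%s\n' "$2" | zone_field "$f")
        d=$(set_diff "$rt" "$pm"); [ -n "$d" ] && printf 'runtime-only %s: %s\n' "$f" "$d"
        d=$(set_diff "$pm" "$rt"); [ -n "$d" ] && printf 'permanent-only %s: %s\n' "$f" "$d"
    done
    return 0
}

# On a real host, feed the two live listings of a zone (hypothetical wrapper):
live_zone_drift() {
    zone_drift "$(firewall-cmd --list-all --zone="$1")" \
               "$(firewall-cmd --permanent --list-all --zone="$1")"
}

# Constructed sample listings: http, https and 8443/tcp were added only dynamically,
# 9090/tcp only with --permanent and not reloaded yet.
RUNTIME='public (active)
  target: default
  interfaces: enp0s31f6
  services: ssh mdns dhcpv6-client http https
  ports: 8080/tcp 8443/tcp
  rich rules:'
PERMANENT='public
  target: default
  interfaces: enp0s31f6
  services: ssh mdns dhcpv6-client
  ports: 8080/tcp 9090/tcp
  rich rules:'
zone_drift "$RUNTIME" "$PERMANENT"
```

Run it after a change session (or from cron) and an empty result confirms that what is active now is exactly what will come back after a reboot.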
Add a service
NOTE: Don't forget the command to list all services, see «Firewall services».
- Set up the 'http' and 'https' services dynamically
firewall-cmd --add-service=http --add-service=https --zone=public
  success
- Set up the 'http' and 'https' services permanently
firewall-cmd --permanent --add-service=http --add-service=https --zone=public
  success
Firewall ICMP types
- Get all available firewall icmp types
firewall-cmd --get-icmptypes
  address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
IPSET information
- Get all 'ipset' types
firewall-cmd --get-ipset-types
  hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
- Show all available ipsets
firewall-cmd --get-ipsets
Remove services
NOTE: To list all services of the zone, check out «Firewall services».
- Remove the 'http' and 'https' services dynamically
firewall-cmd --remove-service=http --remove-service=https --zone=public
  success
- Remove the 'http' and 'https' services permanently
firewall-cmd --permanent --remove-service=http --remove-service=https --zone=public
  success
Add a port
If the service you want to configure is not pre-defined, you can add the ports manually.
- Set up ports 8080 and 8443 dynamically
firewall-cmd --add-port=8080/tcp --add-port=8443/tcp --zone=public
  success
- Set up ports 8080 and 8443 permanently
firewall-cmd --permanent --add-port=8080/tcp --add-port=8443/tcp --zone=public
  success
Remove ports
NOTE: To list all ports in a zone, refer to the «Firewall ports» chapter.
- Remove ports 8080 and 8443 dynamically
firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
  success
- Remove ports 8080 and 8443 permanently
firewall-cmd --permanent --remove-port=8080/tcp --remove-port=8443/tcp --zone=public
  success
Add interface to zone
Sometimes it's necessary to add an interface to a zone.
- Add an interface to a zone
firewall-cmd --add-interface=eth0 --zone=public
Rich rules
Sometimes it's very helpful to restrict a rule to source IPs or IP ranges. To do this, you have to add a rich rule using the --add-rich-rule switch:
Add a subnet (all ports)
In some cases a whole subnet must be allowed on all ports. The next rule shows how to do this.
- Add the whole subnet (192.168.11.0/24, TCP) to the config:
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=tcp accept' --zone=public
firewall-cmd --reload
- The same, but for UDP:
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" protocol value=udp accept' --zone=public
firewall-cmd --reload
Rich rule for nfs service
In this example, I add a rule for the NFS service which allows connections only from the '192.168.122.0/24' subnet.
- Set up the 'nfs' service to allow access only from the '192.168.122.0/24' network
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
  success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" service name="nfs" accept' --zone=public
  success
Rich rule for ports
It is also possible to add a specific port (in this case '389' for LDAP). This allows connections from the '192.168.122.0/24' subnet on this port only:
- Set up port 389 to allow access only from the 192.168.122.0/24 network
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
  success
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="389" protocol="tcp" accept' --zone=public
  success
NOTE: This could also be done using the service rule (service name="ldap")!
Rich rule for a UDP port
Sometimes you also need a UDP port open, for example for DNS:
- Set up UDP port 53 for the DNS service:
firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.11.0/24" port port="53" protocol="udp" accept' --zone=public
firewall-cmd --reload
Add/remove rich rules
Sometimes it's necessary to add or remove special rules. For example, you want to allow access to the MySQL port '3306', but only from a defined source (IP or network). This can be done using rich rules; the next example shows how:
- Add a rich rule
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
- Remove a rich rule
firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="192.168.122.0/24" port port="3306" protocol="tcp" accept' --zone=public
IMPORTANT: In this example the rule is not defined permanently (no --permanent switch)!
Direct rules
In some cases a rule cannot be implemented with the standard firewalld commands (including rich rules). In such a case you can add direct rules, written in the syntax of the corresponding backend firewall (iptables or nftables syntax).
Check that the rule ends up at the position in the chain where you expect it (the order of the rules is very important!).
You should not use direct rules if you can do the same using other firewalld rules!
List all active direct rules
firewall-cmd --direct --get-all-rules
Add a direct rule
The syntax for adding a direct rule is quite similar to the backend firewall (iptables, ebtables or nftables). Here is an example:
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
Remove a direct rule
To remove a direct rule, the syntax is the same, except for --remove-rule:
firewall-cmd --permanent --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
firewall-cmd --direct --remove-rule ipv4 filter FORWARD 1 -i ens192 -j DROP
Forwarding ports
If you want to forward a port from outside to an internal network, you have to configure this on the external zone.
- Forward port 5665 to the internal network IP 192.168.122.20
firewall-cmd --permanent --zone=external --add-forward-port=port=5665:proto=tcp:toaddr=192.168.122.20
- Forward port 2222 to port 22 of the internal network IP 192.168.122.17
firewall-cmd --permanent --zone=external --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
- List forwarded ports
firewall-cmd --zone=external --list-forward-ports
  port=5665:proto=tcp:toport=:toaddr=192.168.122.20
  port=2222:proto=tcp:toport=22:toaddr=192.168.122.17
IPSET
To set up a blacklist using ipset, follow this example:
- If you first want to take over an existing (active) ipset, export its entries to a plain list file:
ipset save blockednets > blockednets.ipset
sed -e 's/^add blockednets //' blockednets.ipset | grep -Ev '^create' > blockednets
- Create the 'hash:net' ipset:
firewall-cmd --permanent --new-ipset=blockednets --type=hash:net
- Add the networks you want to drop from a list file. Each line must contain only one IP or network:
firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list
- Optionally add additional networks:
firewall-cmd --permanent --ipset=blockednets --add-entry=119.6.204.0/24
- Optionally check the (dynamic) ipset entries:
firewall-cmd --ipset=blockednets --get-entries
- Show the permanent entries of an ipset:
firewall-cmd --permanent --ipset=blockednets --get-entries
- Add the ipset as a source of the firewalld 'drop' zone:
firewall-cmd --permanent --zone=drop --add-source=ipset:blockednets
- Reload firewalld after these changes:
firewall-cmd --reload
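As an added example (not from the original page), this script turns the 'ipset save' output from the first step into the one-entry-per-line file that --add-entries-from-file expects and rejects every line that is not exactly one IPv4 address or network, so a malformed list is caught before it reaches the firewall. The function names ipset_save_to_list and validate_net_list and all sample input are my own constructions.

```shell
# ipset_save_to_list: $1 = set name; stdin = output of "ipset save <name>".
# Same sed/grep step as in the procedure above, wrapped in a function.
ipset_save_to_list() {
    grep -Ev '^create' | sed -e "s/^add $1 //"
}

# validate_net_list: stdin = candidate list. Prints accepted entries; rejected
# lines go to stderr. Exit status 1 if anything was rejected, so a script can
# stop before calling --add-entries-from-file.
validate_net_list() {
    awk '
    function octets_ok(ip,   p, n, i) {
        n = split(ip, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++) if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    {
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")   # tolerate surrounding whitespace
        if ($0 == "" || $0 ~ /^#/) next           # skip blank and comment lines
        bad_line = 0
        if (NF != 1) bad_line = 1                 # "one entry per line", nothing else
        else {
            ip = $1; plen = 32
            if (index($1, "/")) { split($1, h, "/"); ip = h[1]; plen = h[2] }
            if (!octets_ok(ip) || plen !~ /^[0-9]+$/ || plen + 0 > 32) bad_line = 1
        }
        if (bad_line) { bad++; print "rejected: " $0 > "/dev/stderr"; next }
        print $1
    }
    END { exit (bad > 0) }'
}

# Constructed sample inputs (documentation ranges, not a real block list).
SAVE_OUTPUT='create blockednets hash:net family inet hashsize 1024 maxelem 65536
add blockednets 203.0.113.0/24
add blockednets 198.51.100.7'
LIST_FILE='192.0.2.0/24
 192.0.2.5
203.0.113.0/24 203.0.113.1
999.1.1.1
# comment
10.0.0.0/33'

printf '%s\n' "$SAVE_OUTPUT" | ipset_save_to_list blockednets
# Two valid lines survive; three are reported on stderr and the status is 1.
printf '%s\n' "$LIST_FILE" | validate_net_list || echo "fix the list before loading it"
```

In practice, write the accepted output to the list file and only then run firewall-cmd --permanent --ipset=blockednets --add-entries-from-file=list.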
Queries
- List all ipsets
firewall-cmd --get-ipsets
- List ipset sources
firewall-cmd --permanent --list-sources --zone=drop
- Example result for the drop zone
  ipset:blockednets ipset:blacklist
Example
Here is an example of how to add an official blacklist into an ipset:
- Example: install the Chinese IP ranges in the 'blacklist' ipset
firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet \
    --option=hashsize=4096 --option=maxelem=200000
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
mkdir -p zones
cd zones
tar -xzf ../all-zones.tar.gz cn.zone
firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=cn.zone
firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
firewall-cmd --reload
NOTE: The list is downloaded over plain HTTP, so check the contents of cn.zone (one network per line) before loading it into the firewall.