Managing Your Firewall on Centos 7 with Firewalld

Understanding How Firewalld Works

# systemctl start firewalld && systemctl enable firewalld
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
# firewall-cmd --state
running

The Purpose of Zones in Firewalld

  • trusted (immutable): all network connections are allowed
  • drop (immutable): all incoming packets are dropped with no reply; outgoing packets are accepted
  • block (immutable): all incoming packets are rejected with an ICMP host-prohibited message to the sender
  • public (mutable): the default zone for every newly created network interface. It represents a public area on an untrusted network where only selected incoming connections are accepted; the other computers on the network are not trusted.
  • external (mutable): for external networks with NAT masquerading enabled, where only selected incoming packets are accepted, protecting a local network.
  • dmz (mutable): for publicly accessible computers in a demilitarized zone; only selected incoming packets are accepted, and the computer has limited access to the internal network.
  • home (mutable): for trusted home networks, with only selected incoming packets accepted. Most computers on the same network are trusted.
  • work (mutable): for trusted work networks, with only selected incoming connections accepted.
  • internal (mutable): for internal networks, with restrictions on incoming connections.
# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
# cat /usr/lib/firewalld/zones/dmz.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>DMZ</short>
<description>For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
</zone>

Manage the Zones with firewall-cmd

  • --get-zones: displays all the zones available in your environment
  • --get-default-zone: shows the current default zone
  • --list-all: lists the configuration (interfaces, services, ports, ...) of the default zone only
  • --list-all-zones: lists the configuration of all zones at once
  • --get-active-zones: shows all the active zones. You can have more than one active zone.
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# firewall-cmd --get-default-zone
public
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33 ens34
sources:
services: dhcpv6-client ssh
ports: 3389/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --get-active-zones
public
interfaces: ens33 ens34
# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


public (active)
target: default
icmp-block-inversion: no
interfaces: ens33 ens34
sources:
services: dhcpv6-client ssh
ports: 3389/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --zone=dmz --list-all
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
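Reading a long --list-all-zones dump by eye is error-prone, so here is an added example (my own code, not from the article) that audits a captured dump offline: it flags any zone bound to an interface or source that either accepts everything (target ACCEPT, as the trusted zone does) or opens raw port numbers beyond named services, like the 3389/tcp seen on public above. The function names and the sample dump are mine.

```shell
#!/bin/bash
# Constructed sample in firewall-cmd's output format; 'trusted' is bound to
# an interface on purpose so the ACCEPT check has something to flag.
SAMPLE_DUMP='public (active)
  target: default
  interfaces: ens33 ens34
  sources:
  services: dhcpv6-client ssh
  ports: 3389/tcp

trusted (active)
  target: ACCEPT
  interfaces: ens35
  sources:
  services:
  ports:

dmz
  target: default
  interfaces:
  sources:
  services: ssh
  ports:'

# zone_field DUMP ZONE FIELD -> value of FIELD in ZONE ("" if empty/absent).
# Works on indented (real) and unindented (as pasted in the article) dumps.
zone_field() {
    printf '%s\n' "$1" | awk -v z="$2" -v f="$3:" '
        NF && $1 !~ /:$/ { cur = $1; next }        # zone header line
        cur == z && $1 == f { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# audit_zones DUMP -> one finding per line, returns 1 if any. Flags zones bound
# to an interface/source that accept everything or expose raw port numbers.
audit_zones() {
    local dump="$1" rc=0 z ifs srcs ports
    for z in $(printf '%s\n' "$dump" | awk 'NF && $1 !~ /:$/ { print $1 }'); do
        ifs=$(zone_field "$dump" "$z" interfaces)
        srcs=$(zone_field "$dump" "$z" sources)
        [ -z "$ifs$srcs" ] && continue              # zone not in use
        if [ "$(zone_field "$dump" "$z" target)" = ACCEPT ]; then
            echo "$z: target ACCEPT on [$ifs$srcs] allows all traffic"; rc=1
        fi
        ports=$(zone_field "$dump" "$z" ports)
        [ -n "$ports" ] && { echo "$z: raw ports open: $ports"; rc=1; }
    done
    return $rc
}
```

On a live host, run it against the real output with `audit_zones "$(firewall-cmd --list-all-zones)"`.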

Edit a Zone

# firewall-cmd --set-default-zone=work
success
# firewall-cmd --get-default-zone
work
# firewall-cmd --zone=external --change-interface=ens34
success
# firewall-cmd --get-active-zones
work
interfaces: ens33
external
interfaces: ens34
# firewall-cmd --zone=work --query-interface=ens34
no
# firewall-cmd --zone=work --add-masquerade
success
# firewall-cmd --zone=work --list-all | grep masq
masquerade: yes

Firewalld Services

# ls /usr/lib/firewalld/services
amanda-client.xml kadmin.xml puppetmaster.xml
amanda-k5-client.xml kerberos.xml quassel.xml
......
......
https.xml pmwebapi.xml transmission-client.xml
http.xml pop3s.xml vdsm.xml
imaps.xml pop3.xml vnc-server.xml
imap.xml postgresql.xml wbem-https.xml
ipp-client.xml privoxy.xml xmpp-bosh.xml
ipp.xml proxy-dhcp.xml xmpp-client.xml
ipsec.xml ptp.xml xmpp-local.xml
iscsi-target.xml pulseaudio.xml xmpp-server.xml
# cat /usr/lib/firewalld/services/https.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Secure WWW (HTTPS)</short>
<description>HTTPS is a modified HTTP used to serve Web pages when security is important. Examples are sites that require logins like stores or web mail. This option is not required for viewing pages locally or developing Web pages. You need the httpd package installed for this option to be useful.</description>
<port protocol="tcp" port="443"/>
</service>

Manage Services with Firewalld

# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry
....
# firewall-cmd --list-services
ssh dhcpv6-client
# firewall-cmd --zone=internal --list-ports

Add and Remove Services and Ports

# firewall-cmd --add-service=https
success
# firewall-cmd --zone=home --add-port=5901-5910/tcp
success
# firewall-cmd --permanent --zone=public --add-port=993/tcp
success
# firewall-cmd --reload 
success
# firewall-cmd --permanent --zone=public --add-port=6350-6400/tcp && firewall-cmd --reload
success
success
# firewall-cmd --permanent --remove-service=https
success
# firewall-cmd --permanent --zone=external --remove-port=143
success
# firewall-cmd --zone=external --query-service=ssh
yes
# firewall-cmd --zone=public --query-port=3389/tcp
yes

Add and Remove a Source

# firewall-cmd --permanent --zone=trusted --add-source=172.16.8.0/24
success
# firewall-cmd --zone=trusted --list-sources
172.16.8.0/24
# firewall-cmd --permanent --zone=trusted --remove-source=172.16.8.0/24
success

Configure Port Forwarding

# firewall-cmd --zone=external --query-masquerade
yes
# firewall-cmd --permanent --zone=external --add-masquerade
# firewall-cmd --permanent --zone=external --add-forward-port=port=143:proto=tcp:toport=4545:toaddr=192.1.0.20
success
# firewall-cmd --permanent --zone=external --remove-forward-port=port=143:proto=tcp:toport=4545:toaddr=192.1.0.20
success

Allow and Block ICMP Packets

# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable
....
....
# firewall-cmd --permanent --zone=external --add-icmp-block=echo-reply
success
# firewall-cmd --zone=external --list-all | grep icmp
icmp-block-inversion: no
icmp-blocks: echo-reply

Add and Remove Multiple Ports and Services at Once

# vim firewalld-ports.sh

#!/bin/bash
for i in 443 465 993 2626 3232
do
firewall-cmd --permanent --zone=public --add-port=${i}/tcp && firewall-cmd --reload
done
# chmod +x firewalld-ports.sh
# ./firewalld-ports.sh
success
success
success
success
success
success
success
# vim firewalld-services.sh

#!/bin/bash
for i in https imaps snmp smtps
do
firewall-cmd --permanent --zone=public --add-service=${i} && firewall-cmd --reload
done
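A sturdier version of the port loop above, added here as my own example rather than the article's script: it validates every port spec before touching the permanent configuration, reloads only once instead of on every iteration, and confirms each port afterwards with --query-port. The FW variable is my own hook for substituting a stand-in command when testing the logic off a firewalld host.

```shell
#!/bin/bash
# FW is a hook so the logic can be exercised with a stand-in command; on a
# real host leave it unset and firewall-cmd is called directly.
FW=${FW:-firewall-cmd}

# valid_port_spec "993/tcp" | "6350-6400/tcp" -> 0 if well-formed, else 1.
# firewall-cmd itself rejects bad specs, but checking first means a typo
# in a long list does not leave the zone half-updated.
valid_port_spec() {
    local range lo hi
    case $1 in */tcp|*/udp) ;; *) return 1 ;; esac
    range=${1%/*}
    case $range in *-*-*) return 1 ;; esac        # only one dash allowed
    lo=${range%%-*}; hi=${range##*-}
    case $lo in ''|*[!0-9]*) return 1 ;; esac
    case $hi in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# bulk_add_ports ZONE SPEC... -> validates every spec, adds them all to the
# permanent config, reloads once, then verifies each with --query-port.
# Returns 1 if a spec is malformed (nothing changed) or a port is not open.
bulk_add_ports() {
    local zone="$1" spec rc=0
    shift
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    for spec in "$@"; do
        "$FW" --permanent --zone="$zone" --add-port="$spec" >/dev/null || rc=1
    done
    "$FW" --reload >/dev/null || rc=1
    for spec in "$@"; do
        if "$FW" --zone="$zone" --query-port="$spec" >/dev/null; then
            echo "$zone $spec open"
        else
            echo "$zone $spec MISSING"; rc=1
        fi
    done
    return $rc
}
```

On a host, the equivalent of the article's loop is `bulk_add_ports public 443/tcp 465/tcp 993/tcp 2626/tcp 3232/tcp`.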
