Firewalld

Concepts

FirewallD is a front-end controller for iptables used to implement persistent network traffic rules. It provides command-line and graphical interfaces and is available in the repositories of most Linux distributions. Working with FirewallD has two main differences compared to controlling iptables directly:

  1. FirewallD uses zones and services instead of chains and rules.
  2. It manages rulesets dynamically, allowing updates without breaking existing sessions and connections.

FirewallD is a wrapper that makes iptables rules easier to manage; it is not an iptables replacement (firewalld releases from 0.6 on use an nftables backend by default, but the zone/service model described here is unchanged). The iptables commands still work on a FirewallD host, but rules added that way are not tracked by the daemon and can be removed when it reloads or restarts, so use only FirewallD commands on a FirewallD-managed system.

firewalld has a two-layer design: a core layer and a D-Bus layer on top of it. The core layer handles the configuration and the back ends (iptables, ip6tables, ebtables, ipset and the module loader). The D-Bus interface is the primary way to alter and create the firewall configuration; it is used by all the online tools firewalld provides, such as firewall-cmd, firewallctl, firewall-config and firewall-applet.

firewall-offline-cmd does not talk to firewalld. It alters and creates firewalld's configuration files directly, using the firewalld core with its I/O handlers. It can be used while firewalld is running, but this is not recommended: it can only change the permanent configuration, and the running daemon picks those file changes up only after a delay of about five seconds.

A firewall zone defines the trust level for a connection, interface or source address binding. This is a one-to-many relation: a connection, interface or source can belong to only one zone, while a zone can hold many connections, interfaces and sources.

A firewalld service is a list of local ports and destinations and, optionally, a list of netfilter helper modules that are loaded automatically when the service is enabled. Predefined services make it easier to enable and disable access to a service without remembering its ports.

An ipset can be used to group several IP or MAC addresses together. An ipset for IP addresses is usable for either IPv4 or IPv6, not both; this is defined by the family setting of the ipset, which is inet (the default) or inet6. With ipsets, the number of rules needed for deny or allow listing, for example, shrinks to a few rules that reference one set, however long the list of addresses in it; the exact number depends on the use case.
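As an added example (not code from the original post or from the firewalld project), the script below validates a constructed list of IPv4 networks, loads the good entries into a firewalld ipset and binds the set to the drop zone, so that one source binding replaces one rule per address. The set name blocklist, the zone and the addresses (RFC 5737 documentation ranges) are assumptions for illustration; the validation is done first because firewall-cmd rejects the whole --add-entries-from-file call on a malformed line.

```shell
#!/bin/sh
# Added example for this page (not firewalld project code).
# Constructed sample input; not real threat data. Two entries are deliberately malformed.
BLOCKLIST='# constructed sample list
203.0.113.0/24
198.51.100.77
192.0.2.300
10.0.0.0/33
198.51.100.0/25'

# valid_ipv4_net a.b.c.d[/n]: succeed only if every octet is 0-255 and the
# prefix length, when given, is 0-32.
valid_ipv4_net() {
    case "$1" in
        */*) addr=${1%/*}; plen=${1#*/} ;;
        *)   addr=$1;      plen=32 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# filter_entries <infile> <outfile>: copy valid entries to outfile, skipping blank
# and comment lines; report rejected entries on stderr and fail if there were any.
filter_entries() {
    bad=0
    : > "$2"
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        if valid_ipv4_net "$entry"; then
            printf '%s\n' "$entry" >> "$2"
        else
            printf 'rejected: %s\n' "$entry" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# apply_blocklist <file>: create the set permanently, load the entries, bind the
# set to the drop zone and activate. Requires root and a running firewalld.
# --new-ipset fails if the set already exists; delete it first for a rebuild.
apply_blocklist() {
    firewall-cmd --permanent --new-ipset=blocklist --type=hash:net
    firewall-cmd --permanent --ipset=blocklist --add-entries-from-file="$1"
    firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist
    firewall-cmd --reload
    firewall-cmd --ipset=blocklist --get-entries
}

tmp=$(mktemp)
printf '%s\n' "$BLOCKLIST" > "$tmp"
filter_entries "$tmp" "$tmp.ok" || echo "some entries were rejected; loading only the valid ones" >&2
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apply_blocklist "$tmp.ok"
else
    echo "firewall-cmd not available or not root; validated list left in $tmp.ok" >&2
fi
```

hash:net with the default family only holds IPv4 entries; an IPv6 list needs a second set created with --option=family=inet6. Binding the set as a source of the drop zone means packets from those networks are dropped before any other zone's rules are considered, because source bindings are evaluated before interface bindings.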

The Internet Control Message Protocol (ICMP) is used to exchange information and also error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages.

firewalld does not depend on NetworkManager, but using it is recommended. Without NetworkManager there are some limitations: firewalld is not notified about network device renames, and if firewalld starts after the network is already up, existing connections and manually created interfaces are not bound to a zone. You can add them with firewall-cmd [--permanent] --zone=zone --add-interface=interface, but if an /etc/sysconfig/network-scripts/ifcfg-<interface> file exists, the zone given there with ZONE=zone must be the same (or both must be empty/missing, meaning the default zone); otherwise the behaviour is undefined. On systems that support ifcfg files, the zone can be stored in the ifcfg file with the ZONE= option; if the option is missing or empty, firewalld's default zone is used.

Configuration directories

Firewalld is configured with XML files. Except for very specific configurations you will not need to edit them directly; use firewall-cmd instead.

Configuration files are located in two directories:

  • /usr/lib/firewalld holds the default configuration (default zones, common services, icmptypes). Do not edit these files: they are overwritten by every firewalld package update.
  • /etc/firewalld holds the system configuration, created by the administrator by hand or through firewalld's configuration interfaces. A file here overrides the default file of the same name in /usr/lib/firewalld.

/etc/firewalld/
|– firewalld.conf   If /etc/firewalld does not exist or contains no configuration, firewalld starts with the default configuration and the default settings for firewalld.conf. The main settings are:

DefaultZone=public => The zone used for interfaces and sources that are not bound to another zone.

MinimalMark=100 => Marks up to this minimum are free for use, for example in the direct interface. If more free marks are needed, increase the minimum.

CleanupOnExit=yes => If set to no or false, the firewall configuration is not cleaned up when firewalld exits or is stopped.

Lockdown=no => If set to yes, firewall changes through the D-Bus interface are limited to the applications listed in the lockdown whitelist, lockdown-whitelist.xml.

IPv6_rpfilter=yes => Performs a reverse path filter test on IPv6 packets: a packet is accepted if the reply to it would be sent via the interface it arrived on, otherwise it is dropped. The rp_filter for IPv4 is controlled with sysctl (net.ipv4.conf.*.rp_filter), not by firewalld.

IndividualCalls=no => Do not use combined -restore calls but individual calls. This increases the time needed to apply changes and to start the daemon, but is useful for debugging.

LogDenied=off => Adds logging rules right before the reject and drop rules in the INPUT, FORWARD and OUTPUT chains of the default rules and before the final reject and drop rules of the zones. Possible values: all, unicast, broadcast, multicast and off. Set it to all when investigating why a connection is blocked; the resulting kernel log lines carry prefixes such as FINAL_REJECT: and can be read with dmesg or journalctl -k.

 

|– icmptypes
|– lockdown-whitelist.xml
|– services
`– zones
    |– public.xml
    `– public.xml.old   (backup written by firewalld when it rewrites the zone file)

/usr/lib/firewalld/ The directory /usr/lib/firewalld contains the default and fallback configuration provided by firewalld for icmptypes, services and zones. The files shipped with the firewalld package should not be changed; any changes are lost with the next update of the package. Additional icmptypes, services and zones can be provided by other packages or by creating files in /etc/firewalld.
|– icmptypes
|   |– destination-unreachable.xml
|   |– echo-reply.xml
|   |– echo-request.xml
|   |– parameter-problem.xml
|   |– redirect.xml
|   |– router-advertisement.xml
|   |– router-solicitation.xml
|   |– source-quench.xml
|   |– time-exceeded.xml
|   |– timestamp-reply.xml
|   `– timestamp-request.xml

example icmptypes:

---------------------------------------------echo-request---------------------------------------------

<?xml version="1.0" encoding="utf-8"?>
<icmptype>
  <short>Echo Request (ping)</short>
  <description>This message is used to test if a host is reachable mostly with the ping utility.</description>
</icmptype>

---------------------------------------------echo-reply---------------------------------------------

<?xml version="1.0" encoding="utf-8"?>
<icmptype>
  <short>Echo Reply (pong)</short>
  <description>This message is the answer to an Echo Request.</description>
</icmptype>

----------------------------------------------------------------------------------------------------

 

|– ipsets
|   `– README
|– services   (one .xml file per predefined service; the listing for this package version:)
|   amanda-client  amanda-k5-client  bacula-client  bacula  ceph-mon  ceph  dhcpv6-client  dhcpv6  dhcp  dns
|   docker-registry  dropbox-lansync  freeipa-ldaps  freeipa-ldap  freeipa-replication  ftp  high-availability
|   https  http  imaps  imap  ipp-client  ipp  ipsec  iscsi-target  kadmin  kerberos  kpasswd  ldaps  ldap
|   libvirt-tls  libvirt  mdns  mosh  mountd  ms-wbt  mysql  nfs  ntp  openvpn  pmcd  pmproxy  pmwebapis  pmwebapi
|   pop3s  pop3  postgresql  privoxy  proxy-dhcp  ptp  pulseaudio  puppetmaster  radius  RH-Satellite-6  rpc-bind
|   rsyncd  samba-client  samba  sane  smtps  smtp  snmptrap  snmp  squid  ssh  synergy  syslog-tls  syslog
|   telnet  tftp-client  tftp  tinc  tor-socks  transmission-client  vdsm  vnc-server  wbem-https  xmpp-bosh
|   xmpp-client  xmpp-local  xmpp-server

You can get more details about each of these services by looking at the associated .xml file in /usr/lib/firewalld/services. For instance, the SSH service is defined like this:

---------------------------------------------

/usr/lib/firewalld/services/ssh.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

---------------------------------------------

You can enable a service for a zone with the --add-service= parameter. The operation targets the default zone, or the zone given with --zone=. By default this only changes the running (runtime) firewall; add --permanent to change the persistent configuration instead, which leaves the running firewall untouched until it is reloaded.

---------------------------------------------

The firewall services included with the firewalld installation cover many of the most common requirements for applications you may wish to allow access to. There will, however, be scenarios where these services do not fit your requirements.

In this situation, you have two options:

Opening a Port for your Zones
The easiest way to add support for a specific application is to open the ports it uses in the appropriate zone(s). This is as simple as specifying the port or port range and the associated protocol.

Defining a Service

Opening ports for your zones is easy, but it can be difficult to keep track of what each one is for. If you ever decommission a service on the server, you may have a hard time remembering which of the open ports are still required. To avoid this, it is possible to define a service that names the ports, so that one --add-service or --remove-service call opens or closes all of them together.

 

Copy an existing definition as a template and edit the copy (never edit the file in /usr/lib/firewalld; the copy in /etc/firewalld/services takes precedence and survives package updates):

cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml

vi /etc/firewalld/services/example.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Example Service</short>
  <description>This is just an example service. It probably shouldn't be used on a real system.</description>
  <port protocol="tcp" port="7777"/>
  <port protocol="udp" port="8888"/>
</service>

Reload so that firewalld reads the new file, then check that the service is listed:

firewall-cmd --reload

firewall-cmd --get-services

OR create and fill the definition with firewall-cmd, which writes the same kind of XML file to /etc/firewalld/services (service, description, portid, protocol, module and address below are placeholders):

firewall-cmd --permanent --new-service=myservice

firewall-cmd --permanent --service=service --set-description=description
firewall-cmd --permanent --service=service --set-short=description
firewall-cmd --permanent --service=service --add-port=portid[-portid]/protocol
firewall-cmd --permanent --service=service --add-protocol=protocol
firewall-cmd --permanent --service=service --add-source-port=portid[-portid]/protocol
firewall-cmd --permanent --service=service --add-module=module
firewall-cmd --permanent --service=service --set-destination=ipv:address[/mask]

Either way the new service exists only in the permanent configuration until firewall-cmd --reload; after that it can be added to a zone with --add-service=myservice like any predefined service.
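The following script is an added example (not code from the original post or from firewalld) that automates the custom-service procedure above: it generates the service file from port/protocol arguments, escapes XML metacharacters in the description, validates the result against the service.xsd schema that firewalld ships when xmllint is installed, and installs the service into a zone. The service name example and its ports are the page's own sample; the SERVICE_DIR variable is an assumption so that the generator can be pointed at a scratch directory instead of /etc/firewalld/services.

```shell
#!/bin/sh
# Added example for this page (not firewalld project code).

# Escape the characters that would otherwise break or alter the XML.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# write_service_xml <name> <short> <description> <port/proto>...
# Prints the path of the file written. Unknown protocols are rejected before
# anything is written, so a typo cannot leave a half-written file behind.
write_service_xml() {
    name=$1; short=$2; desc=$3; shift 3
    for spec in "$@"; do
        case "${spec#*/}" in tcp|udp|sctp|dccp) ;; *)
            echo "bad port spec: $spec (expected port[-port]/tcp|udp|sctp|dccp)" >&2; return 1 ;;
        esac
    done
    out="${SERVICE_DIR:-/etc/firewalld/services}/$name.xml"   # SERVICE_DIR is an assumption
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    printf '%s\n' "$out"
}

# validate_service_xml <file>: schema-check with xmllint when it and the
# firewalld schema are available; otherwise report that the check was skipped.
validate_service_xml() {
    schema=/usr/lib/firewalld/xmlschema/service.xsd
    if command -v xmllint >/dev/null 2>&1 && [ -r "$schema" ]; then
        xmllint --noout --schema "$schema" "$1"
    else
        echo "schema check skipped (xmllint or $schema missing)" >&2
    fi
}

# install_service <zone> <name> <short> <description> <port/proto>...
# Requires root and a running firewalld. The daemon only sees the new file
# after --reload, and the zone change is permanent, so a second reload activates it.
install_service() {
    zone=$1; shift
    file=$(write_service_xml "$@")
    validate_service_xml "$file"
    firewall-cmd --reload
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$1" || { echo "$1 not loaded" >&2; return 1; }
    firewall-cmd --permanent --zone="$zone" --add-service="$1"
    firewall-cmd --reload
    firewall-cmd --zone="$zone" --list-services
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    install_service public example "Example Service" \
        "Example service for the custom-service procedure; remove before production use" \
        7777/tcp 8888/udp
fi
```

Run it as root on a host with firewalld to install the example service into the public zone; on any other machine it only defines the functions, and SERVICE_DIR=/tmp/x write_service_xml ... lets you inspect the generated file. The schema check catches the mistakes firewalld itself reports only as a silently ignored file at reload time.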

 

---------------------------------------------

 


|– xmlschema
|   |– check.sh
|   |– icmptype.xsd
|   |– ipset.xsd
|   |– service.xsd
|   `– zone.xsd
`– zones
    |– block.xml
    |– dmz.xml
    |– drop.xml
    |– external.xml
    |– home.xml
    |– internal.xml
    |– public.xml
    |– trusted.xml
    `– work.xml

The firewalld daemon manages groups of rules using entities called "zones". Zones are sets of rules dictating what traffic should be allowed depending on the level of trust you have in the networks your computer is connected to. Network interfaces are assigned to a zone to dictate the behaviour the firewall should allow.
In order from least trusted to most trusted, the predefined zones within firewalld are:

  • drop: The lowest level of trust. All incoming connections are dropped without reply; only outgoing connections are possible.
  • block: Similar to the above, but instead of silently dropping connections, incoming requests are rejected with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message.
  • public: Represents public, untrusted networks. You do not trust the other computers but may allow selected incoming connections on a case-by-case basis.
  • external: External networks, for when the firewall is your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
  • internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
  • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
  • work: Used for work machines. Trust most of the computers in the network; a few more services might be allowed.
  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
  • trusted: Trust all of the machines in the network. The most open of the available options; it should be used sparingly.

To use the firewall, we create rules and alter the properties of our zones, then assign our network interfaces to whichever zones are most appropriate. The zone names describe intent, not enforcement: the predefined zones differ only in their target and default service list, and nothing prevents opening any port in any zone, so check what a zone actually allows with firewall-cmd --zone=<zone> --list-all rather than trusting its name (on most distributions public, for instance, already permits ssh and dhcpv6-client).

Configuration utilities

firewall-cmd

Check the firewall status:

firewall-cmd --state

See which zone is currently the default:

firewall-cmd --get-default-zone

See the active zones (those with at least one interface or source bound to them):

firewall-cmd --get-active-zones

Print the default zone's configuration:

firewall-cmd --list-all

List the available zones:

firewall-cmd --get-zones

Show the configuration of a specific zone:

firewall-cmd --zone=home --list-all

Output all zone definitions:

firewall-cmd --list-all-zones

Move an interface to another zone for the current session:

firewall-cmd --zone=home --change-interface=eth0

Whenever you move an interface to a new zone, be aware that you are probably changing which services are reachable through it.

Change the default zone:

firewall-cmd --set-default-zone=home

List the available services:

firewall-cmd --get-services

Adding a service to a specific zone:

firewall-cmd --zone=public [--permanent] --add-service=http

You can leave out --zone= to modify the default zone.

Listing the services enabled in a specific zone:

firewall-cmd --zone=public [--permanent] --list-services

Adding a port to a specific zone:

firewall-cmd --zone=public [--permanent] --add-port=5000/tcp

firewall-cmd --zone=public [--permanent] --add-port=4990-4999/udp   => for a port range

Removing a port from a specific zone:

firewall-cmd --zone=public [--permanent] --remove-port=12345/tcp

Listing the ports opened in a specific zone:

firewall-cmd --zone=public [--permanent] --list-ports

By default, firewall-cmd commands apply to the runtime configuration only, and the --permanent flag changes the persistent configuration only (the running firewall does not change until it is reloaded). To add a rule to both sets there are two ways:

1. Run the command twice, once with --permanent and once without:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=http

2. Add it permanently and reload, which replaces the whole runtime configuration with the permanent one (any runtime-only change that was not saved is lost at this point):

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload

Saving the current runtime configuration as the permanent configuration:

firewall-cmd --runtime-to-permanent
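Because the two sets can silently diverge (a runtime-only rule vanishes at the next reload or reboot, a permanent-only rule is not yet enforced), it is worth checking them against each other. The script below is an added example, not code from the original post or from firewalld: it parses firewall-cmd --list-all output for one field and reports what exists on only one side. The two dumps embedded in it are constructed samples in the --list-all format, not captured from a real host; the function names are this example's own.

```shell
#!/bin/sh
# Added example for this page (not firewalld project code).

# Constructed samples of `firewall-cmd --zone=public --list-all` (runtime) and
# `firewall-cmd --permanent --zone=public --list-all` (permanent) output.
RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 5000/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports: 5000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field <field>: read a --list-all dump on stdin and print the items of the
# given single-word field (services, ports, interfaces, ...) one per line, sorted.
zone_field() {
    awk -v key="$1:" '$1 == key { for (i = 2; i <= NF; i++) print $i }' | sort
}

# zone_drift <runtime-dump> <permanent-dump> <field>: print "runtime-only X" and
# "permanent-only X" lines; return 1 when any drift exists, 0 when in sync.
zone_drift() {
    rt=$(zone_field "$3" < "$1" | tr '\n' ' ')
    pm=$(zone_field "$3" < "$2" | tr '\n' ' ')
    drift=0
    for item in $rt; do
        case " $pm " in *" $item "*) ;; *) echo "runtime-only $item"; drift=1 ;; esac
    done
    for item in $pm; do
        case " $rt " in *" $item "*) ;; *) echo "permanent-only $item"; drift=1 ;; esac
    done
    return "$drift"
}

# audit_live_zones: compare every zone and every field a reload would change.
# Needs a running firewalld; uses a private temp dir rather than fixed /tmp names.
audit_live_zones() {
    found=0
    dir=$(mktemp -d)
    for zone in $(firewall-cmd --get-zones); do
        firewall-cmd --zone="$zone" --list-all > "$dir/$zone.rt"
        firewall-cmd --permanent --zone="$zone" --list-all > "$dir/$zone.pm"
        for field in interfaces sources services ports protocols forward-ports source-ports icmp-blocks; do
            if ! zone_drift "$dir/$zone.rt" "$dir/$zone.pm" "$field" > "$dir/$zone.$field"; then
                sed "s/^/$zone $field: /" "$dir/$zone.$field"
                found=1
            fi
        done
    done
    return "$found"
}

if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    audit_live_zones || echo "runtime and permanent configuration differ (see above)" >&2
else
    echo "no running firewalld; demonstrating on the constructed samples" >&2
    d=$(mktemp -d)
    printf '%s\n' "$RUNTIME_SAMPLE" > "$d/rt"
    printf '%s\n' "$PERMANENT_SAMPLE" > "$d/pm"
    zone_drift "$d/rt" "$d/pm" services || true
    zone_drift "$d/rt" "$d/pm" ports || true
fi
```

On the samples the services field reports runtime-only http and permanent-only https, and the ports field reports runtime-only 8080/tcp: http and 8080/tcp would disappear at the next reload, while https is configured but not yet enforced. The rich rules field is multi-word in the dump and is deliberately not parsed here.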

Creating Your Own Zones

While the predefined zones will probably be more than enough for most users, it can be helpful to define your own zones that describe their function.

For instance, you might want to create a zone for your web server, called "publicweb", and another zone for the DNS service you provide on your private network, called "privateDNS".

A new zone can only be created in the permanent configuration, so --permanent is required here; reload afterwards to bring it into the running session.

Creating a new zone:

firewall-cmd --permanent --new-zone=publicweb
firewall-cmd --reload

Now you can assign the appropriate services, ports, interfaces or sources to the zone. It is usually a good idea to adjust the runtime configuration first, test it, and then transfer it with --runtime-to-permanent. A zone only becomes active, and its rules only match traffic, once an interface or source is bound to it or it is made the default zone.

 

Port Forwarding

Forwarding a port to another port on the same server:

firewall-cmd --zone=public [--permanent] --add-forward-port=port=80:proto=tcp:toport=12345

Forwarding a port to a different server requires masquerading on the zone, so that the forwarded packets leave with the firewall's own address and the replies come back through it (192.0.2.10 stands for the internal host's address):

firewall-cmd --zone=public --add-masquerade

firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.0.2.10

Removing the rules again:

firewall-cmd --zone=public --remove-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.0.2.10
firewall-cmd --zone=public --remove-masquerade

Note that masquerading on a zone applies NAT to all traffic leaving through that zone's interfaces, not only to the forwarded port, and that forward rules only match traffic arriving in the named zone.

 

With firewall-offline-cmd
