Concepts
FirewallD is a frontend controller for iptables used to implement persistent network traffic rules. It provides command line and graphical interfaces and is available in the repositories of most Linux distributions. Working with FirewallD has two main differences compared to directly controlling iptables:
FirewallD is a wrapper for iptables that makes iptables rules easier to manage; it is not an iptables replacement. While iptables commands remain available alongside FirewallD, it is recommended to use only FirewallD commands when FirewallD manages the firewall.
firewalld has a two-layer design: the core layer and the D-Bus layer on top of it. The core layer is responsible for handling the configuration and the back ends (iptables, ip6tables, ebtables, ipset and the module loader). The firewalld D-Bus interface is the primary way to alter and create the firewall configuration; it is used by all online tools provided by firewalld, such as firewall-cmd, firewallctl, firewall-config and firewall-applet. firewall-offline-cmd does not talk to firewalld; it alters and creates firewalld configuration files directly, using the firewalld core with the I/O handlers. firewall-offline-cmd can be used while firewalld is running, but this is not recommended, because it can only alter the permanent configuration, and those changes become visible in the running firewall only after about five seconds.
A firewall zone defines the trust level for a connection, interface or source address binding. This is a one-to-many relation: a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources.
A firewalld service can be a list of local ports and destinations, and additionally a list of firewall helper modules that are loaded automatically when the service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service.
An ipset can be used to group several IP or MAC addresses together. An ipset for IP addresses is usable for either IPv4 or IPv6, as defined by the family setting of the ipset, which is either inet (the default) or inet6. With ipsets, the number of rules needed for black- or whitelisting, for example, is reduced to a few rules covering a long list of addresses in the ipset. The number of rules needed depends on the use case.
The Internet Control Message Protocol (ICMP) is used to exchange information and error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages.
firewalld does not depend on NetworkManager, but using it is recommended. If NetworkManager is not used, there are some limitations: firewalld will not get notified about network device renames, and if firewalld is started after the network is already up, existing connections and manually created interfaces are not bound to a zone. You can add them to a zone with firewall-cmd.
Configuration directories
Firewalld is configured with XML files. Except for very specific configurations, you won’t have to deal with them and firewall-cmd should be used instead.
Configuration files are located in two directories:
/usr/lib/firewalld
holds default configurations like default zones and common services. Avoid updating them because those files will be overwritten by each firewalld package update.
/etc/firewalld
holds system configuration files. These files will overwrite a default configuration.
/etc/firewalld/
The system or user configuration stored in /etc/firewalld is created by the system administrator, by customization through the configuration interface of firewalld, or by hand. These files overload the default configuration files of the same name. If there is no /etc/firewalld directory, or if there is no configuration in it, firewalld starts with the default configuration and the default settings for firewalld.conf.
/etc/firewalld/
|-- firewalld.conf
|-- icmptypes
|-- lockdown-whitelist.xml
|-- services
`-- zones
    |-- public.xml
    `-- public.xml.old
/usr/lib/firewalld/
The directory /usr/lib/firewalld contains the default and fallback configuration provided by firewalld for icmptypes, services and zones. The files provided with the firewalld package should not be changed; any changes are lost with an update of the firewalld package. Additional icmptypes, services and zones can be provided by packages or by creating files.
/usr/lib/firewalld/
|-- icmptypes
|   |-- destination-unreachable.xml
|   |-- echo-reply.xml
|   |-- echo-request.xml
|   |-- parameter-problem.xml
|   |-- redirect.xml
|   |-- router-advertisement.xml
|   |-- router-solicitation.xml
|   |-- source-quench.xml
|   |-- time-exceeded.xml
|   |-- timestamp-reply.xml
|   `-- timestamp-request.xml
|-- ipsets
|   `-- README
|-- services
|   `-- (one .xml file per predefined service; the names are listed below)
|-- xmlschema
|   |-- check.sh
|   |-- icmptype.xsd
|   |-- ipset.xsd
|   |-- service.xsd
|   `-- zone.xsd
`-- zones
    |-- block.xml
    |-- dmz.xml
    |-- drop.xml
    |-- external.xml
    |-- home.xml
    |-- internal.xml
    |-- public.xml
    |-- trusted.xml
    `-- work.xml
The predefined service definition files in /usr/lib/firewalld/services (each name plus .xml) are:
amanda-client, amanda-k5-client, bacula-client, bacula, ceph-mon, ceph, dhcpv6-client, dhcpv6, dhcp, dns, docker-registry, dropbox-lansync, freeipa-ldaps, freeipa-ldap, freeipa-replication, ftp, high-availability, https, http, imaps, imap, ipp-client, ipp, ipsec, iscsi-target, kadmin, kerberos, kpasswd, ldaps, ldap, libvirt-tls, libvirt, mdns, mosh, mountd, ms-wbt, mysql, nfs, ntp, openvpn, pmcd, pmproxy, pmwebapis, pmwebapi, pop3s, pop3, postgresql, privoxy, proxy-dhcp, ptp, pulseaudio, puppetmaster, radius, RH-Satellite-6, rpc-bind, rsyncd, samba-client, samba, sane, smtps, smtp, snmptrap, snmp, squid, ssh, synergy, syslog-tls, syslog, telnet, tftp-client, tftp, tinc, tor-socks, transmission-client, vdsm, vnc-server, wbem-https, xmpp-bosh, xmpp-client, xmpp-local, xmpp-server.
You can get more details about each of these services by looking at its associated .xml file within the /usr/lib/firewalld/services directory. For instance, the SSH service is defined in /usr/lib/firewalld/services/ssh.xml.
The firewalld daemon manages groups of rules using entities called "zones". Zones are sets of rules dictating what traffic should be allowed, depending on the level of trust you have in the networks your computer is connected to. Network interfaces are assigned to a zone to dictate the behavior that the firewall should allow. The predefined zones within firewalld are the ones whose definition files are listed above under /usr/lib/firewalld/zones, and they range from least trusted to most trusted.
To use the firewall, we can create rules and alter the properties of our zones and then assign our network interfaces to whichever zones are most appropriate.
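As an added example (not part of this page and not firewalld's own code), the following Python script resolves the ports a zone effectively opens by reading zone and service XML files from the two configuration directories described above, with a file in /etc/firewalld fully replacing its /usr/lib/firewalld counterpart rather than being merged with it. The sample XML bodies, the temporary directory tree and the custom public.xml are constructed for the demo.

```python
# Added example, not firewalld's own code: resolves the ports a zone opens by
# reading zone/service XML from the two configuration directories the page
# describes; a file under etc/firewalld fully replaces its usr/lib twin.
import os
import tempfile
import xml.etree.ElementTree as ET

SAMPLE_FILES = {  # constructed samples in the firewalld service/zone XML format
    "usr/lib/firewalld/services/ssh.xml":
        '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "usr/lib/firewalld/services/http.xml":
        '<service><short>HTTP</short><port protocol="tcp" port="80"/></service>',
    "usr/lib/firewalld/zones/public.xml":
        '<zone><short>Public</short><service name="ssh"/></zone>',
    # Administrator copy: once this exists, the default public.xml is ignored.
    "etc/firewalld/zones/public.xml":
        '<zone><short>Public</short><service name="ssh"/><service name="http"/>'
        '<port protocol="tcp" port="12345"/></zone>',
}

def find_config(root, kind, name):
    """Path of kind/name.xml, preferring etc/firewalld over usr/lib/firewalld."""
    for base in ("etc/firewalld", "usr/lib/firewalld"):
        path = os.path.join(root, base, kind, name + ".xml")
        if os.path.exists(path):
            return path
    raise FileNotFoundError(f"no {kind} definition named {name!r}")

def ports_of(element):
    """(port, protocol) pairs from the <port> children of a zone or service."""
    return {(p.get("port"), p.get("protocol")) for p in element.findall("port")}

def zone_open_ports(root, zone):
    """Ports the zone allows: its own <port> entries plus those of each service."""
    z = ET.parse(find_config(root, "zones", zone)).getroot()
    allowed = ports_of(z)
    for svc in z.findall("service"):
        s = ET.parse(find_config(root, "services", svc.get("name"))).getroot()
        allowed |= ports_of(s)
    return allowed

def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temporary root and return that root."""
    root = tempfile.mkdtemp(prefix="firewalld-demo-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Calling zone_open_ports(build_sample_tree(), "public") reports ports 22, 80 and 12345; deleting the /etc copy from the temporary tree shrinks the result to port 22 alone, which is the whole-file override behaviour the directory description above warns about.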
Configuration utilities
firewall-cmd
Check the firewall status: firewall-cmd --state
Show which zone is currently selected as the default: firewall-cmd --get-default-zone
Show the active zones: firewall-cmd --get-active-zones
Print the default zone's configuration: firewall-cmd --list-all
List the available zones: firewall-cmd --get-zones
Show the configuration associated with a specific zone: firewall-cmd --zone=home --list-all
You can also output all of the zone definitions at once.
You can transition an interface between zones during a session. Whenever you transition an interface to a new zone, be aware that you are probably modifying the services that will be operational.
You can change the default zone.
You can list the available services.
You can add a service to a specific zone; you can leave out the zone argument to target the default zone.
You can list the services added to a specific zone.
You can add a port to a specific zone.
Remove a port from a specific zone: firewall-cmd --zone=public (--permanent) --remove-port=12345/tcp
You can list the ports added to a specific zone.
By default, firewall-cmd commands apply to the runtime configuration; the --permanent flag establishes a persistent configuration instead. To add a rule to both the permanent and runtime sets, either:
1. run firewall-cmd --zone=public --add-service=http --permanent, followed by the same command without --permanent for the runtime set, or
2. run firewall-cmd --zone=public --add-service=http --permanent, followed by firewall-cmd --reload.
The runtime configuration can also be copied into the permanent configuration.
Creating Your Own Zones
While the predefined zones will probably be more than enough for most users, it can be helpful to define your own zones that are more descriptive of their function.
For instance, you might want to create a zone for your web server, called “publicweb”. However, you might want to have another zone configured for the DNS service you provide on your private network. You might want a zone called “privateDNS” for that.
When adding a zone, you must add it to the permanent firewall configuration. You can then reload to bring the new zone into your running session.
Once the zone exists, you can begin assigning the appropriate services and ports to it. It's usually a good idea to adjust the active instance and then transfer those changes to the permanent configuration after testing.
Port Forwarding
To forward a port to another port on the same server: firewall-cmd --zone=public (--permanent) --add-forward-port=port=80:proto=tcp:toport=12345
To forward a port to a different server, masquerading must first be enabled on the zone: firewall-cmd --zone=public --add-masquerade