Linux and Networking

2 Dey
Basic Concepts in Firewalld

Zones: The firewalld daemon manages groups of rules using entities called “zones”. A zone is a level of trust applied to an interface or a source network; the rules of that zone decide which incoming connections are accepted.

Predefined zones:

drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.

Rule Permanence: In firewalld, rules can be designated as either permanent or immediate. Most firewall-cmd operations can take the "--permanent" flag, which writes the rule to the saved configuration so that it survives a reload or reboot; without the flag the rule is applied to the running firewall immediately but is lost at the next reload. That is why the commands below are usually run once with and once without "--permanent".

Commands

Install

Install and Enable Your Firewall to Start at Boot

$ sudo yum install firewalld
$ sudo systemctl enable firewalld
$ sudo reboot

Show status (information)

Verify that the service is running and reachable by typing:

$ sudo firewall-cmd --state
output:  running

Current firewall rules (which zone is currently selected as the default)

firewall-cmd --get-default-zone
output:
public

Print currently active zones

firewall-cmd --get-active-zones
output:
 privateDNS
   interfaces: eth1
 publicweb
   interfaces: eth0

List the available zones

$ sudo firewall-cmd --get-zones
output:
block dmz drop external home internal public trusted work

See the specific configuration associated with a zone

$ sudo firewall-cmd --zone=home --list-all
output:
home
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

See the specific configuration associated with all zones

sudo firewall-cmd --list-all-zones

List the available services (the names firewalld knows and can be used with --add-service)

firewall-cmd --get-services
output:
   RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

List the services allowed in a zone

sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --zone=public --list-services

List of ports

sudo firewall-cmd --zone=public --list-ports


Modify

Changing the Zone of an Interface

sudo firewall-cmd --zone=home --change-interface=eth0
output
success

Adjusting the Default Zone

sudo firewall-cmd --set-default-zone=home

Allow HTTP/HTTPS traffic in the “public” zone (once for the running firewall, once permanently)

sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=http  --permanent
sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --zone=public --permanent --add-service=https

Opening a Port for your Zones

sudo firewall-cmd --zone=public --add-port=5000/tcp
sudo firewall-cmd --zone=public --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --list-ports

Move an interface to another zone

sudo firewall-cmd --zone=public --change-interface=eth0
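The "permanent versus immediate" distinction above is where misconfigurations hide: a service added without --permanent is live now but vanishes at the next reload, and a --permanent addition that was never also applied at runtime is not enforced yet. The following script is an added example, not code from the original post; it compares two captures of `firewall-cmd --zone=public --list-all` (runtime) and `firewall-cmd --zone=public --permanent --list-all` (saved) and reports every service, port or interface that appears in only one of them. The two captures below are constructed samples in that output format; on a real host you would save the real command output to two files and pass them to the same functions.

```shell
#!/bin/sh
# Added example, not from the original post: report "drift" between a zone's
# runtime and permanent configuration. Input files are constructed samples in
# the format of `firewall-cmd --zone=public --list-all` (runtime) and
# `firewall-cmd --zone=public --permanent --list-all` (saved configuration).

# Print the value of one "key:" line from --list-all output (empty if unset).
zone_field() {            # $1 = key (services, ports, interfaces, ...), $2 = file
  awk -v k="$1:" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Print each item of key $1 that appears in file $2 but not in file $3, one per line.
only_in_first() {         # $1 = key, $2 = file A, $3 = file B
  a=$(zone_field "$1" "$2")
  b=$(zone_field "$1" "$3")
  for item in $a; do
    case " $b " in
      *" $item "*) ;;                    # present in both views: no drift
      *) printf '%s\n' "$item" ;;
    esac
  done
}

# --- constructed sample captures ------------------------------------------
RUNTIME=$(mktemp); PERMANENT=$(mktemp)
trap 'rm -f "$RUNTIME" "$PERMANENT"' EXIT
cat > "$RUNTIME" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http https ssh
  ports: 5000/tcp 4990-4999/udp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
EOF
cat > "$PERMANENT" <<'EOF'
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http ssh smtp
  ports: 5000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
EOF

# Human-readable report: each line names a change that is not in both views.
drift_report() {          # $1 = runtime capture, $2 = permanent capture
  for key in services ports interfaces; do
    only_in_first "$key" "$1" "$2" | sed "s/^/runtime only (lost on reload) $key: /"
    only_in_first "$key" "$2" "$1" | sed "s/^/permanent only (not yet active) $key: /"
  done
}
drift_report "$RUNTIME" "$PERMANENT"
```

With the samples above the report shows https and 4990-4999/udp as runtime-only (they were opened without --permanent) and smtp as permanent-only (saved but not yet applied). An empty report means the two views agree, which is the state to aim for before a reload or reboot.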


  • behrooz mohamadi nsasab

1 Dey

In the tutorial below:
    Network address: 10.0.20.0/24
    Domain name: MyDomain.it
    DNS server: 10.0.20.240
    DNS server to forward queries to: 192.168.100.12

$ sudo apt install bind9 bind9utils dnsutils resolvconf

$ sudo vim /etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    listen-on port 53 {localhost;10.0.20.0/24;192.168.40.0/24; };
    allow-query {localhost;10.0.20.0/24;192.168.40.0/24;};
    recursion yes;
    forwarders {
        192.168.100.12;
        8.8.8.8;
    };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
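The options block above enables recursion but restricts allow-query to localhost and the two local networks. That restriction is what keeps the server from becoming an open recursive resolver, i.e. one that answers recursive queries for anyone on the Internet and is then abused for reflection traffic. The script below is an added example, not part of the original post: it classifies a named.conf.options file as "open" or "restricted" by combining the recursion setting with the effective recursion ACL (allow-recursion if present, otherwise allow-query, otherwise BIND's built-in default). The three configuration files are constructed samples; the first mirrors the tutorial's block, the second is the weak variant, and the third shows how to stay restricted while still answering authoritative queries from anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: flag an options block that would
# make BIND an open recursive resolver ("recursion yes" plus an effective
# recursion ACL containing "any"). All three configs are constructed samples.

# Value of a single-word option, e.g. "recursion yes;" -> "yes" (empty if absent).
opt_value() {        # $1 = option name, $2 = file
  sed -n "s/^[[:space:]]*$1[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p" "$2" | head -n 1
}

# Body of a one-line ACL block, e.g. "allow-query { a; b; };" -> " a; b; ".
acl_body() {         # $1 = option name, $2 = file
  sed -n "s/^[[:space:]]*$1[[:space:]]*{\([^}]*\)}.*/\1/p" "$2" | head -n 1
}

# Print "open" or "restricted". Effective recursion ACL: allow-recursion if
# set, else allow-query, else BIND's default of "localhost; localnets;" (the
# allow-query-cache option, which also sits in that chain, is ignored here).
# BIND defaults recursion to yes when the option is absent.
recursion_exposure() {   # $1 = path to a named.conf.options file
  [ "$(opt_value recursion "$1")" = "no" ] && { echo restricted; return 0; }
  acl=$(acl_body allow-recursion "$1")
  [ -n "$acl" ] || acl=$(acl_body allow-query "$1")
  [ -n "$acl" ] || acl="localhost; localnets;"
  for tok in $(printf '%s' "$acl" | tr ';' ' '); do    # compare whole tokens, not substrings
    [ "$tok" = "any" ] && { echo open; return 0; }
  done
  echo restricted
}

# --- constructed sample configurations ------------------------------------
RESTRICTED=$(mktemp); OPEN=$(mktemp); SPLIT=$(mktemp)
trap 'rm -f "$RESTRICTED" "$OPEN" "$SPLIT"' EXIT
cat > "$RESTRICTED" <<'EOF'
options {
    directory "/var/cache/bind";
    listen-on port 53 {localhost;10.0.20.0/24;192.168.40.0/24; };
    allow-query {localhost;10.0.20.0/24;192.168.40.0/24;};
    recursion yes;
    forwarders { 192.168.100.12; 8.8.8.8; };
    dnssec-validation auto;
};
EOF
cat > "$OPEN" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
};
EOF
cat > "$SPLIT" <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-recursion { localhost; 10.0.20.0/24; };
};
EOF

for f in "$RESTRICTED" "$OPEN" "$SPLIT"; do
  printf '%s: %s\n' "$f" "$(recursion_exposure "$f")"
done
```

The third sample is the usual fix when a server is both authoritative for a zone and a resolver for the LAN: leave allow-query open for the authoritative answers and pin allow-recursion to the internal networks. Note that the parser only understands ACL blocks written on one line, as in the tutorial.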

$ sudo vim /etc/bind/named.conf.local

    zone "MyDomain.it" IN {
        type master;
        file "MyDomain.it";
    };

$ sudo vim /var/cache/bind/MyDomain.it

$TTL 86400
@    IN    SOA    ns1.MyDomain.it. root.MyDomain.it. (
        20191214           ;Serial
        3600               ;Refresh
        900                ;Retry
        604800             ;Expire
        86400              ;Minimum TTL
)

;name servers: NS records
    IN    NS       ns1.MyDomain.it.
    IN    A        192.168.40.40
    IN    MX 10    mail.MyDomain.it.

;name servers: A records
ns1.MyDomain.it.         IN    A    192.168.40.40
dns.MyDomain.it.         IN    A    192.168.40.40
root.MyDomain.it.        IN    A    192.168.40.40
MyDomain.it.             IN    A    192.168.40.40
chat.MyDomain.it.        IN    A    192.168.40.41
mail.MyDomain.it.        IN    A    192.168.40.42
email.MyDomain.it.       IN    A    192.168.40.42
pop3.MyDomain.it.        IN    A    192.168.40.42
smtp.MyDomain.it.        IN    A    192.168.40.42
imap.MyDomain.it.        IN    A    192.168.40.42
behrooz.MyDomain.it.     IN    A    192.168.40.48
  • Log every query that reaches the DNS server (run the following command on the server):
# rndc querylog on
  • The following command checks named.conf and the files it includes:
$ sudo named-checkconf
  • The following command checks a zone (first argument: zone name, second: its zone file):
# /usr/sbin/named-checkzone my.net /var/cache/bind/my.net.zone
  • Use systemctl to make the service start automatically after a reboot:
$ sudo systemctl enable bind9
$ sudo systemctl start bind9
  • Note: the resolvconf package must be installed in order to use the /etc/resolv.conf file.
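named-checkzone validates syntax, but two mistakes it will not catch for you are forgetting to bump the SOA serial (secondaries only transfer the zone when the serial grows) and pointing an NS or MX record at a name inside the zone that has no A record. The script below is an added example, not code from the original post: it pulls the serial out of a zone file and lists in-zone NS/MX targets without an A record, using awk only, so it runs anywhere. The zone file is a constructed sample modelled on the tutorial's layout (origin example.test., blank owners inheriting from @); it assumes names are written as fully qualified with a trailing dot, as in the tutorial.

```shell
#!/bin/sh
# Added example, not from the original post: pre-checks on a BIND zone file.
# The zone below is a constructed sample (documentation domain example.test.).

ZONE=$(mktemp); trap 'rm -f "$ZONE"' EXIT
cat > "$ZONE" <<'EOF'
$TTL 86400
@   IN  SOA  ns1.example.test. hostmaster.example.test. (
        20191214    ; Serial
        3600        ; Refresh
        900         ; Retry
        604800      ; Expire
        86400       ; Minimum TTL
)
    IN  NS   ns1.example.test.
    IN  NS   ns2.example.test.
    IN  A    192.0.2.10
    IN  MX 10 mail.example.test.
ns1.example.test.   IN  A  192.0.2.10
mail.example.test.  IN  A  192.0.2.20
EOF

# Print the SOA serial: the first bare number after the line containing SOA.
zone_serial() {            # $1 = zone file
  awk 'found && $1 ~ /^[0-9]+$/ { print $1; exit } /[ \t]SOA[ \t]/ { found = 1 }' "$1"
}

# Print NS/MX targets that lie under the origin but have no A record in the file.
# Owner-name tracking: a line starting in column 1 sets the owner; lines starting
# with whitespace inherit it; "@" means the origin; ")" closes the SOA and does
# not change the owner; "$TTL"-style directives are skipped.
dangling_targets() {       # $1 = zone file, $2 = origin with trailing dot
  awk -v origin="$2" '
    { sub(/;.*/, "") }                         # strip comments
    NF == 0 { next }
    /^\$/ { next }
    /^[^ \t)]/ { owner = $1 }
    owner == "@" { owner = origin }
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "A" && i < NF)            has_a[owner] = 1
        else if ($i == "NS" && i < NF)      targets[n++] = $(i + 1)
        else if ($i == "MX" && i + 1 < NF)  targets[n++] = $(i + 2)
      }
    }
    END {
      for (j = 0; j < n; j++) {
        t = targets[j]
        in_zone = substr(t, length(t) - length(origin) + 1) == origin
        if (in_zone && !(t in has_a)) print t
      }
    }' "$1"
}

printf 'serial: %s\n' "$(zone_serial "$ZONE")"
printf 'dangling: %s\n' "$(dangling_targets "$ZONE" example.test.)"
```

On the sample, the serial is 20191214 and ns2.example.test. is reported as dangling because it is listed as a name server but never given an address; the same check run over the tutorial's MyDomain.it file (with origin MyDomain.it.) prints nothing, since every NS and MX target there has an A record.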
