Basic Concepts in Firewalld
Zones: The firewalld daemon manages groups of rules using entities called “zones”.
Predefined zones:
drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.
Rule Permanence: In firewalld, rules can be designated as either permanent or immediate. Most firewall-cmd operations accept the "--permanent" flag; without it a change is immediate (applied to the running firewall only), and with it the change is written to the permanent configuration.
Commands
Install
Install and Enable Your Firewall to Start at Boot
$ sudo yum install firewalld
$ sudo systemctl enable firewalld
$ sudo reboot
Show Status(Information)
Verify the service is running and reachable by typing:
$ sudo firewall-cmd --state
output: running
Current firewall rules (which zone is currently selected as the default)
firewall-cmd --get-default-zone
output: public
Print currently active zones
firewall-cmd --get-active-zones
output:
privateDNS
  interfaces: eth1
publicweb
  interfaces: eth0
List the available zones
$ sudo firewall-cmd --get-zones
output: block dmz drop external home internal public trusted work
See the specific configuration associated with a zone
$ sudo firewall-cmd --zone=home --list-all
output:
home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
See the specific configuration associated with all zones
sudo firewall-cmd --list-all-zones
List the available services
firewall-cmd --get-services
output: RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
List the services allowed in a zone
sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --zone=public --list-services
List the ports opened in a zone
sudo firewall-cmd --zone=public --list-ports
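The listing commands above show what a zone allows, but reading the dump by eye does not scale across many hosts. The following script is an added example, not part of the original notes: it parses the text that firewall-cmd --zone=<zone> --list-all prints and flags the items a reviewer would want to see (cleartext legacy services allowed, port ranges opened, masquerading enabled, a zone whose target is ACCEPT). The sample zone dump and the LEGACY_SERVICES list are constructed assumptions for the example; on a real host, pipe the live output into audit_zone instead.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the text printed by
#   firewall-cmd --zone=<zone> --list-all
# and flag exposures a reviewer would want to see. Reads the dump on stdin.

# Services whose protocols carry credentials or data in cleartext. This
# list is an assumption for the example; tune it to your environment.
LEGACY_SERVICES="telnet ftp tftp rsh klogin kshell"

# audit_zone: reads --list-all output on stdin, prints one "FINDING:" line
# per issue, and always exits 0 (it reports, it does not enforce).
audit_zone() {
    while IFS= read -r line; do
        # "  services: ssh http" -> key "services", value " ssh http"
        key=$(printf '%s' "${line%%:*}" | tr -d ' ')
        value=${line#*:}
        case "$key" in
            target)
                # The trusted zone reports "target: ACCEPT": everything in.
                case "$value" in
                    *ACCEPT*) echo "FINDING: zone target is ACCEPT (all traffic allowed)" ;;
                esac ;;
            services)
                for svc in $value; do
                    case " $LEGACY_SERVICES " in
                        *" $svc "*) echo "FINDING: cleartext service '$svc' allowed" ;;
                    esac
                done ;;
            ports)
                for port in $value; do
                    # "4990-4999/udp" opens ten ports with one rule.
                    case "$port" in
                        *-*) echo "FINDING: port range '$port' opened" ;;
                    esac
                done ;;
            masquerade)
                case "$value" in
                    *yes*) echo "FINDING: masquerading (NAT) enabled" ;;
                esac ;;
        esac
    done
    return 0
}

# Constructed sample in the shape of `firewall-cmd --zone=public --list-all`.
SAMPLE_ZONE='public
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh telnet ftp
  ports: 5000/tcp 4990-4999/udp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Three findings for the sample: telnet, ftp, and the 4990-4999/udp range.
printf '%s\n' "$SAMPLE_ZONE" | audit_zone
```

On a host running firewalld, replace the constructed sample with `sudo firewall-cmd --zone=public --list-all | audit_zone`. The function only reports and always exits 0, so it can run unattended from a scheduled job and feed its FINDING lines to whatever collects your audit output.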
Modify
Changing the Zone of an Interface
sudo firewall-cmd --zone=home --change-interface=eth0
output: success
Adjusting the Default Zone
sudo firewall-cmd --set-default-zone=home
Allow http/https traffic in the “public” zone
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --zone=public --permanent --add-service=https
Opening a Port for your Zones
sudo firewall-cmd --zone=public --add-port=5000/tcp
sudo firewall-cmd --zone=public --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --list-ports
Move an interface to a different zone
sudo firewall-cmd --zone=public --change-interface=eth0
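Rule permanence is where most mistakes in the Modify section happen in practice: each add-service and add-port has to be issued twice, once for the running firewall and once with --permanent, and the two copies silently diverge when one is forgotten. The following shell functions are an added example, not part of the original notes: diff_services compares a zone's runtime and permanent service lists as plain text, and check_zone_drift feeds it the output of the two --list-services calls on a live host. The service lists used in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: detect drift between a zone's
# runtime and permanent service lists. A service added without --permanent
# vanishes on reload/reboot; one added only with --permanent is not
# enforced until `firewall-cmd --reload`.

# diff_services "RUNTIME_LIST" "PERMANENT_LIST"
# Both arguments are space-separated service names, exactly as
# `firewall-cmd --zone=Z --list-services` prints them. Prints one line per
# difference; prints nothing when the two sides agree (order is ignored).
diff_services() {
    runtime=$1
    permanent=$2
    for svc in $runtime; do
        case " $permanent " in
            *" $svc "*) ;;  # present on both sides
            *) echo "runtime-only: $svc (lost on reload)" ;;
        esac
    done
    for svc in $permanent; do
        case " $runtime " in
            *" $svc "*) ;;
            *) echo "permanent-only: $svc (inactive until --reload)" ;;
        esac
    done
}

# check_zone_drift ZONE: queries a live firewalld. Not run in the demo
# because it needs the daemon; call it on the host being audited.
check_zone_drift() {
    zone=$1
    rt=$(sudo firewall-cmd --zone="$zone" --list-services)
    pm=$(sudo firewall-cmd --permanent --zone="$zone" --list-services)
    diff_services "$rt" "$pm"
}

# Constructed sample: http was added at runtime only and https only with
# --permanent, i.e. each pair from the notes above was run just once.
RUNTIME_SAMPLE="dhcpv6-client ssh http"
PERMANENT_SAMPLE="dhcpv6-client ssh https"

# Prints two lines: runtime-only http, permanent-only https.
diff_services "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
```

When the runtime side is the one you want to keep, `firewall-cmd --runtime-to-permanent` copies the whole running configuration into the permanent one; when the permanent side is correct, `firewall-cmd --reload` activates it and discards the runtime-only additions. Running check_zone_drift after either step should then print nothing.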