Firewalld notes

Zone Management

Each network interface belongs to exactly one zone. All interfaces can sit in the same default zone, or they can be split across zones according to the level of trust assigned to each network.

To assign the eth0 network interface permanently to the internal zone, type the command below. The first permanent change to a zone copies its definition into /etc/firewalld/zones (here as internal.xml), and permanent changes only take effect after firewall-cmd --reload; without --permanent a change applies immediately but is lost at the next reload. On an interface managed by NetworkManager the binding lives in the connection profile (the connection.zone property), which is where to look if the assignment does not stick.

firewall-cmd --permanent --zone=internal --change-interface=eth0

List the zones that currently have an interface or a source bound to them:

firewall-cmd --get-active-zones

List available zones:

firewall-cmd --get-zones

Show the zone an interface is assigned to (an interface belongs to exactly one zone):

firewall-cmd --get-zone-of-interface=eth0

Add a source to the trusted zone. --add-source takes an address or a CIDR network, so <IP1>/24 admits the entire /24, not a single host; use <IP1>/32 for one address. The trusted zone's target is ACCEPT, which means every connection from a trusted source is allowed whether or not its service is listed, so the --add-service=ssh line below documents intent rather than restricting anything; to allow only SSH from that network, use a zone with the default target instead.

firewall-cmd --permanent --zone=trusted --add-source=<IP1>/24
firewall-cmd --permanent --zone=trusted --add-service=ssh

Once the source is in the trusted zone, remove ssh from the public zone. This rejects SSH from every address that is not in a trusted source, including your own session if the address you are connecting from lies outside <IP1>/24, so check that before reloading. The removal must be --permanent as well: a change made without it only touches the runtime configuration and is discarded by the --reload below.

firewall-cmd --permanent --zone=public --remove-service=ssh

Reload the firewall to apply changes.

firewall-cmd --reload

Service Management

A service is a named set of ports, protocols and connection-tracking helpers (defined in /usr/lib/firewalld/services, with local overrides in /etc/firewalld/services) and can be enabled in one zone or in several.

Add service:

firewall-cmd --permanent --zone=internal --add-service=http

Remove service:

firewall-cmd --permanent --zone=public --remove-service=http

List services in a zone:

firewall-cmd --list-services --zone=public

Service Configuration

Custom services are defined with an XML file in the /etc/firewalld/services directory; the file name without .xml is the service name. For example, to define haproxy as a service, create haproxy.xml containing the following XML. The <service> root element is required; firewalld does not load a file it cannot parse.

<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>HAProxy</short>
 <description>HAProxy load-balancer</description>
 <port protocol="tcp" port="80"/>
</service>

Assign the correct SELinux context and file permissions to the haproxy.xml file:

# cd /etc/firewalld/services
# restorecon haproxy.xml
# chmod 640 haproxy.xml

Add the HAProxy service to the default zone permanently and reload the firewall configuration:

# firewall-cmd --permanent --add-service=haproxy
# firewall-cmd --reload
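As an added example that is not part of the original notes, the script below checks a service definition for the mistakes firewalld rejects (no <service> root, a protocol other than tcp/udp/sctp/dccp, a port outside 1-65535, a reversed range, no <port> element at all) before installing it with the mode and SELinux label shown above and confirming that it is listed by --get-services. The built-in sample it writes is the haproxy definition from this page; the function names validate_service_xml, install_service and write_sample_service are chosen here and are not firewalld tooling.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: check a custom firewalld
# service file before installing it into /etc/firewalld/services.
set -eu

SERVICE_DIR=/etc/firewalld/services

# Write the haproxy definition from the page to the file named in $1
# (constructed sample used by the self-check below).
write_sample_service() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HAProxy</short>
  <description>HAProxy load-balancer</description>
  <port protocol="tcp" port="80"/>
</service>
EOF
}

# Return 0 when FILE has a <service> root and one or more <port> elements
# whose protocol is tcp/udp/sctp/dccp and whose port is a number or a
# low-high range within 1-65535. Problems are reported on stderr.
validate_service_xml() {
    file=$1
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
    if ! grep -q '<service' "$file" || ! grep -q '</service>' "$file"; then
        echo "$file: missing <service>...</service> root element" >&2
        return 1
    fi
    count=0
    while IFS= read -r elem; do
        [ -n "$elem" ] || continue
        proto=$(printf '%s\n' "$elem" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$elem" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "$file: unsupported protocol in $elem" >&2; return 1 ;;
        esac
        low=${port%-*}; high=${port#*-}
        for p in "$low" "$high"; do
            case "$p" in ''|*[!0-9]*)
                echo "$file: non-numeric port in $elem" >&2; return 1 ;;
            esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                echo "$file: port out of range in $elem" >&2; return 1
            fi
        done
        [ "$low" -le "$high" ] || { echo "$file: reversed range in $elem" >&2; return 1; }
        count=$((count + 1))
    done <<EOF
$(grep -o '<port [^>]*/>' "$file" || true)
EOF
    [ "$count" -ge 1 ] || { echo "$file: no <port> elements" >&2; return 1; }
}

# Install FILE as service NAME with the ownership, mode and SELinux label
# firewalld expects, reload, and confirm the service is now known.
install_service() {
    name=$1; file=$2
    validate_service_xml "$file" || return 1
    install -o root -g root -m 0640 "$file" "$SERVICE_DIR/$name.xml"
    restorecon "$SERVICE_DIR/$name.xml"
    firewall-cmd --reload
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$name" \
        || { echo "$name not listed by --get-services; see journalctl -u firewalld" >&2; return 1; }
}

# Usage: ./check-service.sh haproxy /path/to/haproxy.xml   (install, as root)
#        ./check-service.sh haproxy                         (validate the sample only)
if [ "$#" -eq 2 ]; then
    install_service "$1" "$2"
elif [ "$#" -eq 1 ]; then
    tmp=$(mktemp)
    write_sample_service "$tmp"
    validate_service_xml "$tmp"
    echo "$tmp: sample validates"
    rm -f "$tmp"
fi
```

The check is deliberately done with grep and sed rather than an XML library so it runs on a minimal host; it catches the structural errors that keep a file from loading, not every schema violation. After install_service, `firewall-cmd --info-service=haproxy` shows the parsed ports, which is the quickest way to confirm the definition means what you intended.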

Port Management

Port management follows the same model as service management.

To allow port 443/tcp permanently in the internal zone (the --permanent change takes effect at the reload), type:

# firewall-cmd --permanent --zone=internal --add-port=443/tcp
# firewall-cmd --reload

To remove the port (again permanently; reload afterwards), enter:

firewall-cmd --permanent --zone=internal --remove-port=443/tcp

To get the list of ports open in the internal zone, type:

# firewall-cmd --zone=internal --list-ports

Blocking ICMP

ICMP types are blocked per zone; without --zone these commands act on the default zone, and without --permanent they affect only the runtime configuration and are lost at the next reload. Blocking echo-request stops the host from answering pings; blocking echo-reply discards the answers to pings the host itself sends. Leave destination-unreachable and time-exceeded alone, since dropping them breaks path MTU discovery and traceroute.

firewall-cmd --add-icmp-block=echo-reply
firewall-cmd --add-icmp-block=echo-request

To unblock, enter:

firewall-cmd --remove-icmp-block=echo-reply
firewall-cmd --remove-icmp-block=echo-request

Allow access for a specific host

The simplest way is to create a dedicated zone for the host and bind the host's address to it as a source. A packet is matched against source-bound zones before the zone of the interface it arrived on, so traffic from that host is handled entirely by the new zone: with the zone's default target, only the ports and services added to it are allowed and everything else from the host is rejected. Add the source as <IP>/32 for a single host; a shorter prefix admits the whole network.

firewall-cmd --permanent --new-zone=special
firewall-cmd --permanent --zone=special --add-source=
firewall-cmd --permanent --zone=special --add-port=2222/tcp
firewall-cmd --reload
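The dedicated-zone steps just above and the trusted-zone steps under Zone Management share one pattern: bind a source network to a zone that allows only the wanted service, then take that service out of public. The script below is an added example, not part of the original notes, that performs that sequence with a dedicated zone instead of trusted, validates the CIDR before touching the firewall, makes every change --permanent so the final --reload applies rather than discards it, and verifies the result. FW_DRY_RUN is a switch of this script (not a firewall-cmd option) that prints the calls for review; the zone name mgmt and the network 192.0.2.0/24 are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: allow one service from a
# management network only, using a dedicated source-bound zone.
# FW_DRY_RUN=1 prints each firewall-cmd call instead of running it.
set -eu

# Run firewall-cmd, or print the call when FW_DRY_RUN=1.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix; a bare
# address is treated as a single host. Returns 0 when valid, 1 otherwise.
is_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" != "$1" ] || prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Reject anything but digits and dots up front (also stops globbing below).
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    n=0
    old_ifs=$IFS
    IFS=.
    for octet in $addr; do
        case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Bind NETWORK to zone ZONE, allow SERVICE there, then remove SERVICE from
# public. Every change is --permanent so the final --reload applies it
# instead of discarding a runtime-only edit.
restrict_service_to_network() {
    zone=$1; network=$2; service=$3
    is_ipv4_cidr "$network" || { echo "not an IPv4 address/CIDR: $network" >&2; return 1; }
    # Create the zone only if it is not already defined (safe to re-run).
    if ! fw --permanent --get-zones | tr ' ' '\n' | grep -qx "$zone"; then
        fw --permanent --new-zone="$zone"
    fi
    fw --permanent --zone="$zone" --add-source="$network"
    fw --permanent --zone="$zone" --add-service="$service"
    fw --permanent --zone=public --remove-service="$service"
    fw --reload
    # Verify the runtime state: the source and the service must now be listed.
    fw --zone="$zone" --list-all
}

# Usage: FW_DRY_RUN=1 ./restrict.sh mgmt 192.0.2.0/24 ssh   (review first)
#                     ./restrict.sh mgmt 192.0.2.0/24 ssh   (apply, as root)
if [ "$#" -eq 3 ]; then
    restrict_service_to_network "$1" "$2" "$3"
fi
```

Before applying it for ssh, make sure the address you are connected from falls inside the network you pass; once the --remove-service=ssh from public takes effect, SSH from anywhere else is rejected. Afterwards `firewall-cmd --get-active-zones` should list the new zone with its sources, and a connection attempt from outside the network should be refused.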