How to manage FirewallD (on CentOS 7 and all the other distros)
 
A firewall is a security system used to control network traffic going in and out of a computer. Today we might take it for granted, but the firewall still remains one of the most important security devices in our systems. Historically, the Linux firewall par excellence has always been IPtables, but its rules are quite difficult to master, hence the need for something new and more manageable. FirewallD is a relatively new system firewall employed by a growing number of distributions, mainly Red Hat-based ones, to secure, log and manage network access; on top of that, it aims to ease firewall management.
FirewallD and IPtables, which is better?
One of the most common concerns about FirewallD is how it compares with the other big player in the field: IPtables. The answer is pretty simple: they don’t compete.
Both firewalls are built to perform the same actions in different ways, but under the hood FirewallD interfaces with IPtables, and both of them ultimately drive the Linux kernel module Netfilter. So there’s really no reason to prefer one over the other, manageability aside.
Writing an IPtables rule is a difficult task for many Linux administrators, and mastering IPtables rules takes more than just skimming a manual. FirewallD, on the other hand, is easy to use and comes with many improvements over IPtables. Getting started with it takes a matter of minutes, and for easy tasks there’s no need to know any complicated rule-set.
Getting to know FirewallD
Although FirewallD was born to simplify firewall management compared to raw IPtables rules, a first look at it might be intimidating:
- Services
- Ports
- Zones
- Interfaces
- Sources
- and more…
You will soon realize there is more to it than meets the eye. That is because FirewallD is modular and enables complex configurations using a predefined set of commands. But fear not: to get started you will only need a few commands, and near the end of the guide you will find the advanced topics, namely zones, interfaces and sources.
FirewallD management: starting
FirewallD, as you might guess from the last character, is a daemon: a persistent service that runs on Linux. In order to manage it using the commands described in this guide you will need to start FirewallD. In most distributions this is handled by systemd; in case you’re using a different service manager please refer to your distribution documentation. If you’re using systemd (e.g. on CentOS 7) you can simply do:
# systemctl start firewalld
This will start the firewall; to verify it is now running you can do:
# firewall-cmd --state
running
Now that it is started you will be able to use firewall-cmd to manage it.
Reloading the firewall
The most common operation you will perform, excluding rule management, is reloading the firewall:
# firewall-cmd --reload
Stopping the firewall
Again, this operation is usually managed by systemd; if you’re using a different service manager please refer to your distribution documentation.
# systemctl stop firewalld
Enabling the firewall (start at boot)
Again, this operation is usually managed by systemd; if you’re using a different service manager please refer to your distribution documentation.
# systemctl enable firewalld
Into the CLI firewall jungle: firewall-cmd
Although FirewallD can be managed using graphical tools, it is mostly managed using the CLI through the firewall-cmd command. By using firewall-cmd you can tweak everything related to the firewall, from ports to zones.
In order to preserve a rule across reboots, you can add the --permanent flag, e.g. for the http service:
# firewall-cmd --add-service=http --permanent
However, a rule applied using the --permanent flag will not be active immediately and will not appear in the current (runtime) firewall configuration. In order to “activate” it you can either repeat the same command without --permanent or do:
# firewall-cmd --reload
This command will reload the firewall and load the rules set with the --permanent flag.
Using services
The most common entity you’ll be dealing with when using FirewallD is the service. Services are convenient wrappers around ports. Remembering http rather than port 80 is better, isn’t it? Well, maybe most of you know that http uses port 80/tcp; but what about samba? Kerberos? There are countless programs using countless ports, for the most common ones FirewallD has services to quickly enable/disable network access.
Adding services
In order to open the ports associated with http you can simply do:
# firewall-cmd --add-service=http
Easy right? But what about complex services like samba?
# firewall-cmd --add-service=samba
Although samba uses many ports, one simple command will take care of this for you.
Removing services
What about removing services? Not a big deal:
# firewall-cmd --remove-service=samba
Listing active (enabled) services
In order to take a look at enabled services simply do:
# firewall-cmd --list-services
dhcpv6-client ssh
In this example ssh and dhcpv6-client are enabled.
Listing available services (available, but not necessarily enabled)
If you’re wondering which services are defined (not necessarily enabled) you can use the following command to get a comprehensive list of services:
# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
All the listed services can be used with the commands above.
Managing ports
If the application you’re trying to enable is not defined in a service, you can use ports just like any other firewall. Ports are defined using a number and a protocol.
Opening ports
To open a port you can simply do:
# firewall-cmd --add-port=80/tcp
This will open port 80 using TCP.
Closing ports
The procedure to close a port is similar:
# firewall-cmd --remove-port=80/tcp
Listing open ports
To list open ports simply do:
# firewall-cmd --list-ports
Port forwarding
Port forwarding isn’t a common setting for a firewall; it is far more popular in routers, nevertheless it comes in handy sometimes (especially if your Linux machine is a router). Port forwarding allows an administrator to redirect traffic arriving at one port to another port.
Adding forwarded ports
# firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022
Unlike other common operations, port forwarding is a bit counterintuitive. Let’s break down the command:
- --add-forward-port= is the actual option; ignore the = sign to avoid confusion.
- port=22: is the port you want to forward from; the colon is just a separator within the argument.
- proto=tcp: is the protocol of the port from which the packets will be forwarded; again notice the colon that delimits the end of the proto statement.
- toport=2022 is the port where all the traffic will be sent; notice the absence of the colon since this is the last statement.
Removing forwarded ports
Removing a forwarded port is no harder than adding one: you rewrite the same statement using a different option:
# firewall-cmd --remove-forward-port=port=22:proto=tcp:toport=2022
The only thing that changes is --add-forward-port=, which becomes --remove-forward-port=.
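As an added example (not code from the original post), here is a small POSIX shell helper that ties the --permanent topic and the forward-port syntax together: it validates and builds the port=..:proto=..:toport=.. argument, applies a rule to both the runtime and the permanent configuration, and reports services that exist in only one of the two (a runtime-only rule disappears at the next reload or reboot, a permanent-only one is waiting for a --reload). It assumes firewall-cmd is on PATH; FIREWALL_CMD is a variable introduced here so the helpers can be pointed at a wrapper or fake for a dry run.

```shell
#!/bin/sh
# Constructed example, not from the original post. FIREWALL_CMD can be pointed
# at a wrapper (e.g. FIREWALL_CMD=echo) for a dry run; nothing runs at load time.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# True when $1 is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the port=..:proto=..:toport=.. argument that --add-forward-port expects,
# or fail (printing nothing) when a port or the protocol is malformed.
forward_spec() {
    valid_port "$1" && valid_port "$3" || return 1
    case "$2" in tcp|udp) ;; *) return 1 ;; esac
    printf 'port=%s:proto=%s:toport=%s\n' "$1" "$2" "$3"
}

# Apply one rule (e.g. --add-service=http) to the running firewall and to the
# permanent configuration, so it is active now and survives a reboot.
apply_both() {
    "$FIREWALL_CMD" "$@" && "$FIREWALL_CMD" --permanent "$@"
}

# Print the words of $1 (space separated) that do not occur in $2.
missing_from() {
    for item in $1; do
        case " $2 " in *" $item "*) ;; *) printf '%s\n' "$item" ;; esac
    done
}

# Report services that differ between the runtime and permanent configuration
# of a zone: "permanent-only" means a --reload is still pending, "runtime-only"
# means the rule will vanish at the next reload or reboot.
service_drift() {
    zone="${1:-public}"
    runtime=$("$FIREWALL_CMD" --zone="$zone" --list-services)
    permanent=$("$FIREWALL_CMD" --permanent --zone="$zone" --list-services)
    missing_from "$permanent" "$runtime" | sed 's/^/permanent-only: /'
    missing_from "$runtime" "$permanent" | sed 's/^/runtime-only: /'
}

# Typical use: apply_both "--add-forward-port=$(forward_spec 22 tcp 2022)"
```

Run service_drift after every change (and before a planned reload) to catch rules that were only added at runtime.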
FirewallD zones, sources and interfaces (advanced)
One peculiar entity in FirewallD is the zone. Generally speaking, zones are a set of services, ports, interfaces, sources and rules. All the rules, ports and services defined using the previously described commands used the default zone: public.
Understanding zones
Zones are a fundamental concept within the firewall; to understand how they work imagine a real-world scenario:
You’re in your home; of course your home is private, only a few people can access it, hence it is internal. Then you suddenly have to go outside to buy milk.
You head out into the streets, which is a public place, so you have to follow different rules compared to your own home.
Finally you reach the supermarket, which is another zone with different rules: since they had many robberies no one can enter, and you can’t buy milk.
Zones are abstractions made to simplify management of multiple networks: when a packet enters the machine it is sorted into a particular zone, and only then are the rules associated with that zone applied.
Managing zones
To get started with zones, you first need to know which zones are defined on your system:
# firewall-cmd --get-zones
This will list all the zones defined on your system. But what’s important here is to know which rules are defined within the zones:
# firewall-cmd --list-all-zones
The previous command will list everything in all the available zones, but that’s a bit too much information. What’s most important is to know what rules, interfaces and sources are defined within a given zone. To do so you can simply do:
# firewall-cmd --list-all --zone=public
Where public is the zone you want to inspect.
Understanding interfaces
Whenever a packet enters the machine, it must be sorted into a zone. Interfaces are a convenient way to make all packets coming from (or going to) a network interface flow into a zone. Interfaces use the same names as the network cards (e.g. eth0).
Adding an interface to a zone
Let’s say you want to move your eth0 interface to the trusted zone (which allows all traffic by default):
# firewall-cmd --change-zone=eth0 --zone=trusted
Now the traffic coming in from eth0 will be accepted by default without any filtering. Remember that you must use --permanent to make this change survive a reboot.
Listing interfaces assigned to a zone
Although the --list-all command previously described will include interfaces, you can get only the interfaces by issuing:
# firewall-cmd --list-interfaces --zone=public
This will print all the interfaces assigned to the public zone.
Listing the zone to which an interface is assigned
In order to know which zone a given interface is assigned to you can do:
# firewall-cmd --get-zone-of-interface=eth0
Where eth0 is the name of the interface you want to know about.
Understanding sources
Interfaces are a good way to direct all the traffic through a set of rules, but quite often that will be too broad. Sources represent IP addresses (or networks) that can be used to make packets go through a zone’s rules. It is important to understand that sources, just like interfaces, are just a means to decide which zone a packet will be sorted into: neither sources nor interfaces decide on their own whether to filter or allow a packet.
Adding a source to a zone
In order to add an IP to a zone simply do:
# firewall-cmd --add-source=192.168.1.0/24 --zone=trusted
This will place all the packets coming from 192.168.1.0/24 into the trusted zone.
Listing sources of a zone
Although the --list-all command previously described will include sources, you can get only the sources by issuing:
# firewall-cmd --list-sources --zone=public
This will print all the sources assigned to the public zone.
Removing sources from a zone
In order to remove an IP from a zone simply do:
# firewall-cmd --remove-source=192.168.1.0/24 --zone=trusted
From now on all the packets coming from 192.168.1.0/24 will no longer be placed in the trusted zone, although they may still end up there depending on the zone of the interface they arrive on.
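An added example (again not the post’s own code) for auditing the zone assignments described above: it validates an IPv4 network before binding it as a source, asks firewalld which zone a source is bound to, and lists every interface and source bound to an allow-everything zone such as trusted, since each of those entries bypasses filtering. FIREWALL_CMD is an assumed variable so the functions can be exercised against a wrapper or fake instead of a live firewall.

```shell
#!/bin/sh
# Constructed example, not from the original post; FIREWALL_CMD may point at a
# wrapper or fake for a dry run. Nothing is executed at load time.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# True when $1 is an IPv4 network in a.b.c.d/nn form with sane octets and prefix.
valid_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    net="${1%/*}"; prefix="${1#*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    for octet in $(printf '%s' "$net" | tr '.' ' '); do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Bind a source network ($1) to a zone ($2) at runtime and permanently,
# refusing malformed input instead of handing it to firewall-cmd.
bind_source() {
    valid_cidr4 "$1" || { echo "bad network: $1" >&2; return 1; }
    "$FIREWALL_CMD" --zone="$2" --add-source="$1" \
        && "$FIREWALL_CMD" --permanent --zone="$2" --add-source="$1"
}

# Print the zone firewalld has bound source $1 to.
zone_of_source() {
    "$FIREWALL_CMD" --get-zone-of-source="$1"
}

# List everything bound to a zone that accepts all traffic (trusted by default):
# every interface or source printed here skips filtering, so the list should be
# short and deliberate. Output: one "interface NAME" or "source NET" line each.
audit_open_zone() {
    zone="${1:-trusted}"
    for i in $("$FIREWALL_CMD" --zone="$zone" --list-interfaces); do
        printf 'interface %s\n' "$i"
    done
    for s in $("$FIREWALL_CMD" --zone="$zone" --list-sources); do
        printf 'source %s\n' "$s"
    done
}
```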