2015-04-22

Using Firewalld

Why use Firewalld

We can see that by default iptables is not enabled on RHEL/CentOS 7.0 anymore:

# systemctl list-unit-files | grep ipta
iptables.service disabled
# systemctl list-unit-files | grep firewa
firewalld.service enabled


You can still modify rules with iptables commands, but running service iptables save will not store the configuration permanently, so when the machine reboots your rules are lost.

This is because the iptables service is no longer started at boot.

Firewalld Basic Operation


Learning firewalld isn't too hard: firewall rules are specified on a per-zone basis and are configured with the firewall-cmd command.

Using firewall-cmd without specifying a zone applies the rule to the default zone. To find the default zone we run:

firewall-cmd --get-default-zone
public


This means that whenever we create a rule without naming a zone, it is created in the public zone.

To see where the public zone applies:

# firewall-cmd --zone=public --list-all
public (default, active)
interfaces: br0 eno2-2-001 eno3-3-001 eno4-4-001
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:


To list all active zones on the system:

# firewall-cmd --get-active-zones
public
interfaces: br0 eno2-2-001 eno3-3-001 eno4-4-001


Adding Firewalld Rules

In this example I will add a range of TCP ports in firewalld and make it a permanent rule, using the --permanent flag, so it persists after reboot.

firewall-cmd --permanent --add-port=2001-2999/tcp


Removing Firewalld Rules

In this example I will remove a range of TCP ports from firewalld, again with the --permanent flag so the removal persists after reboot. firewalld matches the port entry exactly, so the range must be written the same way it was added.

firewall-cmd --permanent --remove-port=2999-5900/tcp


Then we reload the rules for changes to take effect:

firewall-cmd --reload


Validating Firewalld Rules

To validate rules and list everything:

firewall-cmd --list-all-zones


List Services:

# firewall-cmd --zone=public --list-services
dhcpv6-client ssh


List ports:

# firewall-cmd --zone=public --list-ports
2001-2999/tcp

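As an added example (not from the original post), here is a small POSIX shell audit that compares a zone's runtime port list with its permanent one and flags the two kinds of drift this post runs into: ports opened without --permanent (gone after reboot) and ports added with --permanent but not yet reloaded (not live). The audit_zone helper name and the sample port lists are constructed for the demo.

```sh
#!/bin/sh
# Audit drift between firewalld runtime and permanent port rules for one zone.
# Inputs are the space-separated lists printed by
#   firewall-cmd --zone=ZONE --list-ports
#   firewall-cmd --zone=ZONE --permanent --list-ports

# Print each port entry in list $1 that is absent from list $2, one per line.
# Entries are compared whole ("2001-2999/tcp"), exactly as firewalld matches them.
ports_only_in_first() {
  for p in $1; do
    case " $2 " in
      *" $p "*) ;;      # present in both lists: no drift
      *) echo "$p" ;;
    esac
  done
}

# Print one line per drifting port. Returns 0 when the lists match, 1 otherwise.
report_port_drift() {
  zone=$1; runtime=$2; permanent=$3; rc=0
  for p in $(ports_only_in_first "$runtime" "$permanent"); do
    echo "zone=$zone port=$p state=RUNTIME_ONLY (lost on reboot or --reload)"
    rc=1
  done
  for p in $(ports_only_in_first "$permanent" "$runtime"); do
    echo "zone=$zone port=$p state=PERMANENT_ONLY (inactive until --reload)"
    rc=1
  done
  return $rc
}

# Query a live host (needs firewall-cmd); defaults to the default zone.
audit_zone() {
  zone=${1:-$(firewall-cmd --get-default-zone)}
  report_port_drift "$zone" \
    "$(firewall-cmd --zone="$zone" --list-ports)" \
    "$(firewall-cmd --zone="$zone" --permanent --list-ports)"
}

# Constructed sample output (not captured from a real host): 2001-2999/tcp was
# added with --permanent but not reloaded; 8080/tcp was added without --permanent.
SAMPLE_RUNTIME="8080/tcp 443/tcp"
SAMPLE_PERMANENT="2001-2999/tcp 443/tcp"
if [ "${1:-}" = "--demo" ]; then
  report_port_drift public "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
fi
```

Run it with --demo to see the constructed case, or call audit_zone on a RHEL/CentOS 7 host after applying the rules above; a non-zero exit means the two configurations have diverged.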

More information:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Configuring_the_Firewall
