Firewalld Basic
Concept
Some basic concepts for firewalld that are needed to understand the commands:
- NIC
  Each NIC can have a different zone assigned using the nmcli command; if none is specified, it uses the default zone.
- Zone
  By default, the default zone is called default; this can be changed temporarily using the firewall-cmd command. To assign the default zone to a zone that isn't named default, using the nmcli command is required.
- Service
- Port
Start/Stop
# systemctl start firewalld
# systemctl enable firewalld
Default zone
The default zone is public when the --zone option is not specified on the command line.
Display the default zone
# firewall-cmd --get-default-zone
public
Display current settings
# firewall-cmd --list-all
public (default, active)
interfaces: eno16777736
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Display all zones defined by default
# firewall-cmd --list-all-zones
block
interfaces:
sources:
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
.....
.....
Display allowed services on a specific zone
# firewall-cmd --list-service --zone=external
ssh
Change default zone
# firewall-cmd --set-default-zone=external
success
Change zone for an interface
Note: the interface's zone is not changed permanently with "--change-interface", even if the "--permanent" option is added.
# firewall-cmd --change-interface=eth1 --zone=external
success
# firewall-cmd --list-all --zone=external
external (active)
interfaces: eth1
sources:
services: ssh
ports:
masquerade: yes
forward-ports:
icmp-blocks:
rich rules:
To change it permanently, use nmcli as follows:
# nmcli c mod eth1 connection.zone external
# firewall-cmd --get-active-zone
external
interfaces: eth1
public
interfaces: eth0
Services
Display services
# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
Service definition files are XML files in /usr/lib/firewalld/services
# ls /usr/lib/firewalld/services
amanda-client.xml ipp-client.xml mysql.xml rpc-bind.xml
bacula-client.xml ipp.xml nfs.xml samba-client.xml
bacula.xml ipsec.xml ntp.xml samba.xml
dhcpv6-client.xml kerberos.xml openvpn.xml smtp.xml
dhcpv6.xml kpasswd.xml pmcd.xml ssh.xml
dhcp.xml ldaps.xml pmproxy.xml telnet.xml
dns.xml ldap.xml pmwebapis.xml tftp-client.xml
ftp.xml libvirt-tls.xml pmwebapi.xml tftp.xml
high-availability.xml libvirt.xml pop3s.xml transmission-client.xml
https.xml mdns.xml postgresql.xml vnc-server.xml
http.xml mountd.xml proxy-dhcp.xml wbem-https.xml
imaps.xml ms-wbt.xml radius.xml
Add or remove services temporarily.
# firewall-cmd --add-service=http
success
# firewall-cmd --list-service
dhcpv6-client http ssh
...
...
# firewall-cmd --remove-service=http
success
# firewall-cmd --list-service
dhcpv6-client ssh
Add or remove services permanently
Note: reloading firewalld is required for a permanent change to take effect in the runtime configuration.
# firewall-cmd --add-service=http --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --list-service
dhcpv6-client http ssh
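Because runtime and permanent configurations are separate, a service added without --permanent silently disappears on the next --reload, while one added only with --permanent is not enforced until then. The following added example (not from the original page) compares the two service lists of a zone and reports the drift; the check_zone function assumes firewall-cmd is installed, and the SAMPLE_* values are constructed input.

```shell
#!/bin/sh
# Added example: detect drift between a firewalld zone's runtime and
# permanent service lists. Services only in the runtime list are lost at
# the next "firewall-cmd --reload"; services only in the permanent list
# are not enforced until a reload happens.

# Print the words of $1 that do not occur in $2, one per line, sorted.
words_only_in() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;              # present in both lists, skip it
            *) printf '%s\n' "$w" ;;
        esac
    done | sort
}

# $1 = runtime services, $2 = permanent services (space-separated).
# Prints "runtime-only: ..." and "permanent-only: ..." lines.
# Exit status 0 when both lists agree, 1 when they differ.
report_drift() {
    runtime_only=$(words_only_in "$1" "$2" | tr '\n' ' ' | sed 's/ $//')
    permanent_only=$(words_only_in "$2" "$1" | tr '\n' ' ' | sed 's/ $//')
    printf 'runtime-only: %s\n' "$runtime_only"
    printf 'permanent-only: %s\n' "$permanent_only"
    [ -z "$runtime_only" ] && [ -z "$permanent_only" ]
}

# Query a live zone (assumes firewall-cmd exists; --list-services is the
# long form of the --list-service abbreviation used above). With no
# argument the default zone is checked.
check_zone() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    report_drift "$(firewall-cmd --zone="$zone" --list-services)" \
                 "$(firewall-cmd --permanent --zone="$zone" --list-services)"
}

# Constructed sample: http was added at runtime only, https only permanently.
SAMPLE_RUNTIME='dhcpv6-client http ssh'
SAMPLE_PERMANENT='dhcpv6-client https ssh'
```

Run check_zone (optionally with a zone name) on a host to get the live comparison; a non-zero exit status means the two configurations have diverged.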
Ports
Add or remove ports temporarily.
# firewall-cmd --add-port=465/tcp
success
# firewall-cmd --list-port
465/tcp
# firewall-cmd --remove-port=465/tcp
success
# firewall-cmd --list-port
Add or remove ports permanently
# firewall-cmd --add-port=465/tcp --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --list-port
465/tcp
ICMP
Add or remove ICMP types.
# firewall-cmd --add-icmp-block=echo-request
success
# firewall-cmd --list-icmp-blocks
echo-request
# firewall-cmd --remove-icmp-block=echo-request
success
# firewall-cmd --list-icmp-blocks
Display ICMP types
# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect
router-advertisement router-solicitation source-quench time-exceeded