Firewalld
Info
A firewall acts as a gatekeeper that stops unwanted traffic from the outside network from reaching your system; its rules decide which traffic is allowed in or out. firewalld, the firewall front end used on RHEL, CentOS and Fedora and available on Debian and Ubuntu, organises these rules into zones. Each zone carries its own set of rules for the incoming traffic it allows or denies, and every network interface (or source address range) is assigned to exactly one zone, so the zone of the interface a packet arrives on decides which rules apply to it. Think of a home security system that states which visitor is allowed into which rooms of your house.
Zones List
Block : Any incoming connection is rejected with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message; only connections initiated from within the system are allowed.
DMZ : For publicly reachable hosts in a demilitarized zone that must have only limited access to the internal network; only selected incoming connections are accepted.
Drop : Incoming packets are dropped without any reply. Outgoing connections are still possible.
Public : For use on untrusted public networks, where you do not trust the other hosts; only selected incoming connections are accepted.
Trusted : All network connections are accepted.
firewalld also ships the external, home, internal and work zones. The external zone used in some examples below is meant for routers with masquerading enabled. On a fresh install the default zone is public, which is why most commands on this page target it.
Install
RedHat-based systems :
➜ ~ sudo yum install firewalld
➜ ~ sudo dnf install firewalld
Debian-based systems :
➜ ~ sudo apt install firewalld
Status
➜ ~ sudo systemctl enable firewalld
➜ ~ sudo systemctl status firewalld.service
➜ ~ sudo systemctl restart firewalld
List
➜ ~ sudo firewall-cmd --list-all
➜ ~ sudo firewall-cmd --zone=external --list-all
➜ ~ sudo firewall-cmd --list-all-zones
➜ ~ sudo firewall-cmd --get-default-zone
➜ ~ sudo firewall-cmd --list-services
➜ ~ sudo firewall-cmd --list-ports
Allow and deny by service
Without --permanent a change applies to the running firewall immediately but is lost when firewalld is reloaded or restarted :
➜ ~ sudo firewall-cmd --zone=public --add-service=http
➜ ~ sudo firewall-cmd --zone=public --add-service=ftp
➜ ~ sudo firewall-cmd --zone=public --add-service=ssh
(ftp is a cleartext protocol and is opened here only to illustrate the syntax.) Check the result with --list-services, which prints the zone's allowed services on one line :
➜ ~ sudo firewall-cmd --zone=public --list-services
To ensure that our new rule persists, we need to add the --permanent option. A permanent change is written to disk but does not touch the running firewall until the next reload, so either add the rule twice (with and without --permanent) or add it permanently and then run --reload; firewall-cmd --runtime-to-permanent copies the whole runtime set to disk in one step. The new command is :
➜ ~ sudo firewall-cmd --permanent --zone=public --add-service=http
➜ ~ sudo firewall-cmd --permanent --zone=public --add-service=ssh
To remove a service, we make one small change to the syntax. The same runtime/permanent split applies, and removing ssh from the zone your management interface is assigned to cuts off remote access, so do that from a console session :
➜ ~ sudo firewall-cmd --zone=public --remove-service=ssh
➜ ~ sudo firewall-cmd --zone=public --remove-service=ftp
➜ ~ sudo firewall-cmd --permanent --zone=external --remove-service=ftp
➜ ~ sudo firewall-cmd --permanent --zone=external --remove-service=ssh
Allow and deny by port
Ports are written as number/protocol. When no --zone is given the command applies to the default zone :
➜ ~ sudo firewall-cmd --add-port=2222/tcp
➜ ~ sudo firewall-cmd --permanent --zone=external --add-port=60001/udp
➜ ~ sudo firewall-cmd --permanent --add-port=2222/tcp
Check the allowed ports with the following command. It shows the runtime set; add --permanent to see what is on disk, which is where the 60001/udp rule above sits until a reload :
➜ ~ sudo firewall-cmd --zone=external --list-ports
To remove the port :
➜ ~ sudo firewall-cmd --permanent --zone=external --remove-port=60001/udp
Reload
A reload discards the runtime configuration and activates the permanent one while keeping connection state, so established sessions survive. Run it after any --permanent change :
➜ ~ sudo firewall-cmd --reload
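The allow/deny commands above come in two flavours, runtime (no --permanent) and permanent, and --reload swaps the on-disk set in over the runtime set. The script below is an added example and not part of the original page: it diffs the two sets for a zone and reports every service or port that a reload would silently drop or silently activate. Treating the output of --list-services and --list-ports as one space-separated line is an assumption, as is the FIREWALL_CMD variable used to stub the command; the sample lists at the bottom are constructed, not taken from a real host.

```sh
#!/bin/sh
# Added example (not from the original page): report drift between a zone's
# runtime and permanent firewalld configuration, i.e. the rules that --reload
# would throw away (runtime-only) or activate (permanent-only).
# Assumption: firewall-cmd prints --list-services / --list-ports as one
# space-separated line. FIREWALL_CMD exists only so the script can be pointed
# at a stub when no firewalld is installed.

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Print, one per line, the space-separated items of $1 that are absent from $2.
only_in_first() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bs, " "); for (i = 1; i <= n; i++) seen[bs[i]] = 1
        n = split(a, as, " "); for (i = 1; i <= n; i++) if (!(as[i] in seen)) print as[i]
    }'
}

# Compare the runtime and permanent lists of one zone.
# Arguments: zone runtime_services permanent_services runtime_ports permanent_ports
# Prints one line per difference; returns 1 if any drift was found, 0 otherwise.
report_drift() {
    zone=$1
    drift=0
    for svc in $(only_in_first "$2" "$3"); do
        echo "$zone: service $svc is runtime-only (lost on --reload)"; drift=1
    done
    for svc in $(only_in_first "$3" "$2"); do
        echo "$zone: service $svc is permanent-only (activated on --reload)"; drift=1
    done
    for port in $(only_in_first "$4" "$5"); do
        echo "$zone: port $port is runtime-only (lost on --reload)"; drift=1
    done
    for port in $(only_in_first "$5" "$4"); do
        echo "$zone: port $port is permanent-only (activated on --reload)"; drift=1
    done
    return $drift
}

# Query a live firewalld for one zone and report its drift.
check_zone() {
    report_drift "$1" \
        "$("$FIREWALL_CMD" --zone="$1" --list-services)" \
        "$("$FIREWALL_CMD" --permanent --zone="$1" --list-services)" \
        "$("$FIREWALL_CMD" --zone="$1" --list-ports)" \
        "$("$FIREWALL_CMD" --permanent --zone="$1" --list-ports)"
}

# Check every active zone. In --get-active-zones output the zone names are the
# lines without leading whitespace; interface/source lines are indented.
check_all_zones() {
    status=0
    for z in $("$FIREWALL_CMD" --get-active-zones | awk '!/^[[:space:]]/'); do
        check_zone "$z" || status=1
    done
    return $status
}

# Constructed sample (not from a real host): the operator ran
# --add-service=http without --permanent, and --permanent --add-port=2222/tcp
# without a --reload afterwards.
SAMPLE_RT_SVC="dhcpv6-client ssh http"
SAMPLE_PM_SVC="dhcpv6-client ssh"
SAMPLE_RT_PORTS=""
SAMPLE_PM_PORTS="2222/tcp"

if command -v "$FIREWALL_CMD" >/dev/null 2>&1; then
    check_all_zones || true
else
    report_drift public "$SAMPLE_RT_SVC" "$SAMPLE_PM_SVC" "$SAMPLE_RT_PORTS" "$SAMPLE_PM_PORTS" || true
fi
```

On a host with firewalld the script audits every active zone; elsewhere it runs against the constructed sample and prints the two drift lines. Promote a reviewed runtime set with firewall-cmd --runtime-to-permanent, or apply the on-disk set with --reload, then run the script again to confirm both sides agree.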
Rich rules in firewalld
We can also use rich rules, which offer more advanced filtering than plain services and ports. They are most useful when we want to allow or block a particular IP address or address range. Like every other firewall-cmd change, a rich rule is runtime-only unless --permanent is given, and it lands in the default zone unless --zone is given. Use the following command to display the current rich rules :
➜ ~ sudo firewall-cmd --list-rich-rules
We can match on a particular host IP and on ports using rich rules. The following rule accepts SSH connections from the host 10.1.111.21 and logs each one (the log lines go to the kernel log, readable with journalctl -k) :
➜ ~ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.1.111.21/32 service name=ssh log prefix="SSH Logs" level="notice" accept'
Note the /32 : a prefix such as /24 would admit the whole 10.1.111.0 network, not one host. On its own this rule does not block SSH from anywhere else; as long as the zone still lists the ssh service, every source is accepted by that service entry. To allow SSH only from this host, remove ssh from the zone's services (firewall-cmd --zone=public --remove-service=ssh) and rely on the zone's default of rejecting what is not explicitly allowed.
This example rejects all ICMP, including ping echo requests, from every host, answering with an ICMP error instead of silently dropping. Rejecting all ICMP also breaks path MTU discovery and other diagnostics; to block only ping, firewalld's ICMP block feature (--add-icmp-block=echo-request) is the narrower tool :
➜ ~ sudo firewall-cmd --add-rich-rule='rule protocol value=icmp reject'
The following rule rejects TCP connections to port 21 (ftp) coming from 172.92.10.90/32; all other traffic continues to be evaluated by the zone's remaining rules. Because reject rules in the rich language are placed ahead of the zone's service and port allows, this blocks that host even while ftp is enabled for the zone :
➜ ~ sudo firewall-cmd --add-rich-rule='rule family=ipv4 source address=172.92.10.90/32 port port=21 protocol=tcp reject'
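Restricting SSH to a single source address, as the first rich rule in this section does, has two pitfalls practitioners hit in practice: a prefix such as /24 admits the whole subnet, and an accept rich rule does not block other sources while ssh remains in the zone's service list. The script below is an added example, not code from the original page: it builds the rule from a validated address, pins a bare address to /32, removes the blanket ssh service from the zone so the rich rule is the only path in, and reloads so the permanent configuration takes effect in one step. The FIREWALL_CMD variable and the validation helper are assumptions introduced here; the firewall-cmd options are the ones used on this page.

```sh
#!/bin/sh
# Added example (not from the original page): restrict SSH to one management
# host with a rich rule. Assumes the firewall-cmd options shown on this page
# (--permanent, --zone, --remove-service, --add-rich-rule, --reload).
# FIREWALL_CMD exists only so the script can be dry-run with FIREWALL_CMD=echo.

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix; reject
# anything else, including embedded spaces that could smuggle rule keywords.
valid_ipv4_cidr() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    saved_ifs=$IFS
    set -f; IFS=.            # split on dots only, with globbing disabled
    set -- $addr
    set +f; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the rich rule. A bare address is pinned to /32 so that a stray prefix
# cannot widen the source; an explicit prefix is kept for a management subnet.
ssh_from_host_rule() {
    valid_ipv4_cidr "$1" || return 1
    case $1 in */*) src=$1 ;; *) src=$1/32 ;; esac
    printf 'rule family="ipv4" source address="%s" service name="ssh" log prefix="SSH Logs" level="notice" accept\n' "$src"
}

# Apply it permanently: drop the blanket ssh service from the zone so the rich
# rule becomes the only way in, add the rule, then reload so the permanent
# configuration replaces the runtime one in a single step.
restrict_ssh_to_host() {
    zone=$1
    rule=$(ssh_from_host_rule "$2") || { echo "refusing invalid address: $2" >&2; return 1; }
    "$FIREWALL_CMD" --permanent --zone="$zone" --remove-service=ssh &&
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-rich-rule="$rule" &&
    "$FIREWALL_CMD" --reload
}

# Usage: sh restrict-ssh.sh ZONE HOST                    (applies with firewall-cmd)
#        FIREWALL_CMD=echo sh restrict-ssh.sh ZONE HOST   (dry run: prints the commands)
if [ $# -eq 2 ]; then
    restrict_ssh_to_host "$1" "$2"
fi
```

Run it from a console or out-of-band session rather than over the SSH connection it is about to restrict, and dry-run first with FIREWALL_CMD=echo to see the exact commands. Only IPv4 is handled; an IPv6 rule needs family=ipv6 and its own validator.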