Working with Firewalld


FirewallD is a front-end for the kernel's netfilter packet filter. On CentOS 7 it is not a replacement for iptables: it is a daemon that generates and manages iptables rules on your behalf, so you never edit the iptables ruleset directly. Because it keeps a runtime configuration separate from the permanent one, rule changes are applied immediately without restarting the daemon or dropping established connections. FirewallD provides both a command-line interface (firewall-cmd) and a graphical one (firewall-config), and is available in most Linux distributions.

Features:

Supports most Linux distributions.
Loads kernel modules automatically.
Integrates easily with Puppet.
Provides both a command-line and a graphical user interface.
Supports IPv4, IPv6 and NAT.
Ships with a predefined list of services and zones.

In this tutorial, we will learn how to setup firewalld and see some useful firewalld rules to configure your server using command line.

Requirements

A server running CentOS-7 operating system.

A Non-root user account with sudo privilege set up on your server.

Installing FirewallD

The firewalld package is installed by default in CentOS-7. If not installed, you can easily install it by running the following command:

sudo yum install firewalld

Once firewalld is installed, make sure the legacy iptables service (from the iptables-services package, if it is present) is not running, because two tools managing the same ruleset will overwrite each other's rules. Stop it and mask it so it cannot be started again by accident:

sudo systemctl stop iptables

sudo systemctl mask iptables

Now, start the firewalld service and enable it so that it starts at boot:

sudo systemctl start firewalld

sudo systemctl enable firewalld

You can check the firewalld status with the following command:

sudo firewall-cmd --state

or

sudo systemctl status firewalld

You should see the following output:

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2016-09-23 19:13:16 IST; 7min ago
 Main PID: 572 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─572 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Sep 23 19:13:12 centOS-7 systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 23 19:13:16 centOS-7 systemd[1]: Started firewalld - dynamic firewall daemon.

Zone Management

Firewalld manages groups of rules using zones. A zone is a predefined ruleset that expresses how much you trust the network behind an interface or source address; each packet is evaluated against the zone that its ingress interface (or source address) belongs to. After firewalld is enabled for the first time, public is the default zone, and any interface not explicitly assigned elsewhere falls into it. You can assign different zones to different interfaces, for example one for an internal network and one facing the internet.

To view the default zone, run the following command:

sudo firewall-cmd --get-default-zone

Output:

public

To list the active zones (those that currently have an interface or source assigned), run:

sudo firewall-cmd --get-active-zones

Output:

public
  interfaces: eth0

To get all the details about public zone, run:

sudo firewall-cmd --zone=public --list-all

Output:

public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

To change the default zone, run the following command. Every interface that is not explicitly assigned to a zone follows the default zone, so check first that the new zone allows the ssh service, or you will lock yourself out of a remote server:

sudo firewall-cmd --set-default-zone=internal

To get the list of all the available zones, run:

sudo firewall-cmd --get-zones

Output:

block dmz drop external home internal public trusted work

To get all configurations for all zones, run:

sudo firewall-cmd --list-all-zones

Output:

block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

dmz
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

internal (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

trusted
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

You can also assign a network interface to a zone, either for the running session only or permanently.

To assign the eth0 interface to the internal zone for the running session (the change is lost on the next reload or reboot), run:

sudo firewall-cmd --zone=internal --change-interface=eth0

To assign eth0 to the internal zone permanently, run:

sudo firewall-cmd --permanent --zone=internal --change-interface=eth0

Before moving the interface you manage the server through, make sure the target zone allows the ssh service (or whatever port sshd listens on); otherwise the change locks you out.

To know which zone is associated with the eth0 interface, run:

sudo firewall-cmd --get-zone-of-interface=eth0

Output:

internal
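A check for the lock-out problem mentioned above, added here as an example; it is not code from the original tutorial or from firewalld. zone_allows_ssh parses the text of firewall-cmd --zone=NAME --list-all for the ssh service or an explicit PORT/tcp, and guard_change_interface refuses to move an interface into a zone that has neither. The two zone listings are constructed samples modelled on the output shown in this tutorial; the DRY_RUN variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): refuse to move an interface
# into a zone that would cut off SSH access to the server.

# zone_allows_ssh [PORT]
# Reads `firewall-cmd --zone=NAME --list-all` output on stdin and succeeds
# when the zone allows the ssh service or PORT/tcp (PORT defaults to 22).
zone_allows_ssh() {
    awk -v port="${1:-22}" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == "ssh") ok = 1 }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == (port "/tcp")) ok = 1 }
        END { if (ok) exit 0; exit 1 }
    '
}

# guard_change_interface ZONE IFACE LISTING [SSHPORT]
# LISTING is the zone's --list-all text; on a real host obtain it with
#   guard_change_interface internal eth0 "$(firewall-cmd --zone=internal --list-all)"
# With DRY_RUN=1 the firewall-cmd call is printed instead of executed.
guard_change_interface() {
    zone="$1"; iface="$2"; listing="$3"; sshport="${4:-22}"
    if ! printf '%s\n' "$listing" | zone_allows_ssh "$sshport"; then
        echo "refusing: zone '$zone' allows neither ssh nor $sshport/tcp;" \
             "moving $iface there would lock you out" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd --zone=%s --change-interface=%s\n' "$zone" "$iface"
    else
        firewall-cmd --zone="$zone" --change-interface="$iface"
    fi
}

# Constructed sample listings, modelled on the output shown in this tutorial.
SAMPLE_INTERNAL='internal (active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no'

SAMPLE_WEBZONE='webzone
  interfaces:
  sources:
  services: ftp http https
  ports: 2200/tcp
  masquerade: no'
```

The same guard applies to --set-default-zone, since unassigned interfaces follow the default zone: run the target zone's listing through zone_allows_ssh before switching. If sshd listens on a non-standard port, pass that port as the fourth argument.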

It is also possible to create your own zone. It can be useful to define your own zones that are more descriptive of their function.

For example, create a zone for your web server called webzone by running the following command:

sudo firewall-cmd --permanent --new-zone=webzone

Now, reload firewalld to bring the configuration into your running session.

sudo firewall-cmd --reload

Now list the zones again; webzone should appear among them:

sudo firewall-cmd --get-zones

Output:

block dmz drop external home internal public trusted webzone work

Now, allow some services in webzone, for example http, https and ftp (the ftp service definition also loads the nf_conntrack_ftp connection-tracking helper so that FTP data connections are tracked):

sudo firewall-cmd --permanent --zone=webzone --add-service=ftp

sudo firewall-cmd --permanent --zone=webzone --add-service=http

sudo firewall-cmd --permanent --zone=webzone --add-service=https

These services were added to the permanent configuration only, so list that configuration to confirm them (the runtime view will not show them until the next reload):

sudo firewall-cmd --permanent --zone=webzone --list-all

Output:

webzone
  interfaces:
  sources:
  services: ftp http https
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Note that webzone has no interface or source assigned yet, so it is not active: none of these rules take effect until you bind an interface to it (--change-interface) or a source range (--add-source).

Service Management

Firewalld allows traffic based on predefined rules for specific network services. You can create your own custom service rules and add them to any zone.

To get a list of the default available services, run:

sudo firewall-cmd --get-services

Output:

RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

You can also add services to each zone. For example, to allow the http service permanently in the internal zone, run the following command:

sudo firewall-cmd --permanent --zone=internal --add-service=http

Now, reload the firewalld service to effect these changes:

sudo firewall-cmd --reload

To list the services allowed in the default zone, run:

sudo firewall-cmd --list-services

Output:

dhcpv6-client http ipp-client mdns samba-client ssh

Service Firewall Configuration

The service definitions that ship with firewalld (http, ftp, dhcp and so on) are XML files in the /usr/lib/firewalld/services directory. Do not edit them there, because package updates overwrite them; put your own definitions, or modified copies, in /etc/firewalld/services, which takes precedence over the packaged directory.

For example, HAProxy service is not available in the /usr/lib/firewalld/services directory. You can create your own haproxy service by creating /etc/firewalld/services/haproxy.xml file.

sudo nano /etc/firewalld/services/haproxy.xml

Add the following lines (the port element is an assumption; list one port element for every port your HAProxy frontends bind to):

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HAProxy</short>
  <description>HAProxy load-balancer</description>
  <!-- assumed: adjust to the ports HAProxy actually listens on -->
  <port protocol="tcp" port="80"/>
</service>

Firewalld only reads service files at startup or reload, so reload it first to make the new service known, then add the HAProxy service to the default zone permanently and reload again to activate it:

sudo firewall-cmd --reload

sudo firewall-cmd --permanent --add-service=haproxy

sudo firewall-cmd --reload
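The service file can be generated rather than typed, which makes it easy to keep definitions in version control and to catch a malformed port before firewalld rejects the file. The following shell functions are an added example, not part of the original tutorial or of firewalld; the function names, the DIR argument (normally /etc/firewalld/services) and the port list are assumptions, and the HAProxy ports in the usage line are illustrative.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate a firewalld
# service definition file and validate its port list first.
#
# write_firewalld_service DIR NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
# DIR is /etc/firewalld/services on a real host (assumed; the test uses a
# temporary directory). Prints the path of the file it wrote.
# Usage: write_firewalld_service /etc/firewalld/services haproxy "HAProxy load-balancer" 80/tcp 443/tcp

# valid_port_spec 80/tcp: a single port 1-65535 with protocol tcp or udp.
valid_port_spec() {
    case "$1" in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    port="${1%/*}"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then
        return 0
    fi
    return 1
}

# xml_escape TEXT: escape the three characters that break an XML text node.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

write_firewalld_service() {
    dir="$1"; name="$2"; desc="$3"; shift 3
    # The name becomes a file name and a firewall-cmd argument: keep it plain
    # (alphanumeric start, then alphanumerics, '_' or '-').
    case "$name" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_-]*) echo "bad service name: '$name'" >&2; return 1 ;;
    esac
    [ "$#" -ge 1 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: '$spec'" >&2; return 1; }
    done
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$name")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}
```

After writing the file, run sudo firewall-cmd --reload so firewalld reads it, then sudo firewall-cmd --permanent --add-service=NAME and reload once more. Firewalld service files also accept port ranges (port="8000-8100"); the validator above deliberately accepts single ports only.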

Port Management

Port management follows the same concept as service management: opening a port allows traffic to it in the given zone, whether or not a service definition exists for it.

To allow port 53/tcp in the internal zone for the running session only, run:

sudo firewall-cmd --zone=internal --add-port=53/tcp

To allow port 53/tcp in the internal zone permanently, run:

sudo firewall-cmd --permanent --zone=internal --add-port=53/tcp

Now, reload the firewalld service to activate the permanent change:

sudo firewall-cmd --reload

To list the ports open in the internal zone, run:

sudo firewall-cmd --zone=internal --list-ports

To close port 53/tcp again, remove it from the permanent configuration (and reload afterwards, as above):

sudo firewall-cmd --permanent --zone=internal --remove-port=53/tcp

Masquerading

IP masquerading is a form of network address translation (NAT) in which the firewall rewrites the source address of outgoing packets to its own address, so that hosts on an internal network can reach the outside network through it. The predefined external zone already has masquerading enabled, as the zone listing above shows.

First, check whether Masquerade enabled for external zone or not by running the following command:

sudo firewall-cmd --zone=external --query-masquerade

If it’s not enabled, you can enable it by following command.

sudo firewall-cmd --zone=external --add-masquerade

If you want to remove masquerading, run the following command:

sudo firewall-cmd --zone=external --remove-masquerade

To forward all packets arriving on port 22 to port 2200 on the same host, run the following command. Note that this diverts SSH traffic for the zone, so make sure something is actually listening on port 2200 before you do this on a server you manage remotely:

sudo firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2200

You can also forward to a different host by adding the destination IP address. Forwarding to another host requires masquerading to be enabled on the zone, which is why it was turned on above. Like the other commands in this section, these changes are runtime only; add --permanent and reload to keep them across a reboot.

sudo firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2200:toaddr=192.168.43.100

Now get all the information about external zone, run:

sudo firewall-cmd --zone=external --list-all

Output:

external
  interfaces:
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=2200:toaddr=192.168.43.100
	port=22:proto=tcp:toport=2200:toaddr=
  icmp-blocks:
  rich rules:

Block Incoming and Outgoing Packets

You can use panic mode to block all incoming and outgoing packets. Established connections are cut off as well, including the SSH session you are working from, so use it only from the console or when you really need to isolate a host. To enable it, run the following command:

sudo firewall-cmd --panic-on

Once panic mode is enabled, try to ping hostpresto.com and check that panic mode is on with the --query-panic option:

ping hostpresto.com

Output:

Unknown host hostpresto.com

The name cannot even be resolved, because DNS queries are blocked along with everything else.

sudo firewall-cmd --query-panic

Now disable panic mode and ping again:

sudo firewall-cmd --panic-off

ping hostpresto.com

This time hostpresto.com answers the ping.

Adding & Blocking IP Addresses

You can also accept all traffic from a specific source IP address in a zone using a rich rule. Without --permanent the rule exists only in the running session and disappears on the next reload or reboot.

For example, to accept everything from 192.168.43.20 in the public zone, run the following command:

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.43.20" accept'

Now, list the public zone configuration to see the rule:

sudo firewall-cmd --zone=public --list-all

Output:

public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.43.20" accept

To remove the rule again, run:

sudo firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.43.20" accept'

To reject traffic from an IP address in the public zone instead, run the following command (use drop in place of reject to discard the packets silently, without sending an error back to the sender):

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.43.20" reject'

Now, list the public zone configuration again:

sudo firewall-cmd --zone=public --list-all

Output:

public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 3000/tcp 80/tcp 3000/udp 8888/tcp 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.43.20" reject
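Blocking a handful of addresses by hand is fine, but a list that comes out of a log review or an abuse feed should be validated before it turns into firewall rules. The following is an added example, not code from the original tutorial: it reads a file of IPv4 addresses or CIDR ranges, drops comments, duplicates and malformed entries, writes one permanent rich rule per entry into the given zone and reloads once at the end, so the rules survive a reboot unlike the runtime-only commands above. The block-list contents, the run_fw wrapper and the DRY_RUN variable are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): turn a block list into
# permanent firewalld rich rules, validating every entry first so that a
# typo cannot become a bogus rule.

# valid_ipv4 ADDR[/PREFIX]: dotted quad with an optional prefix length 0-32.
valid_ipv4() {
    addr="${1%/*}"
    if [ "$addr" != "$1" ]; then
        prefix="${1#*/}"
        case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs="$IFS"; IFS=.
    set -f                      # no globbing while splitting on dots
    set -- $addr
    set +f
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# run_fw ARGS...: print the firewall-cmd call (DRY_RUN=1) or execute it.
run_fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd'
        for a in "$@"; do printf " '%s'" "$a"; done
        printf '\n'
    else
        firewall-cmd "$@"
    fi
}

# blocklist_to_rules ZONE FILE [ACTION]
# FILE holds one IPv4 address or CIDR per line; '#' starts a comment.
# ACTION is reject (default, sends an error back) or drop (silent discard).
blocklist_to_rules() {
    zone="$1"; file="$2"; action="${3:-reject}"
    case "$action" in reject|drop) ;; *) echo "action must be reject or drop" >&2; return 1 ;; esac
    # strip comments and whitespace, drop empty lines, then de-duplicate
    sed 's/#.*//; s/[[:space:]]//g; /^$/d' "$file" | sort -u | while IFS= read -r entry; do
        if ! valid_ipv4 "$entry"; then
            echo "skipping malformed entry: $entry" >&2
            continue
        fi
        rule="rule family=\"ipv4\" source address=\"$entry\" $action"
        run_fw --permanent --zone="$zone" --add-rich-rule="$rule"
    done
    run_fw --reload
}
```

Run it as blocklist_to_rules public /etc/firewalld/blocklist.txt drop (the path is an assumption) and review the output of firewall-cmd --zone=public --list-rich-rules afterwards. One rich rule per address is fine for tens of entries; newer firewalld releases support ipsets (--permanent --new-ipset=NAME --type=hash:net, then a single rich rule with source ipset="NAME") for lists with thousands of entries.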

Conclusion

You should now have a good understanding of how to configure and use the firewalld service on your system. You can also use firewalld in a virtual lab environment to try out all of its options safely before applying them to a production server.