A concise guide to firewall D on Linux

Firewall D is the front-end controller of iptables, which is used to implement persistent network traffic rules.

It provides command line and graphical interfaces, which are available in the repositories of most Linux distributions. There are two main differences between using firewall D and controlling iptables directly:

  1. Firewall D uses zones and services instead of chain rules.
  2. It dynamically manages rule sets, allowing rules to be updated without breaking existing sessions and connections.

Firewall D is an encapsulation of iptables, which makes it easier for you to manage iptables rules

  • It's not an alternative to iptables. Although the iptables command can still be used with firewall D, it is recommended that you use only the firewall D command when using firewall D.

This guide will introduce you to the concept of firewall D's zones and services, as well as some basic configuration steps.

Install and manage firewall D

CentOS 7 and Fedora 20 + already contain firewall D, but it is not activated by default. It can be controlled like other systemd units.

  • Start the service and start it at system boot:
    sudo systemctl start firewalld
    sudo systemctl enable firewalld
  • To stop and disable:

    sudo systemctl stop firewalld
    sudo systemctl disable firewalld
  • Check firewall status. The output should be running or not running.

    sudo firewall-cmd --state
  • To view the status of the firewall D daemons:
    sudo systemctl status firewalld

Sample output

firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
Active: active (running) since Wed 2015-09-02 18:03:22 UTC; 1min 12s ago
Main PID: 11954 (firewalld)
CGroup: /system.slice/firewalld.service
└─11954 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
  • Reload firewall D configuration:
    sudo firewall-cmd --reload

Configure firewall D

Firewall D is configured using XML. Unless it's a very special configuration, you don't have to deal with them, you should use firewall-cmd instead.
The configuration file is located in two directories:

  • /Save the default configuration under usr / lib / firewall D, such as the default zone and public service. Avoid modifying them because they are overwritten every time the firewall package is updated.
  • /Save the system configuration file under etc/firewalld. These files override the default configuration.

config set

Firewall D uses two configuration sets: runtime and persistent. When the system restarts or restarts firewall D, the runtime configuration changes are not preserved, and the changes to the persistent configuration set are not applied to the running system.
By default, the firewall CMD command is available for run-time configuration, but using the -- permanent flag will save to the persistent configuration. To add and activate persistence rules, you can use one of two methods.

  1. Add rules to both persistent and runtime rule sets.

    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --zone=public --add-service=http
  2. Add the rule to the persistent rule set and reload firewall D.
    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --reload

The reload command deletes all runtime configurations and applies permanent configuration.
Because firewalld dynamically manages the ruleset, it does not break existing connections and sessions.

Area of firewall

A zone is a pre built rule set for various levels of trust that a given location or scenario (such as home, public, trusted, etc.) may have. Different regions allow different types of network services and inbound traffic, while rejecting any other traffic. When firewall D is first enabled, public will be the default zone.
Zones can also be used for different network interfaces. For example, to separate the interface between the internal network and the Internet, you can allow DHCP on the internal area, but only HTTP and SSH on the external area. Any interface that is not explicitly set to a specific zone will be added to the default zone.

  • To find the default area:

    sudo firewall-cmd --get-default-zone
  • To modify the default area:

    sudo firewall-cmd --set-default-zone=internal
  • To see the areas your network interface uses:

    sudo firewall-cmd --get-active-zones
  • Sample output:

    interfaces: eth0
  • To get all the configuration for a specific area:

    sudo firewall-cmd --zone=public --list-all
  • Sample output:

    public (default, active)
    interfaces: ens160
    services: dhcpv6-client http ssh
    ports: 12345/tcp
    masquerade: no
    rich rules:
  • To get the configuration for all areas:

    sudo firewall-cmd --list-all-zones
  • Sample output:
    masquerade: no
    rich rules:
    services: dhcpv6-client ipp-client ssh
    masquerade: no
    rich rules:

Use with services

FirewallD can allow traffic based on predefined rules for a specific network service. You can create your own custom system rules and add them to any area.
The configuration file of the default supported service is located in / usr/lib /firewalld/services, and the service file created by the user is in / etc/firewalld/services.

  • To view the default available services:

    sudo firewall-cmd --get-services
  • For example, to enable or disable the HTTP service:

    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --zone=public --remove-service=http --permanent
  • Allow or deny any port / protocol
    For example, allow or disable TCP traffic on port 12345.

    sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
    sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent
  • Port forwarding
    The following is to forward the traffic of port 80 to port 12345 on the same server.

    sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345
  • To forward a port to another server:
    1. Activate the masquerade in the desired area.
      sudo firewall-cmd --zone=public --add-masquerade
  1. Add forwarding rules. In the example, the traffic of port 80 is forwarded to port 8080 on the remote server with the IP address of 123.456.78.9.
    sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9
  • To delete a rule, replace -- add with -- remove. For example:
    sudo firewall-cmd --zone=public --remove-masquerade

Building rule set with firewall D

For example, here's how to use firewall d to configure the basic rules for your server (if you're running a web server).

  1. Set the default locale for eth0 to dmz. Of the default zones provided, dmz (demilitarized zone) is the most appropriate for this program because it only allows SSH and ICMP.

    sudo firewall-cmd --set-default-zone=dmz
    sudo firewall-cmd --zone=dmz --add-interface=eth0
  2. Add HTTP and HTTPS to the dmz zone for permanent service rules:

    sudo firewall-cmd --zone=dmz --add-service=http --permanent
    sudo firewall-cmd --zone=dmz --add-service=https --permanent
  3. Reload firewall D for rules to take effect immediately:
    sudo firewall-cmd --reload

If you run firewall CMD -- zone = DMZ -- list all, you get the following output:

dmz (default)
interfaces: eth0
services: http https ssh
masquerade: no
rich rules:

This tells us that the dmz area is our default area and is used for the source address and port of all networks in the eth0 interface. Allow incoming HTTP (port 80), HTTPS (Port 443), and SSH (port 22) traffic, and because there are no IP version control restrictions, these apply to IPv4 and IPv6. IP spoofing and port forwarding are not allowed. We don't have ICMP blocks, so ICMP traffic is fully allowed. There are no rules to allow all outbound traffic.
Advanced configuration
Services and ports are suitable for basic configurations, but may be more limited for advanced scenarios.
Rules and Direct interfaces allow you to add fully customized firewall rules to any zone for any port, protocol, address, and operation.
Rich rules
There are many rules rich grammars, but they are completely recorded in firewalld.richlanguage(5) In the manual page (or in the terminal, man firewalld.richlanguage ). Use the -- add rich rule, -- List rich rule, -- remove rich rule, and firewall CMD commands to manage them.

Here are some common examples:

  • Allow all IPv4 traffic from host

    sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address= accept'
  • TCP traffic from port to port 22 of IPv4 is denied.

    sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="" port port=22 protocol=tcp reject'
  • Allow TCP traffic from hosts to port 80 for IPv4 and forward traffic to port 6532.

    sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address= forward-port port=80 protocol=tcp to-port=6532'
  • Forward the IPv4 traffic of port 80 on host to port 8080 (masquerade needs to be activated on the zone).

    sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr='
  • List your current rich rules:
    sudo firewall-cmd --list-rich-rules

Direct interface of iptables
For the most advanced use, or for iptables experts, firewall D provides a direct interface that allows you to pass raw iptables commands to it. Direct interface rules are not persistent unless you use -- permanent.
To view all custom chains or rules added to firewall D:

firewall-cmd --direct --get-all-chains
firewall-cmd --direct --get-all-rules


#firewall-cmd --zone=public --add-port=3000/tcp --permanent
#firewall-cmd --zone=public --add-port=6379/tcp --permanent
#firewall-cmd --reload

Keywords: Linux firewall sudo iptables network

Added by 01706 on Thu, 28 May 2020 07:10:56 +0300