FirewallD is the front-end controller for iptables, used to implement persistent network traffic rules.
It provides command-line and graphical interfaces and is available in the repositories of most Linux distributions. There are two main differences between using FirewallD and controlling iptables directly:
- FirewallD uses zones and services instead of chains and rules.
- It manages rule sets dynamically, allowing rules to be updated without breaking existing sessions and connections.
FirewallD is a wrapper around iptables that makes iptables rules easier to manage; it is not a replacement for iptables. Although the iptables command can still be used while FirewallD is running, it is recommended that you use only firewall-cmd commands in that case, so that the two tools do not overwrite each other's rule sets.
This guide introduces FirewallD's concepts of zones and services, along with some basic configuration steps.
Install and manage FirewallD
CentOS 7 and Fedora 20+ already ship with FirewallD, but it is not enabled by default. It is controlled like any other systemd unit.
- Start the service and enable it at system boot:
    sudo systemctl start firewalld
    sudo systemctl enable firewalld
- Stop and disable it:
    sudo systemctl stop firewalld
    sudo systemctl disable firewalld
- Check the firewall state. The output should be either running or not running:
    sudo firewall-cmd --state
- View the status of the firewalld daemon:
    sudo systemctl status firewalld
  Sample output:
    firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
       Active: active (running) since Wed 2015-09-02 18:03:22 UTC; 1min 12s ago
     Main PID: 11954 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─11954 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
- Reload the FirewallD configuration:
    sudo firewall-cmd --reload
Configure FirewallD
FirewallD is configured with XML files. Unless you need a very special configuration, you should not edit them directly; use firewall-cmd instead.
The configuration files live in two directories:
- /usr/lib/firewalld holds the default configuration, such as the default zones and common services. Avoid modifying these files, because they are overwritten every time the firewalld package is updated.
- /etc/firewalld holds the system configuration files. These files override the defaults.
Configuration sets
FirewallD uses two configuration sets: runtime and permanent. Runtime configuration changes are not retained when the system or FirewallD restarts, and changes to the permanent configuration set are not applied to the running system until it is reloaded.
By default, firewall-cmd commands apply to the runtime configuration; adding the --permanent flag saves the change to the permanent configuration instead. To add and activate a permanent rule, use one of two methods:
- Add the rule to both the permanent and the runtime rule sets:
    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --zone=public --add-service=http
- Add the rule to the permanent rule set and reload FirewallD:
    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --reload
The reload command discards all runtime configuration and applies the permanent configuration. Because FirewallD manages the rule set dynamically, this does not break existing connections and sessions.
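A practical consequence of having two configuration sets is drift: a service added only at runtime silently disappears on the next reload or reboot, and a service added only with --permanent is not enforced until a reload. The script below is an added example (not part of the original guide or of the firewalld project) that compares the two sets for one zone and reports each direction of drift. It calls firewall-cmd --list-services with and without --permanent when firewall-cmd is installed; otherwise it falls back to constructed sample lists so it can run offline.

```shell
#!/bin/sh
# Added example: detect drift between the runtime and permanent
# configuration sets of a firewalld zone.

# Print each item of the space-separated list $1 that is absent from list $2.
list_only_in_first() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                 # present in both lists: no drift
            *) printf '%s\n' "$item" ;;     # drift
        esac
    done
}

# Summarise the drift for zone $1, given its runtime ($2) and permanent ($3)
# service lists. Returns 0 when both sets match, 1 when they differ.
report_drift() {
    zone=$1
    lost=$(list_only_in_first "$2" "$3")
    pending=$(list_only_in_first "$3" "$2")
    [ -z "$lost" ] && [ -z "$pending" ] && {
        echo "$zone: runtime and permanent service sets match"
        return 0
    }
    for s in $lost; do
        echo "$zone: service $s is only in the runtime set (lost on reload/reboot)"
    done
    for s in $pending; do
        echo "$zone: service $s is only in the permanent set (not active until reload)"
    done
    return 1
}

# Print the runtime list on line 1 and the permanent list on line 2 for zone $1.
# Uses firewall-cmd when installed; otherwise constructed sample data.
zone_lists() {
    zone=$1
    if command -v firewall-cmd >/dev/null 2>&1; then
        runtime=$(firewall-cmd --zone="$zone" --list-services 2>/dev/null) || runtime=""
        permanent=$(firewall-cmd --zone="$zone" --list-services --permanent 2>/dev/null) || permanent=""
    else
        # Constructed sample: http was added at runtime only, https permanently only.
        runtime="dhcpv6-client http ssh"
        permanent="dhcpv6-client https ssh"
    fi
    printf '%s\n%s\n' "$runtime" "$permanent"
}

check_zone() {
    lists=$(zone_lists "$1")
    runtime=$(printf '%s\n' "$lists" | sed -n 1p)
    permanent=$(printf '%s\n' "$lists" | sed -n 2p)
    report_drift "$1" "$runtime" "$permanent"
}

# Zone name comes from the first argument, defaulting to public.
check_zone "${1:-public}" && echo "no drift" || echo "drift detected: reconcile with --permanent and --reload"
```

Run it after a change window (or from cron) and treat any "only in the runtime set" line as a rule that will vanish; the fix is the second method above, adding it with --permanent and reloading.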
Zones
A zone is a pre-built rule set for the level of trust that a given location or scenario (home, public, trusted, and so on) may have. Different zones allow different types of network services and incoming traffic, while rejecting everything else. When FirewallD is first enabled, public is the default zone.
Zones can also be applied to different network interfaces. For example, with separate interfaces for an internal network and the Internet, you can allow DHCP on the internal zone but only HTTP and SSH on the external zone. Any interface not explicitly assigned to a specific zone is attached to the default zone.
- To find the default zone:
    sudo firewall-cmd --get-default-zone
- To change the default zone:
    sudo firewall-cmd --set-default-zone=internal
- To see the zones used by your network interfaces:
    sudo firewall-cmd --get-active-zones
  Sample output:
    public
      interfaces: eth0
- To get all the configuration for a specific zone:
    sudo firewall-cmd --zone=public --list-all
  Sample output:
    public (default, active)
      interfaces: ens160
      sources:
      services: dhcpv6-client http ssh
      ports: 12345/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
- To get the configuration for all zones:
    sudo firewall-cmd --list-all-zones
  Sample output:
    block
      interfaces:
      sources:
      services:
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    ...
    work
      interfaces:
      sources:
      services: dhcpv6-client ipp-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
Working with services
FirewallD can allow traffic based on predefined rules for specific network services. You can also create your own custom service rules and add them to any zone.
The configuration files for the default supported services are in /usr/lib/firewalld/services, and user-created service files go in /etc/firewalld/services.
- To view the default available services:
    sudo firewall-cmd --get-services
- For example, to enable or disable the HTTP service:
    sudo firewall-cmd --zone=public --add-service=http --permanent
    sudo firewall-cmd --zone=public --remove-service=http --permanent
Allowing or denying an arbitrary port/protocol
For example, to allow or disable TCP traffic on port 12345:
    sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
    sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent
Port forwarding
The following forwards traffic arriving on port 80 to port 12345 on the same server:
    sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345
To forward a port to another server:
- Enable masquerading in the desired zone:
    sudo firewall-cmd --zone=public --add-masquerade
- Add the forwarding rule. In this example, traffic arriving on port 80 is forwarded to port 8080 on the remote server at IP address 123.456.78.9:
    sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9
To remove a rule, replace --add with --remove. For example:
    sudo firewall-cmd --zone=public --remove-masquerade
Building a rule set with FirewallD
As an example, here is how you would use FirewallD to configure basic rules for a server that runs a web server.
- Set the default zone to dmz and assign eth0 to it. Of the default zones provided, dmz (demilitarized zone) is the best fit for this purpose, because it only allows SSH and ICMP:
    sudo firewall-cmd --set-default-zone=dmz
    sudo firewall-cmd --zone=dmz --add-interface=eth0
- Add HTTP and HTTPS to the dmz zone as permanent service rules:
    sudo firewall-cmd --zone=dmz --add-service=http --permanent
    sudo firewall-cmd --zone=dmz --add-service=https --permanent
- Reload FirewallD so the rules take effect immediately:
    sudo firewall-cmd --reload
If you now run firewall-cmd --zone=dmz --list-all, you get the following output:
    dmz (default)
      interfaces: eth0
      sources:
      services: http https ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
This tells us that the dmz zone is our default zone and applies to all traffic on the eth0 interface, with no source address restrictions. Incoming HTTP (port 80), HTTPS (port 443), and SSH (port 22) traffic is allowed, and because there is no IP version restriction, this applies to both IPv4 and IPv6. Masquerading and port forwarding are not enabled. There are no ICMP blocks, so ICMP traffic is fully allowed. There are no rich rules, and all outgoing traffic is allowed.
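Reading --list-all by eye works for one zone, but a defender usually wants the same check repeated across hosts: are only the expected services open, have raw ports or masquerading crept in, is anything being forwarded? The script below is an added example (not from the original guide or the firewalld project) that parses the --list-all layout shown above and flags those conditions; it goes slightly beyond the page's walkthrough by auditing several fields at once. The sample zone text is constructed and deliberately contains risky settings (telnet, two raw ports, masquerading, a forward) so that the checks have something to report; with firewall-cmd installed it reads the live zone instead.

```shell
#!/bin/sh
# Added example: audit a firewalld zone from "firewall-cmd --zone=X --list-all"
# output and flag settings that widen exposure.

# Constructed sample in the same layout as the guide's output, with
# deliberately risky settings so the checks below have findings.
SAMPLE_ZONE='dmz (default, active)
  interfaces: eth0
  sources:
  services: http https ssh telnet
  ports: 12345/tcp 5900/tcp
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=8080:toaddr=172.31.4.2
  icmp-blocks:
  rich rules:'

# Print the value of field $2 (e.g. services, ports, "rich rules") from the
# --list-all text in $1. Anchoring on the line start keeps "ports" from
# matching the "forward-ports" line.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Audit the zone text in $1 against an allow-list of expected services ($2).
# Prints one finding per line and returns 1 if anything was flagged.
audit_zone() {
    text=$1
    expected=$2
    findings=0
    for svc in $(zone_field "$text" services); do
        case " $expected " in
            *" $svc "*) ;;
            *) echo "unexpected service enabled: $svc"; findings=1 ;;
        esac
    done
    for p in $(zone_field "$text" ports); do
        echo "raw port opened (prefer a named service via --add-service): $p"
        findings=1
    done
    [ "$(zone_field "$text" masquerade)" = "yes" ] && {
        echo "masquerade is enabled: this host will NAT traffic for other hosts"
        findings=1
    }
    fwd=$(zone_field "$text" forward-ports)
    [ -n "$fwd" ] && { echo "port forwarding active: $fwd"; findings=1; }
    rich=$(zone_field "$text" "rich rules")
    [ -n "$rich" ] && { echo "rich rules present, review them: $rich"; findings=1; }
    return $findings
}

# Use the live zone when firewall-cmd exists, otherwise the constructed sample.
zone=${1:-dmz}
if command -v firewall-cmd >/dev/null 2>&1; then
    text=$(firewall-cmd --zone="$zone" --list-all 2>/dev/null) || text=$SAMPLE_ZONE
else
    text=$SAMPLE_ZONE
fi
audit_zone "$text" "http https ssh" && echo "$zone: no findings" || echo "$zone: review the findings above"
```

The expected service list is the one the walkthrough ends with (http, https, ssh); adjust it per host role. Raw ports are flagged rather than forbidden, because a named service in /etc/firewalld/services documents intent in a way a bare port number does not.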
Advanced configuration
Services and ports are fine for basic configurations, but can be too limiting for advanced scenarios.
Rich rules and the direct interface allow you to add fully customized firewall rules to any zone for any port, protocol, address, and action.
Rich rules
The rich rule syntax is extensive, but it is fully documented in the firewalld.richlanguage(5) man page (run man firewalld.richlanguage in a terminal). Use the --add-rich-rule, --list-rich-rules, and --remove-rich-rule options of firewall-cmd to manage them.
Here are some common examples:
- Allow all IPv4 traffic from host 192.168.0.14:
    sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'
- Reject IPv4 TCP traffic from host 192.168.1.10 to port 22:
    sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
- Allow IPv4 TCP traffic from host 10.1.0.3 to port 80 and forward it to port 6532:
    sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532'
- Forward IPv4 traffic arriving on port 80 to port 8080 on host 172.31.4.2 (masquerading must be enabled on the zone):
    sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2'
- List your current rich rules:
    sudo firewall-cmd --list-rich-rules
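Rich rules are usually typed by hand, and a mistyped address or port produces a rule that is wider or narrower than intended without any error. The script below is an added example (not from the original guide or the firewalld project) that builds the source/port/protocol/action form of rich rule shown above from validated inputs: the IPv4 address must be a dotted quad with octets in 0-255, the port must be 1-65535, and the protocol and action must be from a fixed set. The FIREWALLD_APPLY environment variable is a convention of this script, not of firewall-cmd; without it the script only prints the command it would run, which doubles as a dry run. The demo inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example: build firewalld rich rules from validated inputs.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a TCP/UDP port number in 1-65535.
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a rich rule applying ACTION (accept/reject/drop) to PROTO traffic
# from SOURCE to PORT. Prints nothing and returns 1 on invalid input.
# Usage: build_rich_rule SOURCE PORT PROTO ACTION
build_rich_rule() {
    src=$1 port=$2 proto=$3 action=$4
    is_ipv4 "$src" || { echo "invalid IPv4 address: $src" >&2; return 1; }
    is_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
    case $action in accept|reject|drop) ;; *) echo "action must be accept, reject or drop" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" %s\n' \
        "$src" "$port" "$proto" "$action"
}

# Build a rule and add it permanently to zone $1. Only applies it when
# FIREWALLD_APPLY=1 (this script's own convention); otherwise prints the command.
apply_rich_rule() {
    zone=$1; shift
    rule=$(build_rich_rule "$@") || return 1
    if [ "${FIREWALLD_APPLY:-0}" = 1 ]; then
        sudo firewall-cmd --zone="$zone" --add-rich-rule "$rule" --permanent
    else
        echo "dry run: firewall-cmd --zone=$zone --add-rich-rule '$rule' --permanent"
    fi
}

# Constructed demo inputs. The second address has an octet above 255, the kind
# of placeholder that should be caught before it reaches the firewall.
apply_rich_rule public 192.168.1.10 22 tcp reject
apply_rich_rule public 123.456.78.9 22 tcp reject || echo "rejected bad input, nothing applied"
```

Run the dry run first, confirm the printed rule matches what --list-rich-rules should show afterwards, then rerun with FIREWALLD_APPLY=1 and a --reload.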
Direct interface to iptables
For the most advanced use cases, or for iptables experts, FirewallD provides a direct interface that lets you pass raw iptables commands to it. Direct interface rules are not permanent unless you use --permanent.
To view all custom chains or rules added to FirewallD:
    firewall-cmd --direct --get-all-chains
    firewall-cmd --direct --get-all-rules
Tips:
To open additional ports permanently, for example 3000/tcp and 6379/tcp, and apply the change:
    firewall-cmd --zone=public --add-port=3000/tcp --permanent
    firewall-cmd --zone=public --add-port=6379/tcp --permanent
    firewall-cmd --reload