Firewall firewalld learning summary for RHEL Linux 7

This article describes firewalld, the firewall configuration tool in RHEL 7. Before RHEL 7, the iptables tools were generally used to manage the firewall. Strictly speaking, neither iptables nor firewalld is the firewall itself: both are management tools (a service or program) used to define firewall policy. The iptables service hands the configured policy to the kernel-level netfilter packet filter, while the firewalld service hands the configured policy to the kernel-level nftables packet-filtering framework.

 

firewalld (Dynamic Firewall Manager of Linux systems), the default firewall configuration tool in RHEL 7, offers two management interfaces: a CLI (firewall-cmd) and a GUI (firewall-config). Compared with traditional firewall management tools, firewalld supports dynamic rule updates and introduces the concept of zones. Simply put, a zone is one of several sets of firewall policies (policy templates) that firewalld prepares in advance, so that users can pick the appropriate set for a given production scenario and switch between policies quickly. Both IPv4 and IPv6 firewall settings are supported.

 

Everything in a firewall is associated with one or more zones, which are described below:

 

Zone                                    Description 
-----------------------------------------------------
drop (immutable)             Deny all incoming connections, outgoing ones are accepted. 
block (immutable)            Deny all incoming connections, with ICMP host prohibited messages issued. 
trusted (immutable)          Allow all network connections 
public                       Public areas, do not trust other computers
external                     For computers with masquerading enabled, protecting a local network 
dmz                          For computers publicly accessible with restricted access.  
work                         For trusted work areas 
home                         For trusted home network connections 
internal                     For internal network, restrict incoming connections

 

drop (discard)

Any incoming packet is discarded without a reply; only outgoing network connections are allowed. Even if a service such as http is added to this zone, its traffic is not allowed through.

 

block (reject)

Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6. Only network connections initiated from the system itself are allowed.

 

trusted

Accept all network connections. Even if no services are open, traffic in this zone passes through (all green lights).

 

public

For use in public areas, where you cannot trust that other computers on the network will not harm yours. Only selected incoming connections are accepted.

 

external

For use on external networks, in particular on routers with masquerading enabled. You cannot trust that other computers on the network will not harm yours. Only selected incoming connections are accepted.

 

dmz (demilitarized zone)

For computers in an isolated zone (DMZ) that external networks may reach with limited access. Only selected services are allowed through.

 

work

For work environments. You can mostly trust that other computers on the network will not harm yours. Only selected services are allowed through.

 

home

For home networks. You can mostly trust that other computers on the network will not harm yours. Only selected services are allowed through.

 

internal

For internal networks. You can mostly trust that other computers on the network will not threaten yours. Only selected services are allowed through.


Checking which firewall tool is in use

 

To determine whether RHEL 7 is using iptables or firewalld, check the status of the corresponding service units.

 

If the iptables service is not present, systemctl reports the unit as not found:

 

# systemctl status iptables.service
● iptables.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

 

Or, depending on the systemd version, the same query reports:

 

 

# systemctl status iptables.service

Unit iptables.service could not be found.

 

 

The easiest way, of course, is to use the following commands:

 

# systemctl is-active firewalld
active
# systemctl is-active iptables
inactive
# systemctl is-active ip6tables
inactive
# systemctl is-active ebtables
inactive

 

 

 

View firewall status

 

    # systemctl status firewalld

    # firewall-cmd --state

 

[root@mylnx ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-03-07 11:46:34 HKT; 1 day 4h ago
 Main PID: 124126 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─124126 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
 
Mar 07 11:46:34 mylnx systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 07 11:46:34 mylnx systemd[1]: Started firewalld - dynamic firewall daemon.
 
 
# firewall-cmd --state
running

 

 

Start the firewall service:

 

 

# systemctl start firewalld

or

# systemctl start firewalld.service

 

 

Restart firewall service:

 

# systemctl restart firewalld.service

 

or

 

# systemctl restart firewalld

 

 

Turn off the firewall:

 

# systemctl stop firewalld

 

 

[root@mylnx ~]# systemctl stop firewalld
[root@mylnx ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2018-03-08 16:35:17 HKT; 6s ago
  Process: 124126 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 124126 (code=exited, status=0/SUCCESS)
 
Mar 07 11:46:34 mylnx systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 07 11:46:34 mylnx systemd[1]: Started firewalld - dynamic firewall daemon.
Mar 08 16:35:16 mylnx systemd[1]: Stopping firewalld - dynamic firewall daemon...
Mar 08 16:35:17 mylnx systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@mylnx ~]# 

 

 

Disable or enable the firewall at startup:

 

# systemctl disable firewalld
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

 

 

firewall-cmd help information

 

# firewall-cmd --help

 

 

 

Configure Firewall

 

 

firewall-cmd has both runtime (temporary) and permanent settings. Runtime settings are lost when firewalld is reloaded or the server is restarted, whereas permanent settings survive. The --permanent option writes a setting to the permanent configuration. In the commands below, a setting is permanent wherever --permanent is given; otherwise it applies to the runtime configuration only.

 

 

 

1: List all available zones

 

 

[root@mylnx ~]# firewall-cmd --get-zones

block dmz drop external home internal public trusted work

[root@mylnx ~]#

 

 

2: View the currently active zone

 

[root@mylnx ~]# firewall-cmd --get-active-zones

public

  interfaces: eth0

[root@mylnx ~]#

 

3: View the current default zone

 

[root@mylnx ~]# firewall-cmd --get-default-zone

public

 

 

4: Set the current default zone

 

[root@mylnx ~]# firewall-cmd --set-default-zone=public

Warning: ZONE_ALREADY_SET: public

success

 

5: View the services firewalld knows about (predefined service definitions)

 

 
[root@mylnx ~]# firewall-cmd --get-service   
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

 

 

6: View the services that will be available after the next reload (permanent configuration)

 

[root@mylnx ~]# firewall-cmd --get-service --permanent
 
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https

 

 

7: List the ports open in a zone

 

[root@mylnx ~]# firewall-cmd --zone=public --list-ports

8123/tcp 8124/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp

 

 

8: List the full configuration of a zone

 

[root@mylnx ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: dhcpv6-client ssh
  ports: 8123/tcp 8124/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
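An added example, not part of the original article: a POSIX shell parser for the --list-all output above, with a small audit that flags services and ports that should not be exposed in an untrusted zone such as public. The sample listing is the one shown above, embedded as constructed input; the risky-item lists are an assumed policy, not anything firewalld ships.

```shell
# Constructed sample: the public zone listing shown above.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: dhcpv6-client ssh
  ports: 8123/tcp 8124/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:'

# zone_field LISTING FIELD -> the value of the "  FIELD: value" line
# (empty string when the field is unset, e.g. "sources: ").
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        $0 ~ "^  " f ":" { sub("^  " f ":[ ]*", ""); print; exit }'
}

# Items that should not be reachable from an untrusted zone.
# Assumed policy for this example; adjust to local standards.
RISKY_SERVICES="telnet ftp tftp samba mysql postgresql vnc-server"
RISKY_PORTS="23/tcp 21/tcp 3306/tcp 5432/tcp 5900/tcp"

# audit_zone LISTING -> prints "service X" / "port Y" per risky item found
audit_zone() {
    for s in $(zone_field "$1" services); do
        case " $RISKY_SERVICES " in *" $s "*) echo "service $s" ;; esac
    done
    for p in $(zone_field "$1" ports); do
        case " $RISKY_PORTS " in *" $p "*) echo "port $p" ;; esac
    done
}

audit_zone "$SAMPLE_LIST_ALL"          # prints: port 3306/tcp
# Live use (root, firewalld running):
# audit_zone "$(firewall-cmd --zone=public --list-all)"
```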

 

 

9: Open a specific port in a zone

 

 

For example, to open port 8123/tcp:

 

# firewall-cmd --zone=public --add-port=8123/tcp --permanent

success

# firewall-cmd --reload   # reload so the permanent rule takes effect

 

--zone=public         # the zone the rule applies to

--add-port=8123/tcp   # the port to add, in the form port/protocol

--permanent           # write to the permanent configuration; the rule only takes effect after --reload (or a restart)

 

Note: a port added with --permanent is not active until --reload is run:

 

[root@mylnx ~]# firewall-cmd --zone=public --add-port=8124/tcp --permanent 
success
[root@mylnx ~]# firewall-cmd --zone=public --list-ports
8123/tcp
[root@mylnx ~]# firewall-cmd --reload
success
[root@mylnx ~]# firewall-cmd --zone=public --list-ports
8123/tcp 8124/tcp

 

Also note the difference between --reload and --complete-reload:

 

# firewall-cmd --reload

# firewall-cmd --complete-reload

 

The difference is that the first reloads the rules without dropping existing connections, which is one of firewalld's dynamic rule-update features, while the second also drops existing connections, much like restarting the service.
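As an added example (not from the original article), a small POSIX shell check for the runtime/permanent mismatch described above: it takes the two --list-ports outputs of a zone and reports ports that are pending a --reload, or ports that exist only in the running configuration and will vanish on reload. The live wrapper assumes firewalld is running and root privileges.

```shell
# port_drift RUNTIME_PORTS PERMANENT_PORTS
# Both arguments are space-separated lists as printed by --list-ports.
# Prints one line per difference:
#   "pending P"  -> in permanent config but not active (needs --reload)
#   "volatile P" -> active now but not saved (lost on --reload or reboot)
port_drift() {
    runtime="$1"
    permanent="$2"
    for p in $permanent; do
        case " $runtime " in
            *" $p "*) ;;                 # present in both: no drift
            *) echo "pending $p" ;;
        esac
    done
    for p in $runtime; do
        case " $permanent " in
            *" $p "*) ;;
            *) echo "volatile $p" ;;
        esac
    done
}

# Live wrapper: compare the running and permanent port lists of a zone.
# Assumes firewalld is running and the caller is root.
zone_port_drift() {
    zone="${1:-public}"
    port_drift "$(firewall-cmd --zone="$zone" --list-ports)" \
               "$(firewall-cmd --zone="$zone" --list-ports --permanent)"
}

# Constructed sample from the session above: 8124/tcp was added with
# --permanent but --reload has not been run yet.
SAMPLE_RUNTIME="8123/tcp"
SAMPLE_PERMANENT="8123/tcp 8124/tcp"
port_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"    # prints: pending 8124/tcp
```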

 

 

 

 

How do you open multiple ports at once? There are two ways, summarised below:

 

Method 1: Add multiple ports in a loop using a shell script.

 

#!/bin/bash
# Add each port in the list to the public zone. Without --permanent these are
# runtime-only changes that disappear on --reload or reboot; append --permanent
# (and run firewall-cmd --reload afterwards) to make them persistent.
for port in 22 21 1337 3306 31337
do
  firewall-cmd --zone=public --add-port="${port}/tcp"
done

 

Method 2: if the ports form a contiguous range, a single command can open them:

 

# firewall-cmd --zone=public --add-port=6001-6020/tcp --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --zone=public --list-ports
8123/tcp 8124/tcp 8217/tcp 80/tcp 443/tcp 3306/tcp 10050/tcp 6001-6020/tcp

 

 

 

 

10: Remove an open port

 

 

# firewall-cmd --zone=public --remove-port=80/tcp --permanent

 

 

 

Remove the port number of an interval segment:

 

# firewall-cmd --zone=public --remove-port=6001-6020/tcp --permanent

success

 

# firewall-cmd  --reload

success

 

 

11: See which services can be opened

 

 

# firewall-cmd --get-services

 

 

12: Open a service

 

# firewall-cmd --add-service=zabbix-agent --permanent

success

 

# firewall-cmd --zone=public --add-service=zabbix-agent --permanent

success

 

 

 

13: Close a service

 

# firewall-cmd --remove-service=zabbix-agent --permanent

success

# firewall-cmd --reload

success

 

 

 

14: See which services are currently open

 

 

# firewall-cmd --list-services

dhcpv6-client ssh

 

# firewall-cmd --zone=public --list-services

dhcpv6-client ssh

 

 

Query whether a service is open

 

# firewall-cmd --query-service ftp

no

# firewall-cmd --query-service ssh

yes

 

15: Emergency (panic mode) commands

 

firewall-cmd --panic-on      # drop all traffic; remote sessions are cut immediately and only the local console can log in
firewall-cmd --panic-off     # leave panic mode; firewalld needs to be restarted before remote ssh works again
firewall-cmd --query-panic   # check whether panic mode is on

 

16: Allow specific IP addresses to access a service

 

 

# Single outer quotes keep the inner double quotes intact for firewalld; run firewall-cmd --reload afterwards to apply the change
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="ssh" accept'
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="ssh" accept'
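As an added example (not the article's own commands), the rich rule above wrapped in a POSIX shell helper that validates the source address before building the rule text, since firewall-cmd passes that text to firewalld verbatim. allow_from assumes firewalld is running and root privileges, and reloads so the permanent rule takes effect.

```shell
# valid_cidr ADDR -> returns 0 for a well-formed IPv4 address or a.b.c.d/n
valid_cidr() {
    ip="${1%/*}"; mask="${1#*/}"
    [ "$mask" = "$1" ] && mask=32                  # no prefix length given
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac  # prefix must be numeric
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs    # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# rich_rule_for SOURCE SERVICE -> the rule text in the form firewalld expects
rich_rule_for() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# allow_from SOURCE SERVICE [ZONE]: add the rule permanently, then reload.
# Assumes firewalld is running and the caller is root.
allow_from() {
    zone="${3:-public}"
    valid_cidr "$1" || { echo "rejected source address: $1" >&2; return 1; }
    firewall-cmd --permanent --zone="$zone" \
        --add-rich-rule="$(rich_rule_for "$1" "$2")" && firewall-cmd --reload
}

# Example: allow_from 192.168.0.4/24 ssh
```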

 


firewalld configuration files

 

The default definitions (default zones, predefined services, and so on) live here. Avoid modifying them, because they are overwritten every time the firewalld package is updated:

 

 

$ ls -lrt /usr/lib/firewalld
total 16
drwxr-xr-x. 2 root root  224 Feb 18 11:03 helpers
drwxr-xr-x. 2 root root   20 Feb 18 11:03 ipsets
drwxr-xr-x. 2 root root 4096 Feb 18 11:03 icmptypes
drwxr-xr-x. 2 root root 8192 Feb 18 11:03 services
drwxr-xr-x. 2 root root  163 Feb 18 11:03 zones

 

 

User-defined configuration is stored here and takes precedence over the defaults above:

 

$ ls -lrt /etc/firewalld
total 8
drwxr-x---. 2 root root   46 Feb  5 00:29 zones
drwxr-x---. 2 root root    6 Feb  5 00:29 services
-rw-r--r--. 1 root root  272 Feb  5 00:29 lockdown-whitelist.xml
drwxr-x---. 2 root root    6 Feb  5 00:29 ipsets
drwxr-x---. 2 root root    6 Feb  5 00:29 icmptypes
drwxr-x---. 2 root root    6 Feb  5 00:29 helpers
-rw-r--r--. 1 root root 2006 Feb  5 00:29 firewalld.conf

 

 

firewall-cmd offers a very rich and flexible set of commands; limited by space and experience, this article cannot cover them all and only summarises some common, simple ones. As I run into special requirements in my work, I will keep learning and improving it.


Added by alpha2zee on Sun, 01 Mar 2020 18:37:06 +0200