Introduction<\/p>\n
\u2013 A packet filtering firewall reads incoming network packets and filters (allows or denies) each data packet based on the header information in the packet. The Linux kernel has built-in packet filtering functionality called Netfilter.
\n\u2013 Two services are available in RHEL 7 to create, maintain, and display the rules stored by Netfilter:
\n1. firewalld
\n2. iptables
\n\u2013 In RHEL 7, the default firewall service is firewalld.
\n\u2013 firewalld is a dynamic firewall manager which supports firewall (network) zones.
\n\u2013 The firewalld service has support for IPv4, IPv6, and for Ethernet bridges.
\n\u2013 The firewalld service also provides a D-BUS interface. Services or applications already using D-BUS can add or request changes to firewall rules directly through the D-BUS interface.<\/p>\n
Advantages over iptables<\/p>\n
firewalld has the following advantages over iptables :
\n1. Unlike the iptables command, the firewall-cmd command does not restart the firewall and disrupt established TCP connections.
\n2. firewalld supports dynamic zones.
\n3. firewalld supports D-Bus for better integration with services that depend on firewall configuration.<\/p>\n
Configuration options<\/p>\n
The firewalld service has two types of configuration options:
\n1. Runtime: Changes to firewall settings take effect immediately but are not permanent. Changes made in runtime configuration mode are lost when the firewalld service is restarted.
\n2. Permanent: Changes to firewall settings are written to configuration files. These changes are applied when the firewalld service restarts.<\/p>\n
Configuration files<\/p>\n
Configuration files for firewalld exist in two directories:
\n\/usr\/lib\/firewalld: Contains default configuration files. Do not make changes to these files. An upgrade of the firewalld package overwrites this directory.
\n\/etc\/firewalld: Changes to the default configuration files are stored in this directory.Files in this directory overload the default configuration files.<\/p>\n
firewalld zones<\/p>\n
The firewalld service allows you to separate networks into different zones based on the level of trust you want to place on the devices and traffic within a specific network. For each zone you can define the following features:
\nServices: Predefined or custom services to trust. Trusted services are a combination of ports and protocols that are accessible from other systems and networks.
\nPorts: Additional ports or port ranges and associated protocols that are accessible from other systems and networks.
\nMasquerading: Translate IPv4 addresses to a single external address. With masquerading enabled, addresses of a private network are mapped to and hidden behind a public address.
\nPort Forwarding: Forward inbound network traffic from a specific port or port range to an alternative port on the local system, or to a port on another IPv4 address.
\nICMP Filter: Block selected Internet Control Message Protocol messages.
\nRich Rules: Extend existing firewalld rules to include additional source and destination addresses and logging and auditing actions.
\nInterfaces: Network interfaces bound to the zone. The zone for an interface is specified with the ZONE=option in the \/etc\/sysconfig\/network-scripts\/ifcfg file. If the option is missing, the interface is bound to the default zone.<\/p>\n
Predefined firewalld Zones<\/p>\n
The firewalld software package includes a set of predefined network zones in the following directory:<\/p>\n
# ls -lrt \/usr\/lib\/firewalld\/zones\/
\ntotal 36
\n-rw-r—– 1 root root 342 Sep 15 2015 work.xml
\n-rw-r—– 1 root root 162 Sep 15 2015 trusted.xml
\n-rw-r—– 1 root root 315 Sep 15 2015 public.xml
\n-rw-r—– 1 root root 415 Sep 15 2015 internal.xml
\n-rw-r—– 1 root root 400 Sep 15 2015 home.xml
\n-rw-r—– 1 root root 304 Sep 15 2015 external.xml
\n-rw-r—– 1 root root 291 Sep 15 2015 drop.xml
\n-rw-r—– 1 root root 293 Sep 15 2015 dmz.xml
\n-rw-r—– 1 root root 299 Sep 15 2015 block.xml
\nThe zone files contain preset settings, which can be applied to a network interface. For example:<\/p>\n
# grep \u2013i service \/usr\/lib\/firewalld\/zones\/public.xml A brief explanation of each zone follows: Setting the Default firewalld Zone<\/p>\n After an initial installation, the public zone is the default zone as specified in the configuration file, \/etc\/firewalld\/firewalld.conf.<\/p>\n # grep \u2013i defaultzone \/etc\/firewalld\/firewalld.conf # firewall-cmd –get-active-zone # firewall-cmd –set-default-zone=work firewalld Services<\/p>\n \u2013 A firewalld service is a combination of local ports and protocols and destination addresses. # # ls -lrt \/usr\/lib\/firewalld\/zones\/ Start firewalld<\/p>\n To start firewalld:<\/p>\n # systemctl start firewalld # systemctl enable firewalld # systemctl status firewalld The firewall-cmd Utility<\/p>\n The command-line tool firewall-cmd is part of the firewalld application, which is installed by default. To get help on the firewall-cmd command:<\/p>\n # firewall-cmd –help # firewall-cmd –list-all-zones public (default, active) # firewall-cmd –zone=public –add-service=http # firewall-cmd –zone=work –list-services # systemctl restart firewalld # firewall-cmd –permanent –zone=public –add-service=http # systemctl restart firewalld Introduction<\/p>\n \u2013 A packet filtering firewall reads incoming network packets and filters (allows or denies) each data packet based on the header information in the packet. The Linux kernel has built-in packet filtering functionality called Netfilter. \u2013 Two services are available in RHEL 7 to create, maintain, and display the rules stored by Netfilter: 1. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6704"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6704"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6704\/revisions"}],"predecessor-version":[{"id":6705,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6704\/revisions\/6705"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6704"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6704"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6704"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n
\n
\nIn this example, network interfaces bound to the public zone trust only two services, ssh and dhcpv6-client.<\/p>\n
\ndrop: Any incoming network packets are dropped, there is no reply. Only outgoing
\nnetwork connections are possible.
\nblock: Any incoming network connections are rejected with an icmp-host- prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
\nhome: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
\npublic: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
\nwork: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
\ndmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
\nexternal: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
\ninternal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
\ntrusted: All network connections are accepted.<\/p>\n
\nDefaultZone=public
\nNetwork interfaces are bound to the default zone unless specified with ZONE=[zone] in the ifcfg file. The following command shows the interfaces that are bound to the public zone:<\/p>\n
\npublic
\n interfaces: eth0 eth1
\nYou can use the firewall-cmd command to change the default zone:<\/p>\n
\nsuccess
\nYou can also use the firewall-config GUI to change the default zone. From the menu bar, select Options->Change Default Zone, and then select a zone from a pop-up list.<\/p>\n
\n\u2013 A firewalld service can also include Netfilter kernel modules that are automatically loaded when a service is enabled.
\n\u2013 The firewalld software package includes a set of predefined services in the following directory:<\/p>\n
\ntotal 36
\n-rw-r—– 1 root root 342 Sep 15 2015 work.xml
\n-rw-r—– 1 root root 162 Sep 15 2015 trusted.xml
\n-rw-r—– 1 root root 315 Sep 15 2015 public.xml
\n-rw-r—– 1 root root 415 Sep 15 2015 internal.xml
\n-rw-r—– 1 root root 400 Sep 15 2015 home.xml
\n-rw-r—– 1 root root 304 Sep 15 2015 external.xml
\n-rw-r—– 1 root root 291 Sep 15 2015 drop.xml
\n-rw-r—– 1 root root 293 Sep 15 2015 dmz.xml
\n-rw-r—– 1 root root 299 Sep 15 2015 block.xml
\n\u2013 Services can be enabled for a zone in Runtime mode.
\n\u2013 Service definitions can only be edited in Permanent mode.<\/p>\n
\nTo ensure firewalld starts at boot time:<\/p>\n
\nTo check if firewalld is running:<\/p>\n
\n# firewall-cmd –state
\nThree methods to configure the firewalld service:
\n\u2013 firewall-cmd : Command-line interface
\n\u2013 firewall-config : Graphical user interface
\n\u2013 Edit various XML configuration files.<\/p>\n
\nThe firewall-cmd command offers categories of options such as General, Status, Permanent, Zone, IcmpType, Service, Adapt and Query Zones, Direct, Lockdown, Lockdown Whitelist, and Panic. To list information for all zones:<\/p>\n
\n interfaces: eth0 eth1
\n sources:
\n services: dhcpv6-client ssh
\n ports:
\n …
\nTo permit access by HTTP clients for the public zone:<\/p>\n
\nsuccess
\nTo list services that are allowed for the public zone:<\/p>\n
\n dhcpv6-client http ssh
\nUsing this command only changes the Runtime configuration and does not update the configuration files.
\nThe configuration changes made in Runtime configuration mode are lost when the firewalld service is restarted:<\/p>\n
\n# firewall-cmd –zone=work –list-services dhcpv6-client ssh
\nTo make changes permanent, use the \u2013permanent option. Example:<\/p>\n
\nsuccess
\nChanges made in Permanent configuration mode are not implemented immediately. However, changes made in Permanent configuration are written to configuration files. Restarting the firewalld service reads the configuration files and implements the changes. Example:<\/p>\n
\n# firewall-cmd –zone=work –list-services
\ndhcpv6-client http ssh<\/p>\n","protected":false},"excerpt":{"rendered":"