Firewalld

About

Firewalld is a dynamic firewall manager that sits in front of the kernel's netfilter framework. It uses iptables as its backend in older releases and nftables by default since firewalld 0.6 (RHEL/CentOS 8). Rules added directly with iptables or nft outside firewalld are not tracked by it and may be flushed on the next reload; use rich rules or the direct interface instead.

Firewalld became the default firewall on CentOS 7 (RHEL 7), replacing the iptables service.

Howto's

This page is a cheatsheet that lists the main commands. Howto's such as country or subnet filtering with firewalld are on this page: Firewalld - Howto's.

Firewalld OS Service

Conf

cat /etc/firewalld/firewalld.conf
# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

# Minimal mark
# Marks up to this minimum are free for use for example in the direct 
# interface. If more free marks are needed, increase the minimum
# Default: 100
MinimalMark=100

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld
# Default: yes
CleanupOnExit=yes

# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown=no

# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
# packet would be sent via the same interface that the packet arrived on, the 
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Default: yes
IPv6_rpfilter=yes

# IndividualCalls
# Do not use combined -restore calls, but individual calls. This increases the
# time that is needed to apply changes and to start the daemon, but is good for
# debugging.
# Default: no
IndividualCalls=no

# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied=all

# AutomaticHelpers
# For the secure use of iptables and connection tracking helpers it is
# recommended to turn AutomaticHelpers off. But this might have side effects on
# other services using the netfilter helpers as the sysctl setting in
# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
# With the system setting, the default value set in the kernel or with sysctl
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers=system

# AllowZoneDrifting
# Older versions of firewalld had undocumented behavior known as "zone
# drifting". This allowed packets to ingress multiple zones - this is a
# violation of zone based firewalls. However, some users rely on this behavior
# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
# desire such behavior. It's disabled by default for security reasons.
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
# Possible values; "yes", "no". Defaults to "yes".
AllowZoneDrifting=yes

Note: the value shipped in the file above contradicts its own comment ("disabled by default"). Set AllowZoneDrifting=no if you want strict zone separation: with drifting on, a packet that a source-based zone does not accept can still fall through to the (usually more permissive) zone of the interface it arrived on.

Start / Stop

# init-style wrapper (on a systemd host it only redirects, see the output)
service firewalld start
Redirecting to /bin/systemctl start  firewalld.service
service firewalld stop
# systemd (verb first, then the unit name)
systemctl start firewalld
systemctl stop firewalld
# enable at boot and start now
systemctl enable --now firewalld

Status

# init
service firewalld status
Redirecting to /bin/systemctl status  firewalld.service
# systemd
systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-02-09 09:41:17 UTC; 58s ago
     Docs: man:firewalld(1)
 Main PID: 3963 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─3963 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 09 09:41:17 HI-INFA-BDM-01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 09 09:41:17 HI-INFA-BDM-01 systemd[1]: Started firewalld - dynamic firewall daemon.

Log

log-denied

Adds logging rules right before the reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules, and before the final reject and drop rules of each zone. The lines are written by the kernel (netfilter LOG target), so they show up in dmesg / journalctl -k and wherever rsyslog sends kernel messages (typically /var/log/messages), not in firewalld's own log file.

firewall-cmd --get-log-denied
off
firewall-cmd --set-log-denied=<value>
  • value may be one of: all, unicast, broadcast, multicast, or off
  • the value is stored as LogDenied=<value> in /etc/firewalld/firewalld.conf
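Once LogDenied is on, the useful next step is to summarise what is being rejected. The script below is an added example (not part of the original page or of firewalld itself): it reads kernel log lines on stdin and counts them by source, protocol and destination port, keyed on the log prefix firewalld puts in front of its deny rules (FINAL_REJECT, STATE_INVALID_DROP, ...). The log lines in SAMPLE_LOG are constructed for the example in the shape the kernel LOG target writes; they were not captured from a host.

```shell
#!/bin/sh
# Summarise firewalld LogDenied output (kernel LOG lines) by source, protocol
# and destination port. Added example; SAMPLE_LOG is constructed, not captured.

# Constructed lines in the shape the kernel writes for firewalld's logging
# rules (prefixes FINAL_REJECT / STATE_INVALID_DROP). One non-kernel line is
# mixed in to show that it is ignored.
SAMPLE_LOG='Feb 09 09:45:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 09 09:45:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 09 09:45:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 09 09:45:04 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=51237 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 09 09:45:05 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=5 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 09 09:45:06 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=6 PROTO=TCP SPT=40001 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Feb 09 09:45:07 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=28 TOS=0x00 PREC=0x00 TTL=54 ID=7 PROTO=UDP SPT=9999 DPT=161 LEN=8
Feb 09 09:45:08 host systemd[1]: Started something unrelated.'

# denied_summary [PREFIX]: read log lines on stdin and print
#   "<count> <src> <proto> <dport>"
# for every line carrying a firewalld log prefix (the token right after
# "kernel: "), most frequent first. An optional PREFIX argument
# (e.g. FINAL_REJECT) restricts the output to that prefix.
denied_summary() {
  awk -v want="${1:-}" '
    /kernel: [A-Z_]+: / {
      p = $0; sub(/.*kernel: /, "", p); sub(/:.*/, "", p)   # log prefix
      if (want != "" && p != want) next
      src = proto = dport = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dport = substr($i, 5)
      }
      n[src " " proto " " dport]++
    }
    END { for (k in n) print n[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample. On a real host feed it the kernel log:
#   journalctl -k --since today | denied_summary FINAL_REJECT
printf '%s\n' "$SAMPLE_LOG" | denied_summary
```

FINAL_REJECT lines are packets that matched a zone but none of its allow rules; STATE_INVALID_DROP lines are packets conntrack could not associate with a flow (stray RSTs, scans, asymmetric routing), which are worth keeping apart from real service probes when you read the counts.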

debug

https://firewalld.org/documentation/man-pages/firewalld.html

The daemon option --debug[=level] sets the debug level; the range is 1 (lowest) to 10 (highest). The debug output is written to the firewalld log file /var/log/firewalld. On RHEL/CentOS the option is passed through FIREWALLD_ARGS in /etc/sysconfig/firewalld (e.g. FIREWALLD_ARGS=--debug=5), followed by systemctl restart firewalld.

log file

/var/log/firewalld (firewalld's own daemon log: errors, reloads, debug output; denied packets go to the kernel log, see log-denied above)

Reload

# reload the rules from the permanent configuration, keeping connection tracking state;
# runtime-only changes (made without --permanent) are discarded
firewall-cmd --reload
# full reload, including netfilter kernel modules: state information is lost,
# so active connections will most likely be terminated
firewall-cmd --complete-reload

State

  • Return and print the firewalld state (running / not running); the exit code can be used in scripts
firewall-cmd --state

Zone

A zone is:

  • bound to one or more network interfaces,
  • and/or to a range of source addresses (source bindings are matched before interface bindings),
  • and carries a set of rules (services, ports, rich rules, target) dictating what traffic is allowed.

You can see it in the zone properties.

Zones separate network interfaces (and sources) into different levels of trust.

Get

Firewalld comes with predefined zones.

firewall-cmd --get-zones
block dmz drop external home internal public trusted work

from least trusted to most trusted, the predefined zones are:

  • drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
  • block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
  • public (default): Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
  • external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
  • internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
  • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
  • work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
  • trusted: Trust all of the machines in the network.

Configuration

The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified.

Example:

cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
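Because a zone is just an XML file, what a host exposes can be reviewed offline, for instance from a config repository, a golden image or a forensic copy of /etc/firewalld/zones. The script below is an added example (not from the page or from firewalld): it summarises each zone file and flags the two findings a reviewer most often wants, a non-trusted zone with target ACCEPT and a cleartext/legacy service. The two zone files it audits are constructed in a temporary directory for the demo; on a real host point it at /usr/lib/firewalld/zones/*.xml and /etc/firewalld/zones/*.xml (the latter override the former by name).

```shell
#!/bin/sh
# Offline audit of firewalld zone files: what does each zone expose?
# Added example; the two zone files below are constructed in a temp dir.
set -eu

# zone_audit FILE...: one summary line per zone XML file. Elements nested in
# <rule> blocks (rich rules) are counted, not mixed into the zone-level lists.
zone_audit() {
  for f in "$@"; do
    awk -v zone="$(basename "$f" .xml)" '
      # value of name="..." in s, or "" when the attribute is absent
      function attr(s, name) {
        if (match(s, name "=\"[^\"]*\""))
          return substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
        return ""
      }
      function add(list, v) { return list == "" ? v : list " " v }
      BEGIN { target = "default"; masq = "no"; rules = 0; inrule = 0 }
      /<rule[ >]/   { rules++; inrule = 1; next }
      /<\/rule>/    { inrule = 0; next }
      inrule        { next }
      /<zone/       { t = attr($0, "target"); if (t != "") target = t }
      /<interface / { ifs   = add(ifs,   attr($0, "name")) }
      /<source /    { srcs  = add(srcs,  attr($0, "address")) }
      /<service /   { svcs  = add(svcs,  attr($0, "name")) }
      /<port /      { ports = add(ports, attr($0, "port") "/" attr($0, "protocol")) }
      /<masquerade/ { masq = "yes" }
      END {
        printf "%s target=%s interfaces=[%s] sources=[%s] services=[%s] ports=[%s] masquerade=%s rich-rules=%d\n",
               zone, target, ifs, srcs, svcs, ports, masq, rules
      }
    ' "$f"
  done
}

# zone_warnings FILE...: findings a reviewer would want to look at
zone_warnings() {
  zone_audit "$@" | awk '
    $2 == "target=ACCEPT" && $1 != "trusted" {
      print "WARN " $1 ": target ACCEPT admits every packet not explicitly blocked"
    }
    /services=\[([^]]* )?(telnet|rsh|ftp|tftp)( [^]]*)?\]/ {
      print "WARN " $1 ": cleartext/legacy service exposed"
    }
  '
}

# Constructed input: a copy of the stock public zone with an extra port and
# a rich rule, and a deliberately loose "lab" zone.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Constructed copy of the stock public zone plus a port.</description>
  <interface name="eth0"/>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <rule family="ipv4">
    <source address="192.0.2.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
EOF
cat > "$TMP/lab.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Lab</short>
  <source address="10.10.0.0/16"/>
  <service name="telnet"/>
  <masquerade/>
</zone>
EOF

zone_audit "$TMP"/*.xml
zone_warnings "$TMP"/*.xml
```

One caveat when reading the interfaces column: on a NetworkManager-managed host the interface-to-zone binding usually lives in the connection profile (connection.zone), not in the zone file, so an empty interfaces=[] does not by itself mean the zone is inactive; cross-check with firewall-cmd --get-active-zones on the live system.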

Active

A zone is active when at least one network interface or source is bound to it; inactive zones exist in the configuration but filter nothing.

firewall-cmd --get-active-zones

Default Zone

The default zone is the zone used in every command when --zone is not specified, and the zone that interfaces without an explicit binding fall into.

  • Get (public by default)
firewall-cmd --get-default-zone
  • Set
sudo firewall-cmd --set-default-zone=public

On the file system it is defined in /etc/firewalld/firewalld.conf:

DefaultZone=public

Zone and Network Interface

  • Bind a network interface to a zone
firewall-cmd --permanent --zone=public --change-interface=interfaceName
# example
firewall-cmd --permanent --zone=public --change-interface=eth0
# apply the permanent configuration
firewall-cmd --reload   # or: systemctl reload firewalld
# on a NetworkManager-managed interface the binding is stored in the connection
# profile (connection.zone); check it with: nmcli -f connection.zone connection show <name>
  • List
firewall-cmd --get-active-zones
public
  interfaces: eth0

Zone Properties

  • List the properties of the default zone
firewall-cmd --list-all
  • List the properties of a specified zone
firewall-cmd --zone=public --list-all
  • List all zones (active ones are marked)
firewall-cmd --list-all-zones
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 9999/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
..............
..............
..............

Zone Target

A target defines what happens to an incoming packet that matched the zone but none of its rules (services, ports, rich rules, ...).

firewall-cmd --zone=zone-name --permanent --set-target=<default|ACCEPT|REJECT|DROP>

  • default: hardcoded value that behaves like REJECT for unmatched packets (may eventually fall back to the INPUT chain). Rejection response sent: yes
  • ACCEPT: accept all incoming packets except those disabled by a specific rule. Rejection response sent: not applicable
  • REJECT: reject all incoming packets except those accepted by a specific rule. Rejection response sent: yes (icmp-host-prohibited / icmp6-adm-prohibited)
  • DROP: same as REJECT, but the packet is silently discarded. Rejection response sent: no

IpSet

An ipset is a named set of addresses (or networks, MACs, ports, ...) that can be used in every source field with the ipset: prefix, instead of one rule per address.

Example:

--add-source=ipset:ipsetName

To make a new --permanent setting effective in the runtime environment, reload firewalld.

IpSet Type

The ipset type defines how the set is stored, i.e.

  • its storage method (bitmap, hash, list), which determines the lookup cost (a hash lookup is constant time, so a 60k-entry set is no slower than a 10-entry one)
  • and the syntax of its entries (IP, subnet, ...), which determines the memory footprint of each entry.

Syntax:

method:data_type

where:

  • method is one of bitmap, hash, and list
  • data type is:
    • ip - one entry, one IP address
    • net - one entry, one subnet (single addresses are accepted too)
    • mac - one entry, one MAC address
    • port - one entry, one port
    • iface - one entry, one interface name

See the details at Ipset netfilter.

firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net

List Ipset

firewall-cmd --permanent --get-ipsets

Add IpSet

  • new for ipv4
firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net
  • new for ipv6
firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net --option=family=inet6

Delete IpSet

firewall-cmd --permanent --delete-ipset=ipSetName

Info IpSet

  • info - entries and options
firewall-cmd --permanent --info-ipset=ipSetName
# the options come first, so head is enough for a big list
firewall-cmd --permanent --info-ipset=ipSetName | head
  • With the ipset tool (memory size, entry count); -t prints the header only
ipset -t list ipsetName
Name: nl
Type: hash:ip
Revision: 4
Header: family inet hashsize 32768 maxelem 65536
Size in memory: 1444728
References: 0
Number of entries: 65536

A Number of entries equal to maxelem, as in the output above, means the set is full: further adds fail and the addresses beyond the limit are not filtered. Create the set with a larger limit, e.g. --option=maxelem=200000, or use hash:net with aggregated subnets instead of hash:ip.

Add Entry Ipset

  • add Entry manually
firewall-cmd --permanent --ipset=ipSetName --add-entry=192.168.0.1
  • add entry from a file
# add
firewall-cmd --permanent --ipset=ipSetName --add-entries-from-file=iplist.txt

Remove Entry Ipset

  • remove an entry manually
firewall-cmd --permanent --ipset=ipSetName --remove-entry=192.168.0.1
  • remove entries from a file
# remove
firewall-cmd --permanent --ipset=ipSetName --remove-entries-from-file=iplist.txt

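The steps above (create the set, load entries from a file, bind it as a source) are what a block list needs; the part the page leaves implicit is that a single malformed line in a downloaded list can break the --add-entries-from-file load, and that a set created with the default maxelem of 65536 stops accepting entries once full. The script below is an added example, not code from the page or from firewalld: filter_ipv4_cidrs validates and de-duplicates a list offline (the SAMPLE_LIST input is constructed), and blocklist_apply runs the firewall-cmd sequence, binding the set to the drop zone so that matching sources are discarded whatever zone their interface is in (source bindings are evaluated before interface bindings, and the drop zone's DROP target is final, so zone drifting cannot rescue the packet). The set name blocklist and the path /tmp/blocklist.txt are assumptions for the demo; the apply step only runs when FIREWALLD_APPLY=1 is set, since it needs root and a running firewalld.

```shell
#!/bin/sh
# Build a firewalld block list from a CIDR file: validate the entries, load
# them into a hash:net ipset and bind the set to the drop zone.
# Added example; SAMPLE_LIST is constructed.
set -eu

# filter_ipv4_cidrs: stdin -> stdout. Keeps well-formed a.b.c.d[/n] entries
# (octets 0-255, n 0-32), normalises /32 to a plain host address, and drops
# blanks, comments, junk and duplicates, so one bad line cannot abort the
# whole --add-entries-from-file load.
filter_ipv4_cidrs() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # blank or comment line
    {
      e = $1                                # trailing comments are ignored
      n = split(e, p, "/")
      if (n > 2) next
      if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) next
      if (split(p[1], o, ".") != 4) next
      ok = 1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
      if (!ok) next
      if (n == 2 && p[2] + 0 == 32) e = p[1]   # /32 is a single host
      if (seen[e]++) next                      # duplicate
      print e
    }
  '
}

# blocklist_apply NAME FILE: (re)load FILE into ipset NAME and attach the set
# to the drop zone. Requires root and a running firewalld.
blocklist_apply() {
  name=$1; file=$2
  # maxelem defaults to 65536; a full set stops accepting entries
  firewall-cmd --permanent --new-ipset="$name" --type=hash:net \
      --option=maxelem=200000 2>/dev/null || true   # already exists: reuse it
  firewall-cmd --permanent --ipset="$name" --add-entries-from-file="$file"
  firewall-cmd --permanent --zone=drop --add-source="ipset:$name"
  firewall-cmd --reload
  firewall-cmd --info-ipset="$name" | head -n 5
}

# Constructed input: valid entries mixed with the kinds of junk that show up
# in downloaded lists.
SAMPLE_LIST='# constructed block list
203.0.113.0/24
198.51.100.7
198.51.100.7
256.1.1.1
203.0.113.0/33
10.0.0.0/8  # trailing comment is ignored
not-an-ip
198.51.100.7/32
'

printf '%s' "$SAMPLE_LIST" | filter_ipv4_cidrs

# Real run (as root): FIREWALLD_APPLY=1 sh thisscript.sh
if [ "${FIREWALLD_APPLY:-0}" = 1 ]; then
  printf '%s' "$SAMPLE_LIST" | filter_ipv4_cidrs > /tmp/blocklist.txt
  blocklist_apply blocklist /tmp/blocklist.txt
fi
```

IPv6 addresses need their own set created with --option=family=inet6 (a set has one address family), so a mixed list has to be split before loading; the filter above deliberately passes only IPv4.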

Services

Services are pre-configured firewall definitions (ports, protocols, optional helper modules) for known services. You can use them in place of raw port numbers: a name such as ssh instead of 22/tcp.

  • List all known services
firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
  • Get their properties
ll /usr/lib/firewalld/services/
# and for one specific
cat /usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
  • Services enabled in the default zone
firewall-cmd --list-services
  • Services enabled in a given zone
firewall-cmd --list-services --zone=public
dhcpv6-client ssh
  • Add or remove a service in the default zone (permanent: reload to apply)
firewall-cmd --add-service=kerberos --permanent
firewall-cmd --remove-service=kerberos --permanent
  • Add or remove a service in a specified zone
firewall-cmd --add-service=ssh --zone=home --permanent
firewall-cmd --remove-service=kerberos --zone=public --permanent
  • List the services of a zone
firewall-cmd --zone=public --list-services

Port

Ports are also available by name through the notion of service.

If the service is not known, you can add the port manually (or define your own service XML under /etc/firewalld/services/ and use it by name).

Add a port

  • firewall-cmd (with --permanent: effective after a reload; without it: effective now, lost at the next reload)
firewall-cmd --zone=public --add-port=5000/tcp --permanent
  • Ansible (firewalld module); immediate: yes applies the change to the runtime as well, so no reload handler is needed
- name: "Open the web console port"
  become: yes
  firewalld:
    port: 8443/tcp
    permanent: yes
    immediate: yes
    state: enabled
  • Without immediate, notify a handler that reloads the daemon (the equivalent of firewall-cmd --reload; a restart would also work but is heavier)
- name: "firewalld reload"
  systemd:
    state: reloaded
    name: firewalld

List Port

firewall-cmd --zone=public --list-ports

Remove Port

firewall-cmd --zone=public --remove-port=22/tcp --permanent

Permanent

Without --permanent a change applies to the runtime configuration only and is lost at the next reload or restart; with --permanent it is written under /etc/firewalld but only becomes effective after firewall-cmd --reload.

  • List of permanent services
firewall-cmd --zone=public --permanent --list-services
  • Make the runtime configuration permanent (saves everything, including temporary rules added during an incident)
firewall-cmd --runtime-to-permanent

Rich Rule

The reference can be found in the man page (firewalld.richlanguage) or online for the latest

man firewalld.richlanguage

A rich rule is a line of text with a list of options (family, priority, source, destination, service/port/protocol, log, audit, ...) that terminates with an action (accept|reject|drop|mark).

If a packet matches all the options of the rich rule, the action is taken.

When you add, update or remove a rich rule, the whole rule line must be given, exactly as --list-rich-rules prints it (there is no rule id).

Examples are available on this page: Firewalld - Howto's

Rich Rule Priority

Before priority was available, rich rules were sorted by their action type rather than by the order in which they were added.

With priority, if the rule priority is provided, it can be in the range -32768 to 32767, where lower values have higher precedence (are evaluated first).

The default priority of a rich rule is 0. Ordering for rules with the same priority value is undefined, so give every rule that depends on another one an explicit priority.

Add Rich Rule

  • Permanent (effective after --reload)
firewall-cmd \
  --permanent \
  --zone=home \
  --add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'
  • Temporary (runtime only, lost at the next reload)
firewall-cmd \
  --zone=home \
  --add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'

List Rich Rule

# permanent rules
firewall-cmd --permanent --list-rich-rules
# runtime rules (the ones currently enforced)
firewall-cmd --list-rich-rules
rule family="ipv4" source NOT ipset="nl" service name="ssh" drop

Remove Rich Rule

# the rule must be given exactly as listed
firewall-cmd --permanent --remove-rich-rule='rule ....'
