Firewalld

Firewalld is a firewall wrapper around the iptables firewall provided by the Linux kernel.

Firewalld was introduced on Centos 7 as the default firewall

This page is a cheatsheet page that lists the major command. You will find howto's such as country or subnet filtering around firewalld on this page Firewalld - Howto's.

cat /etc/firewalld/firewalld.conf

# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

# Minimal mark
# Marks up to this minimum are free for use for example in the direct 
# interface. If more free marks are needed, increase the minimum
# Default: 100
MinimalMark=100

# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld
# Default: yes
CleanupOnExit=yes

# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown=no

# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
# packet would be sent via the same interface that the packet arrived on, the 
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Default: yes
IPv6_rpfilter=yes

# IndividualCalls
# Do not use combined -restore calls, but individual calls. This increases the
# time that is needed to apply changes and to start the daemon, but is good for
# debugging.
# Default: no
IndividualCalls=no

# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied=all

# AutomaticHelpers
# For the secure use of iptables and connection tracking helpers it is
# recommended to turn AutomaticHelpers off. But this might have side effects on
# other services using the netfilter helpers as the sysctl setting in
# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
# With the system setting, the default value set in the kernel or with sysctl
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers=system

# AllowZoneDrifting
# Older versions of firewalld had undocumented behavior known as "zone
# drifting". This allowed packets to ingress multiple zones - this is a
# violation of zone based firewalls. However, some users rely on this behavior
# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
# desire such behavior. It's disabled by default for security reasons.
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
# Possible values; "yes", "no". Defaults to "yes".
AllowZoneDrifting=yes

# init
service firewalld start
service firewalld stop
# or systemd
systemctl firewalld start
systemctl firewalld stop

Redirecting to /bin/systemctl start  firewalld.service

# init
service firewalld status
# systemd
systemctl firewalld status

Redirecting to /bin/systemctl status  firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-02-09 09:41:17 UTC; 58s ago
     Docs: man:firewalld(1)
 Main PID: 3963 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─3963 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 09 09:41:17 HI-INFA-BDM-01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 09 09:41:17 HI-INFA-BDM-01 systemd[1]: Started firewalld - dynamic firewall daemon.

Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones.

firewall-cmd --get-log-denied

off

firewall-cmd --set-log-denied=<value>

• value may be one of: all, unicast, broadcast, multicast, or off

https://firewalld.org/documentation/man-pages/firewalld.html

Set the debug level for firewalld to level. The range of the debug level is 1 (lowest level) to 10 (highest level). The debug output will be written to the firewalld log file /var/log/firewalld.

/var/log/firewalld

• Reload firewall and keep state information

firewall-cmd --reload        

• Reload firewall and lose state information

firewall-cmd  --complete-reload    

• Return and print firewalld state

firewall-cmd --state

The zones are:

• connected to Network interfaces
• and/or assigned a range of source addresses.
• a sets of rules dictating what traffic should be allowed.

You can see it in the zone properties.

They ⁠separate networks interface into different level of trust.

Firewalld comes with predefined rules. Doc

firewall-cmd --get-zones

block dmz drop external home internal public trusted work

from least trusted to most trusted, the predefined zones are:

• drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
• block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
• public (default): Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
• external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
• internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
• dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
• work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
• home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
• trusted: Trust all of the machines in the network.

The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified.

Example:

cat /usr/lib/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

To be active a zone should be assigned to an zone and network interface.

firewall-cmd --get-active-zones

The default zone is the zone used in every command if the zone is not specified.

• Get (By default public)

firewall-cmd --get-default-zone

• Set

sudo firewall-cmd --set-default-zone=public

On the file system, it is defined in the service configuration file

DefaultZone=public

• Set a zone to a network interface

firewall-cmd --permanent --zone=public --change-interface=interfaceName
# example
firewall-cmd --permanent --zone=public --change-interface=eth0
# reload
systemctl reload firewalld

• List

firewall-cmd --get-active-zones

public
  interfaces: eth0

• List the default zone properties

firewall-cmd --list-all

• List the properties of a specified zone

firewall-cmd --zone=public --list-all

• List all zones

firewall-cmd --list-all-zones

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 80/tcp 9999/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
..............
..............
..............

A target defines the firewall behavior for incoming packets.

firewall-cmd --zone=zone-name --permanent --set-target=<default|ACCEPT|REJECT|DROP>

An IPset is a set of ip under a name that you can use an ipset in every source source field with the ipset: prefix.

Example:

--add-source=ipset:ipsetName

The ipset-type defines the store. ie

• its file format type (hash, …) that has an impact on the execution time (linear or not)
• and the syntax of its content (ie IP or subnet that has an impact on its size)

The ipset type determine then the memory size of the set.

Syntax:

method:data_type

where:

• method is one of bitmap, hash, and list
• data type is:
  • ip - one line, one ip
  • net - one line, one subnet
  • mac - one line, one mac
  • port - one line, one port
  • iface

See the details at Ipset netfilter)

firewall-cmd --get-ipset-types

hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net

firewall-cmd --permanent --get-ipsets

• new for ipv4

firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net

• new for ipv6

firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net --option=family=inet6

firewall-cmd --permanent --delete-ipset=ipSetName

• info - entyr and option

firewall-cmd --permanent --info-ipset=ipSetName
# the option are the begining in case of a big list
firewall-cmd --permanent --info-ipset=ipSetName | head
# memory size

• With ipset

ipset -t list ipsetName

Name: nl
Type: hash:ip
Revision: 4
Header: family inet hashsize 32768 maxelem 65536
Size in memory: 1444728
References: 0
Number of entries: 65536

• add Entry manually

firewall-cmd --permanent --ipset=ipSetName --add-entry=192.168.0.1

• add entry from a file

# add
firewall-cmd --permanent --ipset=ipSetName --add-entries-from-file=iplist.txt

• remove Entry manually

firewall-cmd --permanent --ipset=ipSetName --remove-entry=192.168.0.1

• remove entry from a file

# add
firewall-cmd --permanent --ipset=ipSetName --remove-entries-from-file=iplist.txt

firewall-cmd \
    --permanent \
    --ipset=ipSetName \
    --remove-entries-from-file=iplist.txt

Services are pre-configured firewall properties (ie port) for known service. You can use them in place of port. It's a naming functionality in place of using port number.

• List all known services

firewall-cmd --get-services

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

• Get their properties

ll /usr/lib/firewalld/services/
# and for one specific
cat /usr/lib/firewalld/services/ssh.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

• List the services configured in the default zone

# default
firewall-cmd --list-services
# given a zone
firewall-cmd --list-services --zone=public

dhcpv6-client ssh

• Add or remove a service from the default zone

firewall-cmd --add-service=kerberos --permanent
firewall-cmd --remove-service=kerberos --permanent

• Add or remove a service with the zone defined

firewall-cmd --add-service=ssh --zone=home --permanent
firewall-cmd --remove-service=kerberos --zone=public --permanent

• List services

firewall-cmd --zone=public --list-services

Port are also available by name with the notion of service.

It the service is not known, you can add the port manually.

• firewall cmd

firewall-cmd --zone=public --add-port=5000/tcp --permanent

• Ansible - Ansible command line

- name: "Open the web console port"
  become: yes
  firewalld:
    port: 8443/tcp
    permanent: yes
    state: enabled
  notify: firewalld reload

• Handler to restart ie firewall-cmd –reload

- name: "firewalld reload"
  systemd:
    state: restarted
    name: firewalld

firewall-cmd --zone=public --list-ports

firewall-cmd --zone=public --remove-port=22/tcp --permanent

• List of permanent services

firewall-cmd --zone=public --permanent --list-services

• Make runtime to permanent

firewall-cmd --runtime-to-permanent

The reference can be found in the man page (firewalld.richlanguage) or online for the latest

man firewalld.richlanguage

Rich rule is a line of text with a list of options that terminates by an action (accept|reject|drop|mark)

If a packet matches the options of the rich rule, the action is taken.

When you add, update or remove a rich rule, the whole rule line should be used.

Example are available on this page: Firewalld - Howto's

Before priority was available, rich rules execution were sorted and executed on their rule action.

With priority, if the rule priority is provided, it can be in the range of -32768 to 32767 where lower values have higher precendence.

The default priority of a rich rule is 0 (?). Ordering for rules with the same priority value is undefined.

• Permanent

firewall-cmd 
   --permanent \
  --zone=home \
  --add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'

• Temporary

firewall-cmd 
  --zone=home \
  --add-rich-rule='rule family="ipv4" source address="192.168.78.76/32" port port="8080" protocol="tcp" accept'

# permanent rule
firewall-cmd --permanent --list-rich-rule
# temporary rule (deleted at restart) 
firewall-cmd --list-rich-rule

rule family="ipv4" source NOT ipset="nl" service name="ssh" drop

firewall-cmd --permanent --remove-rich-rule 'rule ....'

• https://firewalld.org/documentation/
• Firewall doc
• https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
• https://docs.ansible.com/ansible/latest/modules/firewalld_module.html