Thursday, July 7, 2016

How To Configure FirewallD on RHEL 7 or CentOS 7

Overview

A host firewall provides the first layer of network security for a server. It denies traffic to every port by default and allows only the ports and services that have been explicitly approved for communication.

One of its main jobs is to block unwanted traffic. With firewalld this can be done on the fly: rules are changed without rebooting the server and without disrupting established connections.

Firewalld exposes zones and services as its configuration model. Underneath it still programs iptables chains and rules, but you do not edit those directly.

Rulesets are managed dynamically, so rules can be modified without breaking existing sessions and connections.

Applies To

CentOS 7, RHEL 7

Firewall Rules – Configuration Methods

Online Configurator

To configure the firewall rules while the firewall daemon is running (active state), execute firewall-cmd with the appropriate options. Changes made without --permanent take effect immediately; changes made with --permanent are written to disk and become active after a reload.

Mode      Command           When to use
Online    firewall-cmd      Firewall daemon is running (active)

Offline Configurator

To configure the firewall rules while the firewall daemon is not running (inactive state, for example while provisioning a host before firewalld is started for the first time), execute firewall-offline-cmd with the same style of options. It edits the permanent configuration files directly, so the changes are picked up when the daemon starts.

Mode      Command                   When to use
Offline   firewall-offline-cmd      Firewall daemon is stopped (inactive)

Firewall Service Daemon Management – Commands

Firewalld service daemon controls firewall state.

Service start

To start the firewall daemon on the server, run the command:

systemctl start firewalld

Service Stop

To stop the firewall daemon on the server, run the command:

systemctl stop firewalld

Service Restart

To restart the firewall daemon on the server, run the command below. A restart stops the daemon, which flushes its rules and leaves the host unfiltered until it is back up; to activate configuration changes, a reload (firewall-cmd --reload) is the safer choice:

systemctl restart firewalld


Service Status

To check the current status of the firewall daemon, run the command:

systemctl status firewalld


Service Disable

To disable the firewall daemon so that it no longer starts automatically at boot (a running instance keeps running until it is stopped), run the command:

systemctl disable firewalld


Service Enable

To enable the firewall daemon so that it starts automatically at OS boot, run the command:

systemctl enable firewalld

Service Mask

To mask the firewall daemon, which goes beyond disabling it: a masked unit cannot be started manually or pulled in by another unit until it is unmasked. Run the command:

systemctl mask firewalld

Service Unmask

To unmask the firewall daemon and revoke the masking, run the command:

systemctl unmask firewalld


Daemon Action                    Purpose
systemctl start firewalld        Start the daemon
systemctl stop firewalld         Stop the daemon
systemctl status firewalld       Show the status of the daemon
systemctl enable firewalld       Start the daemon at OS boot
systemctl disable firewalld      Do not start the daemon at OS boot
systemctl mask firewalld         Prohibit every kind of activation of the daemon
systemctl unmask firewalld       Remove the mask and allow activation again
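The daemon commands above have to be combined in a particular order when a host is managed over SSH. The script below is an added example, not part of the original post: it picks firewall-cmd or firewall-offline-cmd from the daemon state, unmasks and enables the unit when needed, and allows the management port in the permanent configuration before the daemon comes up, so the session running the script survives the default-deny public zone. The FW_APPLY and FW_SSH_PORT variables and the helper names are assumptions made for this example; the helpers run without firewalld, and the privileged steps run only when FW_APPLY=1 is set.

```bash
#!/bin/sh
# Added example (not from the original post): bring firewalld to a known state
# without locking yourself out of an SSH session. Only the pure helpers run
# unconditionally; the privileged steps run only when FW_APPLY=1 is set.

# Map the output of `firewall-cmd --state` to the tool that can edit the config:
# "running" -> firewall-cmd (live daemon); anything else ("not running", or the
# command failing entirely) -> firewall-offline-cmd, which edits the permanent
# files directly and needs no daemon.
pick_fw_tool() {
    case "$1" in
        running) echo firewall-cmd ;;
        *)       echo firewall-offline-cmd ;;
    esac
}

# Map `systemctl is-enabled firewalld` output to the action needed first. A
# masked unit refuses to start ("Unit is masked"), so it must be unmasked
# before enable/start have any effect.
unit_action() {
    case "$1" in
        masked|masked-runtime) echo unmask ;;
        enabled)               echo none ;;
        *)                     echo enable ;;
    esac
}

# Assumed management port; set FW_SSH_PORT to match sshd_config if it differs.
: "${FW_SSH_PORT:=22}"

apply_baseline() {
    state=$(firewall-cmd --state 2>/dev/null || true)
    tool=$(pick_fw_tool "$state")
    unit=$(systemctl is-enabled firewalld 2>/dev/null || echo disabled)

    case "$(unit_action "$unit")" in
        unmask) systemctl unmask firewalld && systemctl enable firewalld ;;
        enable) systemctl enable firewalld ;;
    esac

    # firewall-offline-cmd always edits the permanent files; firewall-cmd
    # needs --permanent for the same effect.
    perm=""
    if [ "$tool" = firewall-cmd ]; then
        perm="--permanent"
    fi

    # Allow the management port in the saved config *before* the daemon starts
    # (or is reloaded) with its default-deny public zone.
    if [ "$FW_SSH_PORT" = 22 ]; then
        "$tool" $perm --add-service=ssh
    else
        "$tool" $perm --add-port="${FW_SSH_PORT}/tcp"
    fi

    if [ "$tool" = firewall-cmd ]; then
        firewall-cmd --reload          # activate the permanent change live
    else
        systemctl start firewalld      # offline edits are read at start-up
    fi
    firewall-cmd --list-all            # verify what is now active
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_baseline
fi
```

Run it as root with FW_APPLY=1 (and FW_SSH_PORT=2222 if sshd listens elsewhere); without FW_APPLY it only defines the helpers, which is convenient for sourcing them from other scripts.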

Configure Firewall Rules

Before you start configuring firewall rules, decide which service, port and protocol you want to add to or remove from the rules, and in which zone. When --zone is not given, firewall-cmd acts on the default zone, which is public on a fresh installation.

Add Rule by Service Name

To add a permanent rule by service name, run one of the commands below. A --permanent rule is written to the saved configuration but is not active until the firewall is reloaded; the same command without --permanent takes effect immediately but is lost on the next reload or restart.

Firewall Rule                                   Purpose
firewall-cmd --permanent --add-service=ssh      Open the ssh service (port 22/tcp)
firewall-cmd --permanent --add-service=smtp     Open the smtp service (port 25/tcp)
firewall-cmd --permanent --add-service=http     Open the http service (port 80/tcp)
firewall-cmd --permanent --add-service=https    Open the https service (port 443/tcp)

Add Rule by Port

To add a permanent rule by port and protocol, run the command below:

Firewall Rule                                   Purpose
firewall-cmd --permanent --add-port=2222/tcp    Open TCP port 2222

Add Rule for Port Range

To add a permanent rule for a port range and protocol, run the command below:

Firewall Rule                                        Purpose
firewall-cmd --permanent --add-port=5901-5905/tcp    Open TCP ports 5901 to 5905 (VNC displays :1 to :5)

Remove Rule by Service Name

To remove an existing permanent rule by service name, run the command below:

Firewall Rule                                      Purpose
firewall-cmd --permanent --remove-service=smtp     Revoke access to the smtp service (port 25/tcp)

Remove Rule by Port

To remove an existing permanent rule by port and protocol, run the command below:

Firewall Rule                                      Purpose
firewall-cmd --permanent --remove-port=2222/tcp    Revoke access to TCP port 2222

Remove Rule for Port Range

To remove an existing permanent rule for a port range and protocol, run the command below; the range must be written exactly as it was added:

Firewall Rule                                           Purpose
firewall-cmd --permanent --remove-port=5901-5905/tcp    Revoke access to TCP ports 5901 to 5905 (VNC)

List Services – Firewall configurable

To list the service names that can be used in rules (the predefined definitions plus any custom ones firewalld has loaded), run the command below:

Firewall Rule                   Purpose
firewall-cmd --get-services     List the services that can be configured by name

List Zones – Firewall configurable

To list the zones that can be configured on the server, run the command below:

Firewall Rule                Purpose
firewall-cmd --get-zones     List the zones available on the server

List ICMP – Firewall configurable

To list the ICMP types that can be blocked on the server, run the command below (the option is --get-icmptypes; firewall-cmd has no --get-icmp):

Firewall Rule                    Purpose
firewall-cmd --get-icmptypes     List the ICMP types that can be used in ICMP blocks

List All Rules Configured

List all the firewall rules configured in the default zone. With --permanent the saved configuration is shown; without it the currently active (runtime) configuration, which can differ from the saved one until a reload. Add --zone=ZONE to inspect another zone.

Firewall Rule                           Purpose
firewall-cmd --permanent --list-all     List the permanent (saved) rules of the default zone



Reload Firewall Rules

Reloading re-reads the permanent configuration and makes it the running configuration without stopping the daemon; connection-tracking state and established sessions are kept.

Firewall Rule             Purpose
firewall-cmd --reload     Reload the firewall and keep state information

Note: a reload is mandatory after making changes with --permanent. Such changes are written to disk only and become active on the next reload (or daemon start). The reverse also holds: rules added without --permanent are active immediately but are discarded by a reload unless they are saved first with --runtime-to-permanent.

Add Rich Rule – HTTP Accept

Rich rules express conditions that a plain service or port rule cannot, such as a source address range. For example, to open http access only to a specific IP range, where the application is hosted for one department, use the rule below. The rule string must be wrapped in single quotes: the rich language requires the inner double quotes, and the shell would strip them if the whole rule were double-quoted.

Firewall Rule
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" service name="http" accept'

Purpose
Add a rich rule that allows http access from the source IP range 192.168.2.0/24

Add Rich Rule – HTTP Reject

Configure a rule that rejects http access from a specific IP range. Reject and drop rich rules are evaluated before accept rules and before the zone's service rules, so this rule takes effect even when the zone also allows http in general.

Firewall Rule
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" service name="http" reject'

Purpose
Add a rich rule that rejects http traffic from the source IP range 192.168.3.0/24

Remove Rich Rule – HTTP Reject

To remove an existing rich rule, pass exactly the same rule string to --remove-rich-rule, with the same --permanent and --zone options used when it was added, and reload afterwards. A rule string that differs in any character is treated as a different rule and the removal does nothing.


Firewall Rule – Add ICMP Block

Add a rule that blocks inbound ICMP echo-reply packets in the default zone, then list the ICMP blocks to verify. Without --permanent the block is a runtime rule and is lost on the next reload. Note the direction: blocking echo-reply stops this host from receiving answers to its own pings; to stop other hosts from pinging this server, block echo-request instead.

firewall-cmd --add-icmp-block=echo-reply

firewall-cmd --list-icmp-blocks


Firewall Rule – Remove ICMP Block

Revoke the rule that blocks ICMP echo-reply traffic, then list the ICMP blocks to verify it is gone. Run the commands:

firewall-cmd --zone=public --remove-icmp-block=echo-reply

firewall-cmd --list-icmp-blocks


Query ICMP Block

Query whether a specific ICMP block type is enabled. The command prints yes or no and sets the exit status accordingly (0 when the block is active), which is what scripts should test. Run the command:

firewall-cmd --zone=public --query-icmp-block=echo-reply

Firewall Rule – List ICMP Types

To list the ICMP types the firewall knows about and can block (the names accepted by --add-icmp-block), run the command:

firewall-cmd --get-icmptypes


Converting Runtime to Permanent Rules

To save all rules that exist only in the runtime configuration as permanent rules, run the command below. The reload that follows is optional: it confirms that the saved configuration reproduces the running one.

firewall-cmd --runtime-to-permanent

firewall-cmd --reload


Examples of runtime and permanent firewall rules:

Rule Type         Command
Runtime Rule      firewall-cmd --add-service=ssh
Permanent Rule    firewall-cmd --permanent --add-service=ssh
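The reload note and --runtime-to-permanent both deal with the same gap between what is running and what is saved, in opposite directions. The script below is an added example, not code from the original post: it parses captured firewall-cmd --list-all output (the two samples are constructed for this example, not captured from a real host) and reports which fields of a zone differ between the runtime and permanent configuration, so an operator can decide whether to save the runtime rules or discard them. The FW_APPLY variable and the helper names are assumptions made for this example.

```bash
#!/bin/sh
# Added example (not from the original post): detect drift between the runtime
# and permanent configuration of a zone. The parsing helpers work on captured
# --list-all text, so they run without firewalld; the live check at the end
# runs only when FW_APPLY=1 is set.

# Constructed samples of `firewall-cmd --list-all` (runtime) and
# `firewall-cmd --permanent --list-all` (permanent) for the public zone.
# Runtime carries a port and a rich rule that were added without --permanent;
# the services are the same set in a different order.
SAMPLE_RUNTIME=$(printf '%s\n' \
  'public (active)' \
  '  target: default' \
  '  interfaces: eth0' \
  '  sources: ' \
  '  services: ssh dhcpv6-client http' \
  '  ports: 2222/tcp' \
  '  protocols: ' \
  '  masquerade: no' \
  '  forward-ports: ' \
  '  source-ports: ' \
  '  icmp-blocks: ' \
  '  rich rules: ' \
  "$(printf '\trule family="ipv4" source address="192.168.3.0/24" service name="http" reject')")

SAMPLE_PERMANENT=$(printf '%s\n' \
  'public' \
  '  target: default' \
  '  interfaces: eth0' \
  '  sources: ' \
  '  services: dhcpv6-client http ssh' \
  '  ports: ' \
  '  protocols: ' \
  '  masquerade: no' \
  '  forward-ports: ' \
  '  source-ports: ' \
  '  icmp-blocks: ' \
  '  rich rules: ')

# list_all_field <field>: read --list-all text on stdin and print the value of
# one field. Continuation lines (rich rules are printed one per tab-indented
# line below "rich rules:") are included.
list_all_field() {
    awk -v f="$1" '
        BEGIN { re = "^  " f ":" }
        found && substr($0, 1, 1) == "\t" { print substr($0, 2); next }
        found { exit }
        $0 ~ re { sub(re " *", ""); if ($0 != "") print; found = 1 }'
}

# norm_field <field>: sort the items so that ordering alone is not reported as
# drift. Space-separated fields are split per word; rich rules are kept per line.
norm_field() {
    if [ "$1" = "rich rules" ]; then
        sort | paste -sd '|' -
    else
        tr ' ' '\n' | grep -v '^$' | sort | paste -sd '|' -
    fi
}

# zone_drift <runtime text> <permanent text>: print each field whose runtime
# and permanent values differ; return 1 when any drift was found.
zone_drift() {
    rc=0
    for field in services ports protocols masquerade forward-ports \
                 source-ports icmp-blocks "rich rules"; do
        a=$(printf '%s\n' "$1" | list_all_field "$field" | norm_field "$field")
        b=$(printf '%s\n' "$2" | list_all_field "$field" | norm_field "$field")
        if [ "$a" != "$b" ]; then
            printf '%s: runtime=[%s] permanent=[%s]\n' "$field" "$a" "$b"
            rc=1
        fi
    done
    return $rc
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    zone=$(firewall-cmd --get-default-zone)
    if zone_drift "$(firewall-cmd --zone="$zone" --list-all)" \
                  "$(firewall-cmd --permanent --zone="$zone" --list-all)"; then
        echo "zone $zone: runtime and permanent configuration match"
    else
        echo "zone $zone: drift found; 'firewall-cmd --runtime-to-permanent' keeps the" \
             "runtime rules, 'firewall-cmd --reload' discards them" >&2
    fi
fi
```

On the samples the script reports drift in ports and rich rules but not in services, because the service sets are equal once sorted. Which way to resolve real drift is an operator decision: --runtime-to-permanent makes the running rules the saved ones, --reload throws the unsaved runtime rules away.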

Firewall Zones

A firewall zone defines the level of trust for the network connections, interfaces and source addresses bound to it. Traffic arriving on an interface is filtered by the rules of that interface's zone; interfaces not bound to any zone fall into the default zone.

A zone combines services, ports, masquerading, ICMP filters and rich rules. To list the zones (the option is --get-active-zones; firewall-cmd has no --list-zones):

Firewall Rule                      Purpose
firewall-cmd --get-zones           List all zones available on the server
firewall-cmd --get-active-zones    List the zones currently in use, with the interfaces and source addresses bound to each
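The zone bindings described above, as an added example that is not part of the original post: a parser for --get-active-zones output (the sample is constructed) that answers which zone an interface or source is bound to, and a helper that moves an interface to another zone only after confirming the target zone still admits the management service, which is the usual way administrators lock themselves out of a remote host. The FW_APPLY, FW_MGMT_SERVICE, FW_IFACE and FW_ZONE variables and the helper names are assumptions made for this example; the privileged steps run only when FW_APPLY=1 is set.

```bash
#!/bin/sh
# Added example (not from the original post): find which zone an interface or
# source is bound to, and move an interface to a different zone only after
# confirming the target zone still admits the management service.

# Constructed sample of `firewall-cmd --get-active-zones` output: one zone name
# per unindented line, followed by indented "interfaces:" / "sources:" lines.
SAMPLE_ACTIVE_ZONES=$(printf '%s\n' \
  'public' \
  '  interfaces: eth0 eth1' \
  'internal' \
  '  sources: 10.0.0.0/8')

# zone_of <interfaces|sources> <name>: read --get-active-zones text on stdin
# and print the zone the interface or source is bound to, or nothing.
zone_of() {
    awk -v kind="$1:" -v want="$2" '
        /^[^ \t]/ { zone = $1; next }
        $1 == kind { for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit } }'
}

# Assumed management service; set FW_MGMT_SERVICE if you use a custom service.
: "${FW_MGMT_SERVICE:=ssh}"

# move_interface <iface> <zone>: change the permanent zone binding of an
# interface, refusing when the target zone would not accept the management
# service in its saved configuration.
move_interface() {
    iface=$1; zone=$2
    if ! firewall-cmd --permanent --zone="$zone" --query-service="$FW_MGMT_SERVICE" >/dev/null; then
        echo "refusing: zone $zone does not allow $FW_MGMT_SERVICE" >&2
        return 1
    fi
    current=$(firewall-cmd --get-active-zones | zone_of interfaces "$iface")
    echo "$iface: ${current:-unbound} -> $zone"
    firewall-cmd --permanent --zone="$zone" --change-interface="$iface" || return 1
    firewall-cmd --reload || return 1
    # Read the binding back from the runtime view to confirm the change.
    firewall-cmd --get-active-zones | zone_of interfaces "$iface"
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    move_interface "${FW_IFACE:-eth1}" "${FW_ZONE:-internal}"
fi
```

On an interface managed by NetworkManager the zone is also stored in the connection profile (ZONE= in the ifcfg file, or connection.zone via nmcli), and NetworkManager reapplies it when the connection comes up; set it there as well if the binding has to survive a reconnect.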

Predefined Configurations

Predefined service definitions ship in the /usr/lib/firewalld/services/ folder.

Predefined zone definitions ship in the /usr/lib/firewalld/zones/ folder.

Predefined ICMP type definitions ship in the /usr/lib/firewalld/icmptypes/ folder.

Do not edit the files under /usr/lib/firewalld; they are replaced on package updates. A file with the same name under /etc/firewalld/ (services/, zones/ or icmptypes/) takes precedence, so copy a definition there before changing it, and run firewall-cmd --reload for firewalld to read the new file.


Sample Firewalld Configuration Definition File

Shown below is the command that displays the predefined definition file for the DNS service. A service file carries a short name, a description and one port element per port/protocol pair the service uses; the same layout applies to custom services placed under /etc/firewalld/services/.

cat /usr/lib/firewalld/services/dns.xml
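The service definition format above, as an added example that is not part of the original post: a generator for a custom service file, a reader that extracts the port/protocol pairs from any service file, and an install step that places the file under /etc/firewalld/services/, reloads, and confirms the new name is usable with --add-service. The sample XML is constructed in the layout of the shipped files and is not a copy of dns.xml; the FW_APPLY variable, the webadmin service and the helper names are assumptions made for this example. The privileged steps run only when FW_APPLY=1 is set.

```bash
#!/bin/sh
# Added example (not from the original post): generate a custom service
# definition, read the ports back out of any service file, and install the
# definition so it can be used with --add-service.

# Constructed sample in the layout of the shipped service files (two port
# elements, as the DNS service has); not a copy of dns.xml.
SAMPLE_SERVICE='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>Constructed sample resembling the DNS service definition.</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>'

# Escape the characters that would break the XML if they appear in free text.
xml_escape() {
    sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# service_xml <short> <description> <port/proto>...: print a service definition.
# Protocols are limited to those firewalld accepts in a port element.
service_xml() {
    short=$(printf '%s' "$1" | xml_escape)
    desc=$(printf '%s' "$2" | xml_escape)
    shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for pp in "$@"; do
        case $pp in
            [0-9]*/tcp|[0-9]*/udp|[0-9]*/sctp|[0-9]*/dccp) ;;
            *) echo "bad port spec: $pp (want PORT/tcp, PORT/udp, ...)" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "${pp#*/}" "${pp%/*}"
    done
    printf '</service>\n'
}

# service_ports: read a service XML on stdin, print one PORT/PROTO per line.
# The attribute order inside a port element is not assumed.
service_ports() {
    awk '/<port / {
        proto = ""; port = ""
        if (match($0, /protocol="[^"]*"/)) proto = substr($0, RSTART + 10, RLENGTH - 11)
        if (match($0, / port="[^"]*"/))    port  = substr($0, RSTART + 7,  RLENGTH - 8)
        if (port != "" && proto != "") print port "/" proto
    }'
}

# install_service <name> <short> <description> <port/proto>...: write the file
# under /etc/firewalld/services (which overrides /usr/lib/firewalld/services),
# reload so firewalld reads it, then confirm the name is now configurable.
install_service() {
    name=$1; shift
    file="/etc/firewalld/services/$name.xml"
    service_xml "$@" > "$file" || { rm -f "$file"; return 1; }
    chmod 0644 "$file"
    firewall-cmd --reload || return 1
    firewall-cmd --get-services | tr ' ' '\n' | grep -qx "$name" || {
        echo "$name not visible after reload; check $file" >&2; return 1; }
    echo "$name defines: $(service_ports < "$file" | paste -sd ' ' -)"
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    install_service webadmin "Web Admin" "Internal administration UI" 8443/tcp
    firewall-cmd --permanent --zone=internal --add-service=webadmin
    firewall-cmd --reload
fi
```

The reload inside install_service is what makes the new name appear in --get-services; --add-service=webadmin fails with an invalid-service error until firewalld has read the file, which is the step people usually miss.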



