Overview
A firewall provides basic security for the server: it denies traffic to every port on the server, with exceptions only for the ports and services that have been approved for communication.
One of the major features of the firewall is blocking unwanted traffic. This can be done on the fly, without rebooting the server and without disrupting current connections.
Firewalld uses zones and services instead of chains and rules. Rulesets can be managed dynamically, which allows modifying rules without breaking existing sessions and connections.
Applies To
CentOS 7, RHEL 7
Firewall Rules – Configuration Methods
Online Configurator
To configure the firewall rules while the firewall is running (active state), execute the “firewall-cmd” command with the appropriate attributes.
Online | firewall-cmd | To be executed while the firewall is in the running state
Offline Configurator
To configure the firewall rules while the firewall is not running (inactive state), execute the “firewall-offline-cmd” command with the appropriate attributes.
Offline | firewall-offline-cmd | To be executed while the firewall is turned off
Firewall Service Daemon Management – Commands
The firewalld service daemon controls the firewall state.
Service Start
To start the firewall daemon on the server, run the command:
systemctl start firewalld
Service Stop
To stop the firewall daemon on the server, run the command:
systemctl stop firewalld
Service Restart
To restart the firewall daemon on the server, run the command:
systemctl restart firewalld

Service Status
To check the current status of the firewall daemon, run the command:
systemctl status firewalld
Service Disable
To disable the firewall daemon so that the service is not started automatically at system boot, run the command:
systemctl disable firewalld

Service Enable
To enable the firewall daemon to start automatically at OS boot, run the command:
systemctl enable firewalld

Service Mask
Masking the firewall daemon disables it so that the service cannot be started manually either. To mask the firewalld service, run the command:
systemctl mask firewalld

Service Unmask
Unmasking the firewall daemon revokes the mask. To unmask the firewalld service, run the command:
systemctl unmask firewalld

Daemon Action | Purpose
systemctl start firewalld | To start the daemon service
systemctl stop firewalld | To stop the daemon service
systemctl status firewalld | To check the status of the daemon service
systemctl enable firewalld | To enable the daemon service at OS startup
systemctl disable firewalld | To disable the daemon service at OS startup
systemctl mask firewalld | To mask the daemon service, prohibiting all kinds of activation
systemctl unmask firewalld | To unmask the daemon service, lifting the prohibition on activation
Configure Firewall Rules
Before you start configuring the firewall rules, be clear about which service, port or protocol you want to add to or revoke from the rules.
Add Rule by Service Name
To add a permanent rule by service name, run the command below:
Firewall Rule | Purpose
firewall-cmd --permanent --add-service=ssh | Open ssh service (port 22) access
firewall-cmd --permanent --add-service=smtp | Open smtp service (port 25) access
firewall-cmd --permanent --add-service=http | Open http service (port 80) access
firewall-cmd --permanent --add-service=https | Open https service (port 443) access

Add Rule by Port
To add a permanent rule by port and protocol type, run the command as below:
Firewall Rule | Purpose
firewall-cmd --permanent --add-port=2222/tcp | Open TCP port 2222

Add Rule for Port Range
To add a permanent rule for a port range and protocol type, run the command as below:
Firewall Rule | Purpose
firewall-cmd --permanent --add-port=5901-5905/tcp | Open VNC access for the port range and protocol type

Remove Rule by Service Name
To remove an existing permanent rule by service name, run the command below:
Firewall Rule | Purpose
firewall-cmd --permanent --remove-service=smtp | Revoke smtp service access (port 25)
Remove Rule by Port
To remove an existing permanent rule by port and protocol type, run the command below:
Firewall Rule | Purpose
firewall-cmd --permanent --remove-port=2222/tcp | Revoke access to TCP port 2222
Remove Rule for Port Range
To remove an existing permanent rule for a port range and protocol type, run the command below:
Firewall Rule | Purpose
firewall-cmd --permanent --remove-port=5901-5905/tcp | Revoke VNC access for the port range and protocol type
List Services – Firewall configurable
To get the services that can be configured by name on the server, run the command below:
Firewall Rule | Purpose
firewall-cmd --get-services | List the services that can be configured by service name
List Zones – Firewall configurable
To get the zones that can be configured on the server, run the command below:
Firewall Rule | Purpose
firewall-cmd --get-zones | List the zones that can be configured for the server
List ICMP Types – Firewall configurable
To get the ICMP types that can be configured on the server, run the command below:
Firewall Rule | Purpose
firewall-cmd --get-icmptypes | List the ICMP types that can be configured for the server
List All Rules Configured
To list all the firewall rules that are configured on the server:
Firewall Rule | Purpose
firewall-cmd --permanent --list-all | List the permanent rules
Reload Firewall Rules
To reload the firewall rules without changing the state of the firewall:
Firewall Rule | Purpose
firewall-cmd --reload | Reload the firewall and keep state information
Note: Reloading the firewall rules is mandatory after making changes to the firewall rule(s), in order to activate the modified rules.
Add Rich Rule – HTTP Accept
Rich firewall rules are used for more complex requirements, for example a rule that opens http access only to a specific IP range, where the application is hosted for a specific department's use.
Firewall Rule | Purpose
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" service name="http" accept' | Add a rich rule that accepts http access from the source IP range
Add Rich Rule – HTTP Reject
Configure a firewall rule that rejects http access from a specific IP range, where the application is hosted for a specific department's use.
Firewall Rule | Purpose
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" service name="http" reject' | Add a rich rule that rejects http traffic from the source IP range
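The quoting in the two rich-rule commands above is the usual stumbling point (the attribute values need double quotes, so the rule as a whole must be single-quoted). The following script is an added example, not from the original page: it assembles the rule with printf, validates the source range, service name and action before anything reaches firewall-cmd, then adds the rule permanently and reloads. FIREWALL_CMD is a hypothetical override so the script can be dry-run with echo on a host without firewalld.

```shell
#!/bin/sh
# Added example, not from the original page: build a firewalld rich rule with
# correct quoting and apply it permanently. FIREWALL_CMD is a hypothetical
# override (default: firewall-cmd); set it to echo for a dry run.

# build_rich_rule <ipv4-cidr> <service> <accept|reject|drop>
# Prints the rule text; returns 1 if any argument is malformed.
build_rich_rule() {
    cidr=$1; service=$2; action=$3
    # Source must be a dotted-quad with a /0-/32 prefix and octets <= 255.
    echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    for octet in $(echo "${cidr%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    # Service names as used by firewall-cmd --add-service (http, dhcpv6-client, ...).
    echo "$service" | grep -Eq '^[a-z0-9-]+$' || return 1
    case $action in
        accept|reject|drop) ;;
        *) return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" service name="%s" %s\n' \
        "$cidr" "$service" "$action"
}

# apply_rich_rule <zone> <ipv4-cidr> <service> <action>
# Adds the rule to the permanent configuration and reloads, which the page
# requires for permanent changes to take effect.
apply_rich_rule() {
    zone=$1
    rule=$(build_rich_rule "$2" "$3" "$4") || { echo "invalid rule arguments" >&2; return 1; }
    "${FIREWALL_CMD:-firewall-cmd}" --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    "${FIREWALL_CMD:-firewall-cmd}" --reload
}

# Dry run: with FIREWALL_CMD=echo the two commands are printed, not executed.
FIREWALL_CMD=echo
apply_rich_rule public 192.168.2.0/24 http accept
```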
Remove Rich Rule – HTTP Reject
Configure a firewall rule that removes the existing rich rule for a specific IP range, where the application is hosted for a specific department's use.
Firewall Rule – Add ICMP Block
To add a firewall rule that blocks ICMP echo-reply traffic, run the commands:
firewall-cmd --add-icmp-block=echo-reply
firewall-cmd --list-icmp-blocks

Firewall Rule – Remove ICMP Block
To revoke the firewall rule blocking ICMP echo-reply traffic, run the commands:
firewall-cmd --zone=public --remove-icmp-block=echo-reply
firewall-cmd --list-icmp-blocks

Query ICMP Block
To query whether a specific ICMP block type is enabled, run the command:
firewall-cmd --zone=public --query-icmp-block=echo-reply
Firewall Rule – Get ICMP Types
To list the ICMP types supported by the firewall, run the command:
firewall-cmd --get-icmptypes

Converting Runtime to Permanent Rules
To convert all existing runtime firewall rules to permanent rules, run the commands:
firewall-cmd --runtime-to-permanent
firewall-cmd --reload
Examples of runtime and permanent firewall rules:
Rule Type | Command
Runtime Rule | firewall-cmd --add-service=ssh
Permanent Rule | firewall-cmd --permanent --add-service=ssh
Firewall Zones
A firewall zone defines the level of trust for the network connections, interfaces and source addresses bound to it. A zone combines services, ports, masquerading, ICMP filters and rich rules. To list the zones:
Firewall Rule | Purpose
firewall-cmd --get-zones | List the available zones that can be configured on the server
firewall-cmd --get-active-zones | List the zones currently in use on the server, with the interfaces and sources bound to them
Predefined Configurations
Firewalld services are stored in the “/usr/lib/firewalld/services” folder.
Firewalld zones are stored in the “/usr/lib/firewalld/zones” folder.
Firewalld icmptypes are stored in the “/usr/lib/firewalld/icmptypes” folder.

Sample Firewalld Configuration Definition File
Shown below is the sample configuration file for the DNS service.
cat /usr/lib/firewalld/services/dns.xml
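A service name such as dns is only a label for the port/protocol pairs in its definition file, so when auditing what --add-service actually opens it helps to read those files directly. The script below is an added example, not from the original page: it extracts the <port> elements of a service definition and audits every definition in a directory. The XML it uses is a constructed sample in the format of the files under /usr/lib/firewalld/services/ (the real dns.xml is not reproduced).

```shell
#!/bin/sh
# Added example, not from the original page: resolve a firewalld service
# definition to the port/protocol pairs it opens. SAMPLE_SERVICE_XML is a
# constructed sample in the format of /usr/lib/firewalld/services/*.xml.

SAMPLE_SERVICE_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>Constructed sample service definition for this example.</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>'

# service_ports <file>: print one port/protocol line per <port> element, in
# the form firewall-cmd --add-port uses (e.g. 53/tcp). Handles either
# attribute order.
service_ports() {
    grep -o '<port [^>]*/>' "$1" | sed -E \
        -e 's/.*protocol="([^"]+)".*port="([^"]+)".*/\2\/\1/' \
        -e 's/.*port="([^"]+)".*protocol="([^"]+)".*/\1\/\2/'
}

# audit_services <dir>: for every <name>.xml in <dir>, print "name: p/proto ...".
# Point it at /etc/firewalld/services to see locally added or overridden
# definitions, which take precedence over /usr/lib/firewalld/services.
audit_services() {
    for f in "$1"/*.xml; do
        [ -e "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f" .xml)" "$(service_ports "$f" | xargs)"
    done
}

# Demo on a temporary directory holding the constructed dns.xml.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_SERVICE_XML" > "$demo_dir/dns.xml"
audit_services "$demo_dir"      # dns: 53/tcp 53/udp
rm -rf "$demo_dir"
```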