CentOS Stream 9

Firewalld : Basic Operation (2022/01/07)

 
This is the basic operation of Firewalld.
In Firewalld, service definitions are assigned to zones.
To enable the firewall, associate a zone with a NIC using the commands below.
[1] To use Firewalld, start the Service.
[root@dlp ~]#
systemctl enable --now firewalld

[2] By default, the [public] zone is applied to the NIC, and the cockpit, dhcpv6-client and ssh services are allowed. When you run a [firewall-cmd] command without a [--zone=***] option, the configuration is applied to the default zone.
# display the default zone

[root@dlp ~]#
firewall-cmd --get-default-zone

public
# display current settings

[root@dlp ~]#
firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# display all zones defined by default

[root@dlp ~]#
firewall-cmd --list-all-zones

block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
  .....
  .....

# display allowed services on a specific zone

[root@dlp ~]#
firewall-cmd --list-service --zone=external

ssh
# change default zone

[root@dlp ~]#
firewall-cmd --set-default-zone=external

success
# change zone for an interface

[root@dlp ~]#
firewall-cmd --change-interface=enp1s0 --zone=external

success
[root@dlp ~]#
firewall-cmd --list-all --zone=external

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[3] Display services defined by default.
[root@dlp ~]#
firewall-cmd --get-services

RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-controller-manager kube-scheduler kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd netbios-ns nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wireguard wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

# definition files are placed under the following directory
# if you'd like to add your own definition, put an XML file there

[root@dlp ~]#
ls /usr/lib/firewalld/services

amanda-client.xml            mqtt.xml
amanda-k5-client.xml         mssql.xml
amqps.xml                    ms-wbt.xml
amqp.xml                     murmur.xml
apcupsd.xml                  mysql.xml
.....
.....
minidlna.xml                 xmpp-client.xml
mongodb.xml                  xmpp-local.xml
mosh.xml                     xmpp-server.xml
mountd.xml                   zabbix-agent.xml
mqtt-tls.xml                 zabbix-server.xml
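An added example, not from the original page, that writes a custom service definition in the XML format used by the files listed above. The service name, ports and target directory are constructed here; on a real host the file belongs in /etc/firewalld/services, which overrides the packaged definitions in /usr/lib/firewalld/services and survives package updates.

```shell
#!/bin/sh
# Added example (not from the original page): generate a custom firewalld service
# definition. Local definitions belong in /etc/firewalld/services, which overrides
# the packaged files in /usr/lib/firewalld/services and survives package updates.

# service_xml SHORT DESCRIPTION PORT/PROTO...: print a firewalld service XML
# document on stdout. Port specs use firewall-cmd's "465/tcp" form and may be a
# range such as "8000-8100/tcp"; anything else is rejected before a file is written.
# SHORT and DESCRIPTION are not XML-escaped, so keep them to plain words.
service_xml() {
    short=$1; desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
        case $port in ''|*[!0-9-]*) echo "bad port: $spec" >&2; return 1 ;; esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# install_service NAME DIR SHORT DESCRIPTION PORT/PROTO...: write DIR/NAME.xml and
# print its path. DIR is a parameter only so the function can be exercised in a
# scratch directory; on a real host it is /etc/firewalld/services, followed by
# "firewall-cmd --reload" and "firewall-cmd --add-service=NAME [--permanent]".
install_service() {
    name=$1; dir=$2; shift 2
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    out=$dir/$name.xml
    service_xml "$@" > "$out" || { rm -f "$out"; return 1; }
    chmod 0644 "$out"
    printf '%s\n' "$out"
}

# Constructed demo (not from the page): a hypothetical "myapp" on 8080/tcp and 8443/tcp.
demo_dir=$(mktemp -d)
install_service myapp "$demo_dir" "My App" "constructed example service" 8080/tcp 8443/tcp
cat "$demo_dir/myapp.xml"
rm -rf "$demo_dir"
```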
[4] Add or remove allowed services.
Changes made this way are reverted after the system reboots.
To make a change permanent, add the [--permanent] or [--runtime-to-permanent] option.
# for example, add [http]

[root@dlp ~]#
firewall-cmd --add-service=http

success
[root@dlp ~]#
firewall-cmd --list-service

cockpit dhcpv6-client http ssh
# for example, remove [http]

[root@dlp ~]#
firewall-cmd --remove-service=http

success
[root@dlp ~]#
firewall-cmd --list-service

cockpit dhcpv6-client ssh
# permanent setting : [--permanent] - add setting to the permanent environment

[root@dlp ~]#
firewall-cmd --add-service=http --permanent

success
[root@dlp ~]#
firewall-cmd --list-service

cockpit dhcpv6-client ssh
# reload settings from the permanent environment to apply new setting

[root@dlp ~]#
firewall-cmd --reload

success
[root@dlp ~]#
firewall-cmd --list-service

cockpit dhcpv6-client http ssh
# permanent setting : [--runtime-to-permanent] - save the current runtime environment to the permanent environment

[root@dlp ~]#
firewall-cmd --add-service=http

success
[root@dlp ~]#
firewall-cmd --list-service

cockpit dhcpv6-client http ssh
[root@dlp ~]#
firewall-cmd --runtime-to-permanent

success
[5] Add or remove allowed ports.
To make a change permanent, add the [--permanent] or [--runtime-to-permanent] option as in the examples in [4].
# for example, add [TCP 465]

[root@dlp ~]#
firewall-cmd --add-port=465/tcp

success
[root@dlp ~]#
firewall-cmd --list-port

465/tcp
# for example, remove [TCP 465]

[root@dlp ~]#
firewall-cmd --remove-port=465/tcp

success
[root@dlp ~]#
firewall-cmd --list-port

 
[6] Add or remove prohibited ICMP types.
# for example, add [echo-request] to prohibit it

[root@dlp ~]#
firewall-cmd --add-icmp-block=echo-request

success
[root@dlp ~]#
firewall-cmd --list-icmp-blocks

echo-request
# for example, remove [echo-request]

[root@dlp ~]#
firewall-cmd --remove-icmp-block=echo-request

success
[root@dlp ~]#
firewall-cmd --list-icmp-blocks

 
# display available ICMP types

[root@dlp ~]#
firewall-cmd --get-icmptypes

address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
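The following script is an added example, not part of the original page: it compares the runtime and permanent configuration for the services, ports and ICMP blocks handled in [4] through [6], so a forgotten --reload or a runtime-only change is noticed before a reboot silently changes the firewall. It assumes firewall-cmd is installed and run as root for the live check, and falls back to a constructed sample otherwise.

```shell
#!/bin/sh
# Added example (not from the original page): report drift between the runtime
# and permanent firewalld configuration of the default zone. A runtime-only
# item is lost on --reload or reboot; a permanent-only item is not active yet.

# only_in LIST_A LIST_B: print, one per line, the whitespace-separated items of
# A that are absent from B. Pure text processing so it can be checked offline.
only_in() {
    for item in $1; do
        found=0
        for other in $2; do
            [ "$item" = "$other" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$item"
    done
    return 0
}

# drift_report RUNTIME PERMANENT KIND: one actionable line per drifted item.
drift_report() {
    for x in $(only_in "$1" "$2"); do
        printf 'RUNTIME-ONLY %s %s (lost on --reload or reboot)\n' "$3" "$x"
    done
    for x in $(only_in "$2" "$1"); do
        printf 'PERMANENT-ONLY %s %s (not active until --reload)\n' "$3" "$x"
    done
    return 0
}

# audit_live_firewalld: query the real firewall when firewall-cmd is installed
# (run as root); returns 2 when it is not, so callers can fall back to the sample.
audit_live_firewalld() {
    command -v firewall-cmd >/dev/null 2>&1 || return 2
    for kind in services ports icmp-blocks; do
        drift_report "$(firewall-cmd --list-$kind)" \
                     "$(firewall-cmd --permanent --list-$kind)" "$kind"
    done
}

# Constructed sample (not captured from a host): the state on this page after
# "--add-service=http --permanent" without --reload, plus a runtime-only
# "465/tcp" port and a runtime-only "echo-request" ICMP block.
sample_audit() {
    drift_report "cockpit dhcpv6-client ssh" "cockpit dhcpv6-client http ssh" services
    drift_report "465/tcp" "" ports
    drift_report "echo-request" "" icmp-blocks
}

audit_live_firewalld || sample_audit
```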