1. Introduction
1.1 Introduction
A firewall is a way to protect a machine from unwanted external communication. It allows users to control the incoming network traffic on the host by defining a set of firewall rules. These rules are used to sort incoming traffic and either block it or allow it to pass. firewalld is a firewall service daemon that provides a dynamically customizable, host-based firewall with a D-Bus interface. Because it is dynamic, it supports creating, changing and deleting rules without restarting the firewall daemon every time a rule changes.
1.2 Concepts
Zones: a network zone defines the trust level of a network connection. This is a one-to-many relationship: a connection can only be part of one zone, but a zone can be used for many connections. The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be applied immediately to any available network interface. A zone file is only copied to the /etc/firewalld/zones/ directory after it has been modified. The following table describes the default settings of the predefined zones:
Zone | Default policy rules
---|---
trusted | Allow all packets in and out
home | Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh, mdns, IPP client, SAMBA client and DHCPv6 client services is allowed
internal | Same as the home zone
work | Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh, IPP client and DHCPv6 client services is allowed
public | Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh and DHCPv6 client services is allowed
external | Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh service is allowed
dmz | Reject incoming traffic unless it is related to outgoing traffic; incoming traffic for the ssh service is allowed
block | Reject incoming traffic unless it is related to outgoing traffic
drop | Reject incoming traffic unless it is related to outgoing traffic
During installation, the default zone of firewalld is set to the public zone. You can change the default zone.
Predefined services: a service can consist of a list of local ports, protocols, source ports and destinations, as well as a list of firewall helper modules that are loaded automatically when the service is enabled.
Runtime and permanent settings: in runtime mode, a configuration change takes effect immediately but only for the running firewall; after a restart, the original configuration is restored. To make the runtime configuration permanent:
~]# firewall-cmd <other options>
~]# firewall-cmd --runtime-to-permanent
In permanent mode, a configuration change does not take effect until the firewall is reloaded. To apply it, reload the firewall:
~]# firewall-cmd --permanent <other options>
~]# firewall-cmd --reload
Tools: graphical interface tool: firewall-config; command line tool: firewall-cmd
2. Check the current status and configuration of firewalld
2.1 check the current status of firewalld
View service running status:
~]#firewall-cmd --state
For more information about service status, use the systemctl status subcommand:
~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2021-11-20 19:34:29 CST; 2 months 19 days ago
     Docs: man:firewalld(1)
 Main PID: 3152 (firewalld)
   Memory: 25.8M
   CGroup: /system.slice/firewalld.service
           └─3152 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RE...' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-ISOLATION-STAGE-1' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -n -L DOCKER-USER' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-USER -j RETURN' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -j DOCKER-USER' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -p tcp -d 0/0 --dport 3306 -j DNAT --to-...' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER ! -i docker0 -o docker0 -p tcp -d 172...' failed:
Feb 09 09:47:01 izwz93vpnhvpoegtlnppbdz firewalld[3152]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -p tcp -s 172.18.0.2 -d 172.18.0.2 ...' failed:
2.2 View the configuration of firewalld
To view the default zone configuration:
~]# firewall-cmd --list-all
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'docker' (see --get-active-zones)
You most likely need to use --zone=docker option.

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 3306/tcp 80/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Description of the fields:
target: the zone target (the default action for traffic that matches no rule)
icmp-block-inversion: switch that inverts the ICMP type block list (yes/no)
interfaces: network interfaces bound to the zone
sources: sources bound to the zone, which can be IP addresses or MAC addresses
services: allowed services
ports: allowed destination ports, i.e. ports opened locally
protocols: allowed protocols
masquerade: whether masquerading is enabled (yes/no); it rewrites the source IP address and MAC address
forward-ports: ports for which forwarding is allowed
source-ports: allowed source ports
icmp-blocks: ICMP types can be listed here; when icmp-block-inversion is no, the listed ICMP types are rejected; when icmp-block-inversion is yes, ICMP types other than the listed ones are not allowed
rich rules: rich rules, i.e. more detailed firewall rules and policies; they have the highest priority among all firewall policies
To view the configuration of a specific zone:
~]# firewall-cmd --zone=public --list-all
To view which services are allowed in the current zone:
~]# firewall-cmd --list-services
dhcpv6-client ssh
Port 22 does not appear in the ports list of the configuration above, but it is allowed because the ssh service is enabled.
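The zone listing above is easy to read by eye but easy to stop reading after a while. As an added example (not from the original page), the following POSIX shell function audits a `firewall-cmd --list-all` listing against an allowlist of services and ports and reports anything exposed beyond it; the listing embedded here is constructed to match the output shown above, and `audit_listing` and `listing_field` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original page): audit the output of
# "firewall-cmd --zone=<zone> --list-all" against an allowlist of
# services and ports, so that unexpected exposure (e.g. 3306/tcp on a
# public zone) is reported instead of silently accepted.

# Constructed sample listing, modelled on the output shown above.
SAMPLE_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 3306/tcp 80/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the value of the "<field>:" line of a listing.
# $1 = listing text, $2 = field name (services, ports, masquerade, ...)
listing_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print every service or port in the listing ($1) that is not in the
# space-separated allowlist ($2). Returns 1 if anything was flagged.
audit_listing() {
    listing=$1; allowed=" $2 "; flagged=0
    for item in $(listing_field "$listing" services) $(listing_field "$listing" ports); do
        case "$allowed" in
            *" $item "*) ;;                      # expected, nothing to report
            *) echo "unexpected: $item"; flagged=1 ;;
        esac
    done
    # Masquerading on a host firewall is rarely intended; report it as well.
    if [ "$(listing_field "$listing" masquerade)" = "yes" ]; then
        echo "unexpected: masquerade enabled"; flagged=1
    fi
    return $flagged
}

# Typical use on a live host (requires firewalld):
#   audit_listing "$(firewall-cmd --zone=public --list-all)" "ssh dhcpv6-client 80/tcp"
```

Run against the sample listing with the allowlist `ssh dhcpv6-client 80/tcp`, it reports 3306/tcp and 8080/tcp as unexpected and exits non-zero, which makes it usable from a cron job or a configuration check.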
3. Start and stop firewall service firewalld
Unmask (the opposite of mask):
~]# systemctl unmask firewalld
Start:
~]# systemctl start firewalld
Enable start at boot:
~]# systemctl enable firewalld
Stop:
~]# systemctl stop firewalld
Disable start at boot:
~]# systemctl disable firewalld
Mask the service (a masked service can no longer be started, stopped or enabled at boot):
~]# systemctl mask firewalld
4. Traffic control
4.1 Predefined services
You can use the firewall-cmd and firewall-offline-cmd commands to add services, or you can directly add or modify XML files in the /etc/firewalld/services/ directory. The files in the /usr/lib/firewalld/services/ directory can be used as templates.
4.2 Emergency (panic) mode
After emergency mode is enabled, all network traffic is blocked. Enable emergency mode:
~]# firewall-cmd --panic-on
Disable emergency mode:
~]# firewall-cmd --panic-off
Query whether emergency mode is on:
~]# firewall-cmd --query-panic
4.3 Traffic control using predefined services
The most direct way to control traffic is to add a predefined service to the firewall. This opens all the necessary ports and applies the other settings from the service definition file.
List all allowed services:
~]# firewall-cmd --list-services
ssh dhcpv6-client
List all predefined services:
~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry ... [output truncated]
Add a predefined service to the allowed services:
~]# firewall-cmd --permanent --add-service=<service-name>
4.4 Adding new services
Create a new, empty service:
~]# firewall-cmd --permanent --new-service=service-name
Add services using local files:
~]# firewall-cmd --permanent --new-service-from-file=service-name.xml
After the service settings are changed, an updated copy of the service file is immediately placed in the /etc/firewalld/services/ directory.
As root, a service file can also be copied manually:
~]# cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml
5. Port control
List all allowed ports in the current zone:
~]# firewall-cmd --list-ports
Add an allowed port:
~]# firewall-cmd --permanent --add-port=port-number/port-type
The port type is tcp, udp, sctp or dccp and must match the type of network communication used.
Close port:
~]# firewall-cmd --permanent --remove-port=port-number/port-type
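Sections 4.4 and 5 together describe the two inputs a custom service needs: a service XML file for `--new-service-from-file`, and port specifications in the form port-number/port-type. As an added example (not from the original page or from firewalld itself), the following POSIX shell functions validate such port specifications and write a service definition file from them; `valid_port_spec` and `write_service_xml` are hypothetical helper names, and the service named `myapp` in the comments is a constructed example.

```shell
#!/bin/sh
# Added example (not from the original page): write a custom service
# definition in the format firewalld reads from /etc/firewalld/services/,
# checking every port spec ("number/type", type tcp, udp, sctp or dccp)
# before anything is written. Single ports only; port ranges are rejected.

# Returns 0 if $1 looks like "<1-65535>/<tcp|udp|sctp|dccp>", else 1.
valid_port_spec() {
    port=${1%/*}; proto=${1#*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Write <dir>/<name>.xml for a service. Usage:
#   write_service_xml DIR NAME "Short title" "Description" PORT/TYPE...
# The resulting file is what
#   firewall-cmd --permanent --new-service-from-file=DIR/NAME.xml
# expects. Title and description are inserted verbatim (no XML escaping),
# so keep them to plain text.
write_service_xml() {
    dir=$1; name=$2; short=$3; desc=$4; shift 4
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$dir/$name.xml"
}

# Example (constructed): a service "myapp" listening on 8443/tcp and 9000/udp.
#   write_service_xml /etc/firewalld/services myapp "My App" "Example application" 8443/tcp 9000/udp
#   firewall-cmd --permanent --add-service=myapp && firewall-cmd --reload
```

Because the file is written into the directory that firewalld reads, the new service then shows up in `firewall-cmd --get-services` and can be allowed with `--add-service` like any predefined one.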