RHCE (firewalld - view and use)

Posted by sunshine66 on Thu, 09 Dec 2021 13:08:11 +0100

1.2. View the current status and settings of firewalld

1.2.1. View the current status of firewalld

The firewall service firewalld is installed on the system by default. Use the firewall-cmd CLI to check that the service is running:

[root@kittod ~]# firewall-cmd --state
running

For more information about service status, use the systemctl status subcommand:

[root@kittod ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor pres>
   Active: active (running) since Thu 2021-12-09 18:19:14 CST; 1min 9s ago
     Docs: man:firewalld(1)
 Main PID: 2023 (firewalld)
    Tasks: 2 (limit: 23489)
   Memory: 31.2M
   CGroup: /system.slice/firewalld.service
           └─2023 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --no>

Dec 09 18:19:14 kittod systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 09 18:19:14 kittod systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 09 18:19:14 kittod firewalld[2023]: WARNING: AllowZoneDrifting is enabled. This>

1.2.3. Use the CLI to view firewalld settings

The CLI client offers several views of the current firewall settings. The --list-all option displays a complete overview of the firewalld settings.
firewalld uses zones to manage traffic. If no zone is specified with the --zone option, the command takes effect in the default zone, which is assigned to the active network interfaces and connections.
To list all relevant information about the default zone:

[root@kittod ~]# firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160 ens192
  sources: 
  services: cockpit dhcpv6-client mysql ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

To display the settings of a specific zone, add the --zone=<zone name> parameter to the firewall-cmd --list-all command, for example:

[root@kittod ~]# firewall-cmd --list-all --zone=home 
home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

To view which services are allowed in the current zone:

[root@kittod ~]# firewall-cmd --list-services 
cockpit dhcpv6-client mysql ssh

1.3. Use firewalld

1.3.1. Disable all traffic in an emergency using the CLI

In an emergency, such as when the system is under attack, you can disable all network traffic and cut the attacker off.
To disable network traffic immediately, switch to panic mode:

[root@kittod ~]# firewall-cmd --panic-on

Important
Enabling panic mode stops all network traffic. Therefore, it should only be used when you have physical access to the machine or are logged in through the serial console.

Turning off panic mode will restore the firewall to its permanent settings. To turn off panic mode, enter:

[root@kittod ~]# firewall-cmd --panic-off

To see if panic mode is turned on or off, use:

[root@kittod ~]# firewall-cmd --query-panic 
no

1.3.2. Use the CLI to control traffic for predefined services

The easiest way to control traffic is to add a predefined service to firewalld. This opens all required ports and modifies other settings according to the service definition file.

Check whether the service is not yet allowed:

[root@kittod ~]# firewall-cmd --list-services 
cockpit dhcpv6-client mysql ssh

List all predefined services:

[root@kittod ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https httptest imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Add the service to the allowed services:

[root@kittod ~]# firewall-cmd --add-service=http 
success

Make the new settings permanent:

[root@kittod ~]# firewall-cmd --runtime-to-permanent 
success
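An added example (not from the original post) that turns the check-then-add steps of this section into an idempotent script: the check uses exact-word matching on the --list-services output, and the planning function takes that output as a parameter (here a constructed copy of the post's output) so the logic can be exercised without a live firewalld.

```shell
# Added example, not the post's own code. The live firewall-cmd calls are kept
# in apply_service_adds; the other functions work on injected text only.

# service_allowed NAME "LIST": exact word match, so "ssh" does not match "sshd".
service_allowed() {
    local name="$1" list="$2" svc
    for svc in $list; do
        [ "$svc" = "$name" ] && return 0
    done
    return 1
}

# plan_service_adds "LIST" SVC...: print one firewall-cmd line per service that
# is missing from LIST. Returns 0 when at least one add is needed, 1 when every
# requested service is already allowed (nothing to do).
plan_service_adds() {
    local list="$1"; shift
    local needed=1 svc
    for svc in "$@"; do
        if service_allowed "$svc" "$list"; then
            continue
        fi
        printf 'firewall-cmd --add-service=%s\n' "$svc"
        needed=0
    done
    return $needed
}

# apply_service_adds SVC...: read the runtime list, add only what is missing,
# then persist, as the post does with --add-service and --runtime-to-permanent.
apply_service_adds() {
    local current svc
    current=$(firewall-cmd --list-services) || return 1
    for svc in "$@"; do
        service_allowed "$svc" "$current" && continue
        firewall-cmd --add-service="$svc" || return 1
    done
    firewall-cmd --runtime-to-permanent
}
```

Running plan_service_adds first gives a dry run you can review before apply_service_adds touches the live ruleset.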

1.3.3. Add a new service

You can use the firewall-cmd and firewall-offline-cmd tools to add and remove services. Alternatively, you can edit the XML files in /etc/firewalld/services/. If the user has not added or changed any services, no XML file is found in /etc/firewalld/services/. If you want to add or change a service, the files in /usr/lib/firewalld/services/ can be used as templates.

Note
The service name may contain only alphanumeric characters, _ (underscore) and - (hyphen).

Run the following command to add new and empty services:

[root@kittod ~]# firewall-cmd --new-service=httptest --permanent 
success

After changing the service settings, an updated copy of the service file is placed in /etc/firewalld/services/.

[root@kittod ~]# ll /etc/firewalld/services/ 
total 4 
-rw-r--r--. 1 root root 60 Nov 9 14:06 httptest.xml

You can also copy a configuration file from the /usr/lib/firewalld/services directory into /etc/firewalld/services/ and edit it there.
firewalld loads files from /usr/lib/firewalld/services first. If valid files are placed in /etc/firewalld/services, they override the matching files in /usr/lib/firewalld/services. Once the matching file in /etc/firewalld/services is deleted, or firewalld is asked to load the default service definitions, the file in /usr/lib/firewalld/services is used again. This applies only to the permanent environment. To get these fallbacks in the runtime environment, you need to reload.
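An added example (not the post's own code; the XML layout is modelled on the files under /usr/lib/firewalld/services/) that writes a minimal service definition enforcing the name restriction from the note above, and resolves which copy of a service file firewalld would use under the /etc/firewalld over /usr/lib/firewalld precedence just described. The directories are parameters so it can be tried against temporary directories rather than the live system.

```shell
# Added example, not the post's own code.

# write_service_xml DIR NAME DESCRIPTION PORT PROTO
# DESCRIPTION is inserted as-is, so it must not contain XML metacharacters.
write_service_xml() {
    local dir="$1" name="$2" desc="$3" port="$4" proto="$5"
    # Same restriction as the note: alphanumerics, underscore and hyphen only.
    case $name in
        *[!A-Za-z0-9_-]*|"") echo "invalid service name: $name" >&2; return 1 ;;
    esac
    # Port may be a single number or a range such as 8000-8010.
    case $port in
        *[!0-9-]*|"") echo "invalid port: $port" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
    mkdir -p "$dir" || return 1
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# resolve_service_file NAME ETCDIR LIBDIR: print the path firewalld would load
# for the permanent configuration (the ETCDIR copy wins, LIBDIR is the
# fallback); return 1 if neither copy exists.
resolve_service_file() {
    local name="$1" etc="$2" lib="$3"
    if [ -f "$etc/$name.xml" ]; then
        printf '%s\n' "$etc/$name.xml"
    elif [ -f "$lib/$name.xml" ]; then
        printf '%s\n' "$lib/$name.xml"
    else
        return 1
    fi
}
```

After writing a file into the real /etc/firewalld/services/, run firewall-cmd --reload so the runtime configuration picks it up.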

Topics: Linux firewalld RHCE