Firewalld : Basic Operation (2025/10/21)

This page covers the basic operation of Firewalld.
Firewalld groups its rules into zones: each network interface (or source address range) is bound to a zone, and the services and ports you allow are defined per zone, so the first thing to check on any host is which zone an interface is actually in.
[1] To use Firewalld, enable and start the service.

    dlp:~ # systemctl enable --now firewalld
[2] By default every NIC is bound to the [public] zone, which on this host allows only the dhcpv6-client and ssh services (some distributions also add cockpit to it). When you run [firewall-cmd] without a [--zone=***] option, the command operates on the default zone.

    # display the default zone
    dlp:~ # firewall-cmd --get-default-zone
    public

    # display current settings
    dlp:~ # firewall-cmd --list-all
    public (default, active)
      target: default
      ingress-priority: 0
      egress-priority: 0
      icmp-block-inversion: no
      interfaces: enp1s0 enp7s0
      sources:
      services: dhcpv6-client ssh
      ports:
      protocols:
      forward: yes
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

    # display all zones defined by default
    dlp:~ # firewall-cmd --list-all-zones
    block
      target: %%REJECT%%
      ingress-priority: 0
      egress-priority: 0
      icmp-block-inversion: no
      interfaces:
      sources:
      services:
      ports:
      protocols:
      forward: yes
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
    .....
    .....

    # display allowed services on a specific zone
    dlp:~ # firewall-cmd --list-services --zone=external
    ssh

    # change the default zone
    dlp:~ # firewall-cmd --set-default-zone=external
    success

    # change the zone of an interface
    dlp:~ # firewall-cmd --change-interface=enp1s0 --zone=external
    success
    dlp:~ # firewall-cmd --list-all --zone=external
    external (default, active)
      target: default
      ingress-priority: 0
      egress-priority: 0
      icmp-block-inversion: no
      interfaces: enp1s0 enp7s0
      sources:
      services: ssh
      ports:
      protocols:
      forward: yes
      masquerade: yes
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

Three things to keep in mind with the commands above. An interface that is not explicitly bound to a zone follows the default zone, which is why both enp1s0 and enp7s0 are listed under [external] once the default zone is changed, before [--change-interface] is run for enp1s0 at all. [--change-interface] without [--permanent] is a runtime change only, and on NetworkManager-managed interfaces the persistent binding lives in the connection profile (connection.zone). Finally, [external] has [masquerade: yes]: moving an interface into that zone switches on NAT for traffic forwarded out through it, so use it only on the internet-facing side of a router, and before moving the interface you are logged in over, confirm that the target zone still allows ssh.
[3] Display the services defined by default.

    dlp:~ # firewall-cmd --get-services
    0-AD RH-Satellite-6 RH-Satellite-6-capsule afp alvr amanda-client amanda-k5-client amqp amqps
    anno-1602 anno-1800 apcupsd audit ausweisapp2 bacula bacula-client bareos-director
    bareos-filedaemon bareos-storage bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc
    bittorrent-lsd ceph ceph-exporter ceph-mon cfengine checkmk-agent civilization-iv civilization-v
    cockpit collectd condor-collector cratedb ctdb dds dds-multicast dds-unicast dhcp dhcpv6
    dhcpv6-client distcc dns dns-over-quic dns-over-tls docker-registry docker-swarm dropbox-lansync
    elasticsearch etcd-client etcd-server factorio finger foreman foreman-proxy freeipa-4 freeipa-ldap
    freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd
    grafana gre http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs iscsi-target isns
    jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver
    kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure
    kube-nodeport-services kube-scheduler kube-scheduler-secure kube-worker kubelet kubelet-readonly
    kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr llmnr-client llmnr-tcp
    llmnr-udp managesieve matrix mdns memcache minecraft minidlna mongodb mosh mountd mqtt mqtt-tls
    ms-wbt mssql murmur mysql nbd nebula need-for-speed-most-wanted netbios-ns netdata-dashboard nfs
    nfs3 nmea-0183 nrpe ntp nut opentelemetry openvpn ovirt-imageio ovirt-storageconsole
    ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus
    prometheus-node-exporter proxy-dhcp ps2link ps3netsrv ptp pulseaudio puppetmaster quassel radius
    rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc
    sane settlers-history-collection sip sips slp smtp smtp-submission smtps snmp snmptls snmptls-trap
    snmptrap spideroak-lansync spotify-sync squid ssdp ssh statsrv steam-streaming stellaris
    stronghold-crusader submission supertuxkart svdrp svn syncthing syncthing-gui syncthing-relay
    synergy syscomlan syslog syslog-tls telnet tentacle terraria tftp tile38 tinc tor-socks
    transmission-client upnp-client vdsm vnc-server vrrp warpinator wbem-http wbem-https wireguard
    ws-discovery ws-discovery-client ws-discovery-tcp ws-discovery-udp wsman wsmans xdmcp xmpp-bosh
    xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-java-gateway zabbix-server zabbix-trapper
    zabbix-web-service zero-k zerotier

    # the package-provided definition files are placed under this directory
    dlp:~ # ls /usr/lib/firewalld/services
    0-AD.xml                    freeipa-replication.xml  mongodb.xml   smtp-submission.xml
    RH-Satellite-6-capsule.xml  freeipa-trust.xml        mosh.xml      smtp.xml
    RH-Satellite-6.xml          ftp.xml                  mountd.xml    smtps.xml
    afp.xml                     galera.xml               mqtt-tls.xml  snmp.xml
    alvr.xml                    ganglia-client.xml       mqtt.xml      snmptls-trap.xml
    amanda-client.xml           ganglia-master.xml       ms-wbt.xml    snmptls.xml
    amanda-k5-client.xml        git.xml                  mssql.xml     snmptrap.xml
    amqp.xml                    gpsd.xml                 murmur.xml    spideroak-lansync.xml
    amqps.xml                   grafana.xml              mysql.xml     spotify-sync.xml
    anno-1602.xml               gre.xml                  nbd.xml       squid.xml
    .....
    .....

A service is simply an XML file that names the ports and protocols it opens. If you want to add your own definition, put the XML file in /etc/firewalld/services rather than /usr/lib/firewalld/services: a file in /etc/firewalld/services with the same name overrides the packaged one, and it is not overwritten by package updates. Run [firewall-cmd --reload] after adding the file so that firewalld reads it.
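The following script is an added example and is not part of the original page or of the firewalld project. It generates a service definition in the XML format firewalld reads, writes it into the local override directory, and then shows the firewall-cmd steps that load and allow it. The service name "myapp", its description and its ports (8443/tcp, 9000-9010/udp) are assumptions, and the FIREWALLD_SERVICES_DIR variable is a hypothetical override used so the generator can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original page or the firewalld project:
# generate a custom firewalld service definition and load it.
# "myapp", its description and ports are assumptions.
set -eu

# make_service_xml NAME DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Writes a firewalld service definition to stdout. Every argument is
# validated before anything is written, so a bad argument never leaves
# a half-written file behind.
make_service_xml() {
    name=$1
    desc=$(printf '%s' "$2" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    shift 2
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "need at least one PORT/PROTO" >&2; return 1; }
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in
            tcp|udp|sctp|dccp) ;;
            *) echo "unsupported protocol in $spec" >&2; return 1 ;;
        esac
        # a port is digits, or a digits-digits range; nothing else
        case $port in
            ''|*[!0-9-]*|-*|*-) echo "bad port in $spec" >&2; return 1 ;;
        esac
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# install_service NAME DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Local definitions belong in /etc/firewalld/services: they override
# /usr/lib/firewalld/services and survive package updates. Written via a
# temp file and rename so firewalld never sees a partial file. Prints the path.
install_service() {
    name=$1; shift
    dir=${FIREWALLD_SERVICES_DIR:-/etc/firewalld/services}  # override is for testing only
    mkdir -p "$dir"
    make_service_xml "$name" "$@" > "$dir/$name.xml.tmp"
    chmod 0644 "$dir/$name.xml.tmp"
    mv "$dir/$name.xml.tmp" "$dir/$name.xml"
    printf '%s\n' "$dir/$name.xml"
}

# Demo against a temporary directory (constructed input, no root needed).
demo_dir=$(mktemp -d)
FIREWALLD_SERVICES_DIR=$demo_dir install_service myapp "Example application" 8443/tcp 9000-9010/udp
cat "$demo_dir/myapp.xml"
rm -rf "$demo_dir"

# On a real host: install, let firewalld parse it, allow it permanently in
# the default zone, and confirm what the service actually opens.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    install_service myapp "Example application" 8443/tcp 9000-9010/udp
    firewall-cmd --check-config
    firewall-cmd --reload
    firewall-cmd --permanent --add-service=myapp
    firewall-cmd --reload
    firewall-cmd --info-service=myapp
fi
```

[--check-config] is worth the extra second: a malformed XML file is otherwise reported only in the firewalld journal, and a service that failed to load silently stays closed. [--info-service] shows the ports the definition resolves to, which is what you should compare against the application's actual listeners before trusting the rule.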
[4] Add or remove allowed services. Without any option the change is applied to the running configuration only and is lost on reload or reboot. To make a change permanent, add [--permanent], which writes the permanent configuration but does not touch the running one until you [--reload], or make the change at runtime and then run [--runtime-to-permanent] to copy the whole runtime state into the permanent configuration. Two caveats: [--reload] replaces the runtime configuration with the permanent one, so it also discards any runtime-only changes made earlier, and [--runtime-to-permanent] persists everything currently active, including rules that were only meant to be temporary.

    # for example, add [http]
    dlp:~ # firewall-cmd --add-service=http
    success
    dlp:~ # firewall-cmd --list-services
    dhcpv6-client http ssh

    # for example, remove [http]
    dlp:~ # firewall-cmd --remove-service=http
    success
    dlp:~ # firewall-cmd --list-services
    dhcpv6-client ssh

    # permanent setting : [--permanent] - add the setting to the permanent configuration only
    dlp:~ # firewall-cmd --add-service=http --permanent
    success
    dlp:~ # firewall-cmd --list-services
    dhcpv6-client ssh

    # reload the permanent configuration to apply the new setting to the runtime
    dlp:~ # firewall-cmd --reload
    success
    dlp:~ # firewall-cmd --list-services
    dhcpv6-client http ssh

    # permanent setting : [--runtime-to-permanent] - save the current runtime state to the permanent configuration
    dlp:~ # firewall-cmd --add-service=https
    success
    dlp:~ # firewall-cmd --list-services
    dhcpv6-client http https ssh
    dlp:~ # firewall-cmd --list-services --permanent
    dhcpv6-client http ssh
    dlp:~ # firewall-cmd --runtime-to-permanent
    success
    dlp:~ # firewall-cmd --list-services --permanent
    dhcpv6-client http https ssh
[5] Add or remove allowed ports. Use this for software that has no service definition; a port may also be given as a range (for example 8000-8010/tcp). To make the change permanent, use [--permanent] or [--runtime-to-permanent] exactly as in [4]. Where a service definition exists, prefer it over a bare port: the service name records what the opening is for, which a bare [465/tcp] in [--list-all] does not.

    # for example, add [TCP 465]
    dlp:~ # firewall-cmd --add-port=465/tcp
    success
    dlp:~ # firewall-cmd --list-ports
    465/tcp

    # for example, remove [TCP 465]
    dlp:~ # firewall-cmd --remove-port=465/tcp
    success
    dlp:~ # firewall-cmd --list-ports
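Because [--reload] throws away runtime-only rules and [--runtime-to-permanent] persists all of them, it pays to look at the difference between the two configurations before running either. The script below is an added example, not from the original page or the firewalld project: it diffs two space-separated lists as printed by [--list-services] or [--list-ports] for steps [4] and [5]. The sample lists are constructed to match the state reached at the end of [4] (https added at runtime only); the ZONE variable is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: show what --reload would drop
# and what --runtime-to-permanent would persist for one zone.
set -eu

# list_diff "A B C" "B C": print each word of the first list that is
# absent from the second, one per line. Word splitting on the default IFS
# is intentional; firewall-cmd prints these lists space-separated.
list_diff() {
    for w in $1; do
        found=0
        for v in $2; do
            if [ "$w" = "$v" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$w"; fi
    done
}

# drift_report LABEL RUNTIME_LIST PERMANENT_LIST
# Prints the two directions of drift on two lines.
drift_report() {
    label=$1
    runtime_only=$(list_diff "$2" "$3" | tr '\n' ' ')
    permanent_only=$(list_diff "$3" "$2" | tr '\n' ' ')
    printf '%s runtime-only (lost on --reload): %s\n' "$label" "${runtime_only:-<none>}"
    printf '%s permanent-only (applied by --reload): %s\n' "$label" "${permanent_only:-<none>}"
}

# Constructed sample matching the end of step [4]: https was added at
# runtime only, nothing is permanent-only.
RUNTIME_SERVICES="dhcpv6-client http https ssh"
PERMANENT_SERVICES="dhcpv6-client http ssh"
drift_report services "$RUNTIME_SERVICES" "$PERMANENT_SERVICES"

# On a real host, feed the actual lists for a zone (default zone unless
# ZONE is set in the environment; ZONE is an assumption of this example).
if command -v firewall-cmd >/dev/null 2>&1; then
    zone=${ZONE:-$(firewall-cmd --get-default-zone)}
    drift_report "services[$zone]" \
        "$(firewall-cmd --zone="$zone" --list-services)" \
        "$(firewall-cmd --zone="$zone" --permanent --list-services)"
    drift_report "ports[$zone]" \
        "$(firewall-cmd --zone="$zone" --list-ports)" \
        "$(firewall-cmd --zone="$zone" --permanent --list-ports)"
fi
```

If the runtime-only line is not empty, decide rule by rule whether each entry should survive before reloading; the safe habit for production changes is [--permanent] followed by [--reload], which keeps the two configurations identical at all times.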
[6] Add or remove blocked ICMP types. An ICMP block belongs to the zone it is set on and follows the same runtime/permanent rules as [4]. Blocking [echo-request] hides the host from ping, but do not block types such as [fragmentation-needed], [packet-too-big] or [destination-unreachable]: path MTU discovery and connection error reporting depend on them, and dropping them produces hard-to-diagnose stalls rather than any security gain.

    # for example, add [echo-request] to block it
    dlp:~ # firewall-cmd --add-icmp-block=echo-request
    success
    dlp:~ # firewall-cmd --list-icmp-blocks
    echo-request

    # for example, remove [echo-request]
    dlp:~ # firewall-cmd --remove-icmp-block=echo-request
    success
    dlp:~ # firewall-cmd --list-icmp-blocks

    # display available ICMP types
    dlp:~ # firewall-cmd --get-icmptypes
    address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable
    echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation
    host-prohibited host-redirect host-unknown host-unreachable ip-header-bad mld-listener-done
    mld-listener-query mld-listener-report mld2-listener-report neighbour-advertisement
    neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable
    no-route packet-too-big parameter-problem port-unreachable precedence-cutoff
    protocol-unreachable redirect reject-route required-option-missing router-advertisement
    router-solicitation source-quench source-route-failed time-exceeded timestamp-reply
    timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect
    tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type
    unknown-option