Similar to iptables, firewalld is a user-space utility program for managing the Linux system firewall.
Firewalld and iptables both use the same kernel module, i.e. Netfilter.
As a result, only one firewall management utility can be used at a time: either firewalld or iptables.
In the background, firewalld also works via the iptables command; in the foreground, however, it provides a simpler way to manage the Linux firewall configuration.
It is written in Python and supports both IPv4 and IPv6 (whereas with iptables we have to use a different command, i.e. ip6tables, for IPv6).
With iptables, we used to work with tables and define rules inside those tables, which make use of different chains.
Firewalld, however, introduces a new concept: firewall zones, each with its own zone profile.
We can switch between zones and zone profiles for different settings, which gives more flexibility than iptables.
a. User Space Utility
b. Module used: Netfilter
Zones contain a set of rules that determine how our system behaves in a particular network. Which packets to accept or reject depends on the zone our system is running in.
Network interfaces are assigned to a zone, which controls what packets the firewall should allow on that interface.
Zones make it easy to change rules whenever we change our network. For example, if you use the same laptop in your office and at home, you can change the rules accordingly.
The Nine Pre-Defined Zones of Firewalld
a. drop: Lowest level of trust. All incoming packets are dropped without a reply; only outgoing connections are allowed.
b. block: Similar to drop, but instead of silently dropping connections, it rejects incoming requests with an icmp-host-prohibited or icmp6-adm-prohibited message.
c. public: For public, i.e. open or untrusted, networks. We don't trust other computers on the network, but can allow selected incoming connections on a case-by-case basis.
d. external: This special zone is used when our firewall acts as a gateway. It is configured to keep our internal network/system private yet reachable, and to enable NAT masquerading.
e. internal: The counterpart of the external zone, used for the internal side of a gateway. Computers on an internal network are somewhat trustworthy, so some additional services can also be made available.
f. dmz: Zone used for computers located in a DMZ (i.e. isolated hosts that don't have access to the rest of our network). Only a few incoming connections are allowed.
g. work: Zone designed for machines on a work network. Machines in this zone trust most of the computers on the network, and some additional services can also be allowed.
h. home: Zone for home PCs. Here we trust most of the other computers on our home network, and many more services are allowed.
i. trusted: A unique zone which trusts all machines on the network. It is the most widely used zone, as it is an open network that allows all access, and we add only custom rules as per our requirement.
# ls -ltr /usr/lib/firewalld/zones/
total 36
-rw-r----- 1 root root 342 Dec 15 2018 work.xml
-rw-r----- 1 root root 162 Dec 15 2018 trusted.xml
-rw-r----- 1 root root 315 Dec 15 2018 public.xml
-rw-r----- 1 root root 415 Dec 15 2018 internal.xml
-rw-r----- 1 root root 400 Dec 15 2018 home.xml
-rw-r----- 1 root root 304 Dec 15 2018 external.xml
-rw-r----- 1 root root 291 Dec 15 2018 drop.xml
-rw-r----- 1 root root 293 Dec 15 2018 dmz.xml
-rw-r----- 1 root root 299 Dec 15 2018 block.xml
2. Setup Firewalld on our system
a. Install Firewall
# yum install firewalld

b. Enable Firewall
# systemctl enable firewalld
# init 6

c. Check Firewall Status
# sudo firewall-cmd --state
running
3. Get Default Firewalld Zone Details
a. Get default zone
# firewall-cmd --get-default-zone
public

b. Verify all active zones
# firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1 eth2

c. Get zone configuration
# firewall-cmd --list-all
public (default, active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1 eth2
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
4. Working with Zones
a. Check all available zones.
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

b. Check the "home" zone configuration.
# firewall-cmd --zone=home --list-all
home
  interfaces:
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

c. Check the configuration of all zones.
# firewall-cmd --list-all-zones
### You can grep this output for an interface name to find out which zone governs that interface.
5. Modify Default Zone configuration.
a. Modify the zone of an interface.
# firewall-cmd --zone=home --change-interface=eth2
success

b. Verify the change
# firewall-cmd --get-active-zones
home
  interfaces: eth2
public
  interfaces: eth0 eth1

c. Change the default zone
# firewall-cmd --set-default-zone=home
success
6. Check and add services in a zone
# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local

### Add service temporarily
# firewall-cmd --zone=public --add-service=ftp

### Add service permanently
# firewall-cmd --zone=public --permanent --add-service=ftp
7. Check and Open a port
### Open 4000 udp port
# firewall-cmd --zone=public --add-port=4000/udp

### List ports
# firewall-cmd --zone=public --list-ports

### Open range of ports from 4000 to 4100.
# firewall-cmd --zone=public --add-port=4000-4100/udp
8. Define a new service.
### Copy a sample file of some other service, say ssh.xml
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/new-service-ngelinux.xml

### Now edit the file and correct the port/service configuration.

### Now reload the firewall to see your service.
# firewall-cmd --reload
# firewall-cmd --get-services
9. Create a new custom zone
### Add a new zone ngelinux-web
# firewall-cmd --permanent --new-zone=ngelinux-web

### Get all zones
# firewall-cmd --permanent --get-zones
block dmz drop external home internal public trusted work ngelinux-web

### Reload so the new permanent zone also exists in the runtime configuration before adding services to it.
# firewall-cmd --reload

### Add services to our new zone.
# firewall-cmd --zone=ngelinux-web --add-service=ssh
# firewall-cmd --zone=ngelinux-web --add-service=ftp
# firewall-cmd --zone=ngelinux-web --list-all
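As an added example (not code from the original post or from firewalld itself) covering both the service file copied in "Define a new service" and the zone XML files listed under /usr/lib/firewalld/zones/: the script builds a service definition with validated port/protocol values and summarises what a zone file exposes, so a definition can be checked before it is dropped into /etc/firewalld. The zone content, service name "ngelinux" and ports are constructed for the demo.

```python
# Added example, not from the original post: generate a firewalld service
# file like the one created in "Define a new service", and summarise a zone
# file like those under /usr/lib/firewalld/zones/. Sample data is constructed.
import xml.etree.ElementTree as ET

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
XML_HEADER = '<?xml version="1.0" encoding="utf-8"?>\n'


def check_port(spec):
    """Accept '22' or '4000-4100'; reject values outside 1-65535 or inverted ranges."""
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()):
        raise ValueError("invalid port: %r" % spec)
    if not 1 <= int(lo) <= int(hi) <= 65535:
        raise ValueError("invalid port: %r" % spec)
    return spec


def build_service_xml(short, description, ports):
    """Return service XML text; ports is a list of (port_or_range, protocol)."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for spec, proto in ports:
        if proto not in PROTOCOLS:
            raise ValueError("unknown protocol: %r" % proto)
        ET.SubElement(root, "port", protocol=proto, port=check_port(spec))
    return XML_HEADER + ET.tostring(root, encoding="unicode") + "\n"


def parse_zone(xml_text):
    """Summarise what a zone file exposes: target, services, ports, masquerade."""
    zone = ET.fromstring(xml_text)
    return {
        "target": zone.get("target", "default"),
        "services": sorted(s.get("name") for s in zone.findall("service")),
        "ports": sorted(p.get("port") + "/" + p.get("protocol") for p in zone.findall("port")),
        "masquerade": zone.find("masquerade") is not None,
    }


# Constructed sample resembling public.xml after '--permanent --add-port=4000-4100/udp'.
SAMPLE_ZONE = XML_HEADER + """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="udp" port="4000-4100"/>
</zone>
"""
```

Write the string returned by build_service_xml() to /etc/firewalld/services/<name>.xml and run firewall-cmd --reload, as in the section above; parse_zone() works on any zone file read from disk.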
10. Firewalld Configuration Files
a. /etc/firewalld
Default configuration files are stored here.

b. /usr/lib/firewalld
Contains runtime configuration files. These are overwritten on each firewall change/update, so it is not recommended to make any changes here.