Firewalls and Firewalld
In our series Linux for Network Engineers we have covered the aspect of setting firewall and routing rules on a host at least two ways: iptables and a utility called ufw (uncomplicated firewall).
If you haven’t already noticed that there are multiple ways to skin a cat on Linux, here is another firewall utility for your pocket: firewalld.
Firewalld comes from the RHEL/CentOS universe but it’s available on Debian/Ubuntu as well. Both ufw and firewalld make iptables human-friendly and readable. Let’s see how it works with some examples.
Installation
It’s pretty straightforward to install with the following command:
apt install firewalld
Usage
One feature I like about firewalld is that it has the concept of “zones” built in. A zone is another word for a collection of firewall rules that you want to group together.
For example, you can name a zone “home” and include in it rules that open certain ports (e.g. ssh), while another zone named “public” can include rules that block ssh (to prevent unwanted users from trying to ssh to your machine); you would obviously use the latter when on public, unsecured networks.
Zones
Out of the box, here are the available zones:
netbeez$ firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
…
To see the current default zone use:
netbeez$ firewall-cmd --get-default-zone
public
Firewalld Services
Like ufw, firewalld has a list of predefined services that you can use to specify rules, and you can get a list of all supported services with:
netbeez$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry docker-swarm dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls managesieve mdns minidlna mosh mountd ms-wbt mssql murmur mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
By default only ssh and the dhcpv6 client are allowed in the public zone, as firewall-cmd --list-services shows.
HTTP service
As a first example, let’s enable http access on the host with firewalld as follows:
netbeez$ firewall-cmd --zone=public --add-service=http
success
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client http
Now the http port 80 is allowed, but keep in mind that changes like these are not persistent: they are lost if you restart the firewalld daemon or reboot the system. Here are the services listed after restarting the firewalld daemon:
netbeez$ systemctl restart firewalld
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client
As you can see, http is not listed anymore. To make the change permanent, add it with the --permanent flag:
netbeez$ firewall-cmd --permanent --add-service=http
success
netbeez$ systemctl restart firewalld
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client http
Remove a service
To remove a service use:
netbeez$ firewall-cmd --remove-service=http
success
netbeez$ firewall-cmd --list-services
ssh dhcpv6-client
Custom rule
To allow a specific port you can use a rule like the following:
netbeez$ firewall-cmd --add-port=20018/tcp
success
netbeez$ firewall-cmd --list-ports
20018/tcp
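Because runtime changes like the http service and the 20018/tcp port above disappear on a restart, it is worth checking that a zone's runtime and permanent configurations agree before you rely on them. The script below is an added example, not code from the original post: the comparison helpers work on plain space-separated lists so they run anywhere, while the live wrapper assumes firewall-cmd is on PATH and is run as root.

```shell
#!/bin/sh
# Added example (not from the original post): report firewalld runtime
# services/ports in a zone that are absent from the permanent configuration,
# i.e. rules that a firewalld restart or reboot would silently drop.

# Print each space-separated item of $1 that does not appear in $2.
# Unquoted expansion is intentional: the lists are split on whitespace.
missing_items() {
    runtime="$1"; permanent="$2"
    for item in $runtime; do
        found=0
        for p in $permanent; do
            [ "$item" = "$p" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$item"
    done
    return 0
}

# check_drift ZONE KIND RUNTIME_LIST PERMANENT_LIST
# Returns 0 when nothing would be lost, 1 when runtime-only entries exist.
check_drift() {
    zone="$1"; kind="$2"; runtime_list="$3"; permanent_list="$4"
    lost=$(missing_items "$runtime_list" "$permanent_list")
    if [ -n "$lost" ]; then
        echo "zone $zone: runtime-only $kind (lost on restart):"
        echo "$lost"
        return 1
    fi
    echo "zone $zone: runtime and permanent $kind match"
    return 0
}

# Live wrapper: queries firewalld for one zone (default zone if none given)
# and checks both services and ports. Needs firewall-cmd and root.
check_zone_drift() {
    zone="${1:-$(firewall-cmd --get-default-zone)}"
    status=0
    check_drift "$zone" services \
        "$(firewall-cmd --zone="$zone" --list-services)" \
        "$(firewall-cmd --permanent --zone="$zone" --list-services)" || status=1
    check_drift "$zone" ports \
        "$(firewall-cmd --zone="$zone" --list-ports)" \
        "$(firewall-cmd --permanent --zone="$zone" --list-ports)" || status=1
    return $status
}
```

A non-zero exit from check_zone_drift tells you which runtime entries still need a matching --permanent command before the next restart.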
Panic mode
One unique feature of firewalld is enabling panic mode. As the name suggests, if you are panicking that your system is compromised and you want to drop all connections, type:
netbeez$ firewall-cmd --panic-on
NOTE: if you are accessing the host remotely through ssh, enabling panic mode will also drop your ssh connection and you will lose access to it. To regain access to the machine you’d have to reboot the host or get local access and disable panic mode with:
netbeez$ firewall-cmd --panic-off
success
Conclusion
We’ve just scratched the surface of what you can do with firewalld. But in a nutshell, whatever you’d wish for in a firewall utility, you should be able to do it with firewalld. For more details and complete documentation just take a look at https://firewalld.org/documentation/.