=====Linux Firewalld=====

Two good references: [[https://www.certdepot.net/rhel7-get-started-firewalld/ | CertDepot: get started with firewalld]] and the Red Hat guide [[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-configuring_firewalld | Configuring firewalld]].

====Checking the State====

You can see whether the firewall is running with either of the following:

<code bash>
systemctl status firewalld
firewall-cmd --state
</code>

You can also reload the firewall:

<code bash>
firewall-cmd --reload
</code>

A reload discards every runtime-only change and re-reads the permanent configuration, so it is a good test that your rules are actually persistent.

====Configuration sets====

Firewalld operates two configuration sets:

  * **Runtime**: the default. Changes are applied immediately but are **NOT** kept after a reboot or a reload.
  * **Permanent**: changes are written to disk (under ''/etc/firewalld'') and are loaded again after a reboot. Use the ''--permanent'' option on the command.

Note the flip side: a ''--permanent'' change is not applied to the running firewall until you ''firewall-cmd --reload''. If you have already tested a set of runtime changes and want to keep them, ''firewall-cmd --runtime-to-permanent'' copies the current runtime configuration into the permanent one instead of retyping every command with ''--permanent''.

====Zones====

Firewalld comes with several zones. They separate traffic by trust level and are applied to network interfaces: a packet is handled by the rules of the zone its interface belongs to, and any interface not explicitly assigned falls into the default zone.

To see the default zone:
<code bash>
firewall-cmd --get-default-zone
</code>
To change the default zone:
<code bash>
firewall-cmd --set-default-zone=internal
</code>
To see which zones are currently active, and which NICs are associated with each:
<code bash>
firewall-cmd --get-active-zones
</code>
To get the configuration of a specific zone:
<code bash>
firewall-cmd --zone=public --list-all
</code>
To see the configuration of all zones, including inactive ones:
<code bash>
firewall-cmd --list-all-zones
</code>

====Adding NICs to specific Zones====

To associate a NIC with a zone:
<code bash>
firewall-cmd --zone=public --add-interface=em1
</code>
As with every other change this is runtime only unless you add ''--permanent''. An interface can belong to only one zone; to move it from one zone to another use ''--change-interface'' rather than adding it again.

You can also check which zone an interface is assigned to:
<code bash>
firewall-cmd --get-zone-of-interface=em1
</code>

====Working with Services====

Firewalld allows you to specify services or ports to be allowed or blocked.
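The runtime versus permanent distinction from the configuration sets section is where most "my rule vanished after the reboot" surprises come from. The script below is an added example, not part of the original page: it normalises the ''key: value'' listing that ''firewall-cmd --zone=... --list-all'' prints (the format shown in the Zones section) for both configuration sets and reports every item present in only one of them. The two listings it runs on are constructed samples, so it works without firewalld; the ''fw_drift_live'' function runs the same check against the real zone when ''firewall-cmd'' is available.

```shell
#!/bin/sh
# Added example (not from the original page): find drift between the runtime
# and the permanent firewalld configuration of one zone, i.e. changes made
# without --permanent (lost on reload) or saved but never reloaded. It parses
# the "key: value" listing that `firewall-cmd --zone=... --list-all` prints;
# the two listings below are constructed samples, not captured output.
set -eu
LC_ALL=C; export LC_ALL   # comm and sort must agree on collation

# Flatten a --list-all listing (stdin) into sorted "key=item" lines so the
# two configuration sets can be compared item by item.
fw_normalize() {
  awk '
    NR == 1 { next }                    # zone header, e.g. "public (active)"
    /^[[:space:]]+rule / {              # rich rules: one indented line each
      line = $0; sub(/^[[:space:]]+/, "", line)
      print "rich-rule=" line; next
    }
    /^  [a-z -]+:/ {                    # "  services: ssh http" -> services=ssh, services=http
      match($0, /^  [a-z -]+:/)
      key = substr($0, 3, RLENGTH - 3); gsub(/ /, "-", key)
      n = split(substr($0, RLENGTH + 1), items, " ")
      for (i = 1; i <= n; i++) print key "=" items[i]
    }
  ' | sort
}

# fw_drift RUNTIME_FILE PERMANENT_FILE
# Prints each item that exists in only one configuration set; returns 1 on drift.
fw_drift() {
  norm_r=$(mktemp); norm_p=$(mktemp)
  fw_normalize < "$1" > "$norm_r"
  fw_normalize < "$2" > "$norm_p"
  comm -23 "$norm_r" "$norm_p" | sed 's/^/runtime-only: /'      # gone after --reload
  comm -13 "$norm_r" "$norm_p" | sed 's/^/permanent-only: /'    # not active until --reload
  if cmp -s "$norm_r" "$norm_p"; then drift=0; else drift=1; fi
  rm -f "$norm_r" "$norm_p"
  return $drift
}

# fw_drift_live [ZONE]: the same check against a host where firewalld runs.
fw_drift_live() {
  live_r=$(mktemp); live_p=$(mktemp)
  firewall-cmd --zone="${1:-public}" --list-all > "$live_r"
  firewall-cmd --permanent --zone="${1:-public}" --list-all > "$live_p"
  if fw_drift "$live_r" "$live_p"; then live_rc=0; else live_rc=1; fi
  rm -f "$live_r" "$live_p"
  return $live_rc
}

# Constructed sample: a port and a rich rule were added at runtime only.
RUNTIME_SAMPLE=$(mktemp); PERMANENT_SAMPLE=$(mktemp)
cat > "$RUNTIME_SAMPLE" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcpv6-client ssh http
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="10.5.5.70" accept
EOF
# The permanent set is the same listing minus the two runtime-only additions.
sed -e 's/^public (active)$/public/' -e 's/^  ports: .*/  ports:/' \
    -e '/^ *rule /d' "$RUNTIME_SAMPLE" > "$PERMANENT_SAMPLE"

if fw_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"; then
  echo "runtime and permanent configuration match"
else
  echo "drift: redo the changes with --permanent and --reload, or run firewall-cmd --runtime-to-permanent"
fi

# On a real host, also check the live zone (skipped where firewalld is absent).
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
  fw_drift_live public || true
fi
```

Running the script against the constructed sample prints ''runtime-only: ports=12345/tcp'' and the rich rule, which is exactly what a reload would silently remove. The per-item comparison matters more than a plain ''diff'' of the two listings because ''firewall-cmd'' prints the services and ports of a zone on one line in insertion order, so the same set can appear in a different order in the two outputs.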
It is usually easier to specify the service you want to allow or block rather than the raw ports. The service definitions shipped with firewalld are the files in **/usr/lib/firewalld/services**; do not edit those, as a package update will overwrite them. To change one, copy it to **/etc/firewalld/services** and edit it there (a file of the same name under ''/etc'' overrides the one under ''/usr/lib''), and store your own service files in that directory too.

To get a list of all the services:
<code bash>
firewall-cmd --get-services
</code>
To enable or disable a service in a zone:
<code bash>
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --remove-service=http --permanent
</code>
To get more details about a service, use the info option:
<code bash>
firewall-cmd --info-service=RH-Satellite-6
</code>
which gives back something like:
<code>
[root@dub-firewall1 ~]# firewall-cmd --info-service=RH-Satellite-6
RH-Satellite-6
  ports: 53/tcp 53/udp 67-69/udp 80/tcp 443/tcp 5000/tcp 5646-5647/tcp 5671/tcp 8000/tcp 8080/tcp 8140/tcp 9090/tcp
  protocols:
  source-ports:
  modules:
  destination:
</code>

====Working with specific ports====

You can also allow or block specific ports:
<code bash>
firewall-cmd --zone=public --add-port=12345/tcp --permanent
firewall-cmd --zone=public --remove-port=12345/tcp --permanent
</code>

====Rich Rules====

Rich rules allow for more complex configurations, such as matching on a source address, logging, or rate limiting. They are managed with ''--add-rich-rule'', ''--list-rich-rules'' and ''--remove-rich-rule''. For example, to accept all IPv4 traffic from a particular host:
<code bash>
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.5.5.70" accept'
</code>
Note the quoting: the whole rule is one argument to ''firewall-cmd'' and the values inside it are double-quoted. This particular rule accepts //all// traffic from that host in the zone, not just one service, so reserve it for trusted management hosts and combine the source with a service or port for anything else. As with everything else, add ''--permanent'' (and reload) to keep the rule.

To list your current rich rules:
<code bash>
firewall-cmd --list-rich-rules
</code>

====Checking status====

To check which ports and services are open in a zone:
<code bash>
firewall-cmd --zone=external --list-ports
firewall-cmd --zone=external --list-services
</code>
Add ''--permanent'' to either command to see the saved configuration instead of the running one; if the two differ, something was changed at runtime only, or saved but never reloaded.
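The services section above says custom service files belong in ''/etc/firewalld/services'' but does not show what one looks like. The script below is an added example, not part of the original page: it generates a service definition in the XML layout firewalld uses for its shipped services (a ''<service>'' element with ''<short>'', ''<description>'' and one ''<port protocol="..." port="..."/>'' per port or range), validating the name and every port spec first so a typo never leaves a half-written file for firewalld to fail on. The service name ''satellite-proxy'', its description and its ports are hypothetical. By default it writes into a temporary directory so it is safe to run anywhere; set ''SERVICE_DIR=/etc/firewalld/services'' to install for real.

```shell
#!/bin/sh
# Added example (not from the original page): generate a custom firewalld
# service definition file, in the XML layout firewalld uses for the files
# under /usr/lib/firewalld/services, so the service can be referenced by
# name with --add-service. The service name, description and ports used
# below are hypothetical. SERVICE_DIR defaults to a temporary directory;
# set SERVICE_DIR=/etc/firewalld/services to install the file for real.
set -eu

SERVICE_DIR=${SERVICE_DIR:-$(mktemp -d)}

# Escape the characters that would break the XML if they appeared in text.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# fw_write_service NAME DESCRIPTION PORT/PROTO [PORT/PROTO ...]
# Validates its inputs, writes $SERVICE_DIR/NAME.xml and prints the path.
fw_write_service() {
  name=$1; desc=$2; shift 2
  # The name becomes a file name and a --add-service argument: keep it simple.
  case $name in
    ""|*[!A-Za-z0-9_-]*) echo "invalid service name: '$name'" >&2; return 1 ;;
  esac
  [ $# -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
  # Validate every port spec before writing anything.
  for spec in "$@"; do
    case $spec in
      */*) ;;
      *) echo "bad port spec (want PORT/PROTO): $spec" >&2; return 1 ;;
    esac
    port=${spec%/*}; proto=${spec#*/}
    case $proto in
      tcp|udp|sctp|dccp) ;;
      *) echo "bad protocol in $spec" >&2; return 1 ;;
    esac
    case $port in
      ""|*[!0-9-]*|-*|*-) echo "bad port or range in $spec" >&2; return 1 ;;
    esac
  done
  file="$SERVICE_DIR/$name.xml"
  {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$name")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
      printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
  } > "$file"
  chmod 0644 "$file"   # same mode as the shipped definitions; nothing secret inside
  printf '%s\n' "$file"
}

# Constructed example: an application listening on 8443/tcp and 5646-5647/tcp
# that also answers DNS on 53/udp.
out=$(fw_write_service satellite-proxy "Reverse proxy in front of Satellite" 8443/tcp 5646-5647/tcp 53/udp)
echo "wrote $out"
cat "$out"
```

With ''SERVICE_DIR=/etc/firewalld/services'' the follow-up is ''firewall-cmd --reload'' so firewalld reads the new file, then ''firewall-cmd --permanent --zone=public --add-service=satellite-proxy'' and a second reload, after which ''firewall-cmd --info-service=satellite-proxy'' lists the ports exactly as the ''RH-Satellite-6'' example above does. The same definition can be built without hand-written XML using ''firewall-cmd --permanent --new-service=satellite-proxy'' followed by ''firewall-cmd --permanent --service=satellite-proxy --add-port=8443/tcp'' for each port; the file it produces is the same format.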