Excellent link to firewalld from CertDepot: firewalld
Also a good link from Red Hat: Configuring Firewalld
You can see if the firewall is running by running either
systemctl status firewalld
or
firewall-cmd --state
You can also reload the firewall with the following command
firewall-cmd --reload
This is good for testing that your rules are persistent: a reload throws away every runtime-only change and loads the permanent configuration, so anything that is still present afterwards was saved permanently. Existing connections survive a plain --reload.
Firewalld operates 2 configuration sets:
Runtime: the default. All changes are applied immediately but are NOT kept after a reboot or a reload.
Permanent: changes are saved and loaded after a reboot or a reload, but a change made with only --permanent is not active until you reload. To make changes permanent use the --permanent option on the command.
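The runtime/permanent split is where most firewalld mistakes happen: a rule added with --permanent alone is not enforced yet, and a rule added without it disappears on reload. The script below is an added example (not from the original notes) showing both mistakes and the workflow to prefer: apply at runtime, test, then copy the tested runtime state into the permanent configuration with --runtime-to-permanent. It assumes a firewalld new enough to have --runtime-to-permanent (0.4.x and later), root, and uses the public zone and the http service purely for illustration; the live part is skipped when firewall-cmd is not available.

```shell
#!/bin/sh
# Added example, not part of the original notes. Runtime vs permanent
# configuration in firewalld. Assumes firewalld >= 0.4 (for
# --runtime-to-permanent) and root; zone/service names are illustrative.

# service_listed LIST NAME: succeed if NAME is one of the whitespace-separated
# items in LIST (LIST is what --list-services or --list-ports prints).
service_listed() {
    _name=$2
    for _item in $1; do
        [ "$_item" = "$_name" ] && return 0
    done
    return 1
}

# classify_state RUNTIME_LIST PERMANENT_LIST NAME: print where NAME is present:
# "both", "runtime" (lost on reload/reboot), "permanent" (saved but not
# active until reload) or "none".
classify_state() {
    _rt=0; _pm=0
    service_listed "$1" "$3" && _rt=1
    service_listed "$2" "$3" && _pm=1
    case "$_rt$_pm" in
        11) echo both ;;
        10) echo runtime ;;
        01) echo permanent ;;
        *)  echo none ;;
    esac
}

# service_state ZONE SERVICE: classify_state driven by the live firewall.
service_state() {
    classify_state \
        "$(firewall-cmd --zone="$1" --list-services)" \
        "$(firewall-cmd --zone="$1" --list-services --permanent)" \
        "$2"
}

# Live demonstration; only runs where firewalld is installed and we are root.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    zone=public; svc=http

    # Mistake 1: --permanent alone. Saved to disk, but NOT enforced yet.
    firewall-cmd --zone="$zone" --add-service="$svc" --permanent
    echo "after --permanent only: $(service_state "$zone" "$svc")"   # permanent
    firewall-cmd --zone="$zone" --remove-service="$svc" --permanent

    # Mistake 2: runtime alone. Enforced now, gone after --reload or reboot.
    firewall-cmd --zone="$zone" --add-service="$svc"
    echo "after runtime only:     $(service_state "$zone" "$svc")"   # runtime

    # Recommended: test the runtime change, then copy runtime -> permanent.
    firewall-cmd --runtime-to-permanent
    firewall-cmd --reload                       # reload proves it persisted
    echo "after persisting:       $(service_state "$zone" "$svc")"   # both

    # Clean up the illustration.
    firewall-cmd --zone="$zone" --remove-service="$svc" --permanent
    firewall-cmd --reload
fi
```

Run it as root on a test box; each echo line names the state the preceding commands leave the http service in. classify_state is separated from the firewall-cmd calls so the same check can be run against saved output (for example from a --list-all dump collected during an audit).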
Firewalld comes with several zones. They are used to separate traffic by trust level and can be applied to different network interfaces; an interface that has not been explicitly assigned to a zone lands in the default zone (public on a fresh install).
To see the default zone
firewall-cmd --get-default-zone
To change the default zone (this is both a runtime and a permanent change)
firewall-cmd --set-default-zone=internal
To see what zones are currently active. It also shows you which NICs (and source addresses) are associated with each zone
firewall-cmd --get-active-zones
To get the configuration of a specific zone
firewall-cmd --zone=public --list-all
To see the configuration for all the zones including the inactive ones use
firewall-cmd --list-all-zones
To bind a specific NIC to a zone use the following command. An interface can be in only one zone at a time; to move an interface that is already bound to another zone use --change-interface instead. As with everything else this is a runtime change unless you add --permanent. If NetworkManager manages the interface, firewalld asks NetworkManager to record the zone on the connection profile (the connection.zone property), which is where the binding then lives.
firewall-cmd --zone=public --add-interface=em1
You can also check what zone an interface is assigned to
firewall-cmd --get-zone-of-interface=em1
Firewalld allows you to allow or block specific services or ports. It is usually easier (and clearer for whoever reviews the rules later) to specify the service you want rather than raw port numbers.
The packaged service definitions are XML files in /usr/lib/firewalld/services. Do not edit those (a package update will overwrite them); copy the file to /etc/firewalld/services and edit it there, or create your own service file in that directory. A file in /etc/firewalld/services overrides a packaged file of the same name, and firewalld needs a reload to pick up a new or changed service file.
To get a list of all the services
firewall-cmd --get-services
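The point of custom service files is that a rule reads as "myapp" rather than "8443/tcp", so an auditor can tell what the opening is for. The script below is an added example (not from the original notes) that writes a service definition in the same XML format as the packaged files, drops it into /etc/firewalld/services, reloads so firewalld sees it, and adds it to a zone. The service name myapp, its description and the ports 8443/tcp and 9000/udp are invented for the illustration; the file location and the XML elements are firewalld's own. The live part only runs as root with firewalld installed.

```shell
#!/bin/sh
# Added example, not from the original notes: define a custom firewalld service
# instead of opening raw ports. "myapp", its ports and description are made up.

# service_xml NAME DESCRIPTION PORT/PROTO...: print a service definition in
# the format used by the files under /usr/lib/firewalld/services.
# Port specs look like 8443/tcp, 9000/udp or 5646-5647/tcp (ranges allowed).
# DESCRIPTION must not contain XML special characters (it is not escaped).
service_xml() {
    _name=$1; _desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$_name" "$_desc"
    for _p in "$@"; do
        case "$_p" in
            */tcp|*/udp|*/sctp|*/dccp)
                # "${_p%/*}" is the port (or range), "${_p#*/}" the protocol
                printf '  <port protocol="%s" port="%s"/>\n' "${_p#*/}" "${_p%/*}" ;;
            *)
                echo "bad port spec: $_p (want e.g. 8443/tcp)" >&2
                return 1 ;;
        esac
    done
    printf '</service>\n'
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    # Local definitions live in /etc/firewalld/services and override a packaged
    # file of the same name in /usr/lib/firewalld/services.
    service_xml myapp "Example application (added example)" 8443/tcp 9000/udp \
        > /etc/firewalld/services/myapp.xml
    chmod 0644 /etc/firewalld/services/myapp.xml

    firewall-cmd --reload                 # firewalld only reads the file on reload
    firewall-cmd --info-service=myapp     # check it parsed as intended

    # The same definition could also be built without a file:
    #   firewall-cmd --permanent --new-service=myapp
    #   firewall-cmd --permanent --service=myapp --add-port=8443/tcp
    #   firewall-cmd --permanent --service=myapp --add-port=9000/udp

    # Allow it in the zone: permanent, then reload to make it active.
    firewall-cmd --zone=public --add-service=myapp --permanent
    firewall-cmd --reload
    firewall-cmd --zone=public --list-services   # should now include myapp
fi
```

A service file is only a named bundle of ports, so allowing it opens exactly those ports; review the generated XML before reloading, and keep the definition as narrow as the application actually needs.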
To enable or disable a service (drop --permanent to change only the runtime configuration; with --permanent alone the change is not active until a reload)
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --remove-service=http --permanent
To get more details about a service you can try the info option
firewall-cmd --info-service=RH-Satellite-6
which gives back something like
[root@dub-firewall1 ~]# firewall-cmd --info-service=RH-Satellite-6
RH-Satellite-6
  ports: 53/tcp 53/udp 67-69/udp 80/tcp 443/tcp 5000/tcp 5646-5647/tcp 5671/tcp 8000/tcp 8080/tcp 8140/tcp 9090/tcp
  protocols:
  source-ports:
  modules:
  destination:
You can also allow specific ports, which is useful for an application that has no service definition (though a bare port number tells the next admin nothing, so prefer a custom service where you can). Note that removing a port or service does not actively block it: it just stops allowing it, and the zone's target then decides what happens to the traffic (reject in public, drop in the drop zone).
firewall-cmd --zone=public --add-port=12345/tcp --permanent
firewall-cmd --zone=public --remove-port=12345/tcp --permanent
Rich rules allow for more complex configurations, such as accepting traffic only from a particular host or logging before rejecting.
To manage rich rules you need to use
--add-rich-rule, --list-rich-rules and --remove-rich-rule
For example, to allow all IPv4 traffic from a particular host in the public zone
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="10.5.5.70" accept'
Note that this accepts everything from 10.5.5.70 in that zone, not just one service; narrow the rule to the service or port that host actually needs. Rich rules are runtime changes unless you add --permanent, and --remove-rich-rule needs exactly the same rule text you added.
To list all your current rich rules use
firewall-cmd --list-rich-rules
(without --zone this shows the default zone; add --zone= for another one)
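The rule above is the blunt version: anything from the host is accepted. The script below is an added example (not from the original notes) that builds rich rules scoped to one service or one port, plus a rate-limited log-and-reject rule, and shows that removal needs the identical rule text. The addresses 10.5.5.70, 10.5.5.0/24 and 192.0.2.0/24, the public zone and the log prefix are illustrative; the rule grammar (family, source address, service name, port port/protocol, log prefix/level, limit value, accept/reject) is firewalld's rich language. The live part runs only as root where firewall-cmd exists.

```shell
#!/bin/sh
# Added example, not from the original notes: rich rules scoped to a service
# or port rather than accepting everything from a host. Addresses, zone and
# log prefix are illustrative.

# rule_family ADDRESS: "ipv6" if the address contains a colon, else "ipv4".
rule_family() {
    case "$1" in
        *:*) echo ipv6 ;;
        *)   echo ipv4 ;;
    esac
}

# allow_service_rule ADDRESS SERVICE: accept SERVICE only from ADDRESS.
allow_service_rule() {
    printf 'rule family="%s" source address="%s" service name="%s" accept' \
        "$(rule_family "$1")" "$1" "$2"
}

# allow_port_rule ADDRESS PORT PROTO: accept one port/protocol only from ADDRESS.
allow_port_rule() {
    printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" accept' \
        "$(rule_family "$1")" "$1" "$2" "$3"
}

# log_reject_rule ADDRESS SERVICE PREFIX: log (at most 3 per minute, so a scan
# cannot flood the journal) and reject SERVICE from ADDRESS.
log_reject_rule() {
    printf 'rule family="%s" source address="%s" service name="%s" log prefix="%s" level="warning" limit value="3/m" reject' \
        "$(rule_family "$1")" "$1" "$2" "$3"
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    zone=public
    # The note's rule accepts *all* traffic from the host in this zone:
    #   firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="10.5.5.70" accept'
    # Prefer the narrowest rule that does the job:
    r1=$(allow_service_rule 10.5.5.70 ssh)            # one host, ssh only
    r2=$(allow_port_rule 10.5.5.0/24 8443 tcp)        # one subnet, one port
    r3=$(log_reject_rule 192.0.2.0/24 ssh "ssh-rejected ")   # visible rejects

    for r in "$r1" "$r2" "$r3"; do
        firewall-cmd --zone="$zone" --add-rich-rule="$r"   # runtime only
    done
    firewall-cmd --zone="$zone" --list-rich-rules

    # Removal needs the exact rule text, so keep the strings you added
    # (or run --runtime-to-permanent / add --permanent once they are tested).
    for r in "$r1" "$r2" "$r3"; do
        firewall-cmd --zone="$zone" --remove-rich-rule="$r"
    done
fi
```

Because the builder functions return the rule string, the same string can be passed to --add-rich-rule, --query-rich-rule and --remove-rich-rule, which avoids the common failure of a remove that silently matches nothing because the text was retyped slightly differently.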
To check which ports and services are open in a zone (use --list-all for the whole picture, including interfaces, sources and rich rules)
firewall-cmd --zone=external --list-ports
firewall-cmd --zone=external --list-services