CSIA 430 – Firewalls and firewalld Commands

This page contains a summary of the commands presented in the firewall tutorial videos.

Installing firewall package

yum install firewalld

systemctl enable firewalld

Checking current status and settings

Checking whether firewalld is running

systemctl status firewalld

firewall-cmd --state

Zones

Displaying all available zones

firewall-cmd --get-zones

By default, firewalld comes with the following zones:

  • public: This is the default zone, and it should be used for public environments where you do not trust other computers on the network. Only predefined connections (i.e. ports / services) are accepted.
  • work: For work environments. Usually, other computers are trusted on the same network. Only predefined connections are accepted.
  • home: For home use. The same applies as in the ‘work’ zone. Depending on your situation, the connections at work may be more secure than on your home network.
  • internal: For use with private networks. Computers on this network are usually trusted. Only predefined connections are accepted.
  • trusted: All connections are accepted.
  • drop: All incoming connections are dropped without any reply; outgoing connections are possible.
  • block: Like drop except incoming connections are denied with a message. This message varies by the type of incoming connection. For IPv4, the message is icmp-host-prohibited and for IPv6 icmp6-adm-prohibited. Outgoing connections are possible.
  • external: This is used when your firewall is external to your DMZ or internal network, and works as a gateway with NAT masquerading. In this case you don’t trust other computers on the external network and only preconfigured connections are accepted.
  • dmz: The computer is in the demilitarized zone. It should be isolated from the internal network so only specific connections should be accepted.

Displaying the default zone (probably public)

Default zone versus Active zone. The default zone is the zone that becomes active when the system boots. The active zone is the zone currently assigned to an interface. This will be the default zone unless you explicitly change it.

firewall-cmd --get-default-zone

Displaying active zone (probably public)

This displays which zone is currently assigned to an interface (NIC). There may be more than one NIC, so the command accepts either --get-active-zone or --get-active-zones.

firewall-cmd --get-active-zone

Services

Displaying all available services

firewall-cmd --get-services

Listing services currently allowed on default zone

firewall-cmd --list-services

To check a different zone use:

firewall-cmd --zone=zoneName --list-services

Displaying All firewall settings

Displaying everything currently configured on default zone

firewall-cmd --list-all

To check a different zone use:

firewall-cmd --zone=zoneName --list-all

Listing everything currently configured on all zones

firewall-cmd --list-all-zones

This will produce a very long listing, so you will probably want to pipe it to more or less.

Changing Default and Active zones

Changing default zone

firewall-cmd --set-default-zone=newZone

Changing active zone

The active zone is the one currently assigned to an interface (NIC). There is no --set-active-zone option; instead, the interface is assigned to a zone with a command like the following:

firewall-cmd --zone=zoneName --change-interface=eth1

or on the VM

firewall-cmd --zone=zoneName --change-interface=enp0s3

Changing Configuration – Current Configuration or Permanent Change

With firewalld you can make changes to the rules currently in use, or you can change the firewalld configuration files read at start time, which makes the changes permanent. However, you can’t do both in the same command. The instructions for changing the current runtime configuration, and for changing the configuration files used at startup, are provided below.

Adding and Removing a service

If the zone isn’t specified, the service will be added to the default zone

Adding a service – simplest form,

firewall-cmd --add-service=serviceName

This allows incoming packets through the firewall on the service’s port, along with outbound packets to a data port that originate from the service port (related connections). This doesn’t make the change permanent, so it’s good for testing.

To verify that the firewall is now allowing the service, list the services allowed in the zone (--get-services would only list every service firewalld knows about):

firewall-cmd --list-services

Runtime changes vs. permanent changes

By default, adding (or removing) a service affects firewalld’s runtime configuration, i.e. the settings in memory for the currently running firewalld process. This means the change only remains in effect until the firewall is restarted or the system is rebooted. To change the configuration file that firewalld reads when it starts or reloads, and so make the change permanent, you must add the --permanent option.

firewall-cmd --add-service=serviceName --permanent

But while adding the --permanent option changes firewalld’s configuration file, it doesn’t change the runtime configuration. In fact, there’s no way to do both with a single command. If you want to change the runtime configuration and make the change permanent, use the following two commands. The first changes firewalld’s configuration file, and the second tells firewalld to reload its configuration from the file, which updates the runtime configuration.

firewall-cmd --permanent --add-service=serviceName

firewall-cmd --reload

Note – you could reboot the system or restart firewalld with systemctl, but rebooting is obviously overkill and will impact all services, and restarting firewalld with systemctl drops all current network connections, with a possible negative impact. Using the reload command lets firewalld read the new settings while maintaining its current connections, so no existing network connection or session is cut off or interrupted.

Removing a service – simplest form,

firewall-cmd --remove-service=serviceName

This stops incoming packets on the service’s port (and the related outbound data-port packets) from passing through the firewall. This doesn’t make the change permanent, so it’s good for testing.

To verify that the firewall is no longer allowing the service use:

firewall-cmd --list-services

Just like adding a service, the --permanent option must be used to make the change permanent, and the --reload command must be used to get firewalld to reread its configuration file.
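The permanent-change-plus-reload procedure above, followed by the --list-services check, wrapped in one POSIX shell function. This is an added example and not part of the tutorial or of firewalld itself. It assumes it is run as root with firewall-cmd on PATH; the FWCMD variable is this script’s own convention so the function can be exercised with a substitute command, and the service and zone names are whatever the caller passes.

```shell
#!/bin/sh
# Added example, not from the tutorial: make a service change in BOTH places,
# the permanent configuration and the running firewall, then verify it took.
# Assumptions: run as root with firewall-cmd on PATH; FWCMD (a convention of
# this script) can point at a substitute command for a dry run.

FWCMD="${FWCMD:-firewall-cmd}"

# fw_service add|remove SERVICE [ZONE]
# ZONE defaults to firewalld's default zone. Returns 0 only when the runtime
# configuration afterwards agrees with the request.
fw_service() {
    action="$1"; service="$2"; zone="$3"
    case "$action" in
        add|remove) ;;
        *) echo "usage: fw_service add|remove SERVICE [ZONE]" >&2; return 2 ;;
    esac
    [ -n "$service" ] || { echo "fw_service: missing service name" >&2; return 2; }
    [ -n "$zone" ] || zone=$("$FWCMD" --get-default-zone) || return 1

    # 1. Change the zone file under /etc/firewalld/zones. The running
    #    firewall is untouched by this step.
    "$FWCMD" --permanent --zone="$zone" "--${action}-service=$service" || return 1

    # 2. Ask firewalld to re-read its files. Unlike "systemctl restart
    #    firewalld" this keeps established connections.
    "$FWCMD" --reload || return 1

    # 3. Check the runtime configuration. --list-services shows what the
    #    zone allows; --get-services would list every known service.
    listed=$("$FWCMD" --zone="$zone" --list-services) || return 1
    case " $listed " in
        *" $service "*) [ "$action" = add ] ;;
        *)              [ "$action" = remove ] ;;
    esac
}

# Example calls (only run when arguments are given on the command line):
#   ./fw_service.sh add http         # allow http in the default zone
#   ./fw_service.sh remove http dmz  # stop allowing http in the dmz zone
if [ $# -gt 0 ]; then
    fw_service "$@"
fi
```

The final case statement is the part worth copying: it reads back the runtime configuration instead of trusting that the two preceding commands did what was asked, so a typo in the service name or a failed reload shows up as a non-zero exit status.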

Adding or removing a service in another zone

firewall-cmd --zone=zoneName --add-service=serviceName

Behind the scenes – what files are involved

The Service XML files are in the directory – /usr/lib/firewalld/services

The default Zone XML files are in the directory – /usr/lib/firewalld/zones

The Zone configuration files that are read when firewalld starts or reloads are in the directory – /etc/firewalld/zones

You can also change the firewall configuration by editing the zone’s file in /etc/firewalld/zones directly and then using the --reload command.
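For an application that ships no service file, the alternative to a bare --add-port is to write your own service definition in the same XML format as the stock files under /usr/lib/firewalld/services. The generator below is an added example, not part of the tutorial or of firewalld; it assumes custom service files go in /etc/firewalld/services (firewalld reads that directory in preference to the stock one), and the service name “myapp” and its ports are placeholders.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate a firewalld service definition
# so a port can be opened by service name instead of as a bare --add-port.
# Assumptions: custom service files belong in /etc/firewalld/services;
# "myapp" and its ports are placeholders chosen for this example.

# xml_escape TEXT  -> TEXT with &, < and > replaced by XML entities
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# service_xml NAME DESCRIPTION PORT[-PORT]/tcp|udp ...  -> service file on stdout
service_xml() {
    name="$1"; desc="$2"; shift 2
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "service_xml: bad service name '$name'" >&2; return 2 ;;
    esac
    [ $# -gt 0 ] || { echo "service_xml: give at least one PORT/PROTOCOL" >&2; return 2; }
    # Validate every port spec before printing anything, so a bad call
    # never leaves a half-written file behind a redirect.
    for spec in "$@"; do
        port="${spec%/*}"; proto="${spec##*/}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "service_xml: '$spec' must end in /tcp or /udp" >&2; return 2 ;;
        esac
        case "$port" in
            ''|*[!0-9-]*|-*|*-) echo "service_xml: bad port '$port' in '$spec'" >&2; return 2 ;;
        esac
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$name")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# Typical use on the firewall host (needs root):
#   service_xml myapp "Example application" 8000/tcp > /etc/firewalld/services/myapp.xml
#   firewall-cmd --reload                                   # firewalld now knows "myapp"
#   firewall-cmd --get-services | tr ' ' '\n' | grep -x myapp
#   firewall-cmd --permanent --add-service=myapp && firewall-cmd --reload
if [ $# -gt 0 ]; then
    service_xml "$@"
fi
```

Once the service exists, the rest of this page applies to it unchanged: it shows up in --get-services, it is allowed or removed with --add-service / --remove-service, and its rule can be inspected with --list-all rather than being an anonymous port number in --list-ports.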


Advanced Operations

Opening a port.

This can be done when a service doesn’t have an XML file, or for testing with different ports.

firewall-cmd --add-port=portNumber/tcp

For example, to open port 8000

firewall-cmd --add-port=8000/tcp

And to make this permanent, as well as changing the runtime settings use:

firewall-cmd --add-port=portNumber/tcp --permanent

firewall-cmd --reload

To open a range of ports

firewall-cmd --add-port=startPortNumber-endPortNumber/tcp

For example, to open ports 8000 – 8100

firewall-cmd --add-port=8000-8100/tcp

Checking open ports.

firewall-cmd --list-ports

Closing ports

firewall-cmd --remove-port=portNumber/tcp

firewall-cmd --remove-port=startPortNumber-endPortNumber/tcp

Allowing a specific IP address

firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" accept'

Where xxx.xxx.xxx.xxx is the IP Address that will be allowed to access the port (from the outside). Note that this should be entered on a single line. It’s wrapped here for readability only. Also note the use of nested quotes. There are single quotes around the outside of the entire rich rule, and double quotes around the values being set inside the rich rule.

To verify that the rule is set use:

firewall-cmd --list-all

Allowing An Entire Network

Entire networks can be allowed with rich rules. To do this, you must use the IP address with the associated network mask. The following example shows a class C network.

firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.0/24" accept'

Blocking specific IP addresses

firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" reject'

You can also block an entire network using

firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.0/24" reject'

Removing Rich Rules for IP addresses

firewall-cmd --remove-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" accept'

Opening ports for a specific IP address

firewall-cmd --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx" port protocol="tcp" port="portNumber" accept'

Where xxx.xxx.xxx.xxx is the IP Address that will be allowed to access the port (from the outside). Note the use of nested quotes. There are single quotes around the outside of the entire rich rule, and double quotes around the values being set inside the rich rule.
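A shell helper that builds the rich rules from this section (a single host, a whole network, and a host restricted to a port or port range) from validated inputs and prints the exact firewall-cmd line, including the nested quoting. This is an added example, not from the tutorial or from firewalld; it covers IPv4 only, writes the port element in the attribute order used by firewalld.richlanguage(5), uses the documentation range 203.0.113.0/24 in its usage notes rather than any real host, and the APPLY=1 switch is this script’s own convention.

```shell
#!/bin/sh
# Added example, not from the tutorial: build a rich rule from validated pieces
# and show the exact firewall-cmd line, nested quotes included.
# Assumptions: IPv4 only; 203.0.113.x below are documentation addresses;
# APPLY=1 (this script's convention) actually runs the command.

# valid_ipv4 ADDRESS[/PREFIX]  -> 0 for a dotted quad with an optional /0-32 prefix
valid_ipv4() {
    addr="$1"
    case "$addr" in
        */*) prefix="${addr#*/}"; addr="${addr%%/*}"
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    # digits and dots only, no empty octet, exactly four octets of 0..255
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# valid_port PORT or LOW-HIGH  -> 0 when every number is in 1..65535 and LOW <= HIGH
valid_port() {
    case "$1" in *-*) lo="${1%%-*}"; hi="${1#*-}" ;; *) lo="$1"; hi="$1" ;; esac
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# rich_rule accept|reject|drop SOURCE [PORT[/tcp|udp]]  -> the rule text on stdout
# Every value is checked first so a typo cannot silently become a wider rule.
rich_rule() {
    action="$1"; src="$2"; spec="$3"
    case "$action" in
        accept|reject|drop) ;;
        *) echo "rich_rule: action must be accept, reject or drop" >&2; return 2 ;;
    esac
    valid_ipv4 "$src" || { echo "rich_rule: bad IPv4 source '$src'" >&2; return 2; }
    rule="rule family=\"ipv4\" source address=\"$src\""
    if [ -n "$spec" ]; then
        port="${spec%/*}"
        case "$spec" in */*) proto="${spec##*/}" ;; *) proto=tcp ;; esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "rich_rule: protocol must be tcp or udp" >&2; return 2 ;;
        esac
        valid_port "$port" || { echo "rich_rule: bad port '$port'" >&2; return 2; }
        rule="$rule port port=\"$port\" protocol=\"$proto\""
    fi
    echo "$rule $action"
}

# fw_rich add|remove RULE [ZONE]  -> prints the command line; runs it when APPLY=1
fw_rich() {
    op="$1"; rule="$2"; zone="$3"
    case "$op" in add|remove) ;; *) return 2 ;; esac
    [ -n "$rule" ] || return 2
    # Typed by hand, the rule needs single quotes around it because of the
    # double quotes inside; passed from a variable, one quoted argument is enough.
    echo "firewall-cmd${zone:+ --zone=$zone} --${op}-rich-rule='$rule'"
    set -- "--${op}-rich-rule=$rule"
    if [ -n "$zone" ]; then set -- "--zone=$zone" "$@"; fi
    if [ "${APPLY:-0}" = 1 ]; then firewall-cmd "$@"; fi
}

# Examples (printed, not applied, unless APPLY=1):
#   fw_rich add "$(rich_rule accept 203.0.113.7)"                  # one host, default zone
#   fw_rich add "$(rich_rule reject 203.0.113.0/24)" public        # a whole /24
#   fw_rich add "$(rich_rule accept 203.0.113.7 8000-8100/tcp)"    # host plus port range
#   fw_rich remove "$(rich_rule accept 203.0.113.7)"               # text must match exactly
```

Removing a rich rule only works when the text matches the stored rule exactly, which is why the same builder is used for both add and remove; after either operation, firewall-cmd --list-all shows the rule under rich rules, as the page describes.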