4.5. USING FIREWALLS
firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly.

NOTE
The graphical firewall-config tool uses firewalld, which in turn uses the iptables tool to communicate with Netfilter in the kernel, which implements packet filtering.

To start the graphical firewall-config tool, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password.

firewalld is dynamic rather than static because changes to the configuration can be made at any time and are immediately implemented; there is no need to save or apply the changes. No unintended disruption of existing network connections occurs, as no part of the firewall has to be reloaded.

The firewall-cmd command line client can be used to make runtime changes as explained in the firewall-cmd(1) man page. Permanent changes need to be made as explained in the firewalld(1) man page. Note that the firewall-cmd command can be run by the root user and also by an administrative user, in other words, a member of the wheel group. In the latter case the command will be authorized via the polkit mechanism.

The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. This allows a great deal of flexibility, as the files can be edited, written to, backed up, used as templates for other installations and so on. Applications can request firewall changes from firewalld using D-Bus.

The essential differences between firewalld and the iptables service are:
- The iptables service stores configuration in /etc/sysconfig/iptables while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist, as firewalld is installed by default on Red Hat Enterprise Linux.
- With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no re-creating of all the rules; only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
NetworkManager notifies firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool, which can open the relevant NetworkManager window for you.

The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
- drop: Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
- block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
- public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
- work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
- home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
- internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
- trusted: All network connections are accepted.

On installation, the default zone in firewalld is set to be the public zone.

Choosing a Network Zone
The service configuration options and generic file information are described in the firewalld.service(5) man page. The services are specified by means of individual XML configuration files which are named in the following format: service-name.xml.

To view the list of services using the graphical firewall-config tool, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password. You can now view the list of services under the Services tab.

To list the default predefined services available using the command line, enter the following command as root:
~]# ls /usr/lib/firewalld/services/
Files in /usr/lib/firewalld/services/ must not be edited. Only the files in /etc/firewalld/services/ should be edited.

To list the services that have been added or changed by the user, enter the following command as root:
~]# ls /etc/firewalld/services/
Services are loaded from the files in /etc/firewalld/services/. If a service has not been added or changed by the user, then no corresponding XML file will be found in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service. As root, issue a command in the following format:
~]# cp /usr/lib/firewalld/services/[service].xml /etc/firewalld/services/[service].xml
You may then edit the newly created file. firewalld will prefer files in /etc/firewalld/services/ but will fall back to /usr/lib/firewalld/services/ should a file be deleted, but only after a reload.
firewalld has a so called “direct interface”, which enables directly passing rules to iptables, ip6tables and ebtables. It is intended for use by applications and not users. It is dangerous to use the direct interface if you are not very familiar with iptables, as you could inadvertently cause a breach in the firewall. firewalld still tracks what has been added, so it is still possible to query firewalld and see the changes made by an application using the direct interface mode. The direct interface is used by adding the --direct option to the firewall-cmd command.

Direct rules can be made permanent by adding the --permanent option, using the firewall-cmd --permanent --direct command, or by modifying /etc/firewalld/direct.xml. If the rules are not made permanent, then they need to be applied every time after receiving the start, restart, or reload message from firewalld using D-BUS.

Installing firewalld
firewalld is installed by default. If required, to ensure that it is, enter the following command as root:
~]# yum install firewalld
To install the graphical user interface tool firewall-config, enter the following command as root:
~]# yum install firewall-config
Stopping firewalld
To stop firewalld, enter the following command as root:
~]# systemctl stop firewalld
To prevent firewalld from starting automatically at system start, issue the following command as root:
~]# systemctl disable firewalld

Starting firewalld
To start firewalld, enter the following command as root:
~]# systemctl start firewalld
To ensure firewalld starts automatically at system start, enter the following command as root:
~]# systemctl enable firewalld

Checking if firewalld is Running
To check if firewalld is running, enter the following command:
~]$ systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2013-04-06 22:56:59 CEST; 2 days ago
 Main PID: 688 (firewalld)
   CGroup: name=systemd:/system/firewalld.service
In addition, check that firewall-cmd can connect to the daemon by entering the following command:
~]$ firewall-cmd --state
running

The firewall can be configured using the graphical user interface tool firewall-config, using the command line interface tool firewall-cmd, and by editing XML configuration files. These methods will be described in order.

To start the graphical firewall-config tool, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password. Alternatively, enter the following command as the root user:
~]# firewall-config
The Firewall Configuration window opens. Note, this command can be run as a normal user, but you will then be prompted for an administrator password from time to time.
The firewall-config tool communicates with the user space daemon, firewalld. Note that the ICMP Types, Direct Configuration, and Lockdown Whitelist tabs are only visible after being selected from the View drop-down menu.

To set a zone to translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address.

To forward traffic to a different IPv4 address, select the Forward to another port check box. Enter the destination IP address and port or port range. The default is to send to the same port if the port field is left empty. Click OK to apply the changes.

To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.

To add a new ICMP type, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons appear at the bottom of the window.
The firewall-cmd command line tool is part of the firewalld application, which is installed by default. You can verify that it is installed by checking the version or displaying the help output. Enter the following command to check the version:
~]$ firewall-cmd --version
Enter the following command to view the help output:
~]$ firewall-cmd --help
For more information, see the firewall-cmd(1) man page.

NOTE
To make a command permanent or persistent, add the --permanent option to all commands apart from the --direct commands (which are by their nature temporary). Note that this not only means the change will be permanent, but that the change will only take effect after firewall reload, service restart, or after system reboot. Settings made with firewall-cmd without the --permanent option take effect immediately, but are only valid till the next firewall reload, system boot, or firewalld service restart. Reloading the firewall does not in itself break connections, but be aware you are discarding temporary changes by doing so.

To apply a change both immediately and persistently, issue the command twice: once with --permanent and once without. This is preferable to a reload because a firewall reload takes more time than just repeating a command, as it has to reload all configuration files and recreate the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload.

IMPORTANT
The --permanent --add-interface option is supposed to be used only for interfaces that are not managed by the NetworkManager utility. This is because NetworkManager, or the legacy network service, adds interfaces into zones automatically according to the ZONE= directive in the ifcfg interface configuration file. See the Red Hat Enterprise Linux 7 Networking Guide for information on NetworkManager and working with ifcfg files.
To get the status of firewalld, enter the following command:
~]$ firewall-cmd --state

To view the list of currently active zones, enter:
~]$ firewall-cmd --get-active-zones
public
  interfaces: em1

To find out which zone an interface, for example em1, is currently assigned to, enter:
~]$ firewall-cmd --get-zone-of-interface=em1
public

To list the interfaces assigned to a zone, for example the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-interfaces
em1 wlan0
This information is obtained from NetworkManager and only shows interfaces, not connections.

To view all the settings of a zone, for example the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-all
public
  interfaces:
  services: mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks: source-quench

To view the list of services currently loaded, enter the following command as root:
~]# firewall-cmd --get-services
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https ntp vnc-server telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
This will list the names of the predefined services loaded from /usr/lib/firewalld/services/ as well as any custom services that are currently loaded. Note that the configuration files themselves are named service-name.xml.

To view the list of services in the permanent configuration, enter the following command as root:
~]# firewall-cmd --permanent --get-services
This will list all services, including custom services configured in /etc/firewalld/services/, even if they are not yet loaded.

To start panic mode, enter the following command as root:
~]# firewall-cmd --panic-on
All incoming and outgoing packets will be dropped. Active connections will be terminated after a period of inactivity; the time taken depends on the individual session time out values.

To turn off panic mode, enter the following command as root:
~]# firewall-cmd --panic-off
After disabling panic mode, established connections might work again if panic mode was enabled for a short period of time.

To find out if panic mode is on or off, enter:
~]$ firewall-cmd --query-panic
This prints yes with exit status 0 if enabled, and no with exit status 1 otherwise.

To reload the firewall without interrupting user connections (without losing state information), enter the following command as root:
~]# firewall-cmd --reload
To reload the firewall and interrupt user connections (discarding state information), enter the following command as root:
~]# firewall-cmd --complete-reload
To add an interface to a zone (for example, to add em1 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-interface=em1
To make this setting persistent, repeat the command adding the --permanent option.

To add an interface to a zone by editing its ifcfg-em1 configuration file (for example, to add em1 to the work zone), add the following line to ifcfg-em1 as root:
ZONE=work
If you omit the ZONE option, or use ZONE=, or ZONE='', then the default zone will be used.

To change the default zone by editing the configuration file, as root, open /etc/firewalld/firewalld.conf and edit the file as follows:
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Reload the firewall by entering the following command as root:
~]# firewall-cmd --reload

To set the default zone (to public, for example), enter the following command as root:
~]# firewall-cmd --set-default-zone=public

To list all open ports for a zone (dmz, for example), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-ports
Note that this will not show ports opened as a result of the --add-services command.

To add a port to a zone (for example, to allow TCP traffic to port 8080 to the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this setting persistent, repeat the command adding the --permanent option.

To add a range of ports to a zone (for example, to allow UDP ports 5060 to 5061 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this setting persistent, repeat the command adding the --permanent option.

To add a service to a zone (for example, to allow SMTP to the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --add-service=smtp
To make this setting persistent, repeat the command adding the --permanent option.

To remove a service from a zone (for example, to remove SMTP from the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --remove-service=smtp
To make this change persistent, repeat the command adding the --permanent option. This change will not break established connections. If that is your intention, you can use the --complete-reload option, but this will break all established connections, not just for the service you have removed.

To view the default zone configuration files, enter the following command as root:
~]# ls /usr/lib/firewalld/zones/
block.xml  drop.xml      home.xml      public.xml   work.xml
dmz.xml    external.xml  internal.xml  trusted.xml
Zone files that have been configured are stored in the /etc/firewalld/zones/ directory. To view them, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  public.xml.old
In the example shown above, the work zone file does not exist. To add the work zone file, enter the following command as root:
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now edit the file in the /etc/firewalld/zones/ directory. If you delete the file, firewalld will fall back to using the default file in /usr/lib/firewalld/zones/.
To add a service to a zone by editing its XML file (for example, to allow SMTP to the work zone), add the following line to the /etc/firewalld/zones/work.xml file as root:
<service name="smtp"/>
An editor running with root privileges is required to edit the XML zone files. To view the files for previously configured zones, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  work.xml

To remove a service from a zone by editing its XML file (for example, to remove SMTP from the work zone), use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file and remove the following line:
<service name="smtp"/>
If no other changes have been made to the work.xml file, it can be removed and firewalld will use the default /usr/lib/firewalld/zones/work.xml configuration file after the next reload or system boot.
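Editing a zone file by hand is easy to get wrong (a duplicated <service/> line, or the line removed from the wrong file). The following is an added example, not part of this guide or of firewalld, that adds or removes a <service name="..."/> entry in a zone document idempotently; the sample zone document is constructed here and modelled on the layout described above, and the script assumes a zone file in /etc/firewalld/zones/ followed by a firewall-cmd --reload.

```python
"""Add or remove a <service name=.../> entry in a firewalld zone XML file."""
import sys
import xml.etree.ElementTree as ET

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed sample modelled on a zone file; not a copy of /usr/lib/firewalld/zones/work.xml.
SAMPLE_WORK_XML = XML_DECL + """<zone>
  <short>Work</short>
  <description>For use in work areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""


def zone_services(xml_text):
    """Return the service names enabled in a zone document, in file order."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file (root element is <%s>)" % root.tag)
    return [s.get("name") for s in root.findall("service")]


def set_zone_service(xml_text, name, enabled):
    """Return the zone document with service `name` present (enabled=True) or absent.

    The edit is idempotent: enabling an already listed service adds nothing,
    disabling one that is absent changes nothing.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file (root element is <%s>)" % root.tag)
    existing = [s for s in root.findall("service") if s.get("name") == name]
    if enabled and not existing:
        ET.SubElement(root, "service", name=name)
    elif not enabled:
        for s in existing:
            root.remove(s)
    if hasattr(ET, "indent"):  # Python 3.9+; older versions keep the parsed layout
        ET.indent(root, space="  ")
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


def edit_zone_file(path, name, enabled):
    """Rewrite the zone file in place and return the resulting service list.

    firewalld only picks the change up after `firewall-cmd --reload`.
    """
    with open(path, encoding="utf-8") as f:
        updated = set_zone_service(f.read(), name, enabled)
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    return zone_services(updated)


if __name__ == "__main__":
    # usage: zone_service.py /etc/firewalld/zones/work.xml smtp add|remove
    zone_path, service, action = sys.argv[1:4]
    print(edit_zone_file(zone_path, service, action == "add"))
```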
To check if IP masquerading is enabled (for the external zone, for example), enter the following command as root:
~]# firewall-cmd --zone=external --query-masquerade
The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.

To enable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To make this setting persistent, repeat the command adding the --permanent option.

To disable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --remove-masquerade
To make this setting persistent, repeat the command adding the --permanent option.

To forward inbound network packets from one port to an alternative port or address, first enable IP masquerading for a zone (external, for example) by entering the following command as root:
~]# firewall-cmd --zone=external --add-masquerade

To forward packets to a local port (a port on the same system), enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
In this example, the packets intended for port 22 are now forwarded to port 3753. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new local port (the port or range of ports to which the traffic is being forwarded) is specified with the toport option. To make this setting persistent, repeat the commands adding the --permanent option.

To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to the same port at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port (the port or range of ports to which the traffic is being forwarded) is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.

To forward packets to another port at another IPv4 address, usually an internal address, enter the following command as root:
~]# firewall-cmd --zone=external \
      --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is being forwarded, is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.
The configuration settings for firewalld are stored in XML files in the /etc/firewalld/ directory. Do not edit the files in the /usr/lib/firewalld/ directory (the files define the default settings). You will need root user permissions to view and edit the XML files. The XML files are explained in three man pages:
- firewalld.icmptype(5) man page: Describes XML configuration files for ICMP filtering.
- firewalld.service(5) man page: Describes XML configuration files for firewalld service.
- firewalld.zone(5) man page: Describes XML configuration files for firewalld zone configuration.

It is possible to use the direct interface by using the --direct option with the firewall-cmd tool. A few examples are presented here; see the firewall-cmd(1) man page for more information. Direct rules can be made permanent by adding the --permanent option, using the firewall-cmd --permanent --direct command, or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.

To add a rule to the IN_public_allow chain of the IPv4 filter table, enter the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
        0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.

To remove the rule again, enter the following command as root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
        0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.

To list the rules in the IN_public_allow chain, enter the following command as root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means.
The rich language can be used in the zone configuration files or on the command line as root. The format of the command to add a rule is as follows:
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
If a timeout is supplied, the rule is active for that time and is removed automatically afterwards. The timeval may be followed by s (seconds), m (minutes), or h (hours) to specify the unit of time. The default is seconds.

To remove a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'

To check whether a rule is present:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If the zone is omitted, the default zone is used.

The format of a rich language rule is as follows:
rule [family="rule family"]
    [ source address="address" [invert="True"] ]
    [ destination address="address" [invert="True"] ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]
- family: If the rule family is provided, either ipv4 or ipv6, it limits the rule to IPv4 or IPv6 respectively. If the rule family is not provided, the rule is added for both IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.

Source and Destination Addresses
- source: By specifying the source address, the origin of a connection attempt can be limited to the source address. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4 or IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding invert="true" or invert="yes"; all but the supplied address will match.
- destination: By specifying the destination address, the target can be limited to the destination address. The destination address uses the same syntax as the source address. The use of source and destination addresses is optional, and the use of a destination address is not possible with all elements. This depends on the use of destination addresses, for example in service entries.

Elements
The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block and forward-port.
- service: The service element is one of the firewalld provided services. To get a list of the predefined services, issue the following command:
~]$ firewall-cmd --get-services
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:
service name=service_name
- port: The port element can either be a single port number or a port range, for example, 5060-5062, followed by the protocol, either as tcp or udp. The command takes the following form:
port port=number_or_range protocol=protocol
- protocol: The protocol value can be either a protocol ID number or a protocol name. For allowed protocol entries, see /etc/protocols. The command takes the following form:
protocol value=protocol_name_or_ID
- icmp-block: Use this command to block one or more ICMP types. The ICMP type is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, issue the following command:
~]$ firewall-cmd --get-icmptypes
Specifying an action is not allowed here. icmp-block uses the action reject internally. The command takes the following form:
icmp-block name=icmptype_name
- masquerade: Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.
- forward-port: Forward packets from a local port with protocol specified as tcp or udp to either another port locally, to another machine, or to another port on another machine. The port and to-port can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. The forward-port command uses the action accept internally. The command takes the following form:
forward-port port=number_or_range protocol=protocol to-port=number_or_range to-addr=address
Logging
- log: Log new connection attempts to the rule with kernel logging, for example in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of emerg, alert, crit, error, warning, notice, info or debug. The use of log is optional. It is possible to limit logging as follows:
log [prefix=prefix text] [level=log level] limit value=rate/duration
The rate is a natural positive number [1, ..], the duration one of s, m, h, d. s means seconds, m minutes, h hours and d days. The maximum limit value is 1/d, which means at maximum one log entry per day.
- audit: Audit provides an alternative way for logging using audit records sent to the service auditd. The audit type can be one of ACCEPT, REJECT or DROP, but it is not specified after the command audit, as the audit type will be automatically gathered from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.

Action
- accept|reject|drop: An action can be one of accept, reject or drop. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.
accept | reject [type=reject type] | drop
With accept all new connection attempts will be granted. With reject they will be rejected and their source will get a reject message. The reject type can be set to use another value. With drop all packets will be dropped immediately and no information is sent to the source.

Rich rules are split across separate chains so that, for example, a log rule is always evaluated before the matching deny chain, in order to have proper ordering. The rules or parts of them are placed in separate chains, according to the action of the rule, as follows:
zone_log
zone_deny
zone_allow
All logging rules will be placed in the “zone_log” chain, which will be parsed first. All reject and drop rules will be placed in the “zone_deny” chain, which will be parsed after the log chain. All accept rules will be placed in the “zone_allow” chain, which will be parsed after the deny chain. If a rule contains log and also deny or allow actions, the parts of the rule that specify these actions are placed in the matching chains.

Examples:

Enable new IPv4 and IPv6 connections for authentication header protocol AH:
rule protocol value="ah" accept

Allow new IPv4 and IPv6 connections for protocol FTP and log 1 per minute using audit:
rule service name="ftp" log limit value="1/m" audit accept

Allow new IPv4 connections from address 192.168.0.0/24 for protocol TFTP and log 1 per minute using syslog:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept

New IPv6 connections from 1:2:3:4:6:: for protocol RADIUS are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept

Forward IPv6 packets received from 1:2:3:4:6:: on port 4011 with protocol TCP to 1::2:3:4:7 on port 4012:
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
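The constraints spread through the rich language description above (family required with addresses and port forwarding, no action with icmp-block, masquerade or forward-port, the log levels and the rate/duration limit format) are easy to get wrong when rules are generated by scripts. The following is an added example, not code from this guide or from firewalld, that parses a rule string into its parts and reports which of those constraints it violates before the rule is handed to firewall-cmd; the keyword set and the checks are taken from the description above, and the tokenizer assumes attribute values are either double-quoted or contain no whitespace.

```python
"""Validate firewalld rich rule strings against the grammar described above."""
import re

ELEMENTS = {"service", "port", "protocol", "masquerade", "icmp-block", "forward-port"}
IMPLIED_ACTION = {"masquerade", "icmp-block", "forward-port"}  # no explicit action allowed
ACTIONS = {"accept", "reject", "drop"}
LOG_LEVELS = {"emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"}
KEYWORDS = {"source", "destination", "log", "limit", "audit"} | ELEMENTS | ACTIONS
# Either key=value (value optionally double-quoted) or a bare keyword.
TOKEN = re.compile(r'([\w-]+)=("[^"]*"|\S+)|([\w-]+)')


def parse_rich_rule(rule):
    """Split a rule into {keyword: {attribute: value}}; attributes bind to the preceding keyword."""
    parts = {}
    current = None
    for m in TOKEN.finditer(rule):
        if m.group(3):                                   # bare keyword opens a new part
            word = m.group(3)
            if word == "rule" and not parts:
                current = "rule"
            elif word not in KEYWORDS:
                raise ValueError("unknown keyword %r" % word)
            elif word in parts:
                raise ValueError("duplicate keyword %r" % word)
            else:
                current = word
            parts[current] = {}
        else:                                            # key=value belongs to the current part
            if current is None:
                raise ValueError("rule must start with 'rule'")
            parts[current][m.group(1)] = m.group(2).strip('"')
    if "rule" not in parts:
        raise ValueError("rule must start with 'rule'")
    return parts


def validate_rich_rule(rule):
    """Return a list of problems; an empty list means the rule satisfies the constraints above."""
    try:
        p = parse_rich_rule(rule)
    except ValueError as err:
        return [str(err)]
    problems = []
    family = p["rule"].get("family")
    if family not in (None, "ipv4", "ipv6"):
        problems.append("family must be ipv4 or ipv6")
    elements = [e for e in ELEMENTS if e in p]
    actions = [a for a in ACTIONS if a in p]
    if len(elements) > 1:
        problems.append("only one element is allowed")
    if len(actions) > 1:
        problems.append("only one action is allowed")
    element = elements[0] if elements else None
    # source, destination and port forwarding all need an explicit family
    if family is None and ("source" in p or "destination" in p or element == "forward-port"):
        problems.append("family is required with source, destination or forward-port")
    for side in ("source", "destination"):
        if side in p:
            if "address" not in p[side]:
                problems.append(side + " needs address=")
            invert = p[side].get("invert")
            if invert is not None and invert.lower() not in ("true", "yes"):
                problems.append(side + " invert must be true or yes")
    if element is None and "source" not in p:
        problems.append("rule needs an element or a source")
    if element in IMPLIED_ACTION and actions:
        problems.append(element + " does not take an action")
    if element not in IMPLIED_ACTION and not actions:
        problems.append("rule needs an action (accept, reject or drop)")
    if element == "masquerade" and "destination" in p:
        problems.append("masquerade cannot be limited by a destination address")
    if element in ("service", "icmp-block") and "name" not in p[element]:
        problems.append(element + " needs name=")
    if element == "protocol" and "value" not in p["protocol"]:
        problems.append("protocol needs value=")
    if element in ("port", "forward-port"):
        attrs = p[element]
        if "port" not in attrs:
            problems.append(element + " needs port=")
        if attrs.get("protocol") not in ("tcp", "udp"):
            problems.append(element + " protocol must be tcp or udp")
        if element == "forward-port" and not ("to-port" in attrs or "to-addr" in attrs):
            problems.append("forward-port needs to-port= and/or to-addr=")
    if "log" in p and p["log"].get("level", "info") not in LOG_LEVELS:
        problems.append("log level must be one of " + ", ".join(sorted(LOG_LEVELS)))
    if "limit" in p:
        if "log" not in p and "audit" not in p:
            problems.append("limit only applies to log or audit")
        # rate is a positive integer; duration unit s, m, h or d (so 1/d is the slowest allowed)
        if not re.fullmatch(r"[1-9]\d*/[smhd]", p["limit"].get("value", "")):
            problems.append("limit value must be rate/duration with duration s, m, h or d")
    if "audit" in p and p["audit"]:
        problems.append("audit takes no parameters")
    return problems
```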
Local applications or services are able to change the firewall configuration if they are running as root (for example, libvirt). With this feature, the administrator can lock the firewall configuration so that either no applications, or only applications that are added to the lockdown whitelist, are able to request firewall changes. The lockdown settings default to disabled. If enabled, the user can be sure that there are no unwanted configuration changes made to the firewall by local applications or services.

To enable lockdown by editing the configuration file, as root, add the following line to the /etc/firewalld/firewalld.conf file:
Lockdown=yes
Reload the firewall using the following command as root:
~]# firewall-cmd --reload

Try to enable the imaps service in the default zone using the following command as an administrative user (a user in the wheel group; usually the first user on the system). You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
Error: ACCESS_DENIED: lockdown is enabled

To enable the use of firewall-cmd while lockdown is on, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*'
Add the --permanent option if you want to make it persistent. Reload the firewall by entering the following command as root:
~]# firewall-cmd --reload

Try to enable the imaps service again in the default zone by entering the following command as an administrative user. You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
This time the command succeeds.

To query whether lockdown is enabled, enter the following command as root:
~]# firewall-cmd --query-lockdown
Prints yes with exit status 0 if lockdown is enabled, prints no with exit status 1 otherwise.

To enable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-on

To disable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-off
To find the security context of a running application, enter the following command:
~]$ ps -e --context
That command returns all running applications. Pipe the output through the grep tool to get the application of interest. For example:
~]$ ps -e --context | grep example_program

To list all command lines that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-commands
To add a command to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Add the --permanent option to make it persistent.
To remove a command from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Add the --permanent option to make it persistent.
To query whether a command is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Prints yes with exit status 0 if true, prints no with exit status 1 otherwise.

To list all security contexts that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-contexts
To add a context to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To remove a context from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To query whether a context is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-context=context
Prints yes with exit status 0 if true, prints no with exit status 1 otherwise.

To list all user IDs that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-uids
To add a user ID to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To remove a user ID from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To query whether a user ID is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-uid=uid
Prints yes with exit status 0 if true, prints no with exit status 1 otherwise.

To list all user names that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-users
To add a user name to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To remove a user name from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To query whether a user name is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-user=user
Prints yes with exit status 0 if true, prints no with exit status 1 otherwise.

The default whitelist configuration file contains the NetworkManager context, the default context of libvirt, and the user ID 0:
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
  <user id="0"/>
</whitelist>
Following is an example whitelist configuration file enabling all commands for the firewall-cmd utility, for a user called user whose user ID is 815:
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
In this example we have shown both user id and user name, but only one is required. Python is the interpreter and is therefore prepended to the command line. You can also use a very specific command, for example:
/usr/bin/python /bin/firewall-cmd --lockdown-on
In that example only the --lockdown-on command will be allowed.

NOTE
All utilities are placed in /usr/bin/ and the /bin/ directory is sym-linked to the /usr/bin/ directory. In other words, although the path for firewall-cmd when run as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location, but be aware that if scripts that run as root have been written to use the /bin/firewall-cmd path, then that command path must be whitelisted in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
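The NOTE above is the kind of thing a whitelist review should catch: a <command> entry is matched against the exact command line, so the /bin/ and /usr/bin/ spellings are different entries. The following is an added example, not code from this guide or from firewalld, that loads a whitelist document and answers whether a requesting process (by command line, user ID, user name or SELinux context) would be admitted; the sample whitelist is constructed from the example above, and the matching assumes that a trailing * permits any continuation of the command line and that any one matching entry is sufficient.

```python
"""Check a firewalld lockdown whitelist against a requesting process's attributes."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the example whitelist above; not a file from a real system.
SAMPLE_WHITELIST = """<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
"""


def load_whitelist(xml_text):
    """Return the whitelist entries grouped by kind: commands, contexts, uids, users."""
    root = ET.fromstring(xml_text)
    if root.tag != "whitelist":
        raise ValueError("not a lockdown whitelist file (root element is <%s>)" % root.tag)
    wl = {"commands": set(), "contexts": set(), "uids": set(), "users": set()}
    for el in root:
        if el.tag == "command" and el.get("name"):
            wl["commands"].add(el.get("name"))
        elif el.tag == "selinux" and el.get("context"):
            wl["contexts"].add(el.get("context"))
        elif el.tag == "user" and (el.get("id") is not None or el.get("name")):
            if el.get("id") is not None:
                wl["uids"].add(int(el.get("id")))
            if el.get("name"):
                wl["users"].add(el.get("name"))
        else:
            raise ValueError("unexpected or incomplete entry <%s>" % el.tag)
    return wl


def command_matches(pattern, cmdline):
    """Assumption: a trailing '*' allows any continuation; otherwise the whole line must match."""
    if pattern.endswith("*"):
        return cmdline.startswith(pattern[:-1])
    return cmdline == pattern


def is_whitelisted(wl, cmdline=None, uid=None, user=None, context=None):
    """True if any one attribute of the requesting process is on the whitelist (assumption)."""
    by_command = cmdline is not None and any(command_matches(p, cmdline) for p in wl["commands"])
    return by_command or uid in wl["uids"] or user in wl["users"] or context in wl["contexts"]
```

Note that with the sample whitelist a firewall-cmd invoked as /usr/bin/firewall-cmd is not admitted by the command entry, which is exactly the case the NOTE above describes.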
To use the iptables and ip6tables services instead of firewalld, first disable firewalld by running the following commands as root:
~]# systemctl disable firewalld
~]# systemctl stop firewalld
Then install the iptables-services package by entering the following command as root:
~]# yum install iptables-services
The iptables-services package contains the iptables service and the ip6tables service.

To start the iptables and ip6tables services, run the following commands as root:
~]# systemctl start iptables
~]# systemctl start ip6tables
To enable the services to start on every system start, enter the following commands:
~]# systemctl enable iptables
~]# systemctl enable ip6tables

An IP set can replace a series of rules that differ only in the address they match. For example, rather than the following three rules:
~]# iptables -A INPUT -s 10.0.0.0/8 -j DROP
~]# iptables -A INPUT -s 172.16.0.0/12 -j DROP
~]# iptables -A INPUT -s 192.168.0.0/16 -j DROP
the addresses can be stored in one set. The set is created as follows:
~]# ipset create my-block-set hash:net
~]# ipset add my-block-set 10.0.0.0/8
~]# ipset add my-block-set 172.16.0.0/12
~]# ipset add my-block-set 192.168.0.0/16
The set is then referenced in an iptables command as follows:
~]# iptables -A INPUT -m set --match-set my-block-set src -j DROP
If the set is used more than once, a saving in configuration time is made. If the set contains many entries, a saving in processing time is made.
.
You can add permanent direct rules with the /etc/firewalld/direct.xml file.
Procedure 4.1. Configuring a Custom Service for an IP Set
- Using an editor running as root, create a file as follows:
~]# vi /etc/systemd/system/ipset_name.service
[Unit]
Description=ipset_name
Before=firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ipset_name.sh start
ExecStop=/usr/local/bin/ipset_name.sh stop

[Install]
WantedBy=basic.target
- Use the IP set permanently in firewalld:
~]# vi /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set ipset_name src -j DROP</rule>
</direct>
- A firewalld reload is required to activate the changes:
~]# firewall-cmd --reload
This will reload the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
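Procedure 4.1 calls /usr/local/bin/ipset_name.sh from the unit file but does not show the script itself. The following is an added example of such a script, written for this page and not taken from the Red Hat guide or from the firewalld project. It assumes a hash:net set named ipset_name (the name used in the unit above) and an entries file /etc/ipset_name.entries holding one IPv4 network per line; the set type and the file path are assumptions. Each entry is checked before it is added, so a typo in the file is reported instead of making ipset fail part way through, and the -exist option keeps repeated starts idempotent.

```shell
#!/bin/sh
# /usr/local/bin/ipset_name.sh: hypothetical start/stop helper for ipset_name.service
# (added example, not part of the guide). Assumed: set type hash:net, entries file
# /etc/ipset_name.entries with one IPv4 host or CIDR network per line, '#' comments.

SET_NAME="${SET_NAME:-ipset_name}"
SET_TYPE="${SET_TYPE:-hash:net}"
ENTRIES_FILE="${ENTRIES_FILE:-/etc/ipset_name.entries}"

# Return 0 if the argument is an IPv4 host address or an IPv4 network in CIDR
# notation (the element forms a hash:net set accepts); anything else returns 1.
valid_ipv4_net() {
    case "$1" in
        *[!0-9./]*|'') return 1 ;;          # only digits, dots and one slash allowed
    esac
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32       # no '/' present: a single host address
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    rest=$addr
    n=0
    while :; do                             # walk the dotted quad octet by octet
        octet=${rest%%.*}
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
        n=$((n + 1))
        [ "$rest" = "$octet" ] && break     # no dots left
        rest=${rest#*.}
    done
    [ "$n" -eq 4 ]
}

# start: create the set if it is missing, then load every entry. -exist makes both
# steps safe to repeat, so a restart of the unit does not fail on an existing set.
start_set() {
    ipset -exist create "$SET_NAME" "$SET_TYPE" family inet
    [ -r "$ENTRIES_FILE" ] || { echo "$0: cannot read $ENTRIES_FILE" >&2; return 1; }
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                   # drop a trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if valid_ipv4_net "$entry"; then
            ipset -exist add "$SET_NAME" "$entry"
        else
            echo "$0: skipping malformed entry: $line" >&2
            rc=1                            # keep loading, but report failure to systemd
        fi
    done < "$ENTRIES_FILE"
    return $rc
}

# stop: empty the set first. destroy is refused while a rule still references the
# set, and an empty set blocks nothing, so flushing is the useful part either way.
stop_set() {
    ipset flush "$SET_NAME"
    ipset destroy "$SET_NAME"
}

main() {
    case "${1:-}" in
        start) start_set ;;
        stop)  stop_set ;;
        *)     echo "usage: $0 {start|stop}" >&2; return 2 ;;
    esac
}

# Dispatch only when run as the installed script, so the functions can also be sourced.
case "${0##*/}" in ipset_name.sh) main "$@" ;; esac
```

Because the unit declares Before=firewalld.service, start runs before the direct rule that references the set is loaded, and stop runs after firewalld has already stopped, so the destroy no longer collides with a live reference. A malformed line is skipped and the exit status is non-zero, so the valid entries still take effect while systemd records that the load was incomplete.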
To install the ipset utility, enter the following command as root:
~]# yum install ipset
To see the usage message:
~]$ ipset --help
ipset v6.11

Usage: ipset [options] COMMAND
output truncated
ipset [options] command [command-options]
Where command is one of:
create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | -
Allowed options are:
-exist | -output [ plain | save | xml ] | -quiet | -resolve | -sorted | -name | -terse
The create command is used to create a new data structure to store a set of IP data. The add command adds new data to the set; the data added is referred to as an element of the set.
The -exist option suppresses the error message if the element already exists, and it has a special role in updating a time out value. To change a time out, use the ipset add command and specify all the data for the element again, changing only the time out value as required, and using the -exist option.
The test option is for testing if the element already exists within a set.
The format of the create command is as follows:
ipset create set-name type-name [create-options]
The set-name is a suitable name chosen by the user; the type-name is the name of the data structure used to store the data comprising the set. The format of the type-name is as follows:
method:datatype[,datatype[,datatype]]
The allowed methods for storing data are:
bitmap | hash | list
The allowed data types are:
ip | net | mac | port | iface
When adding, deleting, or testing entries in a set, the same comma-separated data syntax must be used for the data that makes up one entry, or element, in the set. For example:
ipset add set-name ipaddr,portnum,ipaddr
NOTE
A set cannot store IPv4 and IPv6 addresses at the same time. When a set is created it is bound to a family, inet for IPv4 or inet6 for IPv6, and the default is inet.
Example 4.2. Create an IP Set
Create an IP set with the hash:ip,port,ip set type as follows:
~]# ipset create my-set hash:ip,port,ip
Once the set is created, entries can be added as follows:
~]# ipset add my-set 192.168.1.2,80,192.168.2.2
~]# ipset add my-set 192.168.1.2,443,192.168.2.2
The following create options are also available:
- timeout — The value given with the create command will be the default value for the set created. If a value is given with the add command, it will be the initial non-default value for the element.
- counters — If the option is given with the create command then packet and byte counters are created for every element in the set. If no value is given with the add command then the counters start from zero.
- comment — If the option is given with the create command then a quoted string of text can be passed with the add command to document the purpose of the element being added. Note that quotation marks are not allowed within the string, and escape characters will have no effect within IP set.
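The three create options above are easiest to see in the file format that the save and restore commands from the usage message exchange: a create line carrying the set-level options, followed by one add line per element. The following added example (written for this page, not taken from the guide) generates such a file for a blocklist from a simple text list. The input format element|comment|timeout is a hypothetical one chosen for the example; the comment and timeout fields are optional. It enforces the comment restriction just stated by removing quotation marks, since ipset would otherwise reject the line and escapes would not help.

```shell
# Added example (not from the Red Hat guide): emit an 'ipset restore' script for a
# set, with the set-level options on the 'create' line and an optional comment and
# timeout on each 'add' line. A set-level 'timeout 0' means entries never expire
# unless their own 'add' line gives a timeout.
# Assumed (hypothetical) input format, one entry per line, '#' lines ignored:
#   element|comment|timeout

# usage: build_restore SET_NAME TYPE DEFAULT_TIMEOUT ENTRIES_FILE
build_restore() {
    set_name=$1; set_type=$2; default_timeout=$3; entries=$4

    # hashsize and maxelem are the defaults described in the text; counters and
    # comment must be enabled at create time for the per-element fields to be accepted.
    printf 'create %s %s family inet hashsize 1024 maxelem 65536 timeout %s counters comment\n' \
        "$set_name" "$set_type" "$default_timeout"

    # '|'-separated fields; the '|| [ -n ... ]' keeps a last line without a newline.
    while IFS='|' read -r element comment elem_timeout _rest || [ -n "$element" ]; do
        case "$element" in ''|'#'*) continue ;; esac
        # Quotation marks are not allowed inside a comment and escape characters
        # have no effect, so strip quotes rather than emit a line restore rejects.
        case "$comment" in
            *\"*) echo "build_restore: dropping quotation marks from comment for $element" >&2
                  comment=$(printf '%s' "$comment" | tr -d '"') ;;
        esac
        line="add $set_name $element"
        [ -n "$comment" ] && line="$line comment \"$comment\""
        [ -n "$elem_timeout" ] && line="$line timeout $elem_timeout"
        printf '%s\n' "$line"
    done < "$entries"
}
```

Load the generated file with ipset -exist restore < file; -exist lets the same file be applied again over a set that already exists, which is what a boot-time load after an unclean shutdown needs.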
Example 4.3. List an IP Set
To list the contents of a specific IP set, my-set, issue a command as follows:
~]# ipset list my-set
Name: my-set
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8360
References: 0
Members:
192.168.1.2,tcp:80,192.168.2.2
192.168.1.2,tcp:443,192.168.2.2
Example 4.4. Test the Elements of an IP Set
To test whether an element is in the set, issue a command as follows:
~]# ipset test my-set 192.168.1.2,80,192.168.2.2
192.168.1.2,tcp:80,192.168.2.2 is in set my-set.
- bitmap:ip
Stores an IPv4 host address, a network range, or an IPv4 network address with the prefix length in CIDR notation if the netmask option is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to 65536 entries. The command to create the bitmap:ip set has the following format:
ipset create set-name bitmap:ip range start_ipaddr-end_ipaddr | ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]
Example 4.5. Create an IP Set for a Range of Addresses Using a Prefix Length
Create an IP set for a range of addresses using a prefix length with the bitmap:ip set type as follows:
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
~]# ipset add my-range 192.168.33.1
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
~]# ipset add my-range 192.168.33.2-192.168.33.4
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4
Example 4.6. Create an IP Set for a Range of Addresses Using a Netmask
Create an IP set for a range of addresses using a netmask with the bitmap:ip set type as follows:
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24
Once the set is created, entries can be added as follows:
~]# ipset add my-big-range 192.168.124.0
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24
Size in memory: 84
References: 0
Members:
192.168.124.0
192.168.125.0
- bitmap:ip,mac
Stores an IPv4 address and a MAC address as a pair. It can store up to 65536 entries.
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value] [counters] [comment]
Example 4.7. Create an IP Set for a Range of IPv4 MAC Address Pairs
Create an IP set for a range of IPv4 and MAC address pairs with the bitmap:ip,mac set type as follows:
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not necessary to specify a MAC address when creating the set. Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
- bitmap:port
Stores a range of ports. It can store up to 65536 entries.
ipset create my-port-range bitmap:port range start_port-end_port [timeout value] [counters] [comment]
The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port. The proto only needs to be specified if a service name is used, and that name does not exist as a TCP service.
Example 4.8. Create an IP Set for a Range of Ports
Create an IP set for a range of ports with the bitmap:port set type as follows:
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the set is created, entries can be added as follows:
~]# ipset add my-permitted-port-range 5060-5061
- hash:ip
Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored.
ipset create my-addresses hash:ip [family[ inet | inet6 ]] [hashsize value] [maxelem value] [netmask prefix-length] [timeout value]
The inet family is the default; if family is omitted, addresses will be interpreted as IPv4 addresses. The hashsize value is the initial hash size to use and defaults to 1024. The maxelem value is the maximum number of elements which can be stored in the set; it defaults to 65536.
The netfilter tool searches for the network prefix which is the most specific; it tries to find the smallest block of addresses that match.
Example 4.9. Create an IP Set for IP Addresses
Create an IP set for IP addresses with the hash:ip set type as follows:
~]# ipset create my-addresses hash:ip
Once the set is created, entries can be added as follows:
~]# ipset add my-addresses 10.10.10.0
A set can also be created with a limited number of elements, a netmask, and a timeout:
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The maxelem option restricts the total number of elements in the set, thus conserving memory space.
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output shows the time counting down:
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
The element will be removed from the set when the timeout period ends.
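Once entries carry timeouts, an administrator wants to know which blocks are about to lapse, and the References: line in the same output shows whether any rule uses the set at all (the examples above all show References: 0, that is, a set that currently blocks nothing). The following added example (written for this page, not taken from the guide) runs two awk checks over ipset list output read from standard input. SAMPLE_LIST is a constructed dump in the format shown above, not output captured from a real system.

```shell
# Added example (not from the Red Hat guide): checks over 'ipset list' output.
# SAMPLE_LIST is constructed to match the format shown in Example 4.9.
SAMPLE_LIST='Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 1
Members:
192.168.60.0 timeout 83
192.168.60.16 timeout 7
192.168.60.32 timeout 41'

# Print "member seconds-left" for every member whose remaining timeout is at or
# below LIMIT seconds: these entries are about to expire and may need re-adding.
expiring_members() {
    awk -v limit="$1" '
        /^Members:/                   { in_members = 1; next }
        in_members && $2 == "timeout" { if ($3 + 0 <= limit) print $1, $3 }
    '
}

# Print the reference count from the header. 0 means no iptables rule or firewalld
# direct rule matches against the set, so its contents have no effect on traffic.
set_references() {
    awk -F': *' '/^References:/ { print $2 }'
}

# Stand-alone run on the constructed sample; with a live set this would be
#   ipset list my-busy-addresses | expiring_members 30
printf '%s\n' "$SAMPLE_LIST" | expiring_members 30
printf '%s\n' "$SAMPLE_LIST" | set_references
```

Both functions filter on the literal field names, so output for sets without timeouts simply yields no expiring members, and the reference check works for any set type.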
See the ipset(8) manual page for more examples.
The following installed documentation provides more information about firewalld.
- firewalld(1) man page — Describes command options for firewalld.
- firewalld.conf(5) man page — Contains information to configure firewalld.
- firewall-cmd(1) man page — Describes command options for the firewalld command line client.
- firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
- firewalld.service(5) man page — Describes XML configuration files for firewalld service.
- firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
- firewalld.direct(5) man page — Describes the firewalld direct interface configuration file.
- firewalld.lockdown-whitelist(5) man page — Describes the firewalld lockdown whitelist configuration file.
- firewalld.richlanguage(5) man page — Describes the firewalld rich language rule syntax.
- firewalld.zones(5) man page — General description of what zones are and how to configure them.