Check whether the firewalld service is running:
# systemctl status firewalld

In case it is not running, start it with the command below:
# systemctl start firewalld

Enable it so that it starts by default at boot:
# systemctl enable firewalld
To add rules to the firewall, there are a couple of commands (type firewall and press Tab to list them):
[root@server1 /]# firewall
firewall-cmd          firewalld             firewall-config       firewall-offline-cmd
# firewall-cmd is the command line interface
# firewall-config is the graphical interface
The basic concepts in firewalld are zones and services.

To see which zones are available, type:
[root@server1 /]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

To see which services are available, type:
[root@server1 /]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

To find out which zone is the default:
[root@server1 /]# firewall-cmd --get-default-zone
home

To set the default zone:
[root@server1 /]# firewall-cmd --set-default-zone=public
success
Now to add services to a zone:
Basically, a service is a name associated with a protocol and ports.
/etc/firewalld/services is the directory where the user defines their own services.
[root@server1 services]# pwd
/etc/firewalld/services
[root@server1 services]# ls -l
total 4
-rw-r--r--. 1 root root 449 Dec 11 15:53 amanda-client.xml

The default system-defined services are stored in /usr/lib/firewalld/services/:
[root@server1 services]# pwd
/usr/lib/firewalld/services
[root@server1 services]# ls
amanda-client.xml dhcpv6.xml high-availability.xml ipp-client.xml kpasswd.xml libvirt.xml mysql.xml pmcd.xml pop3s.xml rpc-bind.xml ssh.xml transmission-client.xml bacula-client.xml dhcp.xml https.xml ipp.xml ldaps.xml mdns.xml nfs.xml pmproxy.xml postgresql.xml samba-client.xml telnet.xml vnc-server.xml bacula.xml dns.xml http.xml ipsec.xml ldap.xml mountd.xml ntp.xml pmwebapis.xml proxy-dhcp.xml samba.xml tftp-client.xml wbem-https.xml dhcpv6-client.xml ftp.xml imaps.xml kerberos.xml libvirt-tls.xml ms-wbt.xml openvpn.xml pmwebapi.xml radius.xml smtp.xml tftp.xml

[root@server1 services]# cat high-availability.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Red Hat High Availability</short>
  <description>This allows you to use the Red Hat High Availability (previously named Red Hat Cluster Suite). Ports are opened for corosync, pcsd, pacemaker_remote and dlm.</description>
  <port protocol="tcp" port="2224"/>
  <port protocol="tcp" port="3121"/>
  <port protocol="udp" port="5404"/>
  <port protocol="udp" port="5405"/>
  <port protocol="tcp" port="21064"/>
</service>

[root@server1 services]# cat samba-client.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba Client</short>
  <description>This option allows you to access Windows file and printer sharing networks. You need the samba-client package installed for this option to be useful.</description>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>
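The service files above are plain XML, so a user-defined service is just a file of the same shape dropped into /etc/firewalld/services (a file there with the same name as one in /usr/lib/firewalld/services takes precedence over the system copy, so a typo in a copied file silently replaces the original definition). The script below is an added example, not code from the original post: it generates such a file from a port list and refuses anything that is not a tcp/udp port or port range, so a mistake cannot widen the definition. The service name custom-app, its ports, and the function names make_service_xml and install_service_xml are this example's own choices; on a real host you would write into /etc/firewalld/services and then run firewall-cmd --reload.

```shell
#!/bin/sh
# Added example (not from the original post): generate a firewalld service
# definition in the XML format used by /usr/lib/firewalld/services.

# Escape the characters that are special inside XML element text.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# make_service_xml SHORT "DESCRIPTION" PROTO/PORT [PROTO/PORT ...]
# Writes the service definition to stdout; returns 1 on a bad port spec.
make_service_xml() {
    short="$1"; shift
    desc="$1"; shift
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$short")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
        proto="${spec%%/*}"
        port="${spec#*/}"
        # Only tcp/udp with a numeric port or range (e.g. tcp/8080, udp/5404-5405)
        # is accepted; anything else would produce a file firewalld rejects or,
        # worse, a definition that opens more than intended.
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            ""|*[!0-9-]*|-*|*-) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# install_service_xml NAME DIR SHORT "DESCRIPTION" PROTO/PORT ...
# Writes DIR/NAME.xml atomically; NAME is what --add-service=NAME will use.
install_service_xml() {
    name="$1"; dir="$2"; shift 2
    case "$name" in
        ""|*[!A-Za-z0-9_-]*) echo "bad service name '$name'" >&2; return 1 ;;
    esac
    tmp="$dir/.$name.xml.tmp"
    if make_service_xml "$@" > "$tmp"; then
        chmod 0644 "$tmp" && mv "$tmp" "$dir/$name.xml"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Stand-alone demo: print the definition for a constructed service.
make_service_xml "Custom App" "Ports for the custom app" tcp/8080 tcp/2020
```

To install it for real you would call install_service_xml custom-app /etc/firewalld/services "Custom App" "..." tcp/8080 tcp/2020 as root, then firewall-cmd --reload, after which custom-app appears in firewall-cmd --get-services and can be added to a zone like any built-in service.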
To add a service to a zone:
[root@server1 services]# firewall-cmd --zone=public --add-service=high-availability
success

Type firewall-cmd --list-all to get the configuration of the current zone:
[root@server1 services]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh
  ports: 8080/tcp 2020/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Everything you add this way persists only until firewalld is restarted or the system reboots. To make the setting permanent, add --permanent:
[root@server1 services]# firewall-cmd --permanent --zone=public --add-service=high-availability
success
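The runtime/permanent split is the usual source of surprises: a rule added without --permanent is enforced now but vanishes at the next restart, and a rule added with --permanent is on disk but not enforced until a reload, so the two configurations can drift apart without anyone noticing. The script below is an added example, not code from the original post. It compares a zone's runtime service list with its permanent list and reports both kinds of drift. On a live host the two lists come from firewall-cmd --zone=public --list-services and firewall-cmd --permanent --zone=public --list-services; the lists embedded here are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): report drift between the
# runtime and permanent service lists of a firewalld zone.

# words_only_in "LIST_A" "LIST_B": print the words of A that are absent from B.
words_only_in() {
    for w in $1; do
        found=0
        for v in $2; do
            if [ "$w" = "$v" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$w"; fi
    done
}

# Services enforced right now that will disappear at the next restart/reboot.
# (The unquoted $(...) in echo joins the words with single spaces.)
runtime_only_services() { echo $(words_only_in "$1" "$2"); }

# Services saved on disk that are not enforced until firewall-cmd --reload.
permanent_only_services() { echo $(words_only_in "$2" "$1"); }

# report_drift RUNTIME PERMANENT: print a summary; return 1 if the lists differ,
# so the function can be used as a check from cron or a config-compliance job.
report_drift() {
    ro=$(runtime_only_services "$1" "$2")
    po=$(permanent_only_services "$1" "$2")
    echo "runtime-only (lost on restart/reboot):   ${ro:-none}"
    echo "permanent-only (inactive until --reload): ${po:-none}"
    [ -z "$ro" ] && [ -z "$po" ]
}

# Constructed sample: high-availability was added without --permanent, and
# vnc-server was added with --permanent but --reload has not been run yet.
RUNTIME="dhcpv6-client high-availability https samba-client ssh"
PERMANENT="dhcpv6-client https samba-client ssh vnc-server"

report_drift "$RUNTIME" "$PERMANENT" || echo "drift detected: runtime and permanent configuration differ"
```

On a real host replace the two constants with the output of the two firewall-cmd invocations named above and run the check after every change window; a non-zero exit tells you that what the kernel enforces is not what will survive the next reboot.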
Exercise:
1. Open a root shell. Type firewall-cmd --get-default-zone. This shows the current default zone, which by default is set to public.
[root@server1 /]# firewall-cmd --get-default-zone
public

2. To see which zones are available, type firewall-cmd --get-zones.
[root@server1 /]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
3. Now show the services that are available on your server by using firewall-cmd --get-services. Notice that the firewall-cmd --get options show what is available on your server.
[root@server1 /]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

4. To see which services are enabled in the current zone, type firewall-cmd --list-services. You'll see a short list containing a Dynamic Host Configuration Protocol (DHCP) client as well as Secure Shell (SSH).
[root@server1 /]# firewall-cmd --list-services
dhcpv6-client high-availability https samba-client ssh
5. Now type firewall-cmd --list-all. Look at the output and compare it to the result of firewall-cmd --list-all --zone=public. Both commands show a complete overview of the current firewall configuration. Notice that you see much more than just the zone and the services configured in that zone; you also see information about the interfaces and more advanced items.
[root@server1 /]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh
  ports: 8080/tcp 2020/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@server1 /]# firewall-cmd --list-all --zone=public
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh
  ports: 8080/tcp 2020/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
6. Type firewall-cmd --add-service=vnc-server to add the VNC server to the configuration of the firewall. Verify using firewall-cmd --list-all.
[root@server1 /]# firewall-cmd --add-service=vnc-server
success

[root@server1 /]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh vnc-server
  ports: 8080/tcp 2020/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
7. Type systemctl restart firewalld and repeat firewall-cmd --list-all. Notice that the vnc-server service is no longer listed.
[root@server1 /]# systemctl restart firewalld

[root@server1 /]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh
  ports: 8080/tcp 2020/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
8. Add the vnc-server service again, but make it permanent this time, using firewall-cmd --add-service=vnc-server --permanent.
[root@server1 /]# firewall-cmd --add-service=vnc-server --permanent
success
9. Type firewall-cmd --list-all again to verify. You'll see that the VNC server is not listed. Services that have been added to the on-disk configuration are not added automatically to the runtime configuration. Type firewall-cmd --reload to load the on-disk configuration into the runtime configuration.
[root@server1 /]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh
  ports: 8080/tcp 2020/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@server1 /]# firewall-cmd --reload
success

[root@server1 /]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh vnc-server
  ports: 8080/tcp 2020/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
10. Type firewall-cmd --add-port=2022/tcp --permanent, followed by firewall-cmd --reload. Verify using firewall-cmd --list-all. You'll see that a port has now been added to the firewalld configuration.
[root@server1 /]# firewall-cmd --add-port=2022/tcp --permanent
success

[root@server1 /]# firewall-cmd --reload
success

[root@server1 /]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh vnc-server
  ports: 2020/tcp 8080/tcp 2022/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
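After a few rounds of --add-service and --add-port like the ones in the exercise, the question a reviewer asks is not "what did I add" but "what is open that should not be". The script below is an added example, not code from the original post: it reads the output of firewall-cmd --list-all (the multi-line "key: values" format shown throughout the exercise) and reports every service and port in the zone that is not on an allowlist, plus masquerading if it is switched on. The sample output is constructed to match the zone's final state above; the allowlists, the audit_zone and zone_field names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a zone's effective
# configuration, as printed by `firewall-cmd --list-all`, against an allowlist.

# zone_field KEY: print the values of one "KEY: values" line of list-all output
# read from stdin (e.g. zone_field services, zone_field ports).
zone_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# audit_zone "ALLOWED SERVICES" "ALLOWED PORTS" < list-all-output
# Prints "service NAME" / "port PORT" for each entry that is open but not
# allowed, and "masquerade enabled" if the zone masquerades; returns 1 if
# anything was flagged, 0 if the zone matches the allowlist.
audit_zone() {
    allowed_services="$1"; allowed_ports="$2"
    input=$(cat)
    bad=0
    for s in $(printf '%s\n' "$input" | zone_field services); do
        if ! printf '%s\n' $allowed_services | grep -qxF -- "$s"; then
            echo "service $s"; bad=1
        fi
    done
    for p in $(printf '%s\n' "$input" | zone_field ports); do
        if ! printf '%s\n' $allowed_ports | grep -qxF -- "$p"; then
            echo "port $p"; bad=1
        fi
    done
    if [ "$(printf '%s\n' "$input" | zone_field masquerade)" = "yes" ]; then
        echo "masquerade enabled"; bad=1
    fi
    return $bad
}

# Constructed sample, mirroring the zone at the end of the exercise.
SAMPLE_LIST_ALL='public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client high-availability https samba-client ssh vnc-server
  ports: 2020/tcp 8080/tcp 2022/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Stand-alone demo: only ssh, https, the DHCPv6 client and 8080/tcp are expected.
printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone "dhcpv6-client https ssh" "8080/tcp" \
    || echo "zone public has entries outside the allowlist"
```

On a live host pipe the real command in: firewall-cmd --list-all | audit_zone "dhcpv6-client https ssh" "8080/tcp". Because runtime and permanent can differ, run it a second time on firewall-cmd --permanent --list-all so that a rule that is only on disk is caught before the next reload makes it effective.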
Common firewall-cmd Options
Thank you for reading.