====== Linux Firewalld Documentation ======
^ Documentation ^|
^Name:| Linux Firewalld Documentation|
^Description:|HOWTO manage firewalld on Linux machines |
^Modification date:|11/04/2018|
^Owner:|dodger|
^Notify changes to:|dodger or networking|
^Tags:| firewalld|
^Escalate to:| dodger or networking|
====== PRE-Requirements ======
Some knowledge of iptables/firewalld.
====== Daemon Management ======
===== Status firewalld =====
systemctl status firewalld
===== Start firewalld =====
systemctl start firewalld
===== Enable firewalld =====
So it will start on boot:
systemctl enable firewalld
===== Stop firewalld =====
After stopping, the server is fully exposed: firewalld flushes its rules, leaving empty iptables chains with the default ACCEPT policy.
systemctl stop firewalld
echo "## check"
iptables -vnL
===== Disable firewalld =====
It won't start at boot:
systemctl disable firewalld
Check status after that.
====== Rules Management ======
To make a change permanent you must add ''--permanent'' to the firewall-cmd call!!!
''--permanent'' writes only to the saved configuration and does NOT change the live (runtime) rule set!!! A rule added without it is live immediately but is lost on reload or restart; a rule added only with it becomes live after ''firewall-cmd --reload''.
\\
To switch the commands below between permanent and live mode, export the variable for permanent changes and leave ''PERMANENT'' empty (or unset it) for live-only changes:
export PERMANENT="--permanent"
===== Reload rules =====
For example, to apply rules that were added with ''--permanent'' to the live system:
firewall-cmd --reload
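The runtime/permanent split above is where most surprises come from: a service removed live but not saved comes back on reload, and one saved but not live is still open. The following helper, added here and not part of the original page, diffs one field of the runtime and permanent ''--list-all'' output for a zone. It assumes ''firewall-cmd'' is on PATH on a real host; the sample outputs at the bottom are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# zone_field OUTPUT FIELD -> values of the "FIELD:" line (e.g. "services")
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# set_diff "a b c" "b c" -> items of the first list missing from the second
set_diff() {
  out=""
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;            # present in both lists
      *) out="$out $item" ;;
    esac
  done
  printf '%s\n' "${out# }"
}

# runtime_only RT PM FIELD -> live now, but absent from the saved config
# (lost on reload/restart)
runtime_only() {
  set_diff "$(zone_field "$1" "$3")" "$(zone_field "$2" "$3")"
}

# permanent_only RT PM FIELD -> saved, but not live until --reload
permanent_only() {
  set_diff "$(zone_field "$2" "$3")" "$(zone_field "$1" "$3")"
}

# Live use on a host (assumes firewall-cmd is available):
#   RT=$(firewall-cmd --zone=public --list-all)
#   PM=$(firewall-cmd --permanent --zone=public --list-all)
#   runtime_only "$RT" "$PM" services ; permanent_only "$RT" "$PM" services

# Constructed sample output, same layout as firewall-cmd prints:
RUNTIME_SAMPLE='public
  target: default
  services: dhcpv6-client ssh
  ports: 8181/tcp'
PERMANENT_SAMPLE='public
  target: default
  services: snmp ssh
  ports:'
```

Run it after a change session: anything listed as runtime-only still needs the same command with ''--permanent'', anything permanent-only needs a ''--reload''.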
===== View information =====
==== All zones ====
firewall-cmd --list-all-zones
(''--list-all'' without ''--zone'' shows only the default zone, not all of them.)
==== List zones ====
firewall-cmd --get-zones
==== Selected zone ====
firewall-cmd --zone=internal --list-all
firewall-cmd --zone=public --list-all
Sample:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
===== Remove service =====
Replace ''THEZONE'' and ''THESERVICE'' in this command. With ''PERMANENT'' empty it changes only the live rules (non-permanent); with it exported it changes only the saved configuration, so reload afterwards:
firewall-cmd ${PERMANENT} --zone=THEZONE --remove-service=THESERVICE
Sample:
ciberterminal.net /etc/sysconfig # firewall-cmd --zone=public --remove-service=dhcpv6-client
success
ciberterminal.net /etc/sysconfig # firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
Warning: NOT_ENABLED: dhcpv6-client
success
====== Basic Rules ======
Remove the dhcpv6-client service (this does not disable IPv6 itself):
firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
Add snmp:
firewall-cmd ${PERMANENT} --zone=public --add-service=snmp
====== Rich Rules ======
===== Open port for source range =====
firewall-cmd ${PERMANENT} --zone=public --add-rich-rule='rule family=ipv4 source address=10.40.0.0/16 port port=8181 protocol=tcp accept'
====== Openvpn/Wireguard setup ======
As a VPN client, put the tunnel interfaces in the ''internal'' zone (the trailing ''+'' is a wildcard matching tun0, tun1, ...):
firewall-cmd ${PERMANENT} --zone=internal --add-interface=tun+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=wg+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=ppp+
firewall-cmd ${PERMANENT} --list-all --zone=internal