Linux Firewalld Documentation
Documentation | |
---|---|
Name: | Linux Firewalld Documentation |
Description: | HOWTO manage firewalld on Linux machines |
Modification date: | 11/04/2018 |
Owner: | dodger |
Notify changes to: | dodger or networking |
Tags: | firewalld |
Escalate to: | dodger or networking |
Prerequisites
Some knowledge of iptables/firewalld.
Daemon Management
Status of firewalld
systemctl status firewalld
Start firewalld
systemctl start firewalld
Enable firewalld
So that it starts on boot:
systemctl enable firewalld
Stop firewalld
Stopping firewalld removes all of its rules, so the kernel falls back to the built-in chain policies (ACCEPT on INPUT, FORWARD and OUTPUT). The server is fully exposed until firewalld is started again, so verify the state right after stopping:
systemctl stop firewalld
echo "## check"
iptables -vnL
On builds that use the nftables backend (FirewallBackend=nftables in /etc/firewalld/firewalld.conf) the rules are not visible to iptables; check with nft list ruleset instead.
Disable firewalld
It won't start at boot:
systemctl disable firewalld
Check status after that.
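The check after a stop can be automated. The following is an added example and not part of the original page: it parses `iptables -S` output and reports whether the INPUT chain is wide open (policy ACCEPT with no rules) or still filtered. Both rule dumps below are constructed samples, and the parser assumes the iptables backend; with the nftables backend the rules only show up in `nft list ruleset`, which this parser does not read.

```shell
#!/bin/sh
# Added example (not from the original page): classify the INPUT chain from
# `iptables -S` output so a "systemctl stop firewalld" is followed by a real
# check rather than eyeballing `iptables -vnL`.
# Assumption: iptables backend. With FirewallBackend=nftables use `nft list ruleset`.

# input_filter_state: reads `iptables -S` output on stdin and prints
#   open      policy ACCEPT and no rules in INPUT (everything gets in)
#   filtered  INPUT has rules and/or a DROP/REJECT policy
input_filter_state() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" { rules++ }
        END {
            if (policy == "ACCEPT" && rules == 0) print "open"
            else print "filtered"
        }'
}

# live_input_state: the same check against the real kernel table (needs root).
live_input_state() {
    iptables -S 2>/dev/null | input_filter_state
}

# Constructed sample: what `iptables -S` shows right after `systemctl stop firewalld`.
IPT_STOPPED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed, abbreviated sample: firewalld running with a zone active.
IPT_RUNNING='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

printf '%s\n' "$IPT_STOPPED" | input_filter_state   # open
printf '%s\n' "$IPT_RUNNING" | input_filter_state   # filtered
```

Run `live_input_state` as root on the host itself; if it prints `open` while you expected the firewall to be up, start firewalld again before doing anything else.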
Rules Management
firewall-cmd changes only the runtime (live) configuration unless you add --permanent to the invocation. A runtime-only change is lost on the next reload or reboot.
--permanent has the opposite limitation: it only writes the saved configuration under /etc/firewalld/ and does NOT touch the live rules, so nothing changes on the running system until you reload.
The commands below use ${PERMANENT} so the same line serves both cases. Set it to work on the saved configuration:
export PERMANENT="--permanent"
and unset it (unset PERMANENT) to go back to live-only changes. In practice the safest order is: make the change live, test it, then persist it, either by re-running the command with --permanent or with firewall-cmd --runtime-to-permanent, which copies the whole runtime configuration into the permanent one.
Reload rules
For example after using --permanent without applying the rules live. Note that a reload replaces the runtime configuration with the permanent one, so any runtime-only change that was never persisted is discarded:
firewall-cmd --reload
View information
Default zone (the zone used by interfaces not bound anywhere else); --list-all without a zone shows only this one, use --list-all-zones to dump every zone at once:
firewall-cmd --list-all
List zone names:
firewall-cmd --get-zones
Selected zone
firewall-cmd --zone=internal --list-all
firewall-cmd --zone=public --list-all
Sample:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
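Because runtime and permanent configuration can disagree, it is worth comparing the two --list-all outputs for a zone before a reload or reboot. The following is an added example, not part of the original page: it parses the single-line fields (interfaces, sources, services, ports) of `--list-all` output and reports entries that exist only in the runtime set (they vanish on reload) or only in the permanent set (they are not enforced yet). The two zone dumps are constructed samples in the same layout as the page's sample above; multi-line fields such as rich rules are not compared.

```shell
#!/bin/sh
# Added example (not from the original page): detect drift between the runtime
# and the permanent configuration of a zone by parsing `--list-all` output.
# Runtime-only entries disappear on `firewall-cmd --reload` or reboot;
# permanent-only entries are not enforced until a reload.

# zone_field FIELD: print the value of one single-line field from --list-all
# output on stdin (e.g. "services" -> "dhcpv6-client ssh").
zone_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^ +/, ""); print }'
}

# tokens_only_in A B: print the space-separated tokens of A that are not in B.
tokens_only_in() {
    for t in $1; do
        case " $2 " in
            *" $t "*) ;;
            *) printf '%s\n' "$t" ;;
        esac
    done
}

# zone_drift RUNTIME_TEXT PERMANENT_TEXT: report differences, return 1 if any.
zone_drift() {
    rt=$1; pm=$2; drift=0
    for f in interfaces sources services ports; do
        rtv=$(printf '%s\n' "$rt" | zone_field "$f")
        pmv=$(printf '%s\n' "$pm" | zone_field "$f")
        for t in $(tokens_only_in "$rtv" "$pmv"); do
            echo "$f: $t is runtime-only (lost on --reload or reboot)"
            drift=1
        done
        for t in $(tokens_only_in "$pmv" "$rtv"); do
            echo "$f: $t is permanent-only (not enforced until --reload)"
            drift=1
        done
    done
    return $drift
}

# live_zone_drift ZONE: the same comparison against firewall-cmd (needs root).
live_zone_drift() {
    zone_drift "$(firewall-cmd --zone="$1" --list-all)" \
               "$(firewall-cmd --permanent --zone="$1" --list-all)"
}

# Constructed sample: runtime state after --add-service=snmp and
# --add-port=8181/tcp were run without --permanent.
RT_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh snmp
  ports: 8181/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:'

# Constructed sample: what --permanent --list-all shows for the same zone.
PM_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:'

zone_drift "$RT_SAMPLE" "$PM_SAMPLE" \
    || echo "fix with: firewall-cmd --runtime-to-permanent (or re-run the commands with --permanent)"
```

On a real host call `live_zone_drift public` (or whichever zone is active); a non-zero exit means the two configurations differ and a reload would silently change what is enforced.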
Remove service
Replace THEZONE and THESERVICE in this command. With ${PERMANENT} unset it changes only the runtime configuration; with it set, only the saved one:
firewall-cmd ${PERMANENT} --zone=THEZONE --remove-service=THESERVICE
Sample:
ciberterminal.net /etc/sysconfig # firewall-cmd --zone=public --remove-service=dhcpv6-client
success
ciberterminal.net /etc/sysconfig # firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
Warning: NOT_ENABLED: dhcpv6-client
success
The NOT_ENABLED warning means the service was already absent from the configuration that command modified; the command still reports success.
Basic Rules
Remove the dhcpv6-client service (stops accepting DHCPv6 server replies in the public zone; it does not disable IPv6 itself):
firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
Allow SNMP (the snmp service opens UDP 161 to every source in the zone; prefer a rich rule limited to the monitoring hosts if you can):
firewall-cmd ${PERMANENT} --zone=public --add-service=snmp
Rich Rules
Open TCP port 8181 only for sources in 10.40.0.0/16. A rich rule lets you tie the port to a source range; a plain --add-port would open it to every source reaching the zone:
firewall-cmd ${PERMANENT} --zone=public --add-rich-rule='rule family=ipv4 source address=10.40.0.0/16 port port=8181 protocol=tcp accept'
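Rich rules are usually generated from script variables, and firewall-cmd only rejects a malformed value at apply time. The following is an added example, not part of the original page: it validates the source prefix, port and protocol before building the rule string, optionally prepends a rate-limited `log` action (the same rich-rule grammar as `accept`, see firewalld.richlanguage(5)) so hits can be watched while the rule is being tightened, and applies it live first, verifies it with `--query-rich-rule`, and only then persists it. The helper names (`allow_from_rule`, `apply_rule`) and the `5/m` log limit are choices made for this example; IPv4 only is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): build the rich rule from
# validated parameters instead of pasting raw values into the command line.
# Assumptions: IPv4 prefixes only; tcp/udp only; log limit of 5/m is arbitrary.

# valid_cidr4 A.B.C.D/N: succeed only for a well-formed IPv4 prefix.
valid_cidr4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }'
}

# valid_port N: accept 1..65535 only.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_from_rule CIDR PORT [tcp|udp] [log]: print the rich rule, or fail.
allow_from_rule() {
    cidr=$1; port=$2; proto=${3:-tcp}; mode=${4:-}
    valid_cidr4 "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    valid_port "$port"  || { echo "bad port: $port" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    rule="rule family=\"ipv4\" source address=\"$cidr\" port port=\"$port\" protocol=\"$proto\""
    if [ "$mode" = log ]; then
        # rate-limited kernel log line before the accept; prefix shows up in dmesg/journal
        rule="$rule log prefix=\"allow-$port-$proto \" level=\"info\" limit value=\"5/m\""
    fi
    printf '%s\n' "$rule accept"
}

# apply_rule ZONE RULE: add live, verify it is active, then persist (needs root + firewalld).
apply_rule() {
    firewall-cmd --zone="$1" --add-rich-rule="$2" \
      && firewall-cmd --zone="$1" --query-rich-rule="$2" \
      && firewall-cmd --permanent --zone="$1" --add-rich-rule="$2"
}

allow_from_rule 10.40.0.0/16 8181             # the rule used on this page
allow_from_rule 10.40.0.0/16 161 udp log      # SNMP from the same range, with logging
allow_from_rule 10.40.0.0/166 8181 || echo "rejected as expected"
```

Typical use: `rule=$(allow_from_rule 10.40.0.0/16 8181) && apply_rule public "$rule"`. If the `--query-rich-rule` step fails the permanent write is skipped, so the saved configuration never contains a rule that did not take effect live.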
OpenVPN/WireGuard setup
As a client, bind the tunnel interfaces to the internal zone so that traffic arriving over the VPN is handled by that zone's (more permissive) policy instead of public's. tun+ covers OpenVPN, wg+ WireGuard and ppp+ PPP links; the trailing + is a wildcard that matches any interface with that prefix, so every such tunnel inherits the internal zone:
firewall-cmd ${PERMANENT} --zone=internal --add-interface=tun+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=wg+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=ppp+
firewall-cmd ${PERMANENT} --list-all --zone=internal
With ${PERMANENT} set, the last command shows the saved configuration, not what is currently enforced; drop it (or reload) to see the live zone.
linux/firewalld_documentation.txt · Last modified: 2023/08/28 10:34 by dodger