Introduction:
In Red Hat Enterprise Linux 7 a new method of interacting with netfilter has been introduced: firewalld. Firewalld is a system daemon that can configure and monitor the system firewall rules. Applications can talk to firewalld to request ports to be opened using the DBus messaging system, a feature which can be disabled or locked down. It covers IPv4, IPv6, and potentially ebtables settings. The firewalld daemon is installed from the firewalld package. This package is part of a base install, but not part of a minimal install.
Firewalld simplifies firewall management by classifying all network traffic into zones. Based on criteria such as the source IP address of a packet or the incoming network interface, traffic is then diverted into the firewall rules for the appropriate zone. Each zone can have its own list of ports and services to be opened or closed.
Default configuration of firewalld zones

Zone | Default configuration
--- | ---
trusted | Allow all incoming traffic.
home | Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client pre-defined services.
internal | Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client pre-defined services (same as the home zone to start with).
work | Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client, or dhcpv6-client pre-defined services.
public | Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client, or dhcpv6-client pre-defined services. The default zone for newly-added network interfaces.
external | Reject incoming traffic unless related to outgoing traffic or matching the ssh pre-defined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded to look like it originated from the IPv4 address of the outgoing network interface.
dmz | Reject incoming traffic unless related to outgoing traffic or matching the ssh pre-defined service.
block | Reject all incoming traffic unless related to outgoing traffic.
drop | Drop all incoming traffic unless related to outgoing traffic (do not even respond with ICMP errors).
Pre-defined services
Firewalld also ships with a number of pre-defined services. These service definitions can be used to easily permit traffic for particular network services to pass through the firewall.
Selected pre-defined firewalld services

Service | Configuration
--- | ---
ssh | Local SSH server. Traffic to 22/tcp.
dhcpv6-client | Local DHCPv6 client. Traffic to 546/udp on the fe80::/64 IPv6 network.
ipp-client | Local IPP printing. Traffic to 631/udp.
samba-client | Local Windows file and print sharing client. Traffic to 137/udp and 138/udp.
mdns | Multicast DNS (mDNS) local-link name resolution. Traffic to 5353/udp to the 224.0.0.251 (IPv4) or ff02::fb (IPv6) multicast addresses.
Configuring firewall settings
First install and start a web server, mask the legacy iptables services so they cannot conflict with firewalld, then confirm firewalld is running and open the graphical configuration tool:
[root@asim ~]# yum -y install httpd mod_ssl
[root@asim ~]# bash -c "echo 'I am alive' > /var/www/html/index.html"
[root@asim ~]# systemctl start httpd
[root@asim ~]# systemctl enable httpd
[root@asim ~]# systemctl mask iptables
[root@asim ~]# systemctl mask ip6tables
[root@asim ~]# systemctl status firewalld
[root@asim ~]# firewall-config
From the Configuration dropdown menu, select Permanent to switch to editing the permanent configuration.
Add the https service to the list of services allowed in the public zone.
In the Zone list, select public. Since this zone is also the default zone, it is highlighted in bold.
In the Service tab, add a checkmark in front of the https service.
Activate your firewall configuration by selecting Options > Reload Firewalld from the menu.
Verify your work by attempting to view your web server contents from a client PC:
[root@asim ~]# curl -k http://study.eiheducation.in
[root@asim ~]# curl -k https://study.eiheducation.in
This is how you configure firewalld with the graphical tool. Following are some other firewalld examples using firewall-cmd:
Description | Command
--- | ---
Query the current default zone. | firewall-cmd --get-default-zone
Set the default zone. | firewall-cmd --set-default-zone=<ZONE>
List all available zones. | firewall-cmd --get-zones
List all zones currently in use (have an interface or source tied to them), along with their interface and source information. | firewall-cmd --get-active-zones
Route all traffic coming from the IP address or network/netmask <CIDR> to the specified zone. If no --zone= option is provided, the default zone will be used. | firewall-cmd --add-source=<CIDR> [--zone=<ZONE>]
Remove the rule routing all traffic coming from the IP address or network/netmask <CIDR> to the specified zone. If no --zone= option is provided, the default zone will be used. | firewall-cmd --remove-source=<CIDR> [--zone=<ZONE>]
Route all traffic coming from <INTERFACE> to the specified zone. If no --zone= option is provided, the default zone will be used. | firewall-cmd --add-interface=<INTERFACE> [--zone=<ZONE>]
Associate the interface with <ZONE> instead of its current zone. If no --zone= option is provided, the default zone will be used. | firewall-cmd --change-interface=<INTERFACE> [--zone=<ZONE>]
List all configuration (interfaces, sources, services, and ports) for a zone. If no --zone= option is provided, the default zone will be used. | firewall-cmd --list-all [--zone=<ZONE>]
Retrieve all information for all zones. | firewall-cmd --list-all-zones
Allow traffic to a service. | firewall-cmd --add-service=<SERVICE> [--zone=<ZONE>]
Allow traffic to a port. | firewall-cmd --add-port=<PORT/PROTOCOL> [--zone=<ZONE>]
Remove a service from the zone. | firewall-cmd --remove-service=<SERVICE> [--zone=<ZONE>]
Remove a port from the zone. | firewall-cmd --remove-port=<PORT/PROTOCOL> [--zone=<ZONE>]
Reload the firewall from its permanent configuration (runtime-only changes made without --permanent are discarded). | firewall-cmd --reload
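As an added example, not part of the original page or of the firewalld project: a POSIX shell audit that compares a zone's --list-all output with an intended allowlist of services and ports and reports anything extra, so a rule that drifted from the intended configuration (for instance a service opened at runtime and then forgotten) is detected rather than silently left open. The sample --list-all output and the allowlist values are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit one zone's permitted
# services and ports against an intended allowlist and report drift, such
# as a service opened at runtime that was never meant to be there. Input is
# constructed sample text in the format of `firewall-cmd --zone=public --list-all`.

SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client https telnet
  ports: 443/tcp 8080/tcp
  masquerade: no
  rich rules:'

# Extract one "key: value" field (e.g. services, ports) as a space-separated list.
zone_field() { # $1 = list-all output, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print each item of $1 that is not in the allowlist $2 (both space-separated).
unexpected_items() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                 # allowed
            *) printf '%s\n' "$item" ;;     # drift: not on the allowlist
        esac
    done
}

# Return 0 if the zone opens nothing beyond the allowlists, 1 otherwise;
# findings go to stdout. $1 = list-all output, $2 = services, $3 = ports
audit_zone() {
    found=0
    for svc in $(unexpected_items "$(zone_field "$1" services)" "$2"); do
        echo "unexpected service: $svc"; found=1
    done
    for port in $(unexpected_items "$(zone_field "$1" ports)" "$3"); do
        echo "unexpected port: $port"; found=1
    done
    return $found
}

# Assumed policy for the public zone of a web server: ssh and https only.
ALLOWED_SERVICES="ssh dhcpv6-client https"
ALLOWED_PORTS="443/tcp"

audit_zone "$SAMPLE_LIST_ALL" "$ALLOWED_SERVICES" "$ALLOWED_PORTS" \
    || echo "zone public deviates from the intended policy"
```

On a live host, replace SAMPLE_LIST_ALL with `$(firewall-cmd --zone=public --list-all)` and run the script from cron or a configuration-check job.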