I am passionate about security. Watching several layers of security get circumvented on a network goes against everything that makes me security-minded at all times. Some system administrators cannot spare a few minutes to close the front door, and that always has a negative impact on their network systems.
In this guide we look at defense in depth, covering both port security and the use of firewalls to secure Linux servers. Since we cannot cover everything in one tutorial, we concentrate on firewalld basics and demonstrate a number of common configurations.
What is Firewalld?
Firewalld is a dynamic firewall service that manages the Linux kernel netfilter subsystem through the low-level iptables, ip6tables and ebtables commands. It is the default firewall service in Red Hat Enterprise Linux 7 (RHEL 7) and the distributions derived from it, and it supports both IPv4 and IPv6 firewall settings.
The firewall service provided by firewalld is dynamic rather than static: changes made to the configuration take effect immediately, so there is no need to apply or save them. This is an advantage because a change does not unintentionally disrupt existing network connections.
Firewalld sorts all incoming traffic into zones, and each zone has its own set of rules.
Firewalld logic for incoming connections
Firewalld has to determine which zone to use for an incoming connection. It checks the following, in order, and the first rule that matches wins:
- If the source address of an incoming packet matches a source rule set up for a zone, the packet is routed through that zone.
- If the incoming interface of the packet matches an interface filter set up for a zone, that zone is used.
- Otherwise the default zone is used.
Note: The default zone for any new network interface will be set to the public zone.
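As an added illustration that is not part of the original guide, the following Python models that three-step decision on constructed zone bindings: the source 192.168.100.0/24 (and an IPv6 prefix) bound to trusted, eth0 bound to internal, eth1 bound to home, and dmz as the default zone. The zone names and bindings are assumptions for the demo, not read from a live firewalld.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed zone bindings for the demo (not read from a real firewalld).
# firewalld refuses to bind one source or interface to two zones
# (ZONE_CONFLICT), so iteration order only matters between the tiers.
@dataclass
class Zone:
    name: str
    sources: list = field(default_factory=list)     # bound with --add-source
    interfaces: list = field(default_factory=list)  # bound with --add-interface

ZONES = [
    Zone("trusted", sources=["192.168.100.0/24", "fd00:100::/64"]),
    Zone("internal", interfaces=["eth0"]),
    Zone("home", interfaces=["eth1"]),
]
DEFAULT_ZONE = "dmz"   # what --set-default-zone=dmz would select

def zone_for_packet(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Return the zone firewalld would apply to an incoming packet.

    Tier 1: a zone whose bound source matches the packet's source address.
    Tier 2: a zone whose bound interface matches the ingress interface.
    Tier 3: the default zone. First match wins.
    """
    addr = ipaddress.ip_address(src_ip)
    for zone in zones:
        for cidr in zone.sources:
            net = ipaddress.ip_network(cidr, strict=False)
            # An IPv4 address never matches an IPv6 source rule and vice versa.
            if net.version == addr.version and addr in net:
                return zone.name
    for zone in zones:
        if iface in zone.interfaces:
            return zone.name
    return default

if __name__ == "__main__":
    # A source rule beats an interface rule: trusted, not internal.
    print(zone_for_packet("192.168.100.7", "eth0"))   # trusted
    print(zone_for_packet("10.0.0.3", "eth0"))        # internal
    print(zone_for_packet("10.0.0.3", "eth2"))        # dmz
```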
Where are the configuration files?
The configuration files for firewalld are XML files stored in the /usr/lib/firewalld/ and /etc/firewalld/ directories. These files can be edited, written to, backed up and used as templates for other installations.
If a configuration file with the same name exists in both locations, the version in /etc/firewalld/ is used. This means administrators can override the default zones and settings.
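The following Python script, added here and not part of the original guide or of firewalld itself, shows how that override rule plays out for the zone files under the zones/ subdirectory of each location: it collects zone files from both directories, lets a same-named file under /etc win, and parses each zone's services, ports, sources and interfaces. The demo() function builds the two directories with constructed XML in a temporary tree so it runs offline; pointing effective_config() at the real paths would read a live system.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

SYSTEM_ZONES = "/usr/lib/firewalld/zones"  # shipped defaults
ADMIN_ZONES = "/etc/firewalld/zones"       # administrator overrides win

# Constructed zone files for the demo, using the same elements as real zone XML.
SHIPPED_PUBLIC = """<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><service name="ssh"/><service name="dhcpv6-client"/></zone>"""
SHIPPED_DMZ = """<?xml version="1.0" encoding="utf-8"?>
<zone><short>DMZ</short><service name="ssh"/></zone>"""
OVERRIDE_PUBLIC = """<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><service name="ssh"/>
<port protocol="tcp" port="3306"/><source address="192.168.100.0/24"/></zone>"""

def effective_zone_files(system_dir, admin_dir):
    # Zone name -> file firewalld loads; a same-named file in the admin
    # directory replaces the shipped one, zones that are only shipped survive.
    files = {}
    for d in (system_dir, admin_dir):  # later directory overrides
        for f in (os.listdir(d) if os.path.isdir(d) else []):
            if f.endswith(".xml"):
                files[f[:-4]] = os.path.join(d, f)
    return files

def parse_zone(path):
    # Pull the allow-list and bindings out of one zone file.
    root = ET.parse(path).getroot()
    return {
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [f"{e.get('port')}/{e.get('protocol')}" for e in root.findall("port")],
        "sources": [e.get("address") for e in root.findall("source")],
        "interfaces": [e.get("name") for e in root.findall("interface")],
    }

def effective_config(system_dir=SYSTEM_ZONES, admin_dir=ADMIN_ZONES):
    return {n: parse_zone(p) for n, p in effective_zone_files(system_dir, admin_dir).items()}

def demo():
    # Lay out both directories in a temp tree and resolve what is effective.
    tmp = tempfile.mkdtemp()
    sysd, admd = os.path.join(tmp, "usr"), os.path.join(tmp, "etc")
    for d, name, text in [(sysd, "public", SHIPPED_PUBLIC), (sysd, "dmz", SHIPPED_DMZ),
                          (admd, "public", OVERRIDE_PUBLIC)]:
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, name + ".xml"), "w") as fh:
            fh.write(text)
    return effective_config(sysd, admd)
```

In the demo the overriding public zone drops dhcpv6-client and adds a port and a source, while dmz is taken from the shipped directory untouched.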
How to manage firewalld?
There are three ways to make changes to the firewall service:
- Using the command line client, firewall-cmd. It can make both permanent and runtime changes. The root user or any member of the wheel group can run firewall-cmd; the polkit mechanism is used to authorize the command.
- Using the graphical tool, firewall-config.
- Editing the configuration files in /etc/firewalld/.
NOTE:
The firewalld.service unit conflicts with the iptables.service, ip6tables.service and ebtables.service units. It is good practice to mask those services before starting firewalld. This can be done with the following commands:
for SERVICE in iptables ip6tables ebtables; do
    systemctl mask ${SERVICE}.service
done
How is firewalld different from iptables?
- Firewalld stores its configuration in XML files under /usr/lib/firewalld/ and /etc/firewalld/, while the iptables service stores its rules in /etc/sysconfig/iptables. The file /etc/sysconfig/iptables does not exist on RHEL 7 by default, since RHEL 7 ships with firewalld.
- With the iptables service, every single change requires the old rules to be flushed and the whole rule set to be re-read from /etc/sysconfig/iptables. With firewalld only the differences are applied, and settings can be changed at runtime without losing existing connections.
Firewalld vs IPtables Working Diagram
Configuring firewall settings with firewall-cmd
firewall-cmd is installed as part of the main firewalld package. Almost all commands work on the runtime configuration unless the --permanent option is specified. The zone the rules apply to is selected with the --zone=<ZONE> option; the default zone is used if --zone is omitted.
Changes made to the permanent configuration with --permanent are activated with firewall-cmd --reload.
The following table lists frequently used firewall-cmd options with an explanation of each:
Command | Command Explanation |
---|---|
--get-zones | List all available zones |
--get-default-zone | Get the current default zone |
--get-active-zones | List all zones that have an interface or source tied to them and are therefore currently in use |
--set-default-zone=<ZONE> | Set the default zone. This changes both the runtime and the permanent configuration |
--list-all-zones | Retrieve all information for all zones: interfaces, ports, services, sources, etc. |
--list-all [--zone=<ZONE>] | List all configured services, ports, sources and interfaces for <ZONE>. The default zone is used if no --zone= option is given |
--add-interface=<INTERFACE> [--zone=<ZONE>] | Route all traffic coming through <INTERFACE> to the specified zone. The default zone is used if no --zone= option is given |
--change-interface=<INTERFACE> [--zone=<ZONE>] | Associate <INTERFACE> with <ZONE> instead of its current zone. The default zone is used if no --zone= option is given |
--add-source=<CIDR> [--zone=<ZONE>] | Route all traffic coming from the IP address or network <CIDR> to the specified zone. The default zone is used if no --zone= option is given |
--remove-source=<CIDR> [--zone=<ZONE>] | Remove the rule that routes traffic from the IP address or network <CIDR> to the specified zone. The default zone is used if no --zone= option is given |
--get-services | List all predefined services |
--add-service=<SERVICE> [--zone=<ZONE>] | Allow traffic to <SERVICE>. The default zone is used if no --zone= option is given |
--remove-service=<SERVICE> [--zone=<ZONE>] | Remove <SERVICE> from the allowed list of the zone. The default zone is used if no --zone= option is given |
--add-port=<PORT/PROTOCOL> [--zone=<ZONE>] | Allow traffic to the <PORT/PROTOCOL> port(s). The default zone is used if no --zone= option is given |
--remove-port=<PORT/PROTOCOL> [--zone=<ZONE>] | Remove the <PORT/PROTOCOL> port(s) from the allowed list of the zone. The default zone is used if no --zone= option is given |
--reload | Drop the runtime configuration and apply the persistent configuration |
Understanding Network Zones
Firewalls can separate networks into different zones based on the level of trust the user has decided to place in each of them. Firewalld ships with a number of predefined zones, each with its intended usage. The table below explains them:
Zone | Default Configuration |
---|---|
trusted | Allows all incoming traffic |
home | Rejects incoming traffic unless it matches the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services or is related to outgoing traffic |
public | Rejects incoming traffic unless it matches the ssh or dhcpv6-client predefined services or is related to outgoing traffic. This is the default zone for newly added network interfaces |
internal | Same as home: rejects incoming traffic unless it matches the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services or is related to outgoing traffic |
work | Rejects incoming traffic unless it matches the ssh, ipp-client or dhcpv6-client predefined services or is related to outgoing traffic |
dmz | Rejects incoming traffic unless it matches the ssh predefined service or is related to outgoing traffic. Intended for a demilitarized zone: computers that are publicly accessible but have limited access to the internal network |
external | Rejects incoming traffic unless it matches the ssh predefined service or is related to outgoing traffic. Outgoing IPv4 traffic forwarded through this zone is masqueraded so that it appears to originate from the IPv4 address of the outgoing network interface |
block | Rejects all incoming traffic unless it is related to outgoing traffic |
drop | Drops all incoming traffic unless it is related to outgoing traffic; no ICMP error is sent back |
Using firewall-cmd examples
The examples below show how firewall-cmd is used in practice. First verify that firewalld is enabled and running on your system:
systemctl status firewalld.service
If it is not running, start and enable it with:
systemctl start firewalld
systemctl enable firewalld
1. Set the default zone to dmz and verify:
firewall-cmd --set-default-zone=dmz
firewall-cmd --get-default-zone
2. Assign all traffic coming from the 192.168.100.0/24 network to the trusted zone and verify:
firewall-cmd --permanent --zone=trusted --add-source=192.168.100.0/24
firewall-cmd --reload
firewall-cmd --list-all --zone=trusted
firewall-cmd --get-active-zones
3. Open http and https traffic for the internal zone:
firewall-cmd --permanent --add-service={http,https} --zone=internal
firewall-cmd --reload
firewall-cmd --list-services --zone=internal
To remove a service from the permanent configuration of a zone:
firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
4. Move the eth0 interface to the internal zone for the current session only (a runtime change):
firewall-cmd --zone=internal --change-interface=eth0
5. Add the eth1 interface to the home zone:
firewall-cmd --zone=home --add-interface=eth1
Other options for interface management:
Query whether an interface is in a zone:
firewall-cmd [--zone=<zone>] --query-interface=<interface>
Remove an interface from a zone:
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
6. Enable masquerading in the home zone:
firewall-cmd --zone=home --add-masquerade
Disable masquerading in a zone:
firewall-cmd [--zone=<zone>] --remove-masquerade
Query masquerading in a zone:
firewall-cmd [--zone=<zone>] --query-masquerade
Disable masquerading permanently in a zone:
firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
7. Permanently open port 3306/tcp for MySQL in the home zone:
firewall-cmd --permanent --zone=home --add-port=3306/tcp
Disable a port and protocol combination permanently in a zone:
firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
8. Block echo-reply ICMP messages in the public zone:
firewall-cmd --zone=public --add-icmp-block=echo-reply
9. Forward ssh (port 22/tcp) arriving in the internal zone to host 192.168.10.5. Forwarding to another host requires masquerading to be enabled in that zone:
firewall-cmd --zone=internal --add-forward-port=port=22:proto=tcp:toaddr=192.168.10.5
References
- Man pages:
man firewall-cmd
man firewalld
man firewalld.zones
man firewalld.zone
man firewall-config