Useful ‘FirewallD’ Rules to Configure and Manage Firewall in Linux

Firewalld provides a way to configure dynamic firewall rules in Linux that
are applied instantly, without restarting the firewall. It also supports
D-Bus and the concept of zones, which makes configuration easier.

Useful Firewalld Rules to Manage Linux Firewall


Firewalld replaced the old firewall mechanism in Fedora (from Fedora 18
onwards), and RHEL/CentOS 7 and other recent distributions rely on this new
mechanism. One of the main motives for introducing the new firewall system
is that the old firewall needed a restart after every change, which broke
all active connections. As mentioned above, firewalld supports dynamic
zones, which are useful for configuring different sets of zones and rules
for your office or home network from the command line or through a GUI.
Initially the firewalld concept looks hard to configure, but services and
zones make it easier by keeping both together, as covered in this article.
In our earlier article we saw how to work with firewalld and its zones;
here we will look at some useful firewalld rules to configure your current
Linux systems from the command line.

1. Firewalld Configuration in RHEL/CentOS 7

All the examples covered in this article were tested on the CentOS 7
distribution and also work on RHEL and Fedora. Before implementing
firewalld rules, first check whether the firewalld service is enabled and
running.

# systemctl status firewalld

Firewalld Status Check


The output above shows that firewalld is active and running. Now check all
the active zones and the available services.

# firewall-cmd --get-active-zones
# firewall-cmd --get-services

Check Firewalld Zones and Services


If you are not familiar with the command line, you can also manage
firewalld from the GUI. For this you need the GUI package installed on the
system; if it is not, install it with the following command.

# yum install firewalld firewall-config

As said above, this article is written for command-line lovers, and all the
examples we cover are command-line only, with no GUI. Before moving
further, confirm which zone you are going to configure (here the public
zone) and list all active services, ports and rich rules for it with the
following command.

# firewall-cmd --zone=public --list-all

Check Firewalld Public Zones


In the output above, no rules have been added yet. Let's see how to add,
remove and modify rules in the remaining part of this article.

1. Adding and Removing Ports in Firewalld

To open a port in the public zone, use the following command. For example,
the following command opens port 80/tcp in the public zone.

# firewall-cmd --permanent --zone=public --add-port=80/tcp

Similarly, to remove an added port, use the '--remove-port' option with
firewall-cmd as shown below.

# firewall-cmd --zone=public --remove-port=80/tcp

After adding or removing a port, confirm the change with the '--list-ports'
option.

# firewall-cmd --zone=public --list-ports

Add Port in Firewalld


2. Adding and Removing Services in Firewalld

By default firewalld comes with pre-defined services. If you want to add a
list of specific services, you need to create a new XML file with all the
services included, or you can add or remove each service manually with the
following commands. For example, the following commands add and remove a
specific service, FTP in this example, and then list the enabled services.

# firewall-cmd --zone=public --add-service=ftp
# firewall-cmd --zone=public --remove-service=ftp
# firewall-cmd --zone=public --list-services

Add Services in Firewalld

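The port and service commands above change either the runtime or the permanent configuration depending on whether --permanent is given: a rule added with --permanent alone is not active until firewall-cmd --reload, and a runtime-only rule disappears at the next reload or reboot, which is why --list-ports can disagree with what you just added. The following POSIX sh helper is an added example, not code from the original article or from the firewalld project: it checks that firewalld is running (the preflight from section 1), validates the input, applies an add or remove to both the runtime and the permanent configuration of a zone, and verifies the result with --query-port / --query-service. The script name, the FIREWALL_CMD and ZONE variables and the firewall_rule function are this example's own conventions; the firewall-cmd options it uses (--state, --get-services, --add-port, --remove-port, --add-service, --remove-service, --query-port, --query-service, --permanent, --zone) are real ones.

```shell
#!/bin/sh
# fw-rule.sh (hypothetical helper; added example, not from the article or
# the firewalld project). Apply a port or service change to both the runtime
# and the permanent configuration of a firewalld zone and verify it.
# Assumes firewall-cmd is on PATH and the script runs as root.
# FIREWALL_CMD and ZONE can be overridden from the environment (FIREWALL_CMD
# may point at a stub function for offline testing).
set -eu

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}
ZONE=${ZONE:-public}

# ensure_running: fail early if firewalld itself is not up (--state exits
# non-zero when it is not running).
ensure_running() {
    "$FIREWALL_CMD" --state >/dev/null 2>&1 || {
        echo "firewalld is not running" >&2
        return 1
    }
}

# valid_port_spec PORT/PROTO: 0 if PORT is 1-65535 and PROTO is one
# firewalld accepts (tcp, udp, sctp, dccp).
valid_port_spec() {
    case $1 in */*) ;; *) return 1 ;; esac
    port=${1%%/*}
    proto=${1#*/}
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# known_service NAME: 0 if NAME is one of firewalld's pre-defined services
# (--get-services prints them space-separated on one line).
known_service() {
    case " $("$FIREWALL_CMD" --get-services) " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# firewall_rule add|remove port|service VALUE
# Applies the change to the runtime config (effective now, lost on reload)
# and to the permanent config (kept across reload/reboot, otherwise inactive
# until --reload), then prints "present" or "absent" for the runtime zone.
firewall_rule() {
    action=$1 kind=$2 value=$3
    case $action in
        add|remove) ;;
        *) echo "action must be add or remove" >&2; return 2 ;;
    esac
    case $kind in
        port) valid_port_spec "$value" || { echo "invalid port spec: $value" >&2; return 2; } ;;
        service) known_service "$value" || { echo "unknown service: $value" >&2; return 2; } ;;
        *) echo "kind must be port or service" >&2; return 2 ;;
    esac
    ensure_running || return 1
    "$FIREWALL_CMD" --zone="$ZONE" "--$action-$kind=$value" >/dev/null
    "$FIREWALL_CMD" --permanent --zone="$ZONE" "--$action-$kind=$value" >/dev/null
    if "$FIREWALL_CMD" --zone="$ZONE" "--query-$kind=$value" >/dev/null 2>&1; then
        echo present
    else
        echo absent
    fi
}

if [ $# -eq 3 ]; then
    firewall_rule "$1" "$2" "$3"
else
    echo "usage: $0 add|remove port|service VALUE   e.g. $0 add port 80/tcp" >&2
fi
```

Run it as `sh fw-rule.sh add port 80/tcp` or `sh fw-rule.sh remove service ftp`; it prints `present` or `absent` according to the runtime zone after the change. Applying the change to both configurations in one step is the design choice here: it avoids the common mistake of adding a permanent rule and then wondering why --list-ports does not show it.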

3. Block Incoming and Outgoing Packets (Panic Mode)

If you wish to block all incoming and outgoing connections, use panic mode
('--panic-on'). For example, the following rule drops every packet,
including any existing established connection on the system.

# firewall-cmd --panic-on

After enabling panic mode, try to ping a domain (say google.com) and check
whether panic mode is on with the '--query-panic' option, as shown below.

# ping google.com -c 1
# firewall-cmd --query-panic

Block Incoming Connections in Firewalld


As the output above shows, while panic mode is on the ping fails with
“Unknown host google.com”. Now disable panic mode, then ping and check
again.

# firewall-cmd --query-panic
# firewall-cmd --panic-off
# ping google.com -c 1

Disable Panic Mode in Firewalld


This time the ping to google.com gets a reply.
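Panic mode drops every packet in both directions, including the SSH session you enabled it from, so on a remote host a --panic-on without a planned --panic-off is a quick way to lock yourself out. The following POSIX sh helper is an added example, not code from the original article or the firewalld project: it enables panic mode for a bounded number of seconds and lifts it again afterwards, also when the operator presses Ctrl-C, and ignores SIGHUP so the release still runs if the terminal is lost. The panic_for, panic_state and valid_seconds function names and the FIREWALL_CMD variable are this example's own conventions; --panic-on, --panic-off and --query-panic are the real firewall-cmd options.

```shell
#!/bin/sh
# fw-panic.sh (hypothetical helper; added example, not from the article or
# the firewalld project). Hold firewalld in panic mode for N seconds, then
# release it, so that a test of "block everything" cannot turn into a
# permanent lockout of a remote host.
# Assumes firewall-cmd is on PATH and the script runs as root; FIREWALL_CMD
# can be overridden (for example with a stub function when testing offline).
set -eu

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# panic_state: prints "on" or "off" from --query-panic's exit status
# (firewall-cmd exits 0 when panic mode is enabled, non-zero otherwise).
panic_state() {
    if "$FIREWALL_CMD" --query-panic >/dev/null 2>&1; then
        echo on
    else
        echo off
    fi
}

# valid_seconds N: 0 if N is a positive integer.
valid_seconds() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 0 ]
}

# panic_for N: enable panic mode, wait N seconds, disable it. Prints the
# state observed while active and after release, e.g. "on off".
panic_for() {
    secs=$1
    valid_seconds "$secs" || { echo "seconds must be a positive integer" >&2; return 2; }
    # Release panic mode even if the operator interrupts the wait, and do not
    # die on SIGHUP: panic mode will drop the SSH session this runs from.
    trap '"$FIREWALL_CMD" --panic-off >/dev/null 2>&1; trap - INT TERM HUP; exit 130' INT TERM
    trap '' HUP
    "$FIREWALL_CMD" --panic-on >/dev/null
    during=$(panic_state)
    sleep "$secs"
    # Release before printing anything: if the terminal is already gone, a
    # failed write must not prevent --panic-off from running.
    "$FIREWALL_CMD" --panic-off >/dev/null
    trap - INT TERM HUP
    after=$(panic_state)
    echo "$during $after"
}

if [ $# -eq 1 ]; then
    panic_for "$1"
else
    echo "usage: $0 SECONDS" >&2
fi
```

Run it as `sh fw-panic.sh 30` to block all traffic for 30 seconds; it prints `on off` once panic mode has been released again. If you really need an open-ended panic mode, run --panic-on from the console rather than over SSH.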
