DEV Community

SAHIL

Firewalld: The Modern Firewall Manager

Understanding the firewall-cmd Command and Firewalld
The firewall-cmd command is the primary command-line tool for managing the firewalld daemon, a dynamic firewall management tool in Linux. It allows you to configure firewall rules without restarting the service, which is a major advantage over static firewall systems like iptables.

Key Concepts
Zones: Firewalld uses the concept of zones to manage different network environments. A zone is a predefined set of rules that determines what traffic is allowed. You can assign network interfaces to specific zones. Common zones include:

public: For untrusted networks, like the internet.

trusted: For all network connections; all traffic is accepted.

home: For trusted networks; allows incoming traffic related to home services.

internal: For internal networks.

Services: A service is a predefined set of rules for a specific application or protocol, like HTTP, SSH, or FTP. Using services simplifies firewall management as you don't need to remember specific port numbers.

Permanent vs. Runtime: Changes made with firewall-cmd are runtime by default (active immediately, but lost on reboot or on the next reload). Adding the --permanent flag saves the change to the configuration files instead; a permanent change does not take effect in the running firewall until you run firewall-cmd --reload or reboot.

firewall-cmd Command Options
Here are some of the most common and useful firewall-cmd options:

General Commands
--state: Checks the status of the firewalld daemon.

--reload: Reloads the firewall rules from the permanent configuration. This is crucial for applying permanent changes without a reboot.

Zone Management
--get-active-zones: Lists all active zones and the interfaces assigned to them.

--get-default-zone: Displays the current default zone.

--set-default-zone=<zone>: Sets a new default zone.

--get-zones: Lists all available zones.

--list-all-zones: Lists all information for all zones.

--zone=<zone> --list-all: Lists all rules, services, ports, and other information for a specific zone.

Service Management
--zone=<zone> --add-service=<service>: Adds a predefined service to a zone.

--zone=<zone> --remove-service=<service>: Removes a service from a zone.

--get-services: Lists all available predefined services.

Port Management
--zone=<zone> --add-port=<port>/<protocol>: Adds a specific port and protocol to a zone. For example, --add-port=8080/tcp.

--zone=<zone> --remove-port=<port>/<protocol>: Removes a port from a zone.

Rich Rules
Rich rules provide more detailed and specific control than simple port or service rules. They can be used for things like source IP filtering, logging, and more complex traffic forwarding.

--add-rich-rule='rule ...': Adds a rich rule.

--remove-rich-rule='rule ...': Removes a rich rule.

Masquerading and Port Forwarding
Masquerading (a form of Network Address Translation, NAT) allows a computer to act as a gateway for other devices on a private network, sharing its internet connection by rewriting their source addresses to its own.

--zone=<zone> --add-masquerade: Enables masquerading for a zone.

--zone=<zone> --add-forward-port=port=<port>:proto=<protocol>:toport=<port>:toaddr=<address>: Forwards traffic arriving on one port to another port, to a different IP address, or both. toport and toaddr are each optional, but at least one must be given, and forwarding to another host requires masquerading to be enabled in that zone.

Firewalld Configuration Files
Firewalld uses two main locations for its configuration files: runtime and permanent.

Runtime Configuration:

/run/firewalld/: This directory contains the temporary runtime configurations. Any changes made without the --permanent flag are stored here. These files are typically created and managed by the firewalld service and are not meant for direct user editing.

Permanent Configuration:

/usr/lib/firewalld/: This directory holds the default or system-provided configuration files, including pre-defined zones and services. You should not edit these files directly.

/etc/firewalld/: This is the primary location for user-created and modified permanent configurations. When you use the --permanent flag with firewall-cmd, the changes are saved in this directory. The files in /etc/firewalld/ override the default files in /usr/lib/firewalld/.

Key Configuration Files
/etc/firewalld/firewalld.conf: The main firewalld configuration file. It sets the default zone and other global settings.

/etc/firewalld/zones/: This directory contains XML files for each zone (e.g., public.xml, home.xml). These files define the rules for each zone.

/etc/firewalld/services/: This directory contains XML files for user-defined services. You can create a new service file here to define a set of ports and protocols for a new application.

/etc/firewalld/icmptypes/: This directory contains XML files for user-defined ICMP types.
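As an added example (not code from the original post), here is a small POSIX shell helper that writes a custom service definition in the XML layout firewalld expects under the services/ directory described above. The configuration directory, the service name "myapp" and its ports are assumed values for illustration; on a real host the directory would be /etc/firewalld.

```shell
#!/bin/sh
# Added example: write a custom firewalld service definition to
# <confdir>/services/<name>.xml (the layout of /etc/firewalld/services/).
# The service name and ports passed in are assumed/constructed values.
set -eu

# write_service <confdir> <name> <description> <port/proto>...
# Prints the path of the file it wrote.
write_service() {
    confdir=$1; name=$2; desc=$3; shift 3
    mkdir -p "$confdir/services"
    file="$confdir/services/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            port=${spec%/*}; proto=${spec#*/}
            # firewalld only accepts these protocol values in a <port> entry.
            case $proto in
                tcp|udp|sctp|dccp) ;;
                *) echo "bad port spec: $spec" >&2; return 1 ;;
            esac
            printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}

# count_ports <file>: number of <port> entries, used to verify the result.
count_ports() { grep -c '<port ' "$1"; }

# Typical use on a real host (needs root), followed by the post's commands:
#   write_service /etc/firewalld myapp "My app" 8080/tcp 8443/tcp
#   firewall-cmd --reload                  # makes the new service known
#   firewall-cmd --permanent --zone=public --add-service=myapp
#   firewall-cmd --reload
```

The same definition can also be built without touching the files directly, using firewall-cmd --permanent --new-service=myapp followed by --permanent --service=myapp --add-port=8080/tcp.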

You can block traffic from specific IP addresses using firewall-cmd just like you would with iptables. The most flexible way to do this is by using a rich rule. Rich rules provide more granular control and are the recommended method for complex firewall policies in firewalld.

Blocking a Single IP Address
To block all incoming traffic from a specific IP address (e.g., 192.168.1.100) to your server, use the reject action in a rich rule. This sends an "ICMP host unreachable" message back to the sender, letting them know the connection was refused; if you would rather discard the packets silently, use the drop action instead.

```bash
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" reject'
firewall-cmd --reload
```

--permanent: Makes the rule persistent across reboots.

--add-rich-rule: Tells firewalld to add a new rich rule.

rule family="ipv4": Specifies that this rule applies to IPv4 traffic.

source address="192.168.1.100": The source IP you want to block.

reject: The action to take, which in this case is to reject the connection.

Blocking an IP Address for a Specific Service (e.g., SSH)
To block a specific IP address from accessing a particular service, you can combine the rich rule with the service or port option.

For example, to block an IP (192.168.1.100) from accessing SSH only:

```bash
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" reject'
firewall-cmd --reload
```

Blocking a Subnet
You can also block an entire range of IP addresses (a subnet) by using CIDR notation.

```bash
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" reject'
firewall-cmd --reload
```

This command blocks all traffic from the 192.168.1.x network.

After adding any of these rules, you must run firewall-cmd --reload to apply the changes from the permanent configuration to the running firewall.
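The rich-rule section and the blocking procedure above both build the same kind of rule, so here is one added example (not code from the original post) that generates those rules with a basic shape check on the source address and then verifies whether a rule is actually live in the runtime configuration, which is the step that is missed when --reload is forgotten. The sample --list-rich-rules output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: build the post's rich rules and check whether a rule is
# active by scanning "firewall-cmd --list-rich-rules" output.
set -eu

# is_ipv4_or_cidr <addr>: accept a.b.c.d or a.b.c.d/nn by shape only; this
# keeps stray characters out of the rule text (firewall-cmd validates the rest).
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# block_rule <source> [service]: print a rich rule rejecting all traffic,
# or only the named service, from <source>.
block_rule() {
    is_ipv4_or_cidr "$1" || { echo "invalid IPv4 source: $1" >&2; return 1; }
    if [ $# -ge 2 ]; then
        printf 'rule family="ipv4" source address="%s" service name="%s" reject\n' "$1" "$2"
    else
        printf 'rule family="ipv4" source address="%s" reject\n' "$1"
    fi
}

# rule_active <rule> <list-rich-rules output>: succeed only if the exact rule
# is present in the runtime list. A rule added with --permanent but not
# followed by --reload is NOT listed here, which is what this check catches.
rule_active() {
    printf '%s\n' "$2" | grep -Fxq "$1"
}

# Constructed sample of "firewall-cmd --zone=public --list-rich-rules" on a
# host where only the subnet block has been reloaded into the runtime.
SAMPLE_RUNTIME='rule family="ipv4" source address="192.168.1.0/24" reject'

# Typical use on a real host (needs root):
#   r=$(block_rule 192.168.1.100 ssh)
#   firewall-cmd --permanent --add-rich-rule="$r" && firewall-cmd --reload
#   rule_active "$r" "$(firewall-cmd --list-rich-rules)" || echo "rule not live"
```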

That is how you keep your systems safe from unauthorised access with firewalld.

Thanks for reading.
