Presentation
Firewalld is the new userland interface in RHEL 7. It replaces the iptables interface and connects to the netfilter kernel code. It mainly improves firewall rule management by allowing configuration changes without stopping the current connections.
The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly.
Comparison of firewalld to system-config-firewall and iptables
The essential differences between firewalld and the iptables service are:
- The iptables service stores configuration in /etc/sysconfig/iptables while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
- With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no re-creating of all the rules; only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
Both use the iptables tool to talk to the kernel packet filter.
Figure 4.1. The Firewall Stack
Understanding Network Zones
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool, which can open the relevant NetworkManager window for you.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
drop
- Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
block
- Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
- For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
- For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
- For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
- For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
- For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
- For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
- All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. However, a review of the default configuration settings should be made and unnecessary services disabled according to your needs and risk assessments.
A service can be a list of local ports and destinations as well as a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Using the predefined services, or custom defined services, as opposed to opening ports or ranges of ports may make administration easier. Service configuration options and generic file information are described in the firewalld.service(5) man page. The services are specified by means of individual XML configuration files which are named in the following format: service-name.xml.
To view the list of services using the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password. You can now view the list of services under the Services tab.
To list the default predefined services available using the command line, issue the following command as root:
~]# ls /usr/lib/firewalld/services/
Files in /usr/lib/firewalld/services/ must not be edited. Only the files in /etc/firewalld/services/ should be edited.
To list the system or user created services, issue the following command as root:
~]# ls /etc/firewalld/services/
Services can be added and removed using the graphical firewall-config tool and by editing the XML files in /etc/firewalld/services/. If a service has not been added or changed by the user, then no corresponding XML file will be found in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you wish to add or change a service. As root, issue a command in the following format:
~]# cp /usr/lib/firewalld/services/[service].xml /etc/firewalld/services/[service].xml
You may then edit the newly created file. firewalld will prefer files in /etc/firewalld/services/ but will fall back to /usr/lib/firewalld/services/ should a file be deleted, but only after a reload.
firewalld has a so-called “direct interface”, which enables directly passing rules to iptables, ip6tables and ebtables. It is intended for use by applications and not users. It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall. firewalld still tracks what has been added, so it is still possible to query firewalld and see the changes made by an application using the direct interface mode. The direct interface is used by adding the --direct option to the firewall-cmd command.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. If the rules are not made permanent then they need to be applied every time after receiving the start, restart or reload message from firewalld using D-BUS.
In Red Hat Enterprise Linux 7, firewalld and the graphical user interface configuration tool firewall-config are installed by default. This can be checked by running the following command as root:
~]# yum install firewalld firewall-config
To disable firewalld, run the following commands as root:
~]# systemctl disable firewalld
~]# systemctl stop firewalld
To use the iptables and ip6tables services instead of firewalld, first disable firewalld by running the following commands as root:
~]# systemctl disable firewalld
~]# systemctl stop firewalld
Then install the iptables-services package by entering the following command as root:
~]# yum install iptables-services
The iptables-services package contains the iptables service and the ip6tables service.
Then, to start the iptables and ip6tables services, run the following commands as root:
~]# systemctl start iptables
~]# systemctl start ip6tables
~]# systemctl enable iptables
~]# systemctl enable ip6tables
To start firewalld, enter the following command as root:
~]# systemctl start firewalld
To check if firewalld is running, enter the following command:
~]$ systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2013-04-06 22:56:59 CEST; 2 days ago
 Main PID: 688 (firewalld)
   CGroup: name=systemd:/system/firewalld.service
In addition, check if firewall-cmd can connect to the daemon by entering the following command:
~]$ firewall-cmd --state
running
To install firewalld, run the following command as root:
~]# yum install firewalld
To install the graphical user interface tool firewall-config, run the following command as root:
~]# yum install firewall-config
The firewall can be configured using the graphical user interface tool firewall-config, using the command line interface tool firewall-cmd and by editing XML configuration files. These methods will be described in order.
To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
To start the graphical firewall configuration tool using the command line, enter the following command as root user:
~]# firewall-config
The Firewall Configuration window opens. Note, this command can be run as a normal user but you will then be prompted for an administrator password from time to time.
Look for the word “Connected” in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld. Note that the ICMP Types, Direct Configuration, and Lockdown Whitelist tabs are only visible after being selected from the View drop-down menu.
To immediately change the current firewall settings, ensure the current view is set to Runtime. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent from the drop-down list.
NOTE
When making changes to the firewall settings in Runtime mode, your selection takes immediate effect when you set or clear the check box associated with the service. You should keep this in mind when working on a system that may be in use by other users.
When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts. You can use the reload icon below the File menu, or click the Options menu and select Reload Firewall.
You can select zones in the left hand side column. You will notice the zones have some services enabled; you may need to resize the window or scroll to see the full list. You can customize the settings by selecting and deselecting a service.
To add or reassign an interface of a connection to a zone, start firewall-config, select Options from the menu bar, then select Change Zones of Connections from the drop-down menu; the Connections list is displayed. Select the connection to be reassigned. The Select Zone for Connection window appears. Select the new firewall zone from the drop-down menu and click OK.
To set the default zone that new interfaces will be assigned to, start firewall-config, select Options from the menu bar, then select Change Default Zone from the drop-down menu. The Default Zone window appears. Select the zone from the list that you want to be used as the default zone and click OK.
To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.
To edit a service, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons and menu buttons appear at the bottom of the window. Select the service you wish to configure.
The Ports and Protocols tab enables adding, changing, and removing of ports and protocols for the selected service. The Modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).
To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and then click the button on the right hand side. The Port and Protocol window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.
To translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address.
To forward inbound network traffic, or “packets”, for a specific port to an internal address or alternative port, first enable IP address masquerading, then select the Port Forwarding tab.
Select the protocol of the incoming traffic and the port or range of ports on the upper section of the window. The lower section is for setting details about the destination.
To forward traffic to a local port, that is to say to a port on the same system, select the Local forwarding check box. Enter the local port or range of ports for the traffic to be sent to.
To forward traffic to another IPv4 address, select the Forward to another port check box. Enter the destination IP address and port or port range. The default is to send to the same port if the port field is left empty. Click OK to apply the changes.
To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To edit an ICMP type, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons appear at the bottom of the window.
The command line tool firewall-cmd is part of the firewalld application which is installed by default. You can verify that it is installed by checking the version or displaying the help output. Enter the following command to check the version:
~]$ firewall-cmd --version
Enter the following command to view the help output:
~]$ firewall-cmd --help
We list a selection of commands below; for a full list please see the man page, man firewall-cmd(1).
NOTE
In order to make a command permanent or persistent, add the --permanent option to all commands apart from the --direct commands (which are by their nature temporary). Note that this not only means the change will be permanent but that the change will only take effect after firewall reload, service restart, or after system reboot. Settings made with firewall-cmd without the --permanent option take effect immediately, but are only valid till the next firewall reload, system boot, or firewalld service restart. Reloading the firewall does not in itself break connections, but be aware you are discarding temporary changes by doing so.
To get a text display of the state of firewalld, enter the following command:
~]$ firewall-cmd --state
To view the list of active zones, with a list of the interfaces currently assigned to them, enter the following command:
~]$ firewall-cmd --get-active-zones
public: em1 wlan0
To find out the zone that an interface, for example em1, is currently assigned to, enter the following command:
~]$ firewall-cmd --get-zone-of-interface=em1
public
To find out all the interfaces assigned to a zone, for example the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-interfaces
em1 wlan0
This information is obtained from NetworkManager and only shows interfaces, not connections.
To find out all the settings of a zone, for example the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-all
public
  interfaces:
  services: mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks: source-quench
To view the list of services currently supported, enter the following command as root:
~]# firewall-cmd --get-service
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https ntp vnc-server telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
This will list the names of the services in /usr/lib/firewalld/services/. Note that the configuration files themselves are named service-name.xml.
To view the services that will be available after the next firewall reload, enter the following command as root:
~]# firewall-cmd --get-service --permanent
To start dropping all incoming and outgoing packets, enter the following command as root:
~]# firewall-cmd --panic-on
All incoming and outgoing packets will be dropped. Active connections will be terminated after a period of inactivity; the time taken depends on the individual session time out values.
To start passing incoming and outgoing packets again, enter the following command as root:
~]# firewall-cmd --panic-off
After disabling panic mode, established connections might work again if panic mode was enabled for a short period of time.
To find out if panic mode is enabled or disabled, enter the following command:
~]$ firewall-cmd --query-panic
Prints yes with exit status 0 if enabled, prints no with exit status 1 otherwise.
To reload the firewall without interrupting user connections, that is to say, without losing state information, enter the following command as root:
~]# firewall-cmd --reload
To reload the firewall and interrupt user connections, that is to say, to discard state information, enter the following command as root:
~]# firewall-cmd --complete-reload
This command should normally only be used in case of severe firewall problems. For example, if there are state information problems and no connection can be established but the firewall rules are correct.
To add an interface to a zone, for example to add em1 to the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --add-interface=em1
To make this setting permanent, add the --permanent option and reload the firewall.
To add an interface to a zone by editing the ifcfg-em1 configuration file, for example to add em1 to the work zone, as root use an editor to add the following line to ifcfg-em1:
ZONE=work
Note that if you omit the ZONE option, or use ZONE=, or ZONE='', then the default zone will be used.
NetworkManager will automatically reconnect and the zone will be set accordingly.
To change the default zone in the configuration file, as root, open /etc/firewalld/firewalld.conf and edit the file as follows:
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Reload the firewall by entering the following command as root:
~]# firewall-cmd --reload
This will reload the firewall without losing state information (TCP sessions will not be interrupted).
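As an added example (not from the original page or from firewalld itself), the following Python resolves which zone an interface lands in from the ZONE= setting in its ifcfg file and the DefaultZone in firewalld.conf, covering the omitted, ZONE= and ZONE='' cases described above. The two sample files are constructed, and the accepted zone names are assumed to be the nine preset zones listed earlier.

```python
"""Resolve the firewalld zone of an interface from ifcfg and firewalld.conf.

Added example; it only parses text and never talks to NetworkManager or
firewalld. Both sample files below are constructed, not copied from a host.
"""

# Constructed firewalld.conf fragment, in the layout shown in the text.
FIREWALLD_CONF = """# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
"""

# Constructed ifcfg-em1 with an explicit zone.
IFCFG_EM1 = """DEVICE=em1
BOOTPROTO=dhcp
ONBOOT=yes
ZONE=work
"""

# Assumption: only the preset zones from the text are accepted here.
KNOWN_ZONES = {"drop", "block", "public", "external", "dmz",
               "work", "home", "internal", "trusted"}


def parse_key_values(text):
    """Parse KEY=VALUE lines; skip blanks and comments; strip matching quotes."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        # ZONE='' and ZONE="" both mean an empty zone string.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        result[key.strip()] = value
    return result


def default_zone(conf_text):
    """DefaultZone from firewalld.conf; the file's own comment says the
    built-in default is public when the key is absent."""
    return parse_key_values(conf_text).get("DefaultZone", "public")


def zone_for_interface(ifcfg_text, conf_text):
    """Zone an interface is assigned to, per the text's rules:
    an omitted ZONE, ZONE= or ZONE='' all fall back to the default zone."""
    zone = parse_key_values(ifcfg_text).get("ZONE", "")
    if zone == "":
        zone = default_zone(conf_text)
    if zone not in KNOWN_ZONES:
        raise ValueError("unknown zone %r" % zone)
    return zone


if __name__ == "__main__":
    print("em1 ->", zone_for_interface(IFCFG_EM1, FIREWALLD_CONF))
    print("no ZONE ->", zone_for_interface("DEVICE=em1\n", FIREWALLD_CONF))
```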
To set the default zone, for example to public, enter the following command as root:
~]# firewall-cmd --set-default-zone=public
This change will take immediate effect and in this case it is not necessary to reload the firewall.
List all open ports for a zone, for example dmz, by entering the following command as root:
~]# firewall-cmd --zone=dmz --list-ports
To add a port to a zone, for example to allow TCP traffic to port 8080 in the dmz zone, enter the following command as root:
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this setting permanent, add the --permanent option and reload the firewall.
To add a range of ports to a zone, for example to allow UDP traffic to ports 5060 to 5061 in the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this setting permanent, add the --permanent option and reload the firewall.
To add a service to a zone, for example to allow SMTP in the work zone, enter the following command as root:
~]# firewall-cmd --zone=work --add-service=smtp
To make this setting permanent, add the --permanent option and reload the firewall.
To remove a service from a zone, for example to remove SMTP from the work zone, enter the following command as root:
~]# firewall-cmd --zone=work --remove-service=smtp
Add the --permanent option to make the change persist after system boot. If using this option and you wish to make the change immediate, reload the firewall by entering the following command as root:
~]# firewall-cmd --reload
Note, this will not break established connections. If that is your intention, you could use the --complete-reload option, but this will break all established connections, not just those for the service you have removed.
To view the default zone files, enter the following command as root:
~]# ls /usr/lib/firewalld/zones/
block.xml drop.xml home.xml public.xml work.xml
dmz.xml external.xml internal.xml trusted.xml
These files must not be edited. They are used by default if no equivalent file exists in the /etc/firewalld/zones/ directory.
To view the zone files that have been changed from the default, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml public.xml public.xml.old
In the example shown above, the work zone file does not exist. To add the work zone file, enter the following command as root:
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now edit the file in the /etc/firewalld/zones/ directory. If you delete the file, firewalld will fall back to using the default file in /usr/lib/firewalld/zones/.
To add a service to a zone, for example to allow SMTP in the work zone, use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file to include the following line:
<service name="smtp"/>
An editor running with root privileges is required to edit the XML zone files. To view the files for previously configured zones, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml public.xml work.xml
To remove a service from a zone, for example to remove SMTP from the work zone, use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file to remove the following line:
<service name="smtp"/>
If no other changes have been made to the work.xml file, it can be removed and firewalld will use the default /usr/lib/firewalld/zones/work.xml configuration file after the next reload or system boot.
To check if IP masquerading is enabled, for example for the external zone, enter the following command as root:
~]# firewall-cmd --zone=external --query-masquerade
Prints yes with exit status 0 if enabled, prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.
To enable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To make this setting permanent, add the --permanent option and reload the firewall.
To disable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --remove-masquerade
To make this setting permanent, add the --permanent option and reload the firewall.
To forward inbound network packets from one port to an alternative port or address, first enable IP address masquerading for a zone, for example external, by entering the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To forward packets to a local port, that is to say to a port on the same system, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
In this example, the packets intended for port 22 are now forwarded to port 3753. The original destination port is specified with the port option. This option can be a port, or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new local port, the port or range of ports to which the traffic is being forwarded, is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.
To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to the same port at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port, or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is being forwarded, is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.
To forward packets to another port at another IPv4 address, usually an internal address, enter the following command as root:
~]# firewall-cmd --zone=external \
--add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port, or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is being forwarded, is specified with the toport option. To make this setting permanent, add the --permanent option and reload the firewall.
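As an added example (not from the original page or from firewalld), the following Python parses the port=...:proto=...:toport=...:toaddr=... spec used by --add-forward-port in the three commands above, validates it the way the text describes (proto must be tcp or udp; toport and/or toaddr must be given), and renders the equivalent <forward-port> element of a zone XML file. The attribute names port, protocol, to-port and to-addr are assumed from the firewalld.zone(5) format; the check that forwarding to another address needs masquerading follows the text's instruction to enable it first.

```python
"""Validate --add-forward-port specs and render the zone XML equivalent.

Added example; it only manipulates strings and does not talk to firewalld.
"""
import ipaddress
import xml.etree.ElementTree as ET

ALLOWED_KEYS = ("port", "proto", "toport", "toaddr")


def check_port_spec(spec):
    """Accept a single port 'N' or a range 'N-M' within 1..65535."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError("bad port or port range: %r" % spec)
    nums = [int(p) for p in parts]
    if any(n < 1 or n > 65535 for n in nums) or nums != sorted(nums):
        raise ValueError("port out of range or reversed: %r" % spec)
    return spec


def parse_forward_port(spec):
    """Turn 'port=22:proto=tcp:toport=2055:toaddr=192.0.2.55' into a dict.

    Rules as the text states them: port and proto are mandatory, proto is
    tcp or udp, and at least one of toport / toaddr must be present.
    """
    fields = {}
    for item in spec.split(":"):
        if "=" not in item:
            raise ValueError("expected key=value, got %r" % item)
        key, value = item.split("=", 1)
        if key not in ALLOWED_KEYS:
            raise ValueError("unknown key %r" % key)
        if key in fields:
            raise ValueError("duplicate key %r" % key)
        fields[key] = value
    if "port" not in fields or "proto" not in fields:
        raise ValueError("port= and proto= are required")
    if fields["proto"] not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    check_port_spec(fields["port"])
    if "toport" in fields:
        check_port_spec(fields["toport"])
    if "toaddr" in fields:
        # Raises ValueError on anything that is not a valid IPv4 address.
        ipaddress.IPv4Address(fields["toaddr"])
    if "toport" not in fields and "toaddr" not in fields:
        raise ValueError("need toport=, toaddr= or both")
    return fields


def forward_port_xml(fields):
    """Render the <forward-port/> element a zone XML file would carry
    (attribute names assumed from firewalld.zone(5))."""
    attrs = {"port": fields["port"], "protocol": fields["proto"]}
    if "toport" in fields:
        attrs["to-port"] = fields["toport"]
    if "toaddr" in fields:
        attrs["to-addr"] = fields["toaddr"]
    return ET.tostring(ET.Element("forward-port", attrs), encoding="unicode")


def needs_masquerade(fields):
    """Forwarding off-host (toaddr=) relies on masquerading being enabled
    for the zone, which is why the text enables it before forwarding."""
    return "toaddr" in fields


if __name__ == "__main__":
    for spec in ("port=22:proto=tcp:toport=3753",
                 "port=22:proto=tcp:toaddr=192.0.2.55",
                 "port=22:proto=tcp:toport=2055:toaddr=192.0.2.55"):
        f = parse_forward_port(spec)
        print(forward_port_xml(f), "masquerade needed:", needs_masquerade(f))
```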
The configuration settings for firewalld are stored in XML files in the /etc/firewalld/ directory. Do not edit the files in the /usr/lib/firewalld/ directory; they are for the default settings. You will need root user permissions to view and edit the XML files. The XML files are explained in three man pages:
firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
firewalld.service(5) man page — Describes XML configuration files for firewalld service.
firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
The XML files can be created and edited directly or created indirectly using the graphical and command line tools. Organizations can distribute them in RPM files which can make management and version control easier. Tools such as Puppet can distribute such configuration files.
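As an added example (not from the original page or from firewalld), the following Python edits a zone XML file the way the work.xml steps above do (adding and removing a <service name="smtp"/> line) and then audits the result for settings a reviewer would question before distributing the file. The sample zone is constructed after the layout of a default zone file; the element names service, port, masquerade and forward-port and the target attribute are assumed from the firewalld.zone(5) format.

```python
"""Edit and audit firewalld zone XML files offline.

Added example, not part of firewalld. The sample zone below is constructed
after the layout of the default work.xml and is not a copy of a real file.
"""
import xml.etree.ElementTree as ET

SAMPLE_WORK_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""

# Services from the page's --get-service list that move data in clear text.
CLEARTEXT_SERVICES = {"telnet", "tftp", "ftp"}


def parse_zone(xml_text):
    return ET.fromstring(xml_text)


def list_services(zone):
    return [s.get("name") for s in zone.findall("service")]


def add_service(zone, name):
    """Append <service name="..."/> unless already present; True if added."""
    if name in list_services(zone):
        return False
    ET.SubElement(zone, "service", name=name)
    return True


def remove_service(zone, name):
    """Drop every <service name="..."/> with that name; True if any removed."""
    victims = [s for s in zone.findall("service") if s.get("name") == name]
    for s in victims:
        zone.remove(s)
    return bool(victims)


def to_xml(zone):
    return ET.tostring(zone, encoding="unicode")


def audit_zone(zone, zone_name):
    """Findings a reviewer of /etc/firewalld/zones/<zone_name>.xml would raise."""
    findings = []
    if zone.get("target") == "ACCEPT":
        findings.append("zone target ACCEPT admits all traffic")
    masq = zone.find("masquerade") is not None
    if masq and zone_name != "external":
        findings.append("masquerading enabled outside the external zone")
    for fp in zone.findall("forward-port"):
        if fp.get("to-addr") and not masq:
            findings.append("forward-port to %s without masquerade" % fp.get("to-addr"))
    for p in zone.findall("port"):
        lo, _, hi = p.get("port", "").partition("-")
        if hi.isdigit() and lo.isdigit() and int(hi) - int(lo) >= 1024:
            findings.append("wide port range %s/%s" % (p.get("port"), p.get("protocol")))
    for svc in list_services(zone):
        if svc in CLEARTEXT_SERVICES:
            findings.append("clear-text service %s is open" % svc)
    return findings


if __name__ == "__main__":
    z = parse_zone(SAMPLE_WORK_ZONE)
    add_service(z, "smtp")
    print(to_xml(z))
    print(audit_zone(z, "work"))
```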
It is possible to add and remove chains during runtime by using the --direct option with the firewall-cmd tool. A few examples are presented here; please see the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.
To add a custom rule to the chain “IN_public_allow”, issue a command as root in the following format:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option if you want to make it persistent.
To remove a custom rule from the chain “IN_public_allow”, issue a command as root in the following format:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option if you want to make it persistent.