Firewalld - How To Manage Fire For The Masses
Oct 24
A note for the RHCSA exam. It's better to restart services than to reload them just to be completely sure that everything survives a reboot.
This "Linux firewall how-to for the masses" is not just for Red Hat/Fedora. It applies to any distro using Firewalld...
The Netfilter framework in the Linux kernel manages firewall operations such as
Packet filtering
Network address translation
Port forwarding
Run cat /etc/services to see a list of ports for common network services.
The configuration directory for firewalld is /etc/firewalld.
Check whether firewalld is running with systemctl status firewalld.service or with firewall-cmd --state.
If it's not running, start and enable it with systemctl enable --now firewalld.service.
Firewalld
Firewalld is a good interface for creating and managing simple firewalls, but the framework behind it is either Netfilter or IPTables (legacy). To check which backend you are using, run grep -i FirewallBackend /etc/firewalld/firewalld.conf.
To see config files for services, check out /usr/lib/firewalld/.
General commands
firewall-cmd --list-all
firewall-cmd --get-services
firewall-cmd --reload
firewall-cmd --add-service=squid --permanent
firewall-cmd --add-port=443/tcp
firewall-cmd --add-service=postgresql
firewall-cmd --remove-service=dhcpv6-client --permanent
firewall-cmd --remove-port=1025-65535/udp --permanent
Remember to use the --permanent switch, otherwise the rule is written only to the runtime configuration and is lost when firewalld or the server restarts! The --permanent switch saves the rule under /etc/firewalld/zones. The opposite also holds: a rule added only with --permanent does not take effect until firewall-cmd --reload. To get both at once, run the command without --permanent and then firewall-cmd --runtime-to-permanent, or simply run it twice, once with and once without the switch.
Logging
firewall-cmd --set-log-denied all
Only enable log denied all temporarily: it writes a kernel log line for every denied packet, which gets noisy fast on an exposed host. Turn it off again with firewall-cmd --set-log-denied off.
journalctl -k | grep REJECT
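Grepping REJECT out of journalctl -k gives raw lines; what you usually want is who is being denied, on which ports, and how often. The script below is an added example written for this post, not part of the original. The log lines are constructed samples (RFC 5737 documentation addresses) in the format firewalld's nftables backend emits with the FINAL_REJECT prefix; the function names summarise_rejects and noisy_sources are my own. On a real host pipe journalctl -k into the functions instead of the sample.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what firewalld logged
# after `firewall-cmd --set-log-denied all`. SAMPLE_LOG is constructed test data;
# on a real host use:  journalctl -k | summarise_rejects

SAMPLE_LOG='Oct 24 10:01:02 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 24 10:01:03 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 24 10:01:04 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=3 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 24 10:01:05 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=4 DF PROTO=TCP SPT=51237 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 24 10:01:06 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=71 TOS=0x00 PREC=0x00 TTL=60 ID=9 DF PROTO=UDP SPT=40000 DPT=161 LEN=51
Oct 24 10:01:09 host kernel: e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex'

# Read kernel log lines on stdin, keep the REJECT ones, and count how many
# times each (source, protocol, destination port) triple was denied.
# Output: "<count> <src> <proto> <dport>", most frequent first.
summarise_rejects() {
    grep 'REJECT' | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")          # netfilter fields are KEY=VALUE
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src != "" && dpt != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Sources with at least $1 denied packets in total, regardless of port.
# Output: "<src> <total>".
noisy_sources() {
    threshold=$1
    grep 'REJECT' | awk -v t="$threshold" '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "SRC=") n[substr($i, 5)]++
    }
    END { for (s in n) if (n[s] >= t) print s, n[s] }' | sort
}

# Run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarise_rejects
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 2
```

The non-REJECT line in the sample is there on purpose: it shows the grep filter doing the same job as the journalctl -k | grep REJECT one-liner, so the awk part only ever sees denied-packet records.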
Zones
A zone is a default configuration to which network cards can be assigned to apply specific settings. The public zone is the default zone. Any new network interface added to the system is automatically assigned to the default zone. In addition, the rules of the default zone are processed for all incoming packets that do not match any of the other zones.
Add an IP address to the trusted zone.
firewall-cmd --zone=trusted --add-source=192.168.124.1 --permanent
List configuration for all zones.
firewall-cmd --list-all-zones
Change the default zone.
firewall-cmd --set-default-zone=name_of_zone
List the rich rules of the FedoraWorkstation zone.
firewall-cmd --zone=FedoraWorkstation --list-rich-rules
Remove the intra-zone forward setting (the forward: yes line in --list-all) from the FedoraWorkstation zone.
firewall-cmd --zone=FedoraWorkstation --remove-forward --permanent
Network Sockets
Use ss to show socket information. Run without options, it shows all connections.
ss -tu displays all TCP and UDP sockets.
ss -tua lists all TCP and UDP sockets, including both listening and established connections, without showing the process information.
ss -tulpn lists TCP and UDP sockets in a listening state; it also adds process names to the output and shows numerical addresses instead of resolving host names.
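The useful check that ties the firewall-cmd section above to ss -tulpn is to reconcile the two: a port that is open in the zone but has nothing listening is a stale rule (the --remove-service / --remove-port commands above are the fix), and a service listening on all interfaces but not opened in the zone is only reachable once you add it. The script below is an added example written for this post, not code from the original or from the firewalld project. All three inputs (a subset of /etc/services, firewall-cmd --list-all output, ss -tulpn output) are constructed samples, and the function names firewall_open_ports, listening_public and reconcile are my own; on a real host substitute the live command output.

```shell
#!/bin/sh
# Added example, not from the original post: reconcile what the public zone
# opens (firewall-cmd --list-all) with what is actually listening (ss -tulpn).
# Every input below is constructed test data.

# Constructed subset of /etc/services (name -> port/proto).
SERVICE_PORTS='ssh 22/tcp
http 80/tcp
https 443/tcp
cockpit 9090/tcp
dhcpv6-client 546/udp
postgresql 5432/tcp'

# Constructed `firewall-cmd --list-all` output.
LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed `ss -tulpn` output.
SS_OUT='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      4096   *:9090              *:*               users:(("systemd",pid=1,fd=40))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=990,fd=7))'

# stdin: --list-all output. Prints one "port/proto" per line, with service
# names expanded through the service map; unknown names are flagged.
firewall_open_ports() {
    awk -v map="$SERVICE_PORTS" '
    BEGIN { n = split(map, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], kv, " "); svc[kv[1]] = kv[2] } }
    $1 == "services:" { for (i = 2; i <= NF; i++) { p = ($i in svc) ? svc[$i] : $i "/unknown"; print p } }
    $1 == "ports:"    { for (i = 2; i <= NF; i++) print $i }
    ' | sort -u
}

# stdin: ss -tulpn output. Prints "port/proto process" for every listening
# socket that is NOT bound to loopback, i.e. the ones the firewall matters for.
listening_public() {
    awk '
    ($1 == "tcp" || $1 == "udp") && ($2 == "LISTEN" || $2 == "UNCONN") {
        n = split($5, a, ":"); port = a[n]                # last field after ":" is the port
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr ~ /^127\./ || addr ~ /^\[?::1\]?$/ || addr ~ /%lo$/) next
        proc = "-"
        if (split($0, q, "\"") >= 2) proc = q[2]          # first quoted string is the process name
        print port "/" $1, proc
    }' | sort -u
}

# $1: --list-all text, $2: ss -tulpn text. Reports the mismatches.
reconcile() {
    open=$(printf '%s\n' "$1" | firewall_open_ports)
    listen=$(printf '%s\n' "$2" | listening_public)
    printf '%s\n' "$listen" | while read -r pp proc; do
        printf '%s\n' "$open" | grep -qxF "$pp" || echo "LISTENING-BUT-CLOSED $pp $proc"
    done
    printf '%s\n' "$open" | while read -r pp; do
        printf '%s\n' "$listen" | awk '{ print $1 }' | grep -qxF "$pp" || echo "OPEN-BUT-NOT-LISTENING $pp"
    done
}

reconcile "$LIST_ALL" "$SS_OUT"
```

On the sample this reports nginx on 80/tcp as listening but closed, and 546/udp (dhcpv6-client) and 8080/tcp as open with nothing behind them, which is exactly the situation the --remove-service=dhcpv6-client command earlier in the post cleans up. Loopback-only sockets such as postgres on 127.0.0.1:5432 are skipped because no zone rule changes their reachability.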
Links
Check out the ArchWiki for Firewalld, really good stuff.
https://wiki.archlinux.org/title/Firewalld