Basic Operation of Firewalld in Linux

In this tutorial, we will take you through the basic operation of Firewalld in Linux. Every server that is connected to the Internet or any other network has to be protected against any sort of unauthorized access and malicious attacks. Use of firewall is one of the several measures that can be used to achieve this. So, what is a firewall? Firewall is a network security system/device, hardware or software based, that is used to prevent unauthorized access, allow or reject incoming or outgoing network traffic into or out of the server, based on predefined set of security rules.

Basic Operation of Firewalld in Linux

In Linux, firewalling is implemented using a kernel subsystem called netfilter which allows kernel modules to inspect network traffic and allow or block them based on set rules.

Firewall daemon, firewalld, as well as iptables service are used to configure netfilter although firewalld is the default service in the latest versions of RHEL/CentOS while iptables was default for the earlier versions.

However, it is not a good practise to use them both at the same time. As such;

• To use firewalld, disable iptables service using either of the following commands;

systemctl mask iptables

systemctl stop iptables

for i in iptables ip6tables ebtables; do systemctl mask $i; done

• To use iptables instead, disable firewalld service;

systemctl mask firewalld;systemctl stop firewalld

• The major difference between the two services is that firewalld is dynamic i.e changes made to its configuration file are implemented immediately and only differences are applied to the file without recreating rules. Firewalld also applies the changes without interrupting the existing connections. iptables service on the other hand flushes the old rules and creates new ones in case changes are made to the configuration file thus interrupting the existing network connections.
• Firewalld has default configuration files in /usr/lib/firewalld directory and user/system configuration files in /etc/firewalld directory. Default configuration files should not be changed and in case there is a need to make some changes, it is advisable to copy the respective file from respective directory in the default configuration directory to corresponding directory in the system configuration directory and make appropriate changes.
• Firewalld uses zones (collections of rules applied to incoming network traffic that matches specific source address or network interface) to define a level of trust on a network connection. It supports IPsets, Ethernet bridges, IPv4, IPv6 firewall settings.
• Firewalld also uses DBus interface to allow applications to requests certain ports be opened enabling them to directly create or remove firewall rules without intervention of an Administrator.

Firewalld Zones

Some of the firewalld zones are described below.

• trusted – a zone in which all network connections are accepted.
• home – Used in home networks where computers on the same network are trusted. Only selected incoming connections are accepted.
• work – used on work networks where most computers on the same networks are trusted.. Only selected incoming connections are accepted.
• dmz – This is a demilitarized zone, computers in this zone are publicly-accessible but they have limited access to your internal network. Only selected incoming connections are accepted.
• drop – In this zone, any incoming network packets are dropped and no reply is sent to the source. Only outgoing network connections are allowed.
• external – used mostly in external networks for routers where other computers on the network are not trusted. Only selected incoming connections are accepted.
• internal – Used in internal networks. Most computers in the same network are trusted and only selected incoming connections are accepted.
• public – Used in public networks. Other computers in the network are not trusted. Only selected connections are accepted. This is the default zone for all newly created network interfaces.
• block – rejects incoming connection with an icmp-host-prohibited message for IPv4 and/or icmp6-adm-prohibited for IPv6. Only connections initiated within the system are allowed.

Firewalld Configuration tools

When configuring firewall features, two configuration tools can be used:

• Command-line tool; firewall-cmd
• Graphical tool; firewall-config

Commonly used firewall-cmd options;

• General Options
  • --help, --h – display help text
  • --version, --V – Get version information
• Status Options
  • --state – check the status of the firewalld
  • --reload – To reload on-disk configuration without interrupting user connections
  • --complete-reload – Reload firewall and interrupt user connections
  • --runtime-to-permanent – Create permanent configuration from runtime configuration
• Permanent Options
  • --permanent – Set an option permanently.
• Zone Options
  • --get-default-zone – Print default zone for connections and interfaces
  • --set-default-zone=<zone> – Set default zone
  • --get-active-zones – list currently active zones
  • --get-zones – Lists all available zones
  • --get-services –Show all available services.
  • --add-service=<service-name> [--zone=<zone>] – Adds a service to the current default zone or the specified zone.
  • --get-icmptypes – list predefined icmptypes
  • --get-zone-of-interface=<interface> –Display the name of the zone the interface is bound to
  • --get-zone-of-source=<source>[/<mask>] | <MAC> | ipset:<ipset> – displays the name of the zone the source is bound to
  • --list-all [–zone=<ZONE>] – Lists all configurations in a zone.
  • --list-all-zones – List everything added for or enabled in all zones
  • --new-zone=<zone> Add a new zone
  • --new-zone-from-file=<filename> [--name=<zone>] – Add a new zone from file with an optional name
  • --delete-zone=<zone> Delete an existing zone
• Service Options
  • --new-service=<service> – Add a new service
  • --new-service-from-file=<filename> [--name=<service>] – Add a new service from file with optional name
  • --delete-service=<service> – Delete an existing service
  • --load-service-defaults=<service> – load icmptype default settings
• IcmpType Options
  • --new-icmptype=<icmptype> – Add a new icmptype
  • --new-icmptype-from-file=<filename> [--name=<icmptype>] – Add a new icmptype from file with optional name
  • --delete-icmptype=<icmptype> – Delete an existing icmptype
• Interfaces Options
  • --list-interfaces – list interfaces that are bound to a zone
  • --add-interface=<interface> – binds the interface to a zone
  • --change-interface=<interface> – Change zone the interface is bound to
  • --remove-interface=<interface> – Removes an interface from a zone
• Sources Options
  • --list-sources – list sources bound to a zone
  • --add-source=<source>[/<mask>] | <MAC> | ipset:<ipset> – binds a source to a zone
  • --remove-source=<source>[/<mask>] | <MAC> | ipset:<ipset> – removes a source from a zone
• Port options
  • --add-port=<port/protocol> [--zone=<zone>] – Adds a port /protocol to the specified zone
  • --remove-port=<port/protocol> [--zone=<zone>] – Removes a port/protocol from the configuration in a specified zone
  • --list-ports – List ports added for a zone

Consult firewall-cmd(1) man page for more options.

Creating custom Firewalld Services

Firewalld services are stored in /etc/firewalld/services and /usr/lib/firewalld/services directories as xml files. If a service file exists in both directories, the service file in /etc/firewalld/service directory takes precedence.

Customed firewalld services can be created or the existing firewalld services in the default services directory can be customized. For instance to customize an existing http service, its xml file can be copied from the default services directory to user services directory where it can be modified i.e;

cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/

The original http.xml file looks like:

cat /etc/firewalld/services/http.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="80"/>
</service>

Modify the description of the above xml file so it can show that is is modified and set its port to a new port, say, 8800 so it can appear as in below;

cat /etc/firewalld/services/http.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Modified (HTTP)</short>
<description>This HTTP has been modified by changing its default port from 80 to 8800 for learning purposes. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="8800"/>
</service>

Rename the customized http.xml file to reflect its modification for example.

mv /etc/firewalld/services/http{-mod}.xml

Add the customized http service to the default zone and reload firewalld

firewall-cmd --add-service=http.mod --permanent; firewallcmd --reload

List the available services in the default zone to confirm the new service is added.

firewall-cmd --list-services

dhcpv6-client ftp http-mod ssh

To make the process available on the new port, edit the /etc/httpd/conf/httpd.conf file and add Port 8800 right below the line Port 80. Save the file and quit.

Install semanage tools and add port 8800 to system’s SELinux configuration;

yum -y install policycoreutils-python

semanage port -a -t http_port_t -p tcp 8800

Open port 8800 on firewall

firewall-cmd --add-port=8800/tcp --permanent; firewall-cmd --reload

Start httpd service; systemctl start httpd

On the address bar of your browser, type http://<local-IP-Address>:8800 and you should be welcomed by a testing page for http server.

That is how to simply create a cumstom firewalld service.

Direct Rules vs Rich Rules

Firewalld Direct Rules

• Direct rules can be used by the administrators to add or remove chains during runtime using the – -direct options. The syntax of direct rules is simillar to that of the iptables. Therefore, it requires user to know basic iptables, ip6tables or ebtables concepts. The syntax is:

firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args

• An example to add a rule to the FORWARD chain;

firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -m tcp -p tcp --dport 22 -j ACCEPT

• To remove a rule from the FORWARD chain;

firewall-cmd --direct --remove-rule ipv4 filter FORWARD 0 -m tcp -p tcp --dport 22 -j ACCEPT

• add --permanent options to make the settings persistent across reboots.

Firewalld Rich Rules

• Rich rules allows administrators to easily create firewall rules without necessarily having the knowledge of iptables syntax. General rich-rules syntax is:

rule [family="rule family"] [ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ] [ destination [NOT] address="address" ] [ element ] [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ] [ audit ] [ action ]

Rich Rule Command Options

• rule – If the rule family (IPv4 or IPv6) is provided, it will limit the rule to IPv4 or IPv6 respectively, otherwise the rule is added for both IPv4 and IPv6. If the source or destination addresses are used in a rule, then the rule family should be provided.

rule [family="ipv4|ipv6"]

• source – Limits the origin of connection to the source address. The address can match an IP adress, mac address or an IPset and it has to match the rule family. This address can be a single IP or a network IP address prefixed with sub-net mask as /x.x.x.x or /x for IPv4 and /x for IPv6. The NOT keyword if used will mean that all the addresses except the specified will match the rule specified.

source [not] address=<address[/mask]>|mac=<mac-address>|ipset=<ipset>

• destination – Limits the target to a destination address.

destination [not] address=<address[/mask]>

• element – the element types used include:
  • service – this represent one of the services provided by firewalld.
    service name=<service-name>
  • port – this can either be a single or a range of ports followed by a protocol type, tcp or udp.
    port port=<port-value> protocol=<tcp|udp>
  • protocol – this can be the protocol number or name.
    protocol value=<protocol-value>
  • ICMP-Block – these can one of the firewalld icmp types.
    icmp-block name=<icmp-type-name>
  • masquerade – enable masquerading on the rule.
  • Forward port – forwards port/packets from local port value with protocol “tcp” or “udp” to either another port locally or to another system or to another port on another system.
    forward-port port=<port value> protocol=<tcp|udp> to-port=<port value> to-addr=<address>
  • log – Log new connection attempts to the rule with kernel logging, for example, in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be; emerg, alert, crit, error, warning, notice, info, or debug. It is possible to limit logging as follows:
    log [prefix=<prefix text>] [level=<log level>] [limit value=<rate/duration>]
  • audit – provides an alternative way for logging using audit records sent to the service auditd.
    audit [limit value=<rate/duration>]
  • action – an action can be accept, reject, drop or mark.
    • accept – accepts all new connections
      accept [limit value=<rate/duration>]
    • reject – rejects a connection and sends an ICMP(v6) message to the source
      reject [type=<reject type>] [limit value=<rate/duration>]
    • drop – drops all the packets and no information is sent to the source.
      drop [limit value=<rate/duration>]
    • mark – all packets will be marked in the PREROUTING chain in the mangle table with the mark and mask combination.mark set=<mark[/mask]> [limit value=<rate/duration>]

When creating rules within a zone, they are supposed to be ordered to avoid creating rules that conflict. The basic ordering is:

1. Direct rules
2. Port forwarding and masquerading rules
3. Logging rules
4. Allow rules
5. Deny rules

Commonly used rich-rules options:

• --list-rich-rules – list rich rules for a default or specified zone
• --add-rich-rule=<rule> – add rules for a default or specified zone
• --remove-rich-rule=<rule> – remove rich rule from default or specified zone
• --query-rich-rule=<rule> – shows whether a rich rule has been added to a zone

It’s often necessary to add a timeout (--timeout=<timevalue>) when configuring rich rules so that in case an error is made, the rule will expire after the timeout has passed.

Examples of how to specify rich-rules:

i. To allow connection from 192.168.122.100 to work zone for a minute;

firewall-cmd --zone=work --add-rich-rule='rule family=ipv4 source 192.168.122.100/32 allow' --timeout=60

ii. Allow all connections from 2:4:3:8:5::

firewall-cmd --add-rich-rule='rule family=ipv6 source address= 2:4:3:8:5:: accept'

iii. Reject all new IPv4 and IPv6 connections from 192.168.122.2

firewall-cmd --add-rich-rule='rule source address="192.168.122.2 reject type=icmp-admin-prohibited'

iv. Black-list source address to drop all connections from 192.168.122.4

firewall-cmd --add-rich-rule='rule family="ipv4" source address=192.168.122.4 drop'

v. To allow ssh connection from a specific source to dmz zone and limit the connection to one per minute;

firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=192.168.122.100 service name=ssh limit value=1/m accept'

vi. To reject ICMP (ping requests) towards a public zone;

firewall-cmd --add-rich-rule='rule protocol value=icmp reject'

For more rich rules examples, consult firewalld.richlanguage man page.

Reference:

firewall-cmd(1), firewalld(1), firewall.richlanguage(5) man pages

Other Tutorials

Install pfSense Firewall on KVM

Control NoMachine Ports on Firewall