Use apt-get or yum to install firewalld.
~]# apt-get install firewalld
~]# yum install firewalld
Start and enable firewalld, and ensure firewalld is active and running.
~]# systemctl enable firewalld
~]# systemctl start firewalld
~]# systemctl status firewalld
Firewalld uses zones, such as public, internal, and dmz. Each zone has its own unique set of rules. For example, public zone can be bound to eth0 and only allow HTTP, and internal zone can be bound to eth1 and allow both HTTP and SSH.
One of the most useful commands is firewall-cmd --list-all. If a zone is not specified, the default zone will be displayed. In this example, public is the default zone.
~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
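The --list-all output above is the quickest way to check what a zone actually exposes. The script below is an added example (not from the original page): it parses that output into fields and flags a zone whose target is ACCEPT or which opens more than a chosen number of services and ports. It reads the live zone when firewall-cmd is installed and otherwise falls back to a constructed sample modelled on the output shown above; the MAX_OPEN threshold and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Constructed sample in the shape of `firewall-cmd --list-all` output (assumption).
SAMPLE_LIST_ALL='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: https ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# zone_output <zone>: live output when firewall-cmd exists, else the sample
zone_output() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --list-all --zone="$1"
    else
        printf '%s' "$SAMPLE_LIST_ALL"
    fi
}

# field <output> <name>: value of one "  name: value" line
field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# count_open <output>: number of allowed services plus opened ports
count_open() {
    out=$1
    set -- $(field "$out" services) $(field "$out" ports)
    echo $#
}

# audit_zone <output>: print a summary line; return 1 when the zone accepts
# everything (target ACCEPT) or opens more than MAX_OPEN entries (assumed limit)
MAX_OPEN=${MAX_OPEN:-5}
audit_zone() {
    out=$1
    name=$(printf '%s\n' "$out" | awk 'NR==1{print $1}')  # zone name is the first token
    target=$(field "$out" target)
    n=$(count_open "$out")
    echo "zone=$name target=$target open_entries=$n"
    [ "$target" != "ACCEPT" ] && [ "$n" -le "$MAX_OPEN" ]
}

audit_zone "$(zone_output public)"
```

Run it for each zone reported by firewall-cmd --get-active-zones to get a one-line summary per zone; a non-zero exit is the signal worth alerting on.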
The --zone=zone_name option can be used to display the settings for a specific zone.
~]# firewall-cmd --list-all --zone=internal
. . .
Information about each zone will be listed in an .xml file at /usr/lib/firewalld/zones/ or /etc/firewalld/zones/. The files in the /usr/lib/firewalld/zones/ should not be edited. When a change is made to a zone, the .xml file will be copied from /usr/lib/firewalld/zones/ to /etc/firewalld/zones/. The .xml files at /etc/firewalld/zones/ can be edited. If the /etc/firewalld/zones/ directory does not contain a file for a zone, this means no changes have been made to the zone.
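Because a zone file only appears under /etc/firewalld/zones/ once the zone has been changed, comparing the two directories tells you which zones have been customised and exactly what was altered. The script below is an added example (not from the original page) that does this comparison; when the shipped directory is absent it builds a constructed sample pair of zone files so it can be tried anywhere. The sample zone contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page.
DEFAULT_DIR=${DEFAULT_DIR:-/usr/lib/firewalld/zones}
CUSTOM_DIR=${CUSTOM_DIR:-/etc/firewalld/zones}

# zone_status <zone>: "default" (never changed), "unchanged" (copied to /etc
# but identical to the shipped file) or "modified"
zone_status() {
    z=$1
    if [ ! -f "$CUSTOM_DIR/$z.xml" ]; then
        echo default
    elif cmp -s "$DEFAULT_DIR/$z.xml" "$CUSTOM_DIR/$z.xml"; then
        echo unchanged
    else
        echo modified
    fi
}

# zone_diff <zone>: unified diff of shipped zone file against the edited copy
zone_diff() { diff -u "$DEFAULT_DIR/$1.xml" "$CUSTOM_DIR/$1.xml"; }

# report: one status line per shipped zone
report() {
    for f in "$DEFAULT_DIR"/*.xml; do
        z=$(basename "$f" .xml)
        echo "$z: $(zone_status "$z")"
    done
}

# make_sample: constructed zone files (assumption) in a temporary directory
make_sample() {
    tmp=$(mktemp -d)
    DEFAULT_DIR=$tmp/lib; CUSTOM_DIR=$tmp/etc
    mkdir -p "$DEFAULT_DIR" "$CUSTOM_DIR"
    cat >"$DEFAULT_DIR/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
    cat >"$DEFAULT_DIR/dmz.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <service name="ssh"/>
</zone>
EOF
    # edited copy of public: ssh swapped for https
    sed 's|<service name="ssh"/>|<service name="https"/>|' \
        "$DEFAULT_DIR/public.xml" >"$CUSTOM_DIR/public.xml"
}

[ -d "$DEFAULT_DIR" ] || make_sample
report
```

On a real host, run report as root and follow up with zone_diff on every zone reported as modified; a zone that shows as modified but has no change-management record is the thing to investigate.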
The default zone can be changed using the --set-default-zone=zone_name option. In this example, the default zone is set to dmz.
~]$ firewall-cmd --set-default-zone=dmz
Or, add DefaultZone=zone_name to /etc/firewalld/firewalld.conf.
Or, you can add ZONE=zone_name to the /etc/sysconfig/network-scripts/ifcfg-xxxxxxx file.
Instead of using --list-all, you can list a single category of settings, such as --list-services or --list-ports.
The --add-interface=interface_name option can be used to bind an interface to a zone. In this example, eth0 is bound to the public zone.
~]# firewall-cmd --zone=public --add-interface=eth0
The --add-service=service_name option can be used to allow connections to a certain service, such as SMTP.
~]# firewall-cmd --zone=work --add-service=smtp --permanent
Each service has an XML file located at /usr/lib/firewalld/services which contains the port and protocol being used by the service. For example, the ssh.xml file is using port 22 and the TCP protocol.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>
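Allowing a service by name is only as safe as the ports its XML file declares, so it is worth resolving a service name to its port/protocol pairs before adding it. The function below is an added example (not from the original page) that extracts those pairs from a service file in the shape shown above; the sample XML is constructed and the assumption is that each port element is written with the protocol attribute before the port attribute, as in the page's ssh.xml.

```shell
#!/bin/sh
# Added example, not code from the original page.
SERVICE_DIR=${SERVICE_DIR:-/usr/lib/firewalld/services}

# Constructed sample service definition (assumption), same shape as ssh.xml above.
SAMPLE_SERVICE='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Sample</short>
  <port protocol="tcp" port="22"/>
  <port protocol="tcp" port="8000-8010"/>
  <port protocol="udp" port="514"/>
</service>'

# service_ports_from_xml <xml-text>: print one "port/proto" per line
service_ports_from_xml() {
    printf '%s\n' "$1" |
        sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p'
}

# service_ports <name>: resolve an installed service name via its XML file
service_ports() {
    f=$SERVICE_DIR/$1.xml
    [ -f "$f" ] || { echo "no service file: $f" >&2; return 1; }
    service_ports_from_xml "$(cat "$f")"
}

# Show the sample, then ssh if the real service directory is present.
service_ports_from_xml "$SAMPLE_SERVICE"
[ -f "$SERVICE_DIR/ssh.xml" ] && service_ports ssh
```

Running service_ports for every name in a zone's services line gives the complete list of ports that zone really opens, which is what you want to compare against your intended exposure.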
The --add-port=port_number/protocol option can be used to allow connections on a port number. This is typically used when a service is not listening on the default port associated with its protocol, such as when HTTP is using 8080.
~]# firewall-cmd --zone=dmz --add-port=12345/tcp --permanent
The --add-protocol=protocol_name option can be used to allow connections to a certain protocol.
~]# firewall-cmd --zone=dmz --add-protocol=smb2 --permanent
The --add-masquerade option can be used to enable IP address masquerading for a zone.
~]# firewall-cmd --zone=external --add-masquerade --permanent
Masquerade must be turned on before port forwarding will work. Use --add-forward-port=port=xx:proto=xxx:toport=xx to forward traffic from one port to another. In this example, traffic arriving on TCP port 22 is forwarded to port 12345, and the SSH service listening on port 12345 is on the same server as the one that would listen on port 22.
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=12345 --permanent
To forward requests to another server, add the target IP address with toaddr.
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=12345:toaddr=10.1.2.3 --permanent
If the firewall is not locked down, local applications and services with sufficient privileges may be able to make changes to the firewall configuration. The firewall can be locked down so that only whitelisted commands, users and contexts may change it.
~]# firewall-cmd --lockdown=on
You will no longer be able to add a service to the firewall.
~]# firewall-cmd --add-service=dhcp --permanent
Error: ACCESS_DENIED: lockdown is enabled
Issue this command to whitelist firewall-cmd itself, so that the firewall can still be modified from the command line while everything else stays blocked. Reload the firewall, and you will again be able to modify it with firewall-cmd.
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*' --permanent
After making a permanent change to the firewall, there are two ways to reload the configuration. The --reload option will not interrupt established connections to services. The --complete-reload option will interrupt established connections to services.
~]# firewall-cmd --reload
~]# firewall-cmd --complete-reload