FirewallD is a new firewall suite being introduced to Linux distributions. At present the new and popular CentOS 7 ships it as the default firewall suite, and in the near future it will be rolled out on servers. FirewallD, as usual, was developed by the Fedora community and first shipped in Fedora 20. It is also used in Arch Linux and other distributions to date.
FirewallD is a dynamic firewall: any change to the firewall takes effect as soon as the amendment is made. Unlike the previous firewall suite (iptables), no hard reset or restart is needed to apply a rule that has been added or amended. iptables is deprecated in the early release of CentOS 7, which means that sooner or later the package will be replaced by FirewallD. Because FirewallD is not completely compatible with iptables, the iptables package is still present. Although deprecated, iptables-style rules can still be applied through FirewallD using the direct option.
FirewallD relies on the concept of zones; the concept of chains is not exposed. Each interface is linked to a zone. An interface can be linked to only one zone, but a zone can have more than one interface linked to it. There are several predefined zones in which an interface can be placed: drop, block, public, dmz, work, home, internal and trusted. A zone acts like an ACL in iptables. Each zone is configured with a set of units describing its behavior.
FirewallD can be configured with system-config-firewall from the frontend and with the firewall-cmd command from the backend. The units that can be linked to a zone are:
- Predefined services such as httpd.service, bind.service, etc. (a named combination of ports and protocols)
- Ports and protocols such as 53 or UDP (a specific port and protocol)
- ICMP blocks
- Masquerading (NAT)
- Forward ports
Let me take you on a tour of FirewallD from the backend. Below are some of the commands that can be used in the new suite. In general there is a command for adding, removing and querying each service or interface in a zone.
General commands
firewall-cmd --state >> displays the state of FirewallD
firewall-cmd --reload >> reloads FirewallD
firewall-cmd --get-zones >> shows all available zones
firewall-cmd --get-services >> shows all supported services
firewall-cmd --get-icmptypes >> shows all supported ICMP types
firewall-cmd --list-all-zones >> lists every zone with its features
firewall-cmd [--zone=<zone>] --list-all >> lists the features of a single zone
firewall-cmd --get-default-zone >> shows the default zone
firewall-cmd --set-default-zone=<zone> >> sets the default zone
firewall-cmd --get-active-zones >> shows the zones that are active, i.e. bound to an interface
Unit-based commands
Service:
A service is a named combination of port and protocol, such as httpd or bind.
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>] >> enables the service in the zone, optionally for a limited time
firewall-cmd [--zone=<zone>] --remove-service=<service> >> disables the service in the zone
firewall-cmd [--zone=<zone>] --query-service=<service> >> checks whether the service is enabled in the zone
Port and protocol:
A raw combination of port and protocol.
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>] >> enables the port and protocol combination
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol> >> disables the port and protocol combination
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol> >> queries the port and protocol combination
Masquerading:
Masquerading provides NAT on the firewall: the private address is mapped to a public IP (IPv4 only).
firewall-cmd [--zone=<zone>] --add-masquerade >> enables masquerading
firewall-cmd [--zone=<zone>] --remove-masquerade >> disables masquerading
firewall-cmd [--zone=<zone>] --query-masquerade >> queries masquerading
ICMP:
ICMP is used to test the path to and from a server at the remote end; an ICMP block stops the given ICMP type in the zone.
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype> >> enables the ICMP block
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype> >> disables the ICMP block
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype> >> queries the ICMP block
Port forwarding:
Port forwarding maps one port to another; it can be a single port or a range of ports (IPv4 only).
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> } >> adds port forwarding
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> } >> removes port forwarding
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> } >> queries port forwarding
Direct mode commands
This mode of operation gives direct access to the underlying firewall. To use these commands you must be familiar with raw iptables commands, chains, parameters and targets. Use it only when really necessary.
firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args> >> passes the command straight through to the backend
firewall-cmd [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain> >> adds a new chain to a table
firewall-cmd [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain> >> removes a chain from a table
firewall-cmd [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain> >> queries a chain in a table
firewall-cmd [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } <table> >> shows all chains added to a table
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args> >> adds a rule
firewall-cmd [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args> >> removes a rule
firewall-cmd [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args> >> queries a rule
firewall-cmd [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain> >> shows all rules
*(ipv4 = iptables for IPv4, ipv6 = ip6tables for IPv6, eb = ebtables for Ethernet bridging)
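The zone, unit and direct commands above combined into one host configuration, as an added example that is not part of the original post. The zone name, interface, extra port, forward target and the dropped source range are assumed sample values, and the script prints the firewall-cmd lines instead of running them when DRY_RUN=1 is set or firewall-cmd is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): a firewall-cmd plan using the
# zone, unit and direct commands above. Zone, interface, ports and addresses
# are assumed sample values; with DRY_RUN=1 or no firewall-cmd, commands are printed.

# Validate a raw <port>[-<port>]/<protocol> spec before handing it to
# firewall-cmd: ports 1-65535, optional ascending range, tcp or udp only.
valid_port_spec() {
    spec=$1
    proto=${spec##*/}
    ports=${spec%/*}
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    lo=${ports%%-*}
    hi=${ports##*-}
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# Run one firewall-cmd invocation, or print it in dry-run mode.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}
# Default zone drop; the NIC sits in public with only ssh/https plus one
# extra port for five minutes; internal gets NAT and a forward; one direct
# rule drops a sample source range. Runtime changes vanish on --reload, so
# the services are added again with --permanent before reloading.
apply_plan() {
    zone=public; nic=eth0; extra=8443/tcp      # assumed sample values
    valid_port_spec "$extra" || { echo "bad port spec: $extra" >&2; return 1; }
    fw --set-default-zone=drop
    fw --zone="$zone" --add-interface="$nic"
    fw --zone="$zone" --add-service=ssh
    fw --zone="$zone" --add-service=https
    fw --zone="$zone" --add-port="$extra" --timeout=300
    fw --zone=internal --add-masquerade
    fw --zone=internal --add-forward-port=port=80:proto=tcp:toport=8080
    fw --direct --add-rule ipv4 filter INPUT 0 -s 192.0.2.0/24 -j DROP  # TEST-NET-1 placeholder
    fw --permanent --zone="$zone" --add-service=ssh
    fw --permanent --zone="$zone" --add-service=https
    fw --reload
    fw --zone="$zone" --query-service=ssh
}
```

Run it as `DRY_RUN=1 sh plan.sh` first to review the generated commands; the final query should print `yes` on a live host once the services survive the reload.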