The command-line tool firewall-cmd is part of the firewalld application. It can be used to make permanent and non-permanent runtime changes.
List all zones
Use following command to list all zones.
# firewall-cmd --list-all-zones
..
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: smtp http ssh https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
..
public is the default zone unless it has been changed. To check the current default zone use:
# firewall-cmd --get-default-zone
public
List allowed services and ports on the system
To show the allowed services on your system, use the following command.
# firewall-cmd --list-services
smtp http ssh https
To list open ports:
# firewall-cmd --list-ports
123/tcp 123/udp 3306/tcp 68/udp 9981-9982/tcp
If no ports have been opened directly, nothing is listed here.
Enable a Service
You can open the required ports for a service by using the --add-service option. To allow access by HTTP clients:
# firewall-cmd --add-service=http
success
To list the allowed services, use the --list-services command shown above.
Enable a port
You can also open ports directly with the --add-port option:
# firewall-cmd --add-port=80/tcp
success
To list the allowed ports, use the --list-ports command shown above.
Don't forget to add --permanent to make your changes permanent. Note that a command run with --permanent only changes the stored configuration; to apply it to the running firewall as well, either run the same command again without --permanent or reload firewalld.
Show config
# firewall-cmd --list-all --permanent
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: smtp http ssh https
ports:
protocols: tcp
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Add a Service
There are different ways to add a new service. A new service will only be visible in the permanent configuration after it has been added. To make it active in the runtime environment you need to reload firewalld.
using firewall-cmd
To add a new and empty service, use the --new-service option together with the --permanent option:
# firewall-cmd --permanent --new-service=ftpes
Configure the service:
# firewall-cmd --permanent --service=ftpes --set-description="Explicit FTP over SSL/TLS"
# firewall-cmd --permanent --service=ftpes --set-short="FTPES"
# firewall-cmd --permanent --service=ftpes --add-port=20/tcp
# firewall-cmd --permanent --service=ftpes --add-port=21/tcp
# firewall-cmd --permanent --service=ftpes --add-port=21090-21100/tcp
# firewall-cmd --permanent --service=ftpes --add-module=nf_conntrack_ftp
Alternatively you can configure a new service using an existing file:
# firewall-cmd --permanent --new-service-from-file=ftp.xml
This adds a new service using all settings from the file, including the service name.
# firewall-cmd --permanent --new-service-from-file=ftp.xml --name=ftpes
This adds a new service using the service settings from the file, but the new service will be named ftpes.
Copy a file from the services directory /usr/lib/firewalld/services/ to /etc/firewalld/services/
As root copy the file:
# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/ftpes.xml
and edit it to your needs, or create one from scratch:
# nano /etc/firewalld/services/ftpes.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTPES</short>
  <description>Explicit FTP over SSL/TLS</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
  <port protocol="tcp" port="20"/>
  <port protocol="tcp" port="21090-21100"/>
</service>
After you have copied the file into /etc/firewalld/services, it takes about 5 seconds until the new service is visible in firewalld.
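The following script is an added example and not part of the original page: it writes a service file in the XML format shown above from the same values used with --service, and rejects a malformed port spec or service name before anything lands in /etc/firewalld/services. The helper name make_service and its argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page: write a firewalld service
# definition in the XML format shown above, with input checks.
# Hypothetical helper; argument order is an assumption of this example:
#   make_service OUTDIR NAME SHORT DESCRIPTION MODULE|- PORT/PROTO...
# Prints the path of the file written; returns 1 on bad input.

xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

make_service() {
    outdir=$1; name=$2; short=$3; desc=$4; module=$5
    shift 5
    # the name becomes a file name and a firewall-cmd argument: keep it plain
    printf '%s' "$name" | grep -Eq '^[A-Za-z0-9_-]+$' \
        || { echo "bad service name: $name" >&2; return 1; }
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for p in "$@"; do
        # accept 21/tcp or 21090-21100/tcp, nothing else
        printf '%s' "$p" | grep -Eq '^[0-9]+(-[0-9]+)?/(tcp|udp)$' \
            || { echo "bad port spec: $p" >&2; return 1; }
        lo=${p%%[-/]*}; hi=${p%/*}; hi=${hi#*-}
        [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] \
            || { echo "port out of range: $p" >&2; return 1; }
    done
    out="$outdir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for p in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        # a helper module such as nf_conntrack_ftp is optional; pass "-" for none
        [ "$module" = "-" ] || printf '  <module name="%s"/>\n' "$module"
        printf '</service>\n'
    } > "$out"
    chmod 0644 "$out"
    echo "$out"
}

# Same service as the ftpes.xml above, written to /etc/firewalld/services when
# the script is run as root with arguments, e.g.:
#   sh make-service.sh /etc/firewalld/services ftpes FTPES \
#      "Explicit FTP over SSL/TLS" nf_conntrack_ftp 21/tcp 20/tcp 21090-21100/tcp
[ $# -eq 0 ] || make_service "$@"
```

After the file is written, firewalld picks it up in the permanent configuration within a few seconds; check with firewall-cmd --permanent --info-service=ftpes.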
IPset Blacklist
Create the blacklist
# firewall-cmd --permanent --new-ipset=blacklist --type=hash:net --option=family=inet --option=hashsize=4096 --option=maxelem=200000
success
Populate the blacklist
# wget -q https://lists.blocklist.de/lists/all.txt
# firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=./all.txt
success
Add the blacklist as a source of the drop zone, so that traffic from the listed addresses is dropped
# firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
success
# firewall-cmd --reload
success