Using the Built in Firewall on Cent OS 7
Start off by getting the zones for the firewall:
firewall-cmd --get-zones
Listing services for a zone:
firewall-cmd --list-services --zone=FedoraWorkstation
dhcpv6-client http mdns samba-client ssh
Quick tip: if we set our default zone with:
firewall-cmd --set-default-zone=FedoraWorkstation
success
Then we can drop the "--zone" parameter:
firewall-cmd --list-services
dhcpv6-client http mdns samba-client ssh
To see the list of services that can be added, use:
firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication
Whitelisting A New Port
The simplest way of whitelisting a new incoming connection is to add it as a port, for example:
firewall-cmd --add-port=10000/tcp
This adds it to the default zone (FedoraWorkstation, in our case), but only as a runtime rule: it won't persist after a reboot (or even a reload of the tables). To make it permanent, use:
firewall-cmd --add-port=10000/tcp --permanent
To view this rule now:
firewall-cmd --list-ports
10000/tcp
Whitelisting A New Service
Services can also be whitelisted by name, for example:
firewall-cmd --list-services
dhcpv6-client http mdns samba-client ssh
firewall-cmd --add-service=https
success
firewall-cmd --list-services
dhcpv6-client http https mdns samba-client ssh
Again, use the --permanent option to make it persist across reloads/reboots. Note that --permanent on its own only writes the saved configuration and takes effect at the next --reload, so to have a rule active now and after a reboot, run the command both with and without --permanent.
What if we wanted to whitelist a service by name that doesn't show up in our list? A good example is webmin, running on port 10000:
firewall-cmd --add-service=webmin
Error: INVALID_SERVICE: webmin
We can simply use the port number, as seen earlier. However, a nicer (but longer) way is to:
1. create a service definition file
2. add it to our firewalld service list
3. add the new service as before, by name.
The service definition files are all held in /usr/lib/firewalld/services/:
cd /usr/lib/firewalld/services/
# dir
amanda-client.xml kpasswd.xml radius.xml
amanda-k5-client.xml ldaps.xml rpc-bind.xml
bacula-client.xml ldap.xml samba-client.xml
...
These are simply plain-text XML files and it's fairly trivial to duplicate one of them and amend the content accordingly, for example:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Webmin</short>
  <description>A web-based administration interface.</description>
  <port protocol="tcp" port="10000"/>
</service>
However, it is recommended to leave the files under /usr/lib/firewalld/services alone (they are owned by the firewalld package) and instead drop custom service definitions into /etc/firewalld/services, so we'll put our file (webmin.xml) in there.
The next step is to reload firewalld to pick up this new definition, and it should then be shown in the list of available services:
firewall-cmd --reload
success
firewall-cmd --get-services
amanda-client amanda-k5-client bacula .. webmin
Note that a --reload flushes any rules that are not marked as permanent! Now we can add it in as a service as before:
firewall-cmd --add-service=webmin
success
firewall-cmd --list-services
dhcpv6-client http mdns samba-client ssh webmin
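The service-definition steps above, as an added example that is not part of the original notes: a shell function that validates the name and PORT/PROTO arguments and writes the XML file for you. FW_SERVICE_DIR and fw_enable_service are assumed names for this example; the default target directory is /etc/firewalld/services, and fw_enable_service needs root and a running firewalld.

```shell
#!/bin/sh
# Added example, not from the original notes: write a firewalld service
# definition file (like the webmin.xml above) after validating its arguments.
# FW_SERVICE_DIR is an assumed variable for this example that overrides the
# target directory; the default is the custom-definition directory the notes use.
# Usage: fw_make_service NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]

fw_make_service() {
    name=$1; desc=$2; shift 2
    dir=${FW_SERVICE_DIR:-/etc/firewalld/services}
    # The name becomes a file name and a firewall-cmd argument, so restrict it
    # to letters, digits, '-' and '_'.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: '$name'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec in "$@"; do
        port=${spec%%/*}; proto=${spec#*/}
        case $proto in tcp|udp|sctp|dccp) ;; *) echo "bad protocol in '$spec'" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
    done
    # The description is free text: escape XML metacharacters before embedding it.
    esc=$(printf '%s' "$desc" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$esc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%%/*}"
        done
        printf '</service>\n'
    } > "$out" || return 1
    printf '%s\n' "$out"
}

# firewalld only accepts the new name after re-reading its definitions, and a
# --permanent rule is not enforced until the next reload, so after the reload
# add the service both permanently and at runtime.
fw_enable_service() {
    firewall-cmd --reload >/dev/null &&
    firewall-cmd --permanent --add-service="$1" >/dev/null &&
    firewall-cmd --add-service="$1"
}
```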
Using FirewallD & ipsets
1. Create a set
firewall-cmd --permanent --new-ipset=networkblock --type=hash:net --option=maxelem=1000000 --option=family=inet --option=hashsize=4096
firewall-cmd --reload
2. Add entries to the set
firewall-cmd --permanent --ipset=networkblock --add-entry=95.211.0.0/16
firewall-cmd --reload
3. Add the set to the drop zone
firewall-cmd --permanent --zone=drop --add-source=ipset:networkblock
firewall-cmd --reload
https://firewalld.org/documentation/man-pages/firewalld.ipset.html
Types:
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
Ipset definition files live in:
/etc/firewalld/ipsets/ipset.xml
/usr/lib/firewalld/ipsets/ipset.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <short>My Ipset</short>
  <description>description</description>
  <entry>1.2.3.4</entry>
  <entry>1.2.3.5</entry>
  <entry>1.2.3.6</entry>
</ipset>
firewall-cmd --get-active-zones # look at the zones
Create a new set
firewall-cmd --permanent --type=hash:ip --new-ipset=testblock ## creates /etc/firewalld/ipsets/testblock.xml
firewall-cmd --permanent --ipset=testblock --set-description="testing ipsets by Dave" ## can't set the description on the same line as --new-ipset
firewall-cmd --permanent --ipset=testblock --get-description ## get info
firewall-cmd --get-ipsets ## won't show it yet
firewall-cmd --reload
firewall-cmd --get-ipsets ## should show up now
ipset -L ## also should show up, but no description listed
hal:/etc/firewalld/ipsets # more testblock.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <description>testing ipsets by Dave</description>
</ipset>
Add the set to the drop zone as a blacklist.
firewall-cmd --get-active-zones # see which zones are in use
firewall-cmd --permanent --zone=drop --add-source=ipset:testblock ## adds this entry to /etc/firewalld/zones/drop.xml
firewall-cmd --reload
firewall-cmd --get-active-zones # drop should now show as an active zone
Remove a set
firewall-cmd --get-ipsets
firewall-cmd --permanent --delete-ipset=testblock
firewall-cmd --reload
firewall-cmd --get-ipsets ## now missing
ipset -L ## may still show, but it's no longer part of FirewallD
Add entries to the set
firewall-cmd --permanent --ipset=testblock --add-entry=1.2.3.4
firewall-cmd --permanent --ipset=testblock --add-entry=2.3.4.5
ipset -L # not shown yet, but added to /etc/firewalld/ipsets/testblock.xml
firewall-cmd --reload
ipset -L # now shown
hal:/etc/firewalld/ipsets # more testblock.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <description>testing ipsets by Dave</description>
  <entry>1.2.3.4</entry>
  <entry>2.3.4.5</entry>
</ipset>
Removing entries from the set
firewall-cmd --permanent --ipset=testblock --remove-entry=1.2.3.4
ipset -L # still shows in the ipset, but removed from /etc/firewalld/ipsets/testblock.xml
firewall-cmd --reload
ipset -L # now removed from the ipset
Adding a new IP directly as a zone source (without an ipset):
firewall-cmd --permanent --zone=drop --add-source=1.2.3.4
firewall-cmd --reload
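The notes keep pairing --permanent with --reload because runtime and permanent configuration can drift apart: a runtime-only rule is lost on reload, a permanent-only rule is not enforced yet. As an added example that is not part of the original notes, this script reports such drift for one zone; fw_zone_drift is an assumed helper that needs root and a running firewalld, and the SAMPLE_* lists are constructed input.

```shell
#!/bin/sh
# Added example, not from the original notes: report drift between a zone's
# runtime and permanent configuration. Runtime-only entries disappear on the
# next --reload or reboot; permanent-only entries are not enforced until then.
# fw_drift takes two space-separated lists; fw_zone_drift (assumed helper)
# builds them from firewall-cmd and needs root and a running firewalld.

fw_drift() {
    runtime=$1; permanent=$2; rc=0
    for e in $runtime; do
        case " $permanent " in
            *" $e "*) ;;
            *) echo "runtime-only (lost on reload): $e"; rc=1 ;;
        esac
    done
    for e in $permanent; do
        case " $runtime " in
            *" $e "*) ;;
            *) echo "permanent-only (not active until reload): $e"; rc=1 ;;
        esac
    done
    return $rc
}

# Collect services, ports and sources (e.g. ipset:networkblock) for one zone
# from both configurations and compare them.
fw_zone_drift() {
    zone=$1; rt=''; pm=''
    for what in services ports sources; do
        rt="$rt $(firewall-cmd --zone="$zone" --list-$what)"
        pm="$pm $(firewall-cmd --permanent --zone="$zone" --list-$what)"
    done
    fw_drift "$rt" "$pm"
}

# Constructed sample, loosely modelled on the notes above: webmin and
# 10000/tcp added without --permanent, https added only with --permanent.
SAMPLE_RUNTIME='dhcpv6-client http mdns samba-client ssh webmin 10000/tcp'
SAMPLE_PERMANENT='dhcpv6-client http https mdns samba-client ssh'

if [ "${1:-}" = "--zone" ] && [ -n "${2:-}" ]; then
    fw_zone_drift "$2"
else
    fw_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "drift detected"
fi
```

Run it as `sh fw_drift.sh --zone public` on a real host; the exit status is non-zero whenever the two configurations differ, which makes it usable from a cron job or a configuration check.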