====== Using the Built-in Firewall on CentOS 7 ======
Start off by listing the zones the firewall knows about:
firewall-cmd --get-zones
Listing services for a zone:
firewall-cmd --list-services --zone=FedoraWorkstation
dhcpv6-client http mdns samba-client ssh
Quick tip: if we set our default zone with:
firewall-cmd --set-default-zone=FedoraWorkstation
success
Then we can drop the "--zone" parameter:
firewall-cmd --list-services
dhcpv6-client http mdns samba-client ssh
To see the list of services that can be added, use:
firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6
dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication
===== Whitelisting A New Port =====
The simplest way of whitelisting a new incoming connection is to add it as a port, for example:
firewall-cmd --add-port=10000/tcp
This adds it to the default zone (FedoraWorkstation, in our case), but only as a runtime rule: it won't persist after a reboot (or even a reload of the tables). To make it permanent, use:
firewall-cmd --add-port=10000/tcp --permanent
Note that --permanent on its own only changes the saved configuration; run the command both with and without it (or reload afterwards) if the running firewall should change as well.
To view this rule now:
firewall-cmd --list-ports
10000/tcp
===== Whitelisting A New Service =====
Services can also be whitelisted by name, for example:
firewall-cmd --list-services
dhcpv6-client http mdns samba-client ssh
firewall-cmd --add-service=https
success
firewall-cmd --list-services
dhcpv6-client http https mdns samba-client ssh
Again, use the --permanent option to make it persist across reloads/reboots.
What if we wanted to whitelist a service by name that doesn't show up in our list? A good example is webmin, running on port 10000:
firewall-cmd --add-service=webmin
Error: INVALID_SERVICE: webmin
We can simply use the port number, as seen earlier. However, a nicer (but longer) way is:
  - create a service definition file
  - add it to our firewalld service list
  - add the new service as before, by name.
The service definition files are all held in /usr/lib/firewalld/services/:
cd /usr/lib/firewalld/services/
# dir
amanda-client.xml kpasswd.xml radius.xml
amanda-k5-client.xml ldaps.xml rpc-bind.xml
bacula-client.xml ldap.xml samba-client.xml
...
These are simply plain-text XML files and it's fairly trivial to duplicate one of them and amend the content accordingly, for example:
<code xml>
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Webmin</short>
  <description>A web-based administration interface.</description>
  <port protocol="tcp" port="10000"/>
</service>
</code>
However, it is recommended to leave these files alone and instead drop custom service definitions into /etc/firewalld/services, so we'll drop our file (webmin.xml) in there.
The next step is to reload firewalld to pick up this new definition, and it should then be shown in the list of available services:
firewall-cmd --reload
success
firewall-cmd --get-services
amanda-client amanda-k5-client bacula .. webmin
Note that a --reload flushes any rules that are not marked as permanent! Now we can add it in as a service as before:
firewall-cmd --add-service=webmin
success
firewall-cmd --list-services
dhcpv6-client http mdns samba-client ssh webmin
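The custom-service procedure above, as an added shell example (not the note author's own commands): it writes a service definition file with basic input checking, then runs the reload/add sequence. It assumes webmin on 10000/tcp as stated above; the function names are chosen here.

```shell
# Added example, not part of the original notes: write a firewalld service
# definition (default target /etc/firewalld/services, as recommended above)
# and enable it. Function names are chosen here; assumes webmin on 10000/tcp.

# xml_escape STRING: keep &, < and > from breaking the XML file
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# make_service NAME SHORT DESCRIPTION PORT/PROTO [DIR] -> prints the file written
make_service() {
    name=$1; short=$2; desc=$3; dir=${5:-/etc/firewalld/services}
    port=${4%/*}; proto=${4#*/}
    case $proto in tcp|udp) ;; *) echo "bad protocol: $4" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $4" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $4" >&2; return 1; }
    mkdir -p "$dir"
    file=$dir/$name.xml
    # same layout as the stock files in /usr/lib/firewalld/services/
    cat > "$file" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$(xml_escape "$short")</short>
  <description>$(xml_escape "$desc")</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
    echo "$file"
}

# enable_service NAME: reload so firewalld parses the new file, then add the
# service to the saved config and to the running firewall (a reload alone
# drops anything that is not permanent).
enable_service() {
    firewall-cmd --reload &&
    firewall-cmd --permanent --add-service="$1" &&
    firewall-cmd --add-service="$1"
}

# Usage (as root on the firewall host):
#   make_service webmin Webmin "A web-based administration interface." 10000/tcp
#   enable_service webmin
```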
====== Using FirewallD & ipsets ======
=== create a set ===
firewall-cmd --permanent --new-ipset=networkblock --type=hash:net --option=maxelem=1000000 --option=family=inet --option=hashsize=4096
firewall-cmd --reload
=== Add entries to the set ===
firewall-cmd --permanent --ipset=networkblock --add-entry=95.211.0.0/16
firewall-cmd --reload
=== Add the set to the drop zone ===
firewall-cmd --permanent --zone=drop --add-source=ipset:networkblock
firewall-cmd --reload
[[https://firewalld.org/documentation/man-pages/firewalld.ipset.html|https://firewalld.org/documentation/man-pages/firewalld.ipset.html]]
Types:
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
The permanent definition lives in /etc/firewalld/ipsets/NAME.xml (stock definitions would be under /usr/lib/firewalld/ipsets/), in this format:
<code xml>
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <short>My Ipset</short>
  <description>description</description>
  <entry>1.2.3.4</entry>
  <entry>1.2.3.5</entry>
  <entry>1.2.3.6</entry>
</ipset>
</code>
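The create/add/bind procedure above, as an added shell example (not the note author's commands): it builds the XML for a hash:net blocklist set from a plain list of networks, validating every entry first so one typo cannot leave the whole set unparsable at reload. The set name and options mirror the networkblock commands above; the function and file names are chosen here.

```shell
# Added example, not part of the original notes: build the XML for a hash:net
# blocklist ipset from a plain list of networks (one per line, "#" comments
# allowed), validating every entry first so a typo cannot leave the set
# unparsable at reload. Function names are chosen here; the set name and
# options mirror the "networkblock" commands above.

# valid_cidr ADDR[/PLEN] -> 0 for a well-formed IPv4 network, 1 otherwise
valid_cidr() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || plen=32                 # bare address means /32
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case $addr in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs  # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# build_ipset_xml NAME SHORT LISTFILE OUTDIR -> writes OUTDIR/NAME.xml
# Returns 1 (writing nothing) if any non-comment line fails valid_cidr.
build_ipset_xml() {
    name=$1; short=$2; list=$3; out=$4/$name.xml
    entries=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$list" | sort -u)
    bad=$(printf '%s\n' "$entries" | while read -r e; do
              valid_cidr "$e" || echo "$e"; done)
    if [ -n "$bad" ]; then printf 'rejected entries:\n%s\n' "$bad" >&2; return 1; fi
    {
        echo '<?xml version="1.0" encoding="utf-8"?>'
        echo '<ipset type="hash:net">'
        echo "  <short>$short</short>"
        # same options as the --option=... arguments on the firewall-cmd line above
        echo '  <option name="family" value="inet"/>'
        echo '  <option name="maxelem" value="1000000"/>'
        echo '  <option name="hashsize" value="4096"/>'
        printf '%s\n' "$entries" | while read -r e; do [ -z "$e" ] || echo "  <entry>$e</entry>"; done
        echo '</ipset>'
    } > "$out"
}

# Usage as root: write the file where firewalld keeps permanent ipsets, reload
# so it is parsed, bind it to the drop zone, then reload again to apply.
#   build_ipset_xml networkblock "Network blocklist" /root/block.txt /etc/firewalld/ipsets
#   firewall-cmd --reload
#   firewall-cmd --permanent --zone=drop --add-source=ipset:networkblock
#   firewall-cmd --reload
```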
firewall-cmd --get-active-zones ## look at the zones
==== Create a new set ====
firewall-cmd --permanent --type=hash:ip --new-ipset=testblock ## creates /etc/firewalld/ipsets/testblock.xml
firewall-cmd --permanent --ipset=testblock --set-description="testing ipsets by Dave" ## can't do description on same line
firewall-cmd --permanent --ipset=testblock --get-description ## get info.
firewall-cmd --get-ipsets ## won't show it yet
firewall-cmd --reload
firewall-cmd --get-ipsets ## should show up
ipset -L ## also should show up.. but no description listed.
hal:/etc/firewalld/ipsets ## more testblock.xml
<code xml>
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <description>testing ipsets by Dave</description>
</ipset>
</code>
==== Add the set to the dropzone as a blacklist. ====
firewall-cmd --get-active-zones # see which zones are in use
firewall-cmd --permanent --zone=drop --add-source=ipset:testblock ## adds this entry to /etc/firewalld/zones/drop.xml
firewall-cmd --reload
firewall-cmd --get-active-zones # should now show as a zone.
==== Remove a set ====
firewall-cmd --get-ipsets
firewall-cmd --permanent --delete-ipset=testblock
firewall-cmd --reload
firewall-cmd --get-ipsets ## now missing
ipset -L ## may still show, but it's not part of FirewallD
==== Add entries to the set ====
firewall-cmd --permanent --ipset=testblock --add-entry=1.2.3.4
firewall-cmd --permanent --ipset=testblock --add-entry=2.3.4.5
ipset -L # not shown yet - but added to /etc/firewalld/ipsets/testblock.xml
firewall-cmd --reload
ipset -L # shows
hal:/etc/firewalld/ipsets ## more testblock.xml
<code xml>
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <description>testing ipsets by Dave</description>
  <entry>1.2.3.4</entry>
  <entry>2.3.4.5</entry>
</ipset>
</code>
==== Remove entries from the set ====
firewall-cmd --permanent --ipset=testblock --remove-entry=1.2.3.4
ipset -L # still shows in ipset but removed from /etc/firewalld/ipsets/testblock.xml
firewall-cmd --reload
ipset -L # now removed from ipset
==== Add a single IP to the drop zone ====
A one-off address does not need an ipset; it can be added to the drop zone directly:
firewall-cmd --permanent --zone=drop --add-source=1.2.3.4
firewall-cmd --reload