Original address: http://www.oracle-base.com/articles/linux/linux-firewall-firewalld.php
Reverting to the Iptables Service
# systemctl stop firewalld
# systemctl disable firewalld

# yum install iptables-services
# touch /etc/sysconfig/iptables
# systemctl start iptables
# systemctl enable iptables

# touch /etc/sysconfig/ip6tables
# systemctl start ip6tables
# systemctl enable ip6tables
Installation
# yum install firewalld firewall-config
# systemctl start firewalld.service
# systemctl enable firewalld.service
# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago
 Main PID: 13246 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─13246 /usr/bin/python /usr/sbin/firewalld --nofork --nopid

Apr 20 14:06:44 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 20 14:06:46 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
#
Stop and disable the service with the following commands.
# systemctl stop firewalld.service
# systemctl disable firewalld.service
firewall-cmd
# firewall-cmd --help

# Check firewall state.
firewall-cmd --state

# Check active zones.
firewall-cmd --get-active-zones

# Check currently active services.
firewall-cmd --get-service

# Check services that will be active after the next reload.
firewall-cmd --get-service --permanent
Lock down and unlock the firewall using the following commands.
# firewall-cmd --panic-on
success
# firewall-cmd --query-panic
yes
# firewall-cmd --panic-off
success
# firewall-cmd --query-panic
no
Reload the runtime configuration from the permanent files using the following command.
# firewall-cmd --reload
The firewall comes with predefined services, which are XML files in the "/usr/lib/firewalld/services/" directory.
# ls /usr/lib/firewalld/services/
amanda-client.xml      http.xml         libvirt.xml   pmwebapis.xml     ssh.xml
bacula-client.xml      imaps.xml        mdns.xml      pmwebapi.xml      telnet.xml
bacula.xml             ipp-client.xml   mountd.xml    pop3s.xml         tftp-client.xml
dhcpv6-client.xml      ipp.xml          ms-wbt.xml    postgresql.xml    tftp.xml
dhcpv6.xml             ipsec.xml        mysql.xml     proxy-dhcp.xml    transmission-client.xml
dhcp.xml               kerberos.xml     nfs.xml       radius.xml        vnc-server.xml
dns.xml                kpasswd.xml      ntp.xml       rpc-bind.xml      wbem-https.xml
ftp.xml                ldaps.xml        openvpn.xml   samba-client.xml
high-availability.xml  ldap.xml         pmcd.xml      samba.xml
https.xml              libvirt-tls.xml  pmproxy.xml   smtp.xml
#
You shouldn't edit these. Instead, copy the relevant service file to the "/etc/firewalld/services/" directory and edit it there. The firewalld service always uses files in the "/etc/firewalld/services/" directory in preference to those in the "/usr/lib/firewalld/services/" directory. Remember to reload the configuration after making any changes.
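The paragraph above describes the site-local service directory but not what a service file contains. The following is an added example, not code from the oracle-base article or from the firewalld project: it builds a service definition of the same shape as the packaged files (a short name, a description and one port element per port or range), validates the port specifications before writing them, and reads the file back. The service name "MyApp" and its ports are constructed for illustration; the output would be saved as a hypothetical /etc/firewalld/services/myapp.xml and activated with a reload.

```python
"""Build and read back a firewalld service definition.

Added example (not from the oracle-base article or the firewalld project).
The service name and ports are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Accepts '22/tcp' or '8080-8081/udp'; anything else is rejected.
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp)$")


def validate_port(spec):
    """Return (port_or_range, protocol) for a spec such as '8080-8081/tcp'.

    Raises ValueError for malformed specs, ports outside 1-65535, and
    reversed ranges, so a typo cannot silently open the wrong port.
    """
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"port out of range or reversed: {spec!r}")
    port = m.group(1) if hi == lo else f"{lo}-{hi}"
    return (port, m.group(3))


def build_service_xml(short, description, ports):
    """Return the XML text of a firewalld service file for the given ports."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for spec in ports:
        port, proto = validate_port(spec)
        ET.SubElement(root, "port", protocol=proto, port=port)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def parse_service_ports(xml_text):
    """Read a service file and return its ports as ['port/proto', ...]."""
    root = ET.fromstring(xml_text)
    return [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")]


if __name__ == "__main__":
    # Constructed example: a hypothetical application listening on 8080-8081/tcp.
    text = build_service_xml("MyApp", "Hypothetical application listener.",
                             ["8080-8081/tcp"])
    print(text)
    print(parse_service_ports(text))
    # On a real host: write text to /etc/firewalld/services/myapp.xml,
    # then `firewall-cmd --reload` and `firewall-cmd --zone=public --add-service=myapp`.
```

Writing the file under /etc/firewalld/services/ rather than editing the packaged copy keeps the definition safe from package upgrades, which is the point the paragraph makes.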
Add an existing service to a zone.
# Set runtime and permanent independently.
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --permanent --zone=public --add-service=https
or
# Set permanent and reload the runtime config.
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload
All subsequent examples will assume you want to amend both the runtime and permanent configuration, and will only set the permanent configuration and then reload the runtime configuration.
Once you've amended the default configuration, the "/etc/firewalld/zones/public.xml" file will be created. You can manually amend this file, but you will need to issue a reload for the changes to take effect.
Check the services in a zone.
# firewall-cmd --zone=public --list-services
dhcpv6-client https ssh
# firewall-cmd --permanent --zone=public --list-services
dhcpv6-client https ssh
Remove a service from a zone.
# firewall-cmd --permanent --zone=public --remove-service=https
# firewall-cmd --reload
Open a specific port or range in a zone, check its runtime and permanent configuration, then remove it.
# firewall-cmd --permanent --zone=public --add-port=8080-8081/tcp
# firewall-cmd --reload
# firewall-cmd --zone=public --list-ports
8080-8081/tcp
# firewall-cmd --permanent --zone=public --list-ports
8080-8081/tcp
# firewall-cmd --permanent --zone=public --remove-port=8080-8081/tcp
# firewall-cmd --reload
Rich rules allow you to create more complex configurations. The following command allows you to open HTTP access to a specific IP address. The rule text contains double quotes, so it is wrapped in single quotes for the shell.
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" \
    source address="192.168.0.4/24" service name="http" accept'
The "/etc/firewalld/zones/public.xml" file now contains the rich rule.
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use with public areas. You don't trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>
The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option.
# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" \
    source address="192.168.0.4/24" service name="http" accept'
The following example opens and closes port 8080 for a specific source IP address using a rich rule.
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" \
    source address="192.168.0.4/24" \
    port protocol="tcp" port="8080" accept'
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use with public areas. You don't trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>
#
# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" \
    source address="192.168.0.4/24" \
    port protocol="tcp" port="8080" accept'
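The zone file shown above mixes plain services, plain ports and rich rules, and it is easy to lose track of what a zone actually exposes and to whom. The following is an added example, not code from the oracle-base article or from the firewalld project: it parses a zone file of the same form as /etc/firewalld/zones/public.xml, resolves each service to the ports in its service definition, lists every accepted port together with the source it is accepted from, and flags rich rules whose source is a network rather than a single host. That last check matters for the rules above: the text speaks of "a specific IP address", but "192.168.0.4/24" is a /24 mask and matches the whole 192.168.0.0/24 network. The zone and the three service definitions are constructed inline so the script runs offline; on a real host they would be read from /etc/firewalld/zones/ and the service directories.

```python
"""Report what a firewalld zone exposes, and flag network-wide sources.

Added example (not from the oracle-base article or the firewalld project).
The zone and service XML below are constructed stand-ins for the real files.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed service definitions keyed by name (stand-ins for
# /etc/firewalld/services/*.xml and /usr/lib/firewalld/services/*.xml).
SERVICE_XML = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "http": '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
    "dhcpv6-client": '<service><short>DHCPv6 Client</short>'
                     '<port protocol="udp" port="546"/></service>',
}

# Constructed zone file: the page's public zone with both rich rules, plus a
# plain port entry and a /32 variant of the source address for contrast.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="8080-8081"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <service name="http"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.4/32"/>
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>
"""


def service_ports(name, definitions=SERVICE_XML):
    """Return ['port/proto', ...] for the named service definition."""
    root = ET.fromstring(definitions[name])
    return [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")]


def zone_exposure(zone_xml, definitions=SERVICE_XML):
    """Return (port/proto, source) pairs the zone accepts.

    Plain <service> and <port> children apply to any source ('any');
    only <rule> elements that contain <accept/> are counted as opening
    something, and their <source address> is recorded as the source.
    """
    root = ET.fromstring(zone_xml)
    exposure = []
    for svc in root.findall("service"):          # direct children only
        for pp in service_ports(svc.get("name"), definitions):
            exposure.append((pp, "any"))
    for port in root.findall("port"):
        exposure.append((f"{port.get('port')}/{port.get('protocol')}", "any"))
    for rule in root.findall("rule"):
        if rule.find("accept") is None:
            continue
        src = rule.find("source")
        source = src.get("address") if src is not None else "any"
        for svc in rule.findall("service"):
            for pp in service_ports(svc.get("name"), definitions):
                exposure.append((pp, source))
        for port in rule.findall("port"):
            exposure.append((f"{port.get('port')}/{port.get('protocol')}", source))
    return exposure


def broad_sources(exposure):
    """Return sources whose mask covers more than one host, sorted and unique."""
    found = set()
    for _, source in exposure:
        if source == "any":
            continue
        net = ipaddress.ip_network(source, strict=False)  # 192.168.0.4/24 -> /24 net
        if net.num_addresses > 1:
            found.add(source)
    return sorted(found)


if __name__ == "__main__":
    exposure = zone_exposure(ZONE_XML)
    for pp, source in exposure:
        print(f"{pp:<16} accepted from {source}")
    for source in broad_sources(exposure):
        print(f"warning: source {source} is a network, not a single host")
```

Run against a copy of the real public.xml, the report gives the same information as "--list-services", "--list-ports" and "--list-rich-rules" combined, with services expanded to the ports they actually open.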
Backups and transfers of Firewall Configuration
As all non-default configuration is placed under the "/etc/firewalld/" directory, taking a copy of the contents of this directory and its sub-directories constitutes a backup of the firewall configuration.
Not surprisingly, transferring the contents of this directory allows you to duplicate the firewall configuration on other servers.