Introduction
– A packet filtering firewall reads incoming network packets and filters (allows or denies) each data packet based on the header information in the packet. The Linux kernel has built-in packet filtering functionality called Netfilter.
– Two services are available in RHEL 7 to create, maintain, and display the rules stored by Netfilter:
1. firewalld
2. iptables
– In RHEL 7, the default firewall service is firewalld.
– firewalld is a dynamic firewall manager which supports firewall (network) zones.
– The firewalld service has support for IPv4, IPv6, and for Ethernet bridges.
– The firewalld service also provides a D-BUS interface. Services or applications already using D-BUS can add or request changes to firewall rules directly through the D-BUS interface.
Advantages over iptables
firewalld has the following advantages over iptables :
1. Unlike the iptables command, the firewall-cmd command does not restart the firewall and disrupt established TCP connections.
2. firewalld supports dynamic zones.
3. firewalld supports D-Bus for better integration with services that depend on firewall configuration.
Configuration options
The firewalld service has two types of configuration options:
1. Runtime: Changes to firewall settings take effect immediately but are not permanent. Changes made in runtime configuration mode are lost when the firewalld service is restarted.
2. Permanent: Changes to firewall settings are written to configuration files. These changes are applied when the firewalld service restarts.
Configuration files
Configuration files for firewalld exist in two directories:
/usr/lib/firewalld: Contains default configuration files. Do not make changes to these files. An upgrade of the firewalld package overwrites this directory.
/etc/firewalld: Changes to the default configuration files are stored in this directory.Files in this directory overload the default configuration files.
firewalld zones
The firewalld service allows you to separate networks into different zones based on the level of trust you want to place on the devices and traffic within a specific network. For each zone you can define the following features:
Services: Predefined or custom services to trust. Trusted services are a combination of ports and protocols that are accessible from other systems and networks.
Ports: Additional ports or port ranges and associated protocols that are accessible from other systems and networks.
Masquerading: Translate IPv4 addresses to a single external address. With masquerading enabled, addresses of a private network are mapped to and hidden behind a public address.
Port Forwarding: Forward inbound network traffic from a specific port or port range to an alternative port on the local system, or to a port on another IPv4 address.
ICMP Filter: Block selected Internet Control Message Protocol messages.
Rich Rules: Extend existing firewalld rules to include additional source and destination addresses and logging and auditing actions.
Interfaces: Network interfaces bound to the zone. The zone for an interface is specified with the ZONE=option in the /etc/sysconfig/network-scripts/ifcfg file. If the option is missing, the interface is bound to the default zone.
Predefined firewalld Zones
The firewalld software package includes a set of predefined network zones in the following directory:
# ls -lrt /usr/lib/firewalld/zones/ total 36 -rw-r----- 1 root root 342 Sep 15 2015 work.xml -rw-r----- 1 root root 162 Sep 15 2015 trusted.xml -rw-r----- 1 root root 315 Sep 15 2015 public.xml -rw-r----- 1 root root 415 Sep 15 2015 internal.xml -rw-r----- 1 root root 400 Sep 15 2015 home.xml -rw-r----- 1 root root 304 Sep 15 2015 external.xml -rw-r----- 1 root root 291 Sep 15 2015 drop.xml -rw-r----- 1 root root 293 Sep 15 2015 dmz.xml -rw-r----- 1 root root 299 Sep 15 2015 block.xml
The zone files contain preset settings, which can be applied to a network interface. For example:
# grep –i service /usr/lib/firewalld/zones/public.xml <service name=“ssh”/> <service name=“dhcpv6-client”/>
In this example, network interfaces bound to the public zone trust only two services, ssh and dhcpv6-client.
A brief explanation of each zone follows:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing
network connections are possible.
block: Any incoming network connections are rejected with an icmp-host- prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.
Setting the Default firewalld Zone
After an initial installation, the public zone is the default zone as specified in the configuration file, /etc/firewalld/firewalld.conf.
# grep –i defaultzone /etc/firewalld/firewalld.conf DefaultZone=public
Network interfaces are bound to the default zone unless specified with ZONE=[zone] in the ifcfg file. The following command shows the interfaces that are bound to the public zone:
# firewall-cmd --get-active-zone
public
interfaces: eth0 eth1
You can use the firewall-cmd command to change the default zone:
# firewall-cmd --set-default-zone=work success
You can also use the firewall-config GUI to change the default zone. From the menu bar, select Options->Change Default Zone, and then select a zone from a pop-up list.
firewalld Services
– A firewalld service is a combination of local ports and protocols and destination addresses.
– A firewalld service can also include Netfilter kernel modules that are automatically loaded when a service is enabled.
– The firewalld software package includes a set of predefined services in the following directory:
# ls -lrt /usr/lib/firewalld/zones/ total 36 -rw-r----- 1 root root 342 Sep 15 2015 work.xml -rw-r----- 1 root root 162 Sep 15 2015 trusted.xml -rw-r----- 1 root root 315 Sep 15 2015 public.xml -rw-r----- 1 root root 415 Sep 15 2015 internal.xml -rw-r----- 1 root root 400 Sep 15 2015 home.xml -rw-r----- 1 root root 304 Sep 15 2015 external.xml -rw-r----- 1 root root 291 Sep 15 2015 drop.xml -rw-r----- 1 root root 293 Sep 15 2015 dmz.xml -rw-r----- 1 root root 299 Sep 15 2015 block.xml
– Services can be enabled for a zone in Runtime mode.
– Service definitions can only be edited in Permanent mode.
Start firewalld
To start firewalld:
# systemctl start firewalld
To ensure firewalld starts at boot time:
# systemctl enable firewalld
To check if firewalld is running:
# systemctl status firewalld # firewall-cmd --state
Three methods to configure the firewalld service:
– firewall-cmd : Command-line interface
– firewall-config : Graphical user interface
– Edit various XML configuration files.
The firewall-cmd Utility
The command-line tool firewall-cmd is part of the firewalld application, which is installed by default. To get help on the firewall-cmd command:
# firewall-cmd --help
The firewall-cmd command offers categories of options such as General, Status, Permanent, Zone, IcmpType, Service, Adapt and Query Zones, Direct, Lockdown, Lockdown Whitelist, and Panic. To list information for all zones:
# firewall-cmd --list-all-zones public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
...
To permit access by HTTP clients for the public zone:
# firewall-cmd --zone=public --add-service=http success
To list services that are allowed for the public zone:
# firewall-cmd --zone=work --list-services
dhcpv6-client http ssh
Using this command only changes the Runtime configuration and does not update the configuration files.
The configuration changes made in Runtime configuration mode are lost when the firewalld service is restarted:
# systemctl restart firewalld # firewall-cmd --zone=work --list-services dhcpv6-client ssh
To make changes permanent, use the –permanent option. Example:
# firewall-cmd --permanent --zone=public --add-service=http success
Changes made in Permanent configuration mode are not implemented immediately. However, changes made in Permanent configuration are written to configuration files. Restarting the firewalld service reads the configuration files and implements the changes. Example:
# systemctl restart firewalld # firewall-cmd --zone=work --list-services dhcpv6-client http ssh