35 commands to understand Firewalld in RHEL7 environment

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges, and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.Firewalld.org

Photo Credits: Cloudflare.com
Photo Credits: Cloudflare.com

IPtables VS Firewalld

In RHEL6, we had IPtables. Now, in RHEL7, the firewall mechanism or say, the firewall daemon changed to Firewalld. Both serve the same purpose, i.e; packet filtering using the Netfilter module inbuilt in the Linux kernel. However, it is important to know why the Firewalld took over the IPtables. In Firewalld, you can change settings dynamically whilst being on production compared to IPtables which needs to flush out the entire rules set once a change has been made. Another difference is that during the installation of firewalld, you have support for both IPv4 and IPv6 compared to IPtables, you will have to install Ip6tables for IPv6 support. For those who are not acquainted with IPv6, please check out the article on “Diving into the basics of IPv6“. To briefly describe Firewalld, it is a set of services and daemons that manage the Netfilter in the Linux kernel. Finally, it is important to understand that both RHEL6 and RHEL7 used the IPtables (commands) to talk to the Netfilter.

Photo Credits: 8gwifi.org
Photo Credits: 8gwifi.org

Zones concept in Firewalld

One of the important concepts in firewalld is ‘zones’. Zones are groups of rules which is managed by the firewalld. Zones are based on the level of trust a user has on the interface and traffic within a network. Zones are even defined from least trusted to most trusted. These are the types of zones:

  • Drop zones: This is where incoming connections are dropped without any messages.
  • Block zones: Same as block zone but the only difference is that it gives an ICMP reply.
  • Public zones: It is an untrusted zone, but may allow connections based on case to case basis.
  • External zones: It is used when your firewall is also a gateway or simply, configuration for NAT.
  • Internal zones: This is the other side of the gateway or simply the firewall configurations used inside your own network, usually in a private network.
  • Demilitarized zones: Demilitarized zones or say DMZ, is where only certain incoming connections are allowed.
  • Work zones: There is a trust in the majority of hosts on the network which makes it possible to allow more services.
  • Home zones: The trust here is more and more acceptable and much more restrictions are removed.
  • Trusted: Here, there is absolute trust. Note that this should be used carefully.

VIEW information on your firewall

1. You can check if your firewall is running from either of the following commands:

systemctl status firewalld
firewalld-cmd --state

2. Like we said earlier, we can also check in which zone is the interface card configured:

firewalld-cmd --get-default-zone

firewalld-cmd

3. Now, to check which interface card is in which zone, simply do the following. As you can see below, both interface cards enp0s3 and enp0s8 is in the active zone:

firewalld-cmd --get-active-zone

firewalld-cmd

4. To check which rules are in the zones:

firewalld-cmd --list-all

5. If you want to get all the existing zones, simply do the following:

firewalld-cmd --get-zones

6. To list all existing rules within each zone, use the following:

Currently, you will also know which zones are your interfaces.

firewalld-cmd --list-all

firewalld-cmd

7. But, you can still list the rules for a specific zone, say, the ‘home’ zone.

firewall-cmd --zone=home --list-all

8. For more details of all zones:firewall-cmd –list-all-zones

9. We have also seen, for example, in part 4 that firewall-zone –get-active-zone also shows us the services associated with the zone. But, we can also see a list of services with the firewall-zone command:

firewall-cmd --get-services

The services are just XML file located in /usr/lib/firewalld/services

Change information on the Firewall

10. Let’s say you want to move one interface from one zone to another zone. In my case, I want to move enp0s3 from the public to the home zone.

firewall-cmd --zone=home --change-interface=enp0s3

You can verify same using firewall-cmd –list-all-zones

11. However, another way to made verifications can be done using the command:

firewall-cmd --get-active-zones

12. Please note that restarting the service firewalld will result in loss of the change carried out. To ensure it is effective even after a restart of the service, go on the configuration on the network card which is /etc/sysconfig/network-scripts/ifcfg-enp0s3 and add the following line to it.

ZONE=home

13. Also, note that you can always change the default zone from public to home directly with the command:

firewall-cmd --set-default-zone=home

14. To add a specific service to a zone, for example, adding https to the zone public.

firewall-cmd --zone=public --add-service=https

15. Please note that this is only temporarily and after a restart of the service, the https will not be anymore in the home zone. To make it permanent:

firewall-cmd --permanent --zone=public --add-service=https

Always test your change with a firewall-cmd –reload

16. Most of the time, if you are running your own custom application, let’s say it is running on port 8080 and the services are not seen using firewall-cmd get-services, you can still add it to a zone by mentioning the port.

firewall-cmd --permanent --zone=public --add-port=8080/tcp

After adding the port, you must reload it to view the change.

More crazy Firewalld rules

17. You can also specify a range, for example, from 8000 to 8080 using the command:

firewall-cmd --permanent --zone=public --add-port=8000-8080/tcp

18. More interesting if you want to allow a specific IP Address for a specific zone, you can use the –add-source parameter:

firewall-cmd --permanent --zone=public --add-source=10.0.3.16/24

19. We can also block a specific IP Address from a zone. Let’s say we want to block IP 10.10.10.10/24 from the zone public. For that, we have to use the parameter –add-rich-rule.

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.10/24" reject'

20. You might also want a particular service to be allowed from a particular IP Address. Let’s say we want to allow IP 10.10.10.5 for the zone public and only for the FTP service. In this example below, limit value=”2/m” means to limit 2 connections per minute.

[[email protected] services]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.5/24" service name="ftp" log prefix="tftp" level="info" limit value="2/m" accept'
21. Let’s say you want to know which zone is a specific interface. You can use the following command:
firewall-cmd --get-zone-of-interface=enp0s3
22. You can also find how many particular interfaces are in a particular zone:
firewall-cmd --zone=public --list-interfaces
23. To stop all communications, let’s say during an attack, you can fire this command:
firewall-cmd --panic-on

24. You can also stop the panic using the following command:

firewall-cmd --panic-off

25. You can also check if you are in a query panic using the following command:

firewall-cmd --query-panic

NAT, Port Forwarding and Masquerading

Network Address Translation (NAT) means to use a strategy to hide an IP address space into another IP address by modifying the network address information in the IP header. The packets in the IP header will transit through a routing device.

Port Address Translation (PAT) sometimes called Port forwarding works the same fashion except that it works on port level. You can forward port 22 on from your IP address to port 8000 to your internal web server.
The word Masquerading itself means to use something fake. NAT masquerading is another strategy to allow a device that does not have an IP address to communicate with other computers on the internet. IP Masquerading means to set up an IP gateway for a device.
26. To check if masquerading is on or off, you can use the following command:
firewall-cmd --query-masquerade
27. Or say you want to query a particular zone if masquerade is on or off, simply use the –zone parameter:
firewall-cmd --zone=public --query-masquerade
28. To enable masquerade for the zone public
firewall-cmd --zone=public --add-masquerade
29.  Before performing a port forwarding, we need to enable the masquerading:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.5/24" masquerade'

30.  Now, let’s say we want to forward all SSH traffic which is on port 22 to port 8000. This can be achieved using the following command:

firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=8000

31. Since we did not define the IP address, it will redirect to localhost. Otherwise, you can also add an IP address:

firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=8000:toaddr=10.0.2.16

32.  You can also query it by using the parameter –query-forward-port:

firewall-cmd --permanent --zone=public --query-forward-port=port=22:proto=tcp:toport=8000:toaddr=10.0.2.16

Other stuff in Firewalld

33.  You can also use firewalld on the graphic user interface. This can be done by installing the package firewall-config. The following command can be used:

yum install firewall firewalld-config

34. There are other ways to check if firewalld is running:

systemctl status firewalld
firewall-cmd --state

35. To active debug mode on firewalld logs enter the following parameter in the /etc/sysconfig/firewalld 

FIREWALLD_ARGS='--debug'

After setting the parameter, the service need to be restarted.

If you want to get to the Ninja level using firewalld, please refer to this blog article by certdepot.net