====== Linux Firewalld Documentation ======

^  Documentation  ^|
^Name:| Linux Firewalld Documentation|
^Description:|HOWTO manage firewalld on Linux machines |
^Modification date :|11/04/2018|
^Owner:|dodger|
^Notify changes to:|dodger or networking|
^Tags:| firewalld|
^Scalate to:| dodger or networking|

====== PRE-Requirements ======
Some knowledge of iptables/firewalld.

====== Daemon Management ======

===== Status firewalld =====

<code bash>
systemctl status firewalld
</code>

===== Start firewalld =====
<code bash>
systemctl start firewalld
</code>

===== Enable firewalld =====
So it will start on boot:
<code bash>
systemctl enable firewalld
</code>


===== Stop firewalld =====
The server will be fully accessible (iptables with no rules and ACCEPT everything)
<code bash>
systemctl stop firewalld
echo "## check"
iptables -vnL
</code>


===== Disable firewalld =====
It won't start at boot:
<code bash>
systemctl disable firewalld
</code>

Check status after that.

====== Rules Management ======

<WRAP center round alert 60%>
TO make the changes permanent, you must add ''--permanent'' to firewall-cmd executions!!!
</WRAP>


<WRAP center round alert 60%>
''--permanent'' does not apply rules on LIVE system!!!
</WRAP>
\\
To switch between permanent or live:
<code bash>
export PERMANENT="--permanent"
</code>
===== Reload rules =====
For example after using ''--permanent'' without applying live rules:
<code bash>
firewall-cmd --reload
</code>

===== View information =====

==== All zones ====
<code bash>
firewall-cmd --list-all
</code>


==== list zones ====
<code bash>
firewall-cmd --get-zones
</code>

==== Selected zone  ====
<code bash>
firewall-cmd --zone=internal --list-all
</code>
<code bash>
firewall-cmd --zone=public --list-all
</code>

Sample:
<code bash>
internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
</code>



===== Remove service =====
Change ''THEZONE'' and ''THESERVICE'' from this command.
  * non-permanent:
<code bash>
firewall-cmd ${PERMANENT} --zone=THEZONE --remove-service=THESERVICE
</code>

Sample:
<code bash>
ciberterminal.net /etc/sysconfig # firewall-cmd --zone=public --remove-service=dhcpv6-client
success
ciberterminal.net /etc/sysconfig # firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
Warning: NOT_ENABLED: dhcpv6-client
success
</code>


====== Basic Rules ======

Remove ipv6:
<code bash>
firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
</code>


Add snmp:
<code bash>
firewall-cmd ${PERMANENT} --zone=public --add-service=snmp
</code>



====== Rich Rules ======

===== Open port for source range =====

<code bash>
firewall-cmd ${PERMANENT} --zone=public --add-rich-rule='rule family=ipv4 source address=10.40.0.0/16 port port=8181 protocol=tcp accept'
</code>



====== Openvpn/Wireguard setup ======
As a client:

<code bash>
firewall-cmd ${PERMANENT} --zone=internal --add-interface=tun+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=wg+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=ppp+

firewall-cmd ${PERMANENT} --list-all --zone=internal

</code>