Documentation | |
---|---|
Name: | Linux Firewalld Documentation |
Description: | HOWTO manage firewalld on Linux machines |
Modification date: | 11/04/2018 |
Owner: | dodger |
Notify changes to: | dodger or networking |
Tags: | firewalld |
Escalate to: | dodger or networking |
Prerequisites: some knowledge of iptables/firewalld.
systemctl status firewalld
systemctl start firewalld
To make it start on boot:
systemctl enable firewalld
Stopping firewalld leaves the server fully open (iptables with no rules and a default policy of ACCEPT for everything):
systemctl stop firewalld
echo "## check"
iptables -vnL
To keep it from starting at boot:
systemctl disable firewalld
Check status after that.
To make changes permanent you must add --permanent to your firewall-cmd invocations!!!
--permanent does NOT apply the rules to the LIVE (runtime) configuration!!!
To switch between permanent and live, set this variable (leave it empty to change only the live rules):
export PERMANENT="--permanent"
For example, after using --permanent without applying the rules live, load them with:
firewall-cmd --reload
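An added example (not part of the original page) of checking for exactly this problem: it flattens the runtime and permanent output of firewall-cmd --zone=Z --list-all and prints every entry that exists in only one of the two views. fw_check_zone assumes firewall-cmd is in PATH; the sample listings at the bottom are constructed, so the script itself runs without firewalld.

```shell
#!/bin/sh
# Added example (not from the original page): report drift between the runtime
# and permanent configuration of a firewalld zone, i.e. a --permanent change
# that was never reloaded, or a live change that was never made permanent.
# Flatten one "firewall-cmd --zone=Z --list-all" listing into sorted
# "key=value" lines, one per service, port, interface or rich rule.
fw_normalize() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*[a-z][a-z -]*:/ {              # e.g. "services: ssh snmp", "rich rules:"
      sub(/^[ \t]+/, "")
      i = index($0, ":"); key = substr($0, 1, i - 1)
      n = split(substr($0, i + 1), v, /[ \t]+/)
      for (j = 1; j <= n; j++) if (v[j] != "") print key "=" v[j]
      next
    }
    key == "" { next }                     # zone header line, e.g. "public (active)"
    { sub(/^[ \t]+/, ""); if ($0 != "") print key "=" $0 }   # rich rule on its own line
  ' | LC_ALL=C sort
}

# $1 = runtime listing, $2 = permanent listing. Prints one line per entry found
# in only one of the two views; prints nothing when they agree.
fw_zone_diff() {
  { fw_normalize "$1" | sed 's/^/R /'; fw_normalize "$2" | sed 's/^/P /'; } | awk '
    $1 == "R" { sub(/^R /, ""); R[$0] = 1; next }
              { sub(/^P /, ""); P[$0] = 1 }
    END { for (k in R) if (!(k in P)) print "runtime-only: " k
          for (k in P) if (!(k in R)) print "permanent-only: " k }' | LC_ALL=C sort
}

# On a real host (assumes firewall-cmd is in PATH): fw_check_zone public
fw_check_zone() {
  fw_zone_diff "$(firewall-cmd --zone="$1" --list-all)" \
               "$(firewall-cmd --permanent --zone="$1" --list-all)"
}
# Constructed sample listings: snmp and dhcpv6-client were added live only,
# the rich rule was added with --permanent and never reloaded.
SAMPLE_RUNTIME='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh snmp
  rich rules: '
SAMPLE_PERMANENT='public
  target: default
  interfaces: eth0
  services: ssh
  rich rules: 
	rule family="ipv4" source address="10.40.0.0/16" port port="8181" protocol="tcp" accept'
fw_zone_diff "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

An empty result means runtime and permanent agree; anything printed is a rule that will vanish on reload (runtime-only) or is not yet in effect (permanent-only).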
firewall-cmd --list-all
firewall-cmd --get-zones
firewall-cmd --zone=internal --list-all
firewall-cmd --zone=public --list-all
Sample:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
Replace THEZONE and THESERVICE in this command:
firewall-cmd ${PERMANENT} --zone=THEZONE --remove-service=THESERVICE
Sample:
ciberterminal.net /etc/sysconfig # firewall-cmd --zone=public --remove-service=dhcpv6-client
success
ciberterminal.net /etc/sysconfig # firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
Warning: NOT_ENABLED: dhcpv6-client
success
Remove the dhcpv6-client service (IPv6 DHCP client):
firewall-cmd ${PERMANENT} --zone=public --remove-service=dhcpv6-client
Add snmp:
firewall-cmd ${PERMANENT} --zone=public --add-service=snmp
Allow TCP port 8181 from 10.40.0.0/16 with a rich rule:
firewall-cmd ${PERMANENT} --zone=public --add-rich-rule='rule family=ipv4 source address=10.40.0.0/16 port port=8181 protocol=tcp accept'
As a VPN client, put the tunnel interfaces (tun+, wg+, ppp+) in the internal zone:
firewall-cmd ${PERMANENT} --zone=internal --add-interface=tun+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=wg+
firewall-cmd ${PERMANENT} --zone=internal --add-interface=ppp+
firewall-cmd ${PERMANENT} --list-all --zone=internal