mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-12-01 07:39:48 +00:00
131 lines
5 KiB
Text
131 lines
5 KiB
Text
|
// Module included in the following assemblies:
|
||
|
//
|
||
|
// firewalld.adoc
|
||
|
|
||
|
// Base the file name and the ID on the module title. For example:
|
||
|
// * file name: doing-procedure-a.adoc
|
||
|
// * ID: [id='doing-procedure-a']
|
||
|
// * Title: = Doing procedure A
|
||
|
|
||
|
// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken.
|
||
|
[id=checking-firewalld-fedora]
|
||
|
// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide.
|
||
|
= Checking the firewalld status
|
||
|
|
||
|
== Viewing the current status of `firewalld`
|
||
|
|
||
|
The firewall service, `firewalld`, is installed on the system by default. Use the `firewalld` CLI interface to check that the service is running.
|
||
|
|
||
|
To see the status of the service:
|
||
|
|
||
|
----
|
||
|
$ sudo firewall-cmd --state
|
||
|
----
|
||
|
|
||
|
For more information about the service status, use the [command]`systemctl status` sub-command:
|
||
|
|
||
|
----
|
||
|
$ sudo systemctl status firewalld
|
||
|
firewalld.service - firewalld - dynamic firewall daemon
|
||
|
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
|
||
|
Active: active (running) since Mon 2017-12-18 16:05:15 CET; 50min ago
|
||
|
Docs: man:firewalld(1)
|
||
|
Main PID: 705 (firewalld)
|
||
|
Tasks: 2 (limit: 4915)
|
||
|
CGroup: /system.slice/firewalld.service
|
||
|
└─705 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
|
||
|
----
|
||
|
|
||
|
Furthermore, it is important to know how `firewalld` is set up and which rules are in force before you try to edit the settings. To display the firewall settings, see <<sec-Viewing_Current_firewalld_Settings>>
|
||
|
|
||
|
[[sec-Viewing_Current_firewalld_Settings]]
|
||
|
== Viewing current firewalld settings
|
||
|
|
||
|
[[sec-Viewing_Allowed_Services_Using_GUI]]
|
||
|
=== Viewing allowed services using GUI
|
||
|
|
||
|
To view the list of services using the graphical [application]*firewall-config* tool, press the kbd:[Super] key to enter the Activities Overview, type [command]`firewall`, and press kbd:[Enter]. The [application]*firewall-config* tool appears. You can now view the list of services under the `Services` tab.
|
||
|
|
||
|
Alternatively, to start the graphical firewall configuration tool using the command-line, enter the following command:
|
||
|
|
||
|
[subs="quotes, macros"]
|
||
|
----
|
||
|
$ [command]`firewall-config`
|
||
|
----
|
||
|
|
||
|
The `Firewall Configuration` window opens. Note that this command can be run as a normal user, but you are prompted for an administrator password occasionally.
|
||
|
////
|
||
|
[[exam-firewall_config_services]]
|
||
|
.The Services tab in firewall-config
|
||
|
|
||
|
image::images/firewall-config-services.png[A screenshot of the firewall configuration tool - the Services tab]
|
||
|
////
|
||
|
[[sec-Viewing_firewalld_Settings_Using_CLI]]
|
||
|
=== Viewing firewalld settings using CLI
|
||
|
|
||
|
With the CLI client, it is possible to get different views of the current firewall settings. The [option]`--list-all` option shows a complete overview of the `firewalld` settings.
|
||
|
|
||
|
`firewalld` uses zones to manage the traffic. If a zone is not specified by the [option]`--zone` option, the command is effective in the default zone assigned to the active network interface and connection.
|
||
|
|
||
|
To list all the relevant information for the default zone:
|
||
|
|
||
|
----
|
||
|
$ firewall-cmd --list-all
|
||
|
public
|
||
|
target: default
|
||
|
icmp-block-inversion: no
|
||
|
interfaces:
|
||
|
sources:
|
||
|
services: ssh dhcpv6-client
|
||
|
ports:
|
||
|
protocols:
|
||
|
masquerade: no
|
||
|
forward-ports:
|
||
|
source-ports:
|
||
|
icmp-blocks:
|
||
|
rich rules:
|
||
|
----
|
||
|
|
||
|
[NOTE]
|
||
|
====
|
||
|
To specify the zone for which to display the settings, add the [option]`--zone=pass:attributes[{blank}]_zone-name_pass:attributes[{blank}]` argument to the [command]`firewall-cmd --list-all` command, for example:
|
||
|
----
|
||
|
~]# firewall-cmd --list-all --zone=home
|
||
|
home
|
||
|
target: default
|
||
|
icmp-block-inversion: no
|
||
|
interfaces:
|
||
|
sources:
|
||
|
services: ssh mdns samba-client dhcpv6-client
|
||
|
... [output truncated]
|
||
|
|
||
|
----
|
||
|
====
|
||
|
|
||
|
To see the settings for particular information, such as services or ports, use a specific option. See the `firewalld` manual pages or get a list of the options using the command help:
|
||
|
|
||
|
----
|
||
|
$ firewall-cmd --help
|
||
|
|
||
|
Usage: firewall-cmd [OPTIONS...]
|
||
|
|
||
|
General Options
|
||
|
-h, --help Prints a short help text and exists
|
||
|
-V, --version Print the version string of firewalld
|
||
|
-q, --quiet Do not print status messages
|
||
|
|
||
|
Status Options
|
||
|
--state Return and print firewalld state
|
||
|
--reload Reload firewall and keep state information
|
||
|
... [output truncated]
|
||
|
----
|
||
|
|
||
|
For example, to see which services are allowed in the current zone:
|
||
|
|
||
|
----
|
||
|
$ firewall-cmd --list-services
|
||
|
samba-client ssh dhcpv6-client
|
||
|
----
|
||
|
|
||
|
Listing the settings for a certain subpart using the CLI tool can sometimes be difficult to interpret. For example, you allow the `SSH` service and `firewalld` opens the necessary port (22) for the service. Later, if you list the allowed services, the list shows the `SSH` service, but if you list open ports, it does not show any. Therefore, it is recommended to use the [option]`--list-all` option to make sure you receive a complete information.
|