mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-30 23:38:18 +00:00
1193 lines
40 KiB
Text
1193 lines
40 KiB
Text
= Firewalld
|
||
|
||
'''
|
||
|
||
[IMPORTANT]
|
||
======
|
||
|
||
This page was automatically converted from https://fedoraproject.org/wiki/Firewalld
|
||
|
||
It is probably
|
||
|
||
* Badly formatted
|
||
* Missing graphics and tables that do not convert well from mediawiki
|
||
* Out-of-date
|
||
* In need of other love
|
||
|
||
Please fix it, remove this notice, and then add to `_topic_map.yml`
|
||
|
||
Pull requests accepted at https://pagure.io/fedora-docs/quick-docs
|
||
|
||
Once that is live, go to the original wiki page and add an `{{old}}`
|
||
tag, followed by a note like
|
||
|
||
....
|
||
{{admon/note|This page has a new home!|
|
||
This wiki page is no longer maintained. Please find the up-to-date
|
||
version at: https://docs.fedoraproject.org/whatever-the-url
|
||
}}
|
||
....
|
||
|
||
======
|
||
|
||
'''
|
||
|
||
|
||
[[dynamic-firewall-with-firewalld]]
|
||
Dynamic firewall with firewalld
|
||
-------------------------------
|
||
|
||
firewalld provides a dynamically managed firewall with support for
|
||
network/firewall zones to define the trust level of network connections
|
||
or interfaces. It has support for IPv4, IPv6 firewall settings and for
|
||
ethernet bridges and has a separation of runtime and permanent
|
||
configuration options. It also supports an interface for services or
|
||
applications to add firewall rules directly.
|
||
|
||
The former firewall model with system-config-firewall/lokkit was static
|
||
and every change required a complete firewall restart. This included
|
||
also to unload the firewall netfilter kernel modules and to load the
|
||
modules that are needed for the new configuration. The unload of the
|
||
modules was breaking stateful firewalling and established connections.
|
||
|
||
The firewall daemon on the other hand manages the firewall dynamically
|
||
and applies changes without restarting the whole firewall. Therefore
|
||
there is no need to reload all firewall kernel modules. But using a
|
||
firewall daemon requires that all firewall modifications are done with
|
||
that daemon to make sure that the state in the daemon and the firewall
|
||
in kernel are in sync. The firewall daemon can not parse firewall rules
|
||
added by the ip*tables and ebtables command line tools.
|
||
|
||
The daemon provides information about the current active firewall
|
||
settings via D-BUS and also accepts changes via D-BUS using PolicyKit
|
||
authentication methods.
|
||
|
||
The official firewalld homepage is at
|
||
http://firewalld.org/[firewalld.org]
|
||
|
||
[[the-daemon]]
|
||
The Daemon
|
||
~~~~~~~~~~
|
||
|
||
Applications, daemons and the user can request to enable a firewall
|
||
feature over D-BUS. A feature could either be one of the predefined
|
||
firewall features like services, port and protocol combinations,
|
||
port/packet forwarding, masquerading or icmp blocking. The feature can
|
||
be enabled for a certain amount of time or can be disabled by again.
|
||
|
||
With the so called direct interface other services (like for example
|
||
libvirt) are able to add own rules using iptables arguments and
|
||
parameters.
|
||
|
||
The netfilter firewall helpers, that are for example used for amanda,
|
||
ftp, samba and tftp services, are also handled by the daemon as long as
|
||
they are part of a predefined service. Loading of additional helpers is
|
||
not part of the current interface. For some of the helpers unloading is
|
||
only possible after all connections that are handled by the module are
|
||
closed. Therefore connection tracking information is important here and
|
||
needs to be taken into account.
|
||
|
||
[[static-firewall-system-config-firewalllokkit]]
|
||
Static Firewall (system-config-firewall/lokkit)
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The actual static firewall model with system-config-firewall and lokkit
|
||
will still be available and usable, but not at the same time as the
|
||
daemon is running. The user or admin can decide which firewall solution
|
||
should be used by enabling the corresponding services.
|
||
|
||
It is planned to add a selector for the firewall solution to be used at
|
||
install time or in first boot. The configuration of the other solution
|
||
will stay intact and can be enabled simply by switching to the other
|
||
model.
|
||
|
||
The firewall daemon is independent to system-config-firewall, but should
|
||
not be used at the same time.
|
||
|
||
[[using-static-firewall-rules-with-the-iptables-and-ip6tables-services]]
|
||
Using static firewall rules with the iptables and ip6tables services
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
If you want to use your own static firewall rules with the iptables and
|
||
ip6tables services, install iptables-services and disable firewalld and
|
||
enable iptables and ip6tables:
|
||
|
||
`dnf install iptables-services` +
|
||
`systemctl mask firewalld.service` +
|
||
`systemctl enable iptables.service` +
|
||
`systemctl enable ip6tables.service`
|
||
|
||
Use /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for your static
|
||
firewall rules.
|
||
|
||
Note: The package iptables and iptables-services do not provide firewall
|
||
rules for use with the services. The services are available for
|
||
compatibility and people that want to use their own firewall rules. You
|
||
can install and use system-config-firewall to create rules with the
|
||
services though. To be able to use system-config-firewall, you have to
|
||
stop firewalld.
|
||
|
||
After creating rules for use with the services stop firewalld and start
|
||
the iptables and ip6tables services:
|
||
|
||
`systemctl stop firewalld.service` +
|
||
`systemctl start iptables.service` +
|
||
`systemctl start ip6tables.service`
|
||
|
||
[[what-is-a-zone]]
|
||
What is a zone?
|
||
~~~~~~~~~~~~~~~
|
||
|
||
A network zone defines the level of trust for network connections. This
|
||
is a one to many relation, which means that a connection can only be
|
||
part of one zone, but a zone can be used for many network connections.
|
||
|
||
[[predefined-services]]
|
||
Predefined services
|
||
^^^^^^^^^^^^^^^^^^^
|
||
|
||
A service is a combination of port and/or protocol entries. Optionally
|
||
netfilter helper modules can be added and also a IPv4 and IPv6
|
||
destination address.
|
||
|
||
[[ports-and-protocols]]
|
||
Ports and protocols
|
||
^^^^^^^^^^^^^^^^^^^
|
||
|
||
Definition of tcp or udp ports, where ports can be a single port or a
|
||
port range.
|
||
|
||
[[icmp-blocks]]
|
||
ICMP blocks
|
||
^^^^^^^^^^^
|
||
|
||
Selected Internet Control Message Protocol (ICMP) messages. These
|
||
messages are either information requests or created as a reply to
|
||
information requests or in error conditions.
|
||
|
||
[[masquerading]]
|
||
Masquerading
|
||
^^^^^^^^^^^^
|
||
|
||
The addresses of a private network are mapped to and hidden behind a
|
||
public IP address. This is a form of address translation.
|
||
|
||
[[forward-ports]]
|
||
Forward ports
|
||
^^^^^^^^^^^^^
|
||
|
||
A port is either mapped to another port and/or to another host.
|
||
|
||
[[which-zones-are-available]]
|
||
Which zones are available?
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
These are the zones provided by firewalld sorted according to the
|
||
default trust level of the zones from untrusted to trusted:
|
||
|
||
[[drop]]
|
||
drop
|
||
^^^^
|
||
|
||
Any incoming network packets are dropped, there is no reply. Only
|
||
outgoing network connections are possible.
|
||
|
||
[[block]]
|
||
block
|
||
^^^^^
|
||
|
||
Any incoming network connections are rejected with an
|
||
icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6.
|
||
Only network connections initiated within this system are possible.
|
||
|
||
[[public]]
|
||
public
|
||
^^^^^^
|
||
|
||
For use in public areas. You do not trust the other computers on
|
||
networks to not harm your computer. Only selected incoming connections
|
||
are accepted.
|
||
|
||
[[external]]
|
||
external
|
||
^^^^^^^^
|
||
|
||
For use on external networks with masquerading enabled especially for
|
||
routers. You do not trust the other computers on networks to not harm
|
||
your computer. Only selected incoming connections are accepted.
|
||
|
||
[[dmz]]
|
||
dmz
|
||
^^^
|
||
|
||
For computers in your demilitarized zone that are publicly-accessible
|
||
with limited access to your internal network. Only selected incoming
|
||
connections are accepted.
|
||
|
||
[[work]]
|
||
work
|
||
^^^^
|
||
|
||
For use in work areas. You mostly trust the other computers on networks
|
||
to not harm your computer. Only selected incoming connections are
|
||
accepted.
|
||
|
||
[[home]]
|
||
home
|
||
^^^^
|
||
|
||
For use in home areas. You mostly trust the other computers on networks
|
||
to not harm your computer. Only selected incoming connections are
|
||
accepted.
|
||
|
||
[[internal]]
|
||
internal
|
||
^^^^^^^^
|
||
|
||
For use on internal networks. You mostly trust the other computers on
|
||
the networks to not harm your computer. Only selected incoming
|
||
connections are accepted.
|
||
|
||
[[trusted]]
|
||
trusted
|
||
^^^^^^^
|
||
|
||
All network connections are accepted.
|
||
|
||
[[which-zone-should-be-used]]
|
||
Which zone should be used?
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
A public WIFI network connection for example should be mainly untrusted,
|
||
a wired home network connection should be fairly trusted. Select the
|
||
zone that best matches the network you are using.
|
||
|
||
[[how-to-configure-or-add-zones]]
|
||
How to configure or add zones?
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
To configure or add zones you can either use one of the firewalld
|
||
interfaces to handle and change the configuration. These are the
|
||
graphical configuration tool firewall-config, the command line tool
|
||
firewall-cmd or the D-BUS interface. Or you can create or copy a zone
|
||
file in one of the configuration directories.
|
||
@PREFIX@/lib/firewalld/zones is used for default and fallback
|
||
configurations and /etc/firewalld/zones is used for user created and
|
||
customized configuration files.
|
||
|
||
[[how-to-set-or-change-a-zone-for-a-connection]]
|
||
How to set or change a zone for a connection
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The zone is stored into the ifcfg of the connection with the ZONE=
|
||
option. If the option is missing or empty, the default zone set in
|
||
firewalld is used.
|
||
|
||
If the connection is controlled by NetworkManager, you can also use
|
||
nm-connection-editor to change the zone.
|
||
|
||
[[network-connections-handled-by-networkmanager]]
|
||
Network connections handled by NetworkManager
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
The firewall is not able to handle network connections with the name
|
||
shown by NetworkManager, it can only handle network interfaces.
|
||
Therefore NetworkManager tells firewalld to put the network interfaces
|
||
related to the connections in the zones defined by the config file
|
||
(ifcfg) of the connection before the connection comes up. If the zone is
|
||
not set in the config file, the interfaces will be put in the default
|
||
zone set by firewalld. If a connection has more than one interfaces,
|
||
both will be supplied to firewalld. Also changes in the names of
|
||
interfaces will be handled by NetworkManager and supplied to firewalld.
|
||
|
||
To simplify this connections will be used as related to zones from now
|
||
on.
|
||
|
||
NetworkManager also tells firewalld to remove connections from zones
|
||
again if the connection went down.
|
||
|
||
If firewalld gets started or restarted by systemd or init scripts,
|
||
firewalld notifies NetworkManager and the connections will be added to
|
||
the zones.
|
||
|
||
[[network-connections-handled-by-network-scripts]]
|
||
Network connections handled by network scripts
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
For connections handled by network scripts there a limitations: There is
|
||
no daemon that can tell firewalld to add connections to zones. This is
|
||
done in the ifcfg-post script only. Therefore changes in names after
|
||
this can not be supplied to firewalld. Also starting or restarting
|
||
firewalld if the connections are active already results in the loss of
|
||
the relation. There are ideas to fix this also. The simplest is to push
|
||
all connections to the default zone that are not set otherwise.
|
||
|
||
The zone defines the firewall features that are enabled in this zone.
|
||
|
||
[[working-with-firewalld]]
|
||
Working with firewalld
|
||
~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
To enable or disable firewall features for example in zones, you can
|
||
either use the graphical configuration tool *firewall-config* or the
|
||
command line client *firewall-cmd*
|
||
|
||
[[using-firewall-cmd]]
|
||
Using firewall-cmd
|
||
^^^^^^^^^^^^^^^^^^
|
||
|
||
The command line client *firewall-cmd* supports all firewall features.
|
||
For status and query modes, there is no output, but the command returns
|
||
the state.
|
||
|
||
[[generic-use]]
|
||
Generic use
|
||
+++++++++++
|
||
|
||
* Get the status of firewalld
|
||
|
||
` firewall-cmd --state`
|
||
|
||
This returns the status of firewalld, there is no output. To get a
|
||
visual state use:
|
||
|
||
` firewall-cmd --state && echo "Running" || echo "Not running"`
|
||
|
||
As of Fedora 19, the status seems printed just fine:
|
||
|
||
` # rpm -qf $( which firewall-cmd )` +
|
||
` firewalld-0.3.3-2.fc19.noarch` +
|
||
` # firewall-cmd --state` +
|
||
` not running`
|
||
|
||
* Reload the firewall without losing state information:
|
||
|
||
` firewall-cmd --reload`
|
||
|
||
If you are using *--complete-reload* instead, the state information will
|
||
be lost. This option should only be used in case of severe firewall
|
||
problems for example if there are state information problems that no
|
||
connection can be established but the firewall rules are correct.
|
||
|
||
* Get a list of all supported zones
|
||
|
||
` firewall-cmd --get-zones`
|
||
|
||
This command prints a space separated list.
|
||
|
||
* Get a list of all supported services
|
||
|
||
` firewall-cmd --get-services`
|
||
|
||
This command prints a space separated list.
|
||
|
||
* Get a list of all supported icmptypes
|
||
|
||
` firewall-cmd --get-icmptypes`
|
||
|
||
This command prints a space separated list.
|
||
|
||
* List all zones with the enabled features.
|
||
|
||
` firewall-cmd --list-all-zones`
|
||
|
||
The output format is:
|
||
|
||
` ` +
|
||
` interfaces: `` ..` +
|
||
` services: `` ..` +
|
||
` ports: `` ..` +
|
||
` forward-ports: `` ..` +
|
||
` icmp-blocks: `` ..` +
|
||
` ` +
|
||
` ..`
|
||
|
||
* Print zone with the enabled features. If zone is omitted, the default
|
||
zone will be used.
|
||
|
||
` firewall-cmd [--zone=``] --list-all`
|
||
|
||
* Get the default zone set for network connections
|
||
|
||
` firewall-cmd --get-default-zone`
|
||
|
||
* Set the default zone
|
||
|
||
` firewall-cmd --set-default-zone=`
|
||
|
||
All interfaces that are located in the default zone will be pushed in
|
||
the new default zone, that defines the limitations for new external
|
||
initiated connection attempts. Active connections are not affected.
|
||
|
||
* Get active zones
|
||
|
||
` firewall-cmd --get-active-zones`
|
||
|
||
The command prints the interfaces that are set to be part of a zone in
|
||
this form:
|
||
|
||
` ``: `` `` ..` +
|
||
` ``: `` ..`
|
||
|
||
* Get zone related to an interface
|
||
|
||
` firewall-cmd --get-zone-of-interface=`
|
||
|
||
This prints the zone name, if the interface is part of a zone
|
||
|
||
* Add an interface to a zone
|
||
|
||
` firewall-cmd [--zone=``] --add-interface=`
|
||
|
||
Add an interface to a zone, if it was not in a zone before. If the zone
|
||
options is omitted, the default zone will be used. The interfaces are
|
||
reapplied after reloads.
|
||
|
||
* Change the zone an interface belongs to
|
||
|
||
` firewall-cmd [--zone=``] --change-interface=`
|
||
|
||
This is similar to the --add-interface options, but pushes the interface
|
||
in the new zone even if it was in another zone before.
|
||
|
||
* Remove an interface from a zone
|
||
|
||
` firewall-cmd [--zone=``] --remove-interface=`
|
||
|
||
* Query if an interface is in a zone
|
||
|
||
` firewall-cmd [--zone=``] --query-interface=`
|
||
|
||
Returns if the interface is in the zone. There is no output.
|
||
|
||
* List the enabled services in a zone
|
||
|
||
` firewall-cmd [ --zone=`` ] --list-services`
|
||
|
||
* Enable panic mode to block all network traffic in case of emergency
|
||
|
||
` firewall-cmd --panic-on`
|
||
|
||
* Disable panic mode
|
||
|
||
` firewall-cmd --panic-off`
|
||
|
||
* Query panic mode
|
||
|
||
` firewall-cmd --query-panic`
|
||
|
||
This returns the state of the panic mode, there is no output. To get a
|
||
visual state use
|
||
|
||
` firewall-cmd --query-panic && echo "On" || echo "Off"`
|
||
|
||
[[runtime-zone-handling]]
|
||
Runtime zone handling
|
||
+++++++++++++++++++++
|
||
|
||
In the runtime mode the changes to zones are not permanent. The changes
|
||
will be gone after reload or restart.
|
||
|
||
* Enable a service in a zone
|
||
|
||
` firewall-cmd [--zone=``] --add-service=`` [--timeout=``]`
|
||
|
||
This enables a service in a zone. If zone is not set, the default zone
|
||
will be used. If timeout is set, the service will only be enabled for
|
||
the amount of seconds in the zone. If the service is already active,
|
||
there will be no warning message.
|
||
|
||
* *Example:* Enable ipp-client service for 60 seconds in the home zone:
|
||
|
||
` firewall-cmd --zone=home --add-service=ipp-client --timeout=60`
|
||
|
||
* *Example:* Enable the http service in the default zone:
|
||
|
||
` firewall-cmd --add-service=http`
|
||
|
||
* Disable a service in a zone
|
||
|
||
` firewall-cmd [--zone=``] --remove-service=`
|
||
|
||
This disables a service in a zone. If zone is not set, the default zone
|
||
will be used.
|
||
|
||
* *Example:* Disable http service in the home zone:
|
||
|
||
` firewall-cmd --zone=home --remove-service=http`
|
||
|
||
The service will be disabled in the zone. If the service is not enabled
|
||
in the zone, there will be an warning message.
|
||
|
||
* Query if a service is enabled in a zone
|
||
|
||
` firewall-cmd [--zone=``] --query-service=`
|
||
|
||
This returns 1 if the service is enabled in the zone, otherwise 0. There
|
||
is no output.
|
||
|
||
* Enable a port and protocol combination in a zone
|
||
|
||
` firewall-cmd [--zone=``] --add-port=``[-``]/`` [--timeout=``]`
|
||
|
||
This enables a port and protocol combination. The port can be a single
|
||
port or a port range -. The protocol can be either *tcp* or *udp*.
|
||
|
||
* Disable a port and protocol combination in a zone
|
||
|
||
` firewall-cmd [--zone=``] --remove-port=``[-``]/`
|
||
|
||
* Query if a port and protocol combination in enabled in a zone
|
||
|
||
` firewall-cmd [--zone=``] --query-port=``[-``]/`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* Enable masquerading in a zone
|
||
|
||
` firewall-cmd [--zone=``] --add-masquerade`
|
||
|
||
This enables masquerading for the zone. The addresses of a private
|
||
network are mapped to and hidden behind a public IP address. This is a
|
||
form of address translation and mostly used in routers. Masquerading is
|
||
IPv4 only because of kernel limitations.
|
||
|
||
* Disable masquerading in a zone
|
||
|
||
` firewall-cmd [--zone=``] --remove-masquerade`
|
||
|
||
* Query masquerading in a zone
|
||
|
||
` firewall-cmd [--zone=``] --query-masquerade`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* Enable ICMP blocks in a zone
|
||
|
||
` firewall-cmd [--zone=``] --add-icmp-block=`
|
||
|
||
This enabled the block of a selected Internet Control Message Protocol
|
||
(ICMP) message. ICMP messages are either information requests or created
|
||
as a reply to information requests or in error conditions.
|
||
|
||
* Disable ICMP blocks in a zone
|
||
|
||
` firewall-cmd [--zone=``] --remove-icmp-block=`
|
||
|
||
* Query ICMP blocks in a zone
|
||
|
||
` firewall-cmd [--zone=``] --query-icmp-block=`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* *Example:* Block echo-reply messages in the public zone:
|
||
|
||
` firewall-cmd --zone=public --add-icmp-block=echo-reply`
|
||
|
||
* Enable port forwarding or port mapping in a zone
|
||
|
||
` firewall-cmd [--zone=``] --add-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`
|
||
|
||
| :toport=[-]:toaddr=
|
||
|
||
}
|
||
|
||
The port is either mapped to the same port on another host or to another
|
||
port on the same host or to another port on another host. The port can
|
||
be a singe port or a port range -. The protocol is either *tcp* or
|
||
*udp*. toport is either port or a port range -. toaddr is an IPv4
|
||
address. Port forwarding is IPv4 only because of kernel limitations.
|
||
|
||
* Disable port forwarding or port mapping in a zone
|
||
|
||
` firewall-cmd [--zone=``] --remove-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`
|
||
|
||
| :toport=[-]:toaddr=
|
||
|
||
}
|
||
|
||
* Query port forwarding or port mapping in a zone
|
||
|
||
` firewall-cmd [--zone=``] --query-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`
|
||
|
||
| :toport=[-]:toaddr=
|
||
|
||
}
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* *Example:* Forward ssh to host 127.0.0.2 in the home zone
|
||
|
||
` firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2`
|
||
|
||
[[permanent-zone-handling]]
|
||
Permanent zone handling
|
||
+++++++++++++++++++++++
|
||
|
||
The permanent options are not affecting runtime directly. These options
|
||
are only available after a reload or restart. To have runtime and
|
||
permanent setting, you need to supply both. The *--permanent* option
|
||
needs to be the first option for all permanent calls.
|
||
|
||
* Get a list of supported permanent services
|
||
|
||
` firewall-cmd --permanent --get-services`
|
||
|
||
* Get a list of supported permanent icmptypes
|
||
|
||
` firewall-cmd --permanent --get-icmptypes`
|
||
|
||
* Get a list of supported permanent zones
|
||
|
||
` firewall-cmd --permanent --get-zones`
|
||
|
||
* Enable a service in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --add-service=`
|
||
|
||
This enables the service in the zone permanently. If the zone option is
|
||
omitted, the default zone is used.
|
||
|
||
* Disable a service in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --remove-service=`
|
||
|
||
* Query if a service is enabled in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --query-service=`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* *Example:* Enable service ipp-client permanently in the home zone
|
||
|
||
` firewall-cmd --permanent --zone=home --add-service=ipp-client`
|
||
|
||
* Enable a port and protocol combination permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --add-port=``[-``]/`
|
||
|
||
* Disable a port and protocol combination permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --remove-port=``[-``]/`
|
||
|
||
* Query if a port and protocol combination is enabled permanently in a
|
||
zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --query-port=``[-``]/`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* *Example:* Enable port 443/tcp for https permanently in the home zone
|
||
|
||
` firewall-cmd --permanent --zone=home --add-port=443/tcp`
|
||
|
||
* Enable masquerading permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --add-masquerade`
|
||
|
||
This enables masquerading for the zone. The addresses of a private
|
||
network are mapped to and hidden behind a public IP address. This is a
|
||
form of address translation and mostly used in routers. Masquerading is
|
||
IPv4 only because of kernel limitations.
|
||
|
||
* Disable masquerading permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --remove-masquerade`
|
||
|
||
* Query masquerading permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --query-masquerade`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* Enable ICMP blocks permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --add-icmp-block=`
|
||
|
||
This enabled the block of a selected Internet Control Message Protocol
|
||
(ICMP) message. ICMP messages are either information requests or created
|
||
as a reply to information requests or in error conditions.
|
||
|
||
* Disable ICMP blocks permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --remove-icmp-block=`
|
||
|
||
* Query ICMP blocks permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --query-icmp-block=`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* *Example:* Block echo-reply messages in the public zone:
|
||
|
||
` firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply`
|
||
|
||
* Enable port forwarding or port mapping permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --add-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`
|
||
|
||
| :toport=[-]:toaddr=
|
||
|
||
}
|
||
|
||
The port is either mapped to the same port on another host or to another
|
||
port on the same host or to another port on another host. The port can
|
||
be a singe port or a port range -. The protocol is either *tcp* or
|
||
*udp*. toport is either port or a port range -. toaddr is an IPv4
|
||
address. Port forwarding is IPv4 only because of kernel limitations.
|
||
|
||
* Disable port forwarding or port mapping permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --remove-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`
|
||
|
||
| :toport=[-]:toaddr=
|
||
|
||
}
|
||
|
||
* Query port forwarding or port mapping permanently in a zone
|
||
|
||
` firewall-cmd --permanent [--zone=``] --query-forward-port=port=``[-``]:proto=`` { :toport=``[-``] | :toaddr=`
|
||
|
||
| :toport=[-]:toaddr=
|
||
|
||
}
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* *Example:* Forward ssh to host 127.0.0.2 in the home zone
|
||
|
||
` firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2`
|
||
|
||
[[direct-options]]
|
||
Direct options
|
||
++++++++++++++
|
||
|
||
The direct options give a more direct access to the firewall. These
|
||
options require user to know basic iptables concepts, i.e. table
|
||
(filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
|
||
(-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
|
||
(ACCEPT/DROP/REJECT/...). Direct options should be used only as a last
|
||
resort when it's not possible to use for example --add-service=service
|
||
or --add-rich-rule='rule'. The first argument of each option has to be
|
||
*ipv4* or *ipv6* or *eb*. With *ipv4* it will be for IPv4 (iptables(8)),
|
||
with *ipv6* for IPv6 (ip6tables(8)) and with *eb* for ethernet bridges
|
||
(ebtables(8)).
|
||
|
||
* Pass a command through to the firewall. can be all iptables, ip6tables
|
||
and ebtables command line arguments
|
||
|
||
` firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>`
|
||
|
||
* Add a new chain to a table <table>.
|
||
|
||
` firewall-cmd [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>`
|
||
|
||
* Remove a chain with name from table <table>.
|
||
|
||
` firewall-cmd [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>`
|
||
|
||
* Query if a chain with name exists in table <table>. Returns 0 if true,
|
||
1 otherwise.
|
||
|
||
` firewall-cmd [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* Get all chains added to table <table> as a space separated list.
|
||
|
||
` firewall-cmd [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } <table>`
|
||
|
||
* Add a rule with the arguments to chain in table <table> with priority
|
||
.
|
||
|
||
` firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>`
|
||
|
||
* Remove a rule with the arguments from chain in table <table>.
|
||
|
||
` firewall-cmd [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>`
|
||
|
||
* Query if a rule with the arguments exists in chain in table <table>.
|
||
Returns 0 if true, 1 otherwise.
|
||
|
||
` firewall-cmd [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>`
|
||
|
||
This command returns if it is enabled, there is no output.
|
||
|
||
* Get all rules added to chain in table <table> as a newline separated
|
||
list of arguments.
|
||
|
||
` firewall-cmd [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>`
|
||
|
||
[[the-current-firewalld-features]]
|
||
The current firewalld features
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
[[d-bus-interface]]
|
||
D-BUS Interface
|
||
^^^^^^^^^^^^^^^
|
||
|
||
The D-BUS interface gives information about the firewall state and makes
|
||
it possible to enable, disable and query firewall settings.
|
||
|
||
[[zones]]
|
||
Zones
|
||
^^^^^
|
||
|
||
A network or firewall zone defines the trust level of the interface used
|
||
for a connection. There are several pre-defined zones provided by
|
||
firewalld. Zone configuration options and generic file information are
|
||
described in the firewalld.zone(5) man page.
|
||
|
||
[[services]]
|
||
Services
|
||
^^^^^^^^
|
||
|
||
A service can be a list of local ports and destinations and additionally
|
||
also a list of firewall helper modules automatically loaded if a service
|
||
is enabled. The use of predefined services makes it easier for the user
|
||
to enable and disable access to a service. Service configuration options
|
||
and generic file information are described in the firewalld.service(5)
|
||
man page.
|
||
|
||
[[icmp-types]]
|
||
ICMP types
|
||
^^^^^^^^^^
|
||
|
||
The Internet Control Message Protocol (ICMP) is used to exchange
|
||
information and also error messages in the Internet Protocol (IP). ICMP
|
||
types can be used in firewalld to limit the exchange of these messages.
|
||
ICMP type configuration options and generic file information are
|
||
described in the firewalld.icmptype(5) man page.
|
||
|
||
[[direct-interface]]
|
||
Direct interface
|
||
^^^^^^^^^^^^^^^^
|
||
|
||
The direct interface is mainly used by services or applications to add
|
||
specific firewall rules.
|
||
|
||
[[runtime-configuration]]
|
||
Runtime configuration
|
||
^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
The runtime configuration is not permanent and will only be restored for
|
||
a reload. After restart or stop of the service or a system reboot, these
|
||
options will be gone.
|
||
|
||
[[permanent-configuration]]
|
||
Permanent configuration
|
||
^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
The permanent configuration is stored in config files and will be
|
||
restored with every machine boot or service reload or restart.
|
||
|
||
[[tray-applet]]
|
||
Tray Applet
|
||
^^^^^^^^^^^
|
||
|
||
The tray applet *firewall-applet* visualizes the firewall state and also
|
||
problems with the firewall for the user. It can also be used to
|
||
configure settings by calling *firewall-config*.
|
||
|
||
[[graphical-configuration-tool]]
|
||
Graphical Configuration Tool
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
The configuration tool *firewall-config* is the main configuration tool
|
||
for the firewall daemon. It supports all features of the firewall
|
||
besides the direct interface, this is handled by the service/application
|
||
that added the rules.
|
||
|
||
[[command-line-client]]
|
||
Command Line client
|
||
^^^^^^^^^^^^^^^^^^^
|
||
|
||
The command line client *firewall-cmd* supports all firewall features.
|
||
For status and query modes, there is no output, but the command returns
|
||
the state.
|
||
|
||
For offline use there is also *firewall-offline-cmd*. This command line
|
||
client is creating firewalld configuration files directly and is not
|
||
using firewalld or the D-Bus interface. It is for example used in the
|
||
system installation process to create an initial firewall configuration
|
||
from the kickstart settings.
|
||
|
||
[[support-for-ebtables]]
|
||
Support for ebtables
|
||
^^^^^^^^^^^^^^^^^^^^
|
||
|
||
ebtables support is needed to fulfill all needs of the libvirt daemon
|
||
and to prevent access problems between ip*tables and ebtables on kernel
|
||
netfilter level. All these commands are accessing the same structures
|
||
and therefore they should not be used at the same time.
|
||
|
||
[[defaultfallback-configuration-in-usrlibfirewalld]]
|
||
Default/Fallback configuration in /usr/lib/firewalld
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
This directory contains the default and fallback configuration provided
|
||
by firewalld for icmptypes, services and zones. The files provided with
|
||
the firewalld package should not get changed and the changes are gone
|
||
with an update of the firewalld package. Additional icmptypes, services
|
||
and zones can be provided with packages or by creating files.
|
||
|
||
[[system-configuration-settings-in-etcfirewalld]]
|
||
System configuration settings in /etc/firewalld
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
The system or user configuration stored here is either created by the
|
||
system administrator or by customization with the configuration
|
||
interface of firewalld or by hand. The files will overload the default
|
||
configuration files.
|
||
|
||
To manually change settings of pre-defined icmptypes, zones or services,
|
||
copy the file from the default configuration directory to the
|
||
corresponding directory in the system configuration directory and change
|
||
it accordingly.
|
||
|
||
If you are loading the defaults for a zone that has a default or
|
||
fallback file, the file in /etc/firewalld will be renamed to .old and
|
||
the fallback will be used again.
|
||
|
||
[[work-in-progress-features]]
|
||
Work in Progress Features
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
[[rich-language]]
|
||
Rich Language
|
||
^^^^^^^^^^^^^
|
||
|
||
The rich language provides a high level language to be able to have more
|
||
complex firewall rules for IPv4 and IPv6 without the knowledge of
|
||
iptables syntax.
|
||
|
||
Fedora 19 provides milestone 2 of the rich language with D-Bus and
|
||
command line client support. The milestone 3 will also provide support
|
||
within firewall-config, the graphical configuration program.
|
||
|
||
For more information on this, please have a look at:
|
||
https://fedoraproject.org/wiki/Features/FirewalldRichLanguage[firewalld
|
||
Rich Language]
|
||
|
||
[[lockdown]]
|
||
Lockdown
|
||
^^^^^^^^
|
||
|
||
Lockdown adds a simple configuration setting for firewalld to be able to
|
||
lock down configuration changes from local applications or services. It
|
||
is a very light version of application policies.
|
||
|
||
Fedora 19 provides milestone 2 of the lockdown feature with D-Bus and
|
||
command line client support. The milestone 3 will also provide support
|
||
within firewall-config, the graphical configuration program.
|
||
|
||
For more information on this, please have a look at:
|
||
https://fedoraproject.org/wiki/Features/FirewalldLockdown[firewalld
|
||
Lockdown]
|
||
|
||
[[permanent-direct-rules]]
|
||
Permanent Direct Rules
|
||
^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
This feature is in early state. It provides the ability to permanently
|
||
save direct rules and chains. Passthorough rules are not part of this.
|
||
See link:Direct_options[Direct options] for more information on direct
|
||
rules.
|
||
|
||
[[migration-from-iptables-and-ebtables-services]]
|
||
Migration from ip*tables and ebtables services
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
This feature is in an very early state. It will provide a conversion
|
||
script that creates direct permanent rules from the iptables, ip6tables
|
||
and ebtables service configurations as far as possible. A limitation
|
||
here might be the integration into the direct chains firewalld provides.
|
||
|
||
This needs lots of tests at best also from more complex firewall
|
||
configurations.
|
||
|
||
[[planned-and-proposed-features]]
|
||
Planned and Proposed Features
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
[[firewall-abstraction-model]]
|
||
Firewall Abstraction Model
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Adding an abstraction layer on top of ip*tables and ebtables firewall
|
||
rules makes adding rules simple and more intuitive. The abstraction
|
||
layer needs to be powerful, but also simple, which makes this not an
|
||
easy task. A firewall language has to gen invented for this. Firewall
|
||
rules have a fixed position and querying generic information about
|
||
access state, access policies for ports and other firewall features is
|
||
possible.
|
||
|
||
[[support-for-conntrack]]
|
||
Support for conntrack
|
||
^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Conntrack is needed to be able to terminate established connections for
|
||
features that get disabled. For some use cases it might not be good to
|
||
terminate the connection: Enabling of a firewall service for a limited
|
||
time to establish a persistent external connection.
|
||
|
||
[[user-interaction-mode]]
|
||
User interaction mode
|
||
^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
This is a special mode of in the firewall the user or admin can enable.
|
||
All requests of applications to alter the firewall are directed to the
|
||
user to get notified and granted or denied. It is possible to set a time
|
||
limit for the acceptance of a connection and to limit it to hosts,
|
||
networks or connections. It can be saved to behave the same in the
|
||
future without notification.
|
||
|
||
An additional feature of this mode is direct external connection
|
||
attempts on preselected services or ports to the user with the same
|
||
features as the application initiated requests. The limitation on
|
||
services and ports will also limit the amount of requests sent to the
|
||
user.
|
||
|
||
[[user-policy-support]]
|
||
User policy support
|
||
^^^^^^^^^^^^^^^^^^^
|
||
|
||
The administrator can define which users are able to use the User
|
||
Interaction Mode and can also limit the firewall features, that can be
|
||
used with it.
|
||
|
||
[[port-metadata-information-proposed-by-lennart-poettering]]
|
||
Port metadata information (proposed by Lennart Poettering)
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
To have a port independent metadata information would be good to have.
|
||
The current model with a static assignment of ports and protocols from
|
||
/etc/services is not a good solution and is not reflecting current use
|
||
cases. Ports in applications or services are dynamic and therefore the
|
||
port itself does not describe the use case.
|
||
|
||
This metadata information could be used to form simple rules for the
|
||
firewall. Here are some examples:
|
||
|
||
` allow external access to file sharing applications or services` +
|
||
` allow external access to music sharing applications or services` +
|
||
` allow external access to all sharing applications or services` +
|
||
` allow external access to torrent file sharing applications or services` +
|
||
` allow external access to http web services`
|
||
|
||
The metadata information here could not only be application specific,
|
||
but also a group of use cases. For example the "all sharing" group or
|
||
the "file sharing" group could match all sharing or file sharing
|
||
applications, for example torrent file sharing. These are examples,
|
||
therefore it might be that they are not useful.
|
||
|
||
There are two possible solutions to get metadata information in the
|
||
firewall:
|
||
|
||
The first is to add it to netfilter (kernel space). This has the
|
||
advantage, that it can be used by everyone, but also limits the use. To
|
||
get user or system specific information into account, all these need to
|
||
be implemented in kernel space also.
|
||
|
||
The other one would be to add this to a firewall daemon. These abstract
|
||
rules could be used together with information like the trust level of
|
||
the network connections, the user decision to share with as specific
|
||
person/host or the hard rule of the administrator to forbid sharing
|
||
completely.
|
||
|
||
The second solution would have the advantage that new metadata groups or
|
||
changes in incorporation of trust levels, user preferences or
|
||
administrator rules would not require to push a new kernel. Adding these
|
||
kind of abstract rules to a firewall daemon would make it much more
|
||
flexible. Even new security levels would be easy to add without kernel
|
||
updates.
|
||
|
||
[[sysctld]]
|
||
sysctld
|
||
^^^^^^^
|
||
|
||
At the moment there are sysctl settings that are not properly applied.
|
||
This happens if the module providing the setting is not loaded at boot
|
||
time when rc.sysinit runs or it the module gets reloaded at runtime.
|
||
Another example is net.ipv4.ip_forward, which is needed for example for
|
||
specific firewall settings, libvirt and also user/admin changes. If
|
||
there are two apps or daemons enabling ip_forwarding only if needed,
|
||
then it could happen that one of them is turning it off again without
|
||
knowing that there is another one, that still needs it turned on.
|
||
|
||
The sysctl daemon could solve this by having an internal use count for
|
||
settings, that will make it possible to turn it off or go to the
|
||
previous setting again if the requester reverted the request to change
|
||
it.
|
||
|
||
[[firewall-rules]]
|
||
Firewall Rules
|
||
~~~~~~~~~~~~~~
|
||
|
||
Netfilter firewalls are always susceptible to rule ordering issues,
|
||
because a rule does not have a fixed position in a chain. The position
|
||
can change if other rules are added or removed in a position before that
|
||
rule.
|
||
|
||
In the static firewall model a firewall change is recreating a clean and
|
||
sane firewall setup limited to the features directly supported by
|
||
system-config-firewall / lokkit. Firewall rules created by other
|
||
applications are not integrated and s-c-fw / lokkit does not know about
|
||
them if the customs rules file feature is not in use. Default chains are
|
||
used and there is no safe way to add and remove rules without
|
||
interfering with others.
|
||
|
||
The dynamic model has additional chains for the firewall features. These
|
||
specific chains are called in a defined ordering and rules added to a
|
||
chain could not interfere with reject or drop rules in chains that were
|
||
called before. This makes it possible to have a more sane firewall
|
||
configuration.
|
||
|
||
Here are example rules created by the daemon in the filter table with
|
||
ssh, ipp-client and mdns enabled in the public zone, all other zones
|
||
have been removed to simplify and shorten the output:
|
||
|
||
` *filter` +
|
||
` :INPUT ACCEPT [0:0]` +
|
||
` :FORWARD ACCEPT [0:0]` +
|
||
` :OUTPUT ACCEPT [0:0]` +
|
||
` :FORWARD_ZONES - [0:0]` +
|
||
` :FORWARD_direct - [0:0]` +
|
||
` :INPUT_ZONES - [0:0]` +
|
||
` :INPUT_direct - [0:0]` +
|
||
` :IN_ZONE_public - [0:0]` +
|
||
` :IN_ZONE_public_allow - [0:0]` +
|
||
` :IN_ZONE_public_deny - [0:0]` +
|
||
` :OUTPUT_direct - [0:0]` +
|
||
` -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` +
|
||
` -A INPUT -i lo -j ACCEPT` +
|
||
` -A INPUT -j INPUT_direct` +
|
||
` -A INPUT -j INPUT_ZONES` +
|
||
` -A INPUT -p icmp -j ACCEPT` +
|
||
` -A INPUT -j REJECT --reject-with icmp-host-prohibited` +
|
||
` -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` +
|
||
` -A FORWARD -i lo -j ACCEPT` +
|
||
` -A FORWARD -j FORWARD_direct` +
|
||
` -A FORWARD -j FORWARD_ZONES` +
|
||
` -A FORWARD -p icmp -j ACCEPT` +
|
||
` -A FORWARD -j REJECT --reject-with icmp-host-prohibited` +
|
||
` -A OUTPUT -j OUTPUT_direct` +
|
||
` -A IN_ZONE_public -j IN_ZONE_public_deny` +
|
||
` -A IN_ZONE_public -j IN_ZONE_public_allow` +
|
||
` -A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT` +
|
||
` -A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT` +
|
||
` -A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT`
|
||
|
||
Used is a deny/allow model to have a clear behaviour and at best no rule
|
||
interferences. Icmp blocks for example will go to the
|
||
IN_ZONE_public_deny chain if set for the public zone and will be handled
|
||
before the rules in the IN_ZONE_public_allow chain.
|
||
|
||
This model makes it more easy to add or remove rules from a specific
|
||
block without interfering with accept or drop rules from another block.
|
||
|
||
Category:FirewallD
|
||
'''
|
||
|
||
See a typo, something missing or out of date, or anything else which can be
|
||
improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.
|