
Firewall Survival Guide

Zones

FirewallD uses zones. A network zone defines the level of trust for the network connections assigned to it. Most zones are mutable, but there are also immutable zones: these cannot be customized and cannot be overridden. The predefined zones are:

Zone      Description
drop      Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block     Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public    For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external  For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz       For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work      For use in work areas. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
home      For use in home areas. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal  For use on internal networks. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
trusted   All network connections are accepted.

commands

manage service

echo "add a service (permanent configuration)"
firewall-cmd --permanent --add-service=MY-SERVICE
echo "check if the service is enabled"
firewall-cmd --query-service=MY-SERVICE
echo "remove a service"
firewall-cmd --remove-service=MY-SERVICE
echo "get a list of the service names"
firewall-cmd --get-services
echo "get a list of the permanent service names"
firewall-cmd --permanent --get-services

Note: to list all available service definitions, run ls /usr/lib/firewalld/services. A rule added with --permanent is written to the configuration but does not take effect until firewall-cmd --reload; a rule added without --permanent is active immediately but is lost on the next reload.

manage port

echo "add a port"
firewall-cmd --zone=public --add-port=MY-PORT/tcp
echo "add a port range"
firewall-cmd --zone=public --add-port=MY-PORT-START-MY-PORT-END/udp
echo "check if the port is enabled"
firewall-cmd --zone=public --query-port=MY-PORT/tcp
echo "remove a port"
firewall-cmd --zone=public --remove-port=MY-PORT/tcp
echo "open a port for 10 seconds only: add --timeout=10 to the add command"
firewall-cmd --zone=public --add-port=80/tcp --timeout=10
echo "list open ports for a zone"
firewall-cmd --zone=public --list-ports
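As an added example that is not part of the original guide: a small POSIX sh wrapper around the port commands above that validates the port and protocol, applies the rule both at runtime and permanently (so it is active now and survives a reload), and verifies it with --query-port. The FIREWALL_CMD variable is an assumed hook so the script can be dry-run with FIREWALL_CMD=echo; the real tool is firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original page.
# FIREWALL_CMD is an assumed hook: set it to "echo" for a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# valid_port PORT -> returns 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# open_port ZONE PORT [PROTO]
# Adds the rule at runtime (effective now, lost on --reload) and in the
# permanent configuration (survives reload/reboot, needs --reload to
# become active), then checks the runtime rule is present.
open_port() {
    [ "$#" -ge 2 ] || { echo "usage: open_port ZONE PORT [PROTO]" >&2; return 2; }
    zone=$1; port=$2; proto=${3:-tcp}
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad proto: $proto" >&2; return 2 ;;
    esac
    "$FIREWALL_CMD" --zone="$zone" --add-port="$port/$proto" || return 1
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$port/$proto" || return 1
    # --query-port exits 0 when the port is open in the zone, 1 otherwise.
    "$FIREWALL_CMD" --zone="$zone" --query-port="$port/$proto"
}

# Stand-alone usage: sh open_port.sh ZONE PORT [PROTO]
if [ "$#" -ge 2 ]; then
    open_port "$@"
fi
```

Run it once with FIREWALL_CMD=echo to see the exact firewall-cmd invocations before touching a live host.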

panic mode

echo "drop all incoming and outgoing packets"
firewall-cmd --panic-on
echo "re-enable incoming and outgoing packets"
firewall-cmd --panic-off
echo "check the panic mode status"
firewall-cmd --query-panic

port forwarding

echo "to work with port forwarding, you must enable masquerading for the zone"
firewall-cmd --zone=external --add-masquerade
echo "to forward MY-PORT1 to MY-PORT2 on the same host"
firewall-cmd --zone=external --add-forward-port=port=MY-PORT1:proto=tcp:toport=MY-PORT2
echo "to forward MY-PORT1 to MY-IP-ADDRESS:MY-PORT2"
firewall-cmd --zone=external --add-forward-port=port=MY-PORT1:proto=tcp:toport=MY-PORT2:toaddr=MY-IP-ADDRESS

Read More

You can read more here


Copyright © 2024 My linux world - by Marc RABAHI
Design by Marc RABAHI and encelades.