{"id":1052,"date":"2014-08-04T18:08:46","date_gmt":"2014-08-04T16:08:46","guid":{"rendered":"http:\/\/blog.rabahi.net\/?page_id=1052"},"modified":"2016-10-16T22:58:03","modified_gmt":"2016-10-16T20:58:03","slug":"firewall-survival-guide","status":"publish","type":"page","link":"https:\/\/blog.rabahi.net\/?page_id=1052","title":{"rendered":"Firewall Survival Guide"},"content":{"rendered":"<div id=\"toc_container\" class=\"no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#Zones\"><span class=\"toc_number toc_depth_1\">1<\/span> Zones<\/a><\/li><li><a href=\"#commands\"><span class=\"toc_number toc_depth_1\">2<\/span> commands<\/a><ul><li><a href=\"#manage_service\"><span class=\"toc_number toc_depth_2\">2.1<\/span> manage service<\/a><\/li><li><a href=\"#manage_port\"><span class=\"toc_number toc_depth_2\">2.2<\/span> manage port<\/a><\/li><li><a href=\"#panic_mode\"><span class=\"toc_number toc_depth_2\">2.3<\/span> panic mode<\/a><\/li><li><a href=\"#port_forwarding\"><span class=\"toc_number toc_depth_2\">2.4<\/span> port forwarding<\/a><\/li><\/ul><\/li><li><a href=\"#Read_More\"><span class=\"toc_number toc_depth_1\">3<\/span> Read More<\/a><\/li><\/ul><\/div>\n<h1><span id=\"Zones\">Zones<\/span><\/h1>\n<p>FirewallD uses zones. A network zone defines the level of trust for network connections. Most zones are mutable, but there are also immutable zones. Immutable zones are not customizable and there is no way to overload them. These are the different zones:<\/p>\n<table class=\"table\">\n<tr>\n<th>Zone<\/th>\n<th>Description<\/th>\n<\/tr>\n<tr>\n<td>drop<\/td>\n<td>Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.<\/td>\n<\/tr>\n<tr>\n<td>block<\/td>\n<td>Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. 
Only network connections initiated from within the system are possible.<\/td>\n<\/tr>\n<tr>\n<td>public<\/td>\n<td>For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.<\/td>\n<\/tr>\n<tr>\n<td>external<\/td>\n<td>For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.<\/td>\n<\/tr>\n<tr>\n<td>dmz<\/td>\n<td>For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.<\/td>\n<\/tr>\n<tr>\n<td>work<\/td>\n<td>For use in work areas. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.<\/td>\n<\/tr>\n<tr>\n<td>home<\/td>\n<td>For use in home areas. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.<\/td>\n<\/tr>\n<tr>\n<td>internal<\/td>\n<td>For use on internal networks. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
<\/td>\n<\/tr>\n<tr>\n<td>trusted<\/td>\n<td>All network connections are accepted.<\/td>\n<\/tr>\n<\/table>\n<h1><span id=\"commands\">commands<\/span><\/h1>\n<h2><span id=\"manage_service\">manage service<\/span><\/h2>\n<pre lang=\"bash\">\r\necho \"add a service to the runtime configuration of the default zone (lost on reload or reboot)\"\r\nfirewall-cmd --add-service=MY-SERVICE\r\necho \"add it to the permanent configuration as well; --reload replaces the runtime config with the saved one\"\r\nfirewall-cmd --permanent --add-service=MY-SERVICE\r\nfirewall-cmd --reload\r\necho \"check if the service is enabled\"\r\nfirewall-cmd --query-service=MY-SERVICE\r\necho \"remove a service (repeat with --permanent to take it out of the saved configuration)\"\r\nfirewall-cmd --remove-service=MY-SERVICE\r\n<\/pre>\n<pre lang=\"bash\">\r\necho \"get a list of the predefined service names\"\r\nfirewall-cmd --get-services\r\necho \"list the services enabled in the permanent configuration of the default zone\"\r\nfirewall-cmd --permanent --list-services\r\n<\/pre>\n<p>Note: the predefined service definitions live in \/usr\/lib\/firewalld\/services (ls \/usr\/lib\/firewalld\/services lists them); custom service files belong in \/etc\/firewalld\/services, which takes precedence and is not overwritten by package updates.<\/p>\n<h2><span id=\"manage_port\">manage port<\/span><\/h2>\n<pre lang=\"bash\">\r\necho \"add a port\"\r\nfirewall-cmd --zone=public --add-port=MY-PORT\/tcp\r\necho \"add a port range\"\r\nfirewall-cmd --zone=public --add-port=MY-PORT-START-MY-PORT-END\/udp\r\necho \"check if the port is enabled\"\r\nfirewall-cmd --zone=public --query-port=MY-PORT\/tcp\r\necho \"remove a port\"\r\nfirewall-cmd --zone=public --remove-port=MY-PORT\/tcp\r\necho \"open a port for 10 seconds only (runtime rule, removed automatically): add --timeout=10 to the add command\"\r\nfirewall-cmd --zone=public --add-port=80\/tcp --timeout=10\r\necho \"list open ports for a zone\"\r\nfirewall-cmd --zone=public --list-ports\r\n<\/pre>\n<h2><span id=\"panic_mode\">panic mode<\/span><\/h2>\n<pre lang=\"bash\">\r\necho \"drop all incoming and outgoing packets (this also cuts off the SSH session you are typing in)\"\r\nfirewall-cmd --panic-on\r\necho \"restore normal filtering\"\r\nfirewall-cmd --panic-off\r\necho \"check the panic mode status\"\r\nfirewall-cmd --query-panic\r\n<\/pre>\n<h2><span id=\"port_forwarding\">port forwarding<\/span><\/h2>\n<pre lang=\"bash\">\r\necho \"forwarding to another host requires masquerading on the zone (the external zone has it enabled by default)\"\r\nfirewall-cmd --zone=external --add-masquerade\r\necho \"to forward MY-PORT1 to MY-PORT2 on the same host\"\r\nfirewall-cmd --zone=external --add-forward-port=port=MY-PORT1:proto=tcp:toport=MY-PORT2\r\necho \"to forward MY-PORT1 to MY-IP-ADDRESS:MY-PORT2 on another host\"\r\nfirewall-cmd --zone=external --add-forward-port=port=MY-PORT1:proto=tcp:toport=MY-PORT2:toaddr=MY-IP-ADDRESS\r\n<\/pre>\n<h1><span id=\"Read_More\">Read More<\/span><\/h1>\n<p>You can read more <a href=\"https:\/\/access.redhat.com\/documentation\/en-US\/Red_Hat_Enterprise_Linux\/7\/html\/Security_Guide\/sec-Using_Firewalls.html\" title=\"what-is-firewalld-and-how-it-works\" target=\"_blank\">here<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Contents1 Zones2 commands2.1 manage service2.2 manage port2.3 panic mode2.4 port forwarding3 Read More Zones FirewallD uses zones. A network zone defines the level of trust for network connections. Most zones are mutable, but there are also immutable zones. Immutable zones are not customizable and there is no way to overload them. These are the different [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":492,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-1052","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1052","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1052"}],"version-history":[{"count":11,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1052\/revisions"}],"predecessor-version":[{"id":1766,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1052\/revisions\/1766"}]
,"up":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/492"}],"wp:attachment":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
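Added example, not code from the page or from the firewalld project: the "manage service", "manage port" and "port forwarding" sections above show single firewall-cmd invocations, but in practice each change should be applied to both the runtime and the permanent configuration, the port spec should be validated before it reaches firewalld, and the result should be confirmed with the matching --query-* command. The script below does that as a small POSIX sh wrapper. The function names (fw, fw_both, valid_port_spec, open_port, add_service, forward_to_host) and the FIREWALL_CMD and ZONE variables are my own; the firewall-cmd options it passes (--zone, --permanent, --add-port, --add-service, --query-port, --query-service, --query-masquerade, --add-masquerade, --add-forward-port) are the real ones. Setting FIREWALL_CMD to a stub lets you exercise it on a machine without firewalld.

```shell
#!/bin/sh
# Added example (not part of the original page): apply firewalld changes to
# BOTH the runtime and the permanent configuration, validate the input first,
# and verify the result with the matching --query-* command.
#
# Assumptions (mine, not the page's): firewall-cmd is on PATH and you are root;
# FIREWALL_CMD may be set to another command (e.g. a logging stub) to dry-run
# the functions without firewalld; ZONE defaults to "public".

# Thin wrapper so the whole script can be pointed at a stub for testing.
fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# Same sub-command against the runtime config and the permanent config.
# Doing both avoids --reload, which replaces the runtime config with the
# saved one and silently drops any runtime-only rules (e.g. --timeout rules).
fw_both() {
    fw --zone="${ZONE:-public}" "$@" >/dev/null || return 1
    fw --permanent --zone="${ZONE:-public}" "$@" >/dev/null || return 1
}

# Accept PORT/proto or START-END/proto with proto tcp|udp and 1 <= port <= 65535.
# Rejecting malformed specs here gives a clear error instead of a firewalld one.
valid_port_spec() {
    spec="$1"
    port="${spec%/*}"
    proto="${spec#*/}"
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in
        *-*) lo="${port%-*}"; hi="${port#*-}" ;;
        *)   lo="$port";      hi="$port" ;;
    esac
    case "$lo" in ""|*[!0-9]*) return 1 ;; esac
    case "$hi" in ""|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# open_port 8443/tcp  -> opens it now and after the next reload/reboot, then confirms it.
open_port() {
    valid_port_spec "$1" || { echo "bad port spec: $1" >&2; return 2; }
    fw_both --add-port="$1" || return 1
    fw --zone="${ZONE:-public}" --query-port="$1" >/dev/null
}

# add_service https  -> same pattern for a predefined service.
add_service() {
    fw_both --add-service="$1" || return 1
    fw --zone="${ZONE:-public}" --query-service="$1" >/dev/null
}

# forward_to_host PORT PROTO TOADDR TOPORT
# Forwarding to another host needs masquerading on the zone, so turn it on
# first if --query-masquerade reports that it is off (non-zero exit status).
forward_to_host() {
    valid_port_spec "$1/$2" || { echo "bad port/proto: $1/$2" >&2; return 2; }
    fw --zone="${ZONE:-public}" --query-masquerade >/dev/null 2>&1 \
        || fw_both --add-masquerade || return 1
    fw_both --add-forward-port="port=$1:proto=$2:toport=$4:toaddr=$3"
}

# Usage when run directly, e.g.:  sh fw-apply.sh open 8443/tcp
case "${1:-}" in
    open)    shift; open_port "$@" ;;
    service) shift; add_service "$@" ;;
    forward) shift; forward_to_host "$@" ;;
esac
```

Run it as root on a firewalld host, for example `sh fw-apply.sh forward 80 tcp 192.0.2.10 8080` (192.0.2.10 is a documentation address used here as a placeholder). fw_both is used instead of `--permanent` followed by `--reload` because a reload replaces the runtime configuration with the saved one, so every runtime-only rule, including the `--timeout` rules from the manage port section, disappears at that moment.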