4.5. Using Firewalls

The firewall daemon firewalld provides a dynamically managed firewall with support for network zones to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and ipsets, and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly. The complete communication with firewalld is done using D-Bus.

Note

To expand your expertise, you might also be interested in the Red Hat Server Hardening (RH413) training course.

4.5.1. Introduction to firewalld

The firewall daemon uses the restore commands of iptables, ip6tables, and ebtables by default to speed up all firewall actions that are changing the rule set. The normal commands are used if the configuration setting IndividualCalls is set to yes in the firewalld.conf file or if the rules can not be applied with the restore commands as a fallback solution. However, using the normal commands results in significant slow down.
To use the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
The sidebar on the left shows the Active Bindings of the active zones. These are grouped by Connections, which are handled by NetworkManager, Interfaces, and Sources.
The firewall-config tool has a drop-down selection menu labeled Configuration. This enables selecting between Runtime and Permanent mode. Notice that if you select Permanent, an additional row of icons will appear in the left hand corner. These icons only appear in permanent configuration mode because a service's parameters cannot be changed in Runtime mode. This setting does not affect the Active Bindings sidebar.
The firewall service provided by firewalld is dynamic rather than static because changes to the configuration can be made at anytime and are immediately implemented, there is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded.
A command-line client, firewall-cmd, is provided. It can be used to make permanent and non-permanent runtime changes as explained in man firewall-cmd(1). Permanent changes need to be made as explained in the firewalld(1) man page. Note that the firewall-cmd command can be run by the root user and also by an administrative user, in other words, a member of the wheel group. In the latter case the command will be authorized via the polkit mechanism.
The command-line client firewall-offline-cmd can only be used by the user root to alter the permanent environment. It is not talking to firewalld, but is using a part of the firewalld core and the I/O backends to alter the configuration. It is not recommended to use this tool while firewalld is active. It could be used, but changes done with the firewall-offline-cmd are not applied immediately to firewalld. The changes are applied to the permanent environment after firewalld was able to detect file changes in the file system. For example, the firewall-offline-cmd command is used while installing to set up the firewall. It can also be used in the post installation stage to alter the firewall configuration before the freshly installed system has been booted.
There is also an applet, firewall-applet, which can be used to quickly launch the NetworkManager configuration tab for the network connection in use. From the General tab changes to the assigned firewall zone can be made. This applet is not installed by default in Red Hat Enterprise Linux.
The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. This allows a great deal of flexibility as the files can be edited, written to, backed up, used as templates for other installations and so on. The configuration in /usr/lib/firewalld/ is the default and also fallback configuration, while the configuration in /etc/firewalld/ is the system specific configuration.
All applications communicate with firewalld using the D-Bus interface.

4.5.1.1. Comparison of firewalld to system-config-firewall and iptables

The essential differences between firewalld and the iptables (and ip6tables) services are:
  • The iptables service stores configuration in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
  • With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables while with firewalld there is no re-creating of all the rules; only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
Both use iptables tool to talk to the kernel packet filter.

Note

firewalld is not able to import firewall settings from the /etc/sysconfig/ip*tables files. To import lokkit or system-config-firewall settings, use the firewall-offline-cmd and the /etc/sysconfig/system-config-firewall file. Custom rules files can not be imported to ⁠firewalld. The imported settings are applied to the default zone.

Figure 4.1. The Firewall Stack

4.5.1.2. Understanding Network Zones

firewalld can be used to separate networks into different zones based on the level of trust the user has decided to place on the interfaces and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you. You can also use the firewall-cmd command-line tool. If an interface is controlled by NetworkManager, and the user change the zone of the interface using firewall-cmd, firewall-offline-cmd, or firewall-config, then this request is forwarded to NetworkManager and not handled by ⁠firewalld.
The zone settings in /etc/firewalld/ are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
Choosing a Network Zone
The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. However, a review of the default configuration settings should be made and unnecessary services disabled according to your needs and risk assessments.
The zone names and settings are proposals and can be changed according to the needs. A built-in zone can not be removed, but it is possible to revert the zone configuration back to the initial defaults by loading the zone defaults either in the permanent configuration of firewall-config or firewall-cmd.

4.5.1.3. Understanding Predefined Services

A service can be a list of local ports, protocols, source ports, and destinations as well as a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Using the predefined services, or custom defined services, as opposed to opening ports or ranges of ports, may make administration easier. Service configuration options and generic file information are described in the firewalld.service(5) man page. The services are specified by means of individual XML configuration files which are named in the following format: service-name.xml. Protocol names are preferred in firewalld over service or application names.
To view the list of services using the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password. You can now view the list of services under the Services tab.
To list all services available on the system, run the following command:
~]$ firewall-cmd --get-services
To get the settings of a service, use the following command:
~]$ firewall-cmd --info-service=service-name
To list only the default predefined services available using the command-line, run the following command:
~]$ ls /usr/lib/firewalld/services/

Note

The root user is not needed to list files in /usr/lib/firewalld. Make sure to change the attributes accordingly after an addition of custom private files.
Files in /usr/lib/firewalld/services/ must not be edited. Only the files in /etc/firewalld/services/ should be edited.
To list the system or user created services, run the following command as root:
~]# ls /etc/firewalld/services/
Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd. Alternatively, you can edit the XML files in /etc/firewalld/services/. If a service has not been added or changed by the user, then no corresponding XML file will be found in /etc/firewalld/services/. The files /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service.
To add a new service in a terminal, use firewall-cmd, or firewall-offline-cmd in case of not active firewalld. Run the following command to add a new and empty service:
~]$ firewall-cmd --permanent --new-service=service-name
To add a new service using a local file, use the following command:
~]$ firewall-cmd --permanent --new-service-from-file=service-name.xml
With the additional --name=service-name option you can change the service name.
As soon as service settings are changed, an updated copy of the service is placed into /etc/firewalld/services/.
As root, you can run the following command to copy a service manually:
~]# cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml
firewalld loads files from /usr/lib/firewalld/services in the first place. If files are placed in /etc/firewalld/services and they are valid, then these will override the matching files from /usr/lib/firewalld/services. The overriden files in /usr/lib/firewalld/services will be used as soon as the matching files in /etc/firewalld/services have been removed or if firewalld has been asked to load the defaults of the services. This applies to the permanent environment only. A reload is needed to get these fallbacks also in the runtime environment.

4.5.1.4. Understanding the Direct Interface

firewalld has a so called direct interface, which enables directly passing rules to iptables, ip6tables and ebtables. It is primarily intended for use by applications. It is not recommended and dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall. As long as the tracked interface parts are used, it is still possible to query firewalld and see the changes made by an application using this mode. The untracked passthrough mode is only intended for services that completely take care about the own rule set, such as libvirt and docker. The direct interface is used by adding the --direct option to the firewall-cmd command.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. If the rules are not made permanent then they need to be applied every time after receiving the start, restart, or reload message from firewalld using D-Bus. With the direct interface it is possible to add chains, rules, and tracked and untracked passthrough rules. You can also use direct rules in zone specific chains.

4.5.2. Installing firewalld

In Red Hat Enterprise Linux 7 firewalld is installed by default. If required, to ensure that it is, enter the following command as root:
~]# yum install firewalld
The graphical user interface configuration tool firewall-config is installed by default in some versions of Red Hat Enterprise Linux 7. If required, to ensure that it is, enter the following command as root:
~]# yum install firewall-config
To install the optional firewall-applet, run the following command as root:
~]# yum install firewall-applet
The applet is visible in the panel of the desktop with the next login. The use of the applet in GNOME is limited according to the GNOME rules for applets.

4.5.2.1. Stopping firewalld

To stop firewalld, enter the following command as root:
~]# systemctl stop firewalld
To prevent firewalld from starting automatically at system start, run the following command as root:
~]# systemctl disable firewalld
To make sure firewalld is not started by accessing the firewalld D-Bus interface and also if other services require firewalld, run the following command as root:
~]# systemctl mask firewalld

4.5.2.2. Starting firewalld

To start firewalld, enter the following command as root:
~]# systemctl unmask firewalld
~]# systemctl start firewalld
To ensure firewalld starts automatically at system start, enter the following command as root:
~]# systemctl enable firewalld

4.5.2.3. Checking if firewalld is Running

To check if firewalld is running, enter the following command:
~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2016-10-11 09:15:58 CEST; 2 days ago
     Docs: man:firewalld(1)
 Main PID: 721 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─721 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Oct 11 09:15:57 localhost.localdomain systemd[1]: Starting firewalld - dynami...
Oct 11 09:15:58 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.
In addition, check if firewall-cmd can connect to the daemon by entering the following command:
~]$ firewall-cmd --state
	running

4.5.3. Configuring firewalld

The firewall service, implemented by the daemon firewalld, can be configured using the graphical user interface tool firewall-config, using the command-line interface tools firewall-cmd, firewall-offline-cmd, and by editing XML configuration files. These methods will be described in order.

4.5.3.1. Configuring firewalld Using The Graphical User Interface

4.5.3.1.1. Start The graphical firewall configuration tool
To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
To start the graphical firewall configuration tool using the command-line, run the following command:
~]$ firewall-config
The Firewall Configuration window opens. Note, this command can be run as normal user but you will then be prompted for an administrator password from time to time.

Figure 4.2. The firewall configuration tool

Look for the Connection to firewalld established message in the lower left corner. This indicates that the firewall-config tool is connected to firewalld. Note that the ICMP Types, IPSets, Direct Configuration, and Lockdown Whitelist tabs are only visible after being selected from the View drop-down menu. The Active Bindings sidebar on the left is visible by default.
4.5.3.1.2. Changing the Firewall Settings
To immediately change the current firewall settings, ensure the current view is set to Runtime. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent from the drop-down list.

Note

When making changes to the firewall settings in Runtime mode, your selection takes immediate effect when you set or clear the check box associated with the service. You should keep this in mind when working on a system that may be in use by other users.
When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts. Click the Options menu and select Reload Firewall.
You can select zones in the left hand side column. You will notice the zones have some services enabled, you may need to resize the window or scroll to see the full list. You can customize the settings by selecting and deselecting a service.
4.5.3.1.3. Add an Interface to a Zone
To add a connection (the interfaces used by a connection) to a zone, start firewall-config. Click on the zone in the zone list on the left and select the Interfaces tab on the right. Click on the Add button to rise a new dialog to add the interface.
To change the zone setting for an interface double click the proper connection or interface in the Active Bindings sidebar. Select the new firewall zone from the drop-down menu in the following dialog and confirm by clicking OK.
Alternatively, to add or reassign an interface of a connection to a zone, start firewall-config, select Options from the menu bar, select Change Zones of Connections from the drop-down menu, the Connections, Interface, and Source list is displayed. Select the connection to be reassigned. The Select Zone for Connection window appears. Select the new firewall zone from the drop-down menu and click OK.
For connections handled by NetworkManager, the request to change the zone is forwarded to NetworkManager. The zone interface setting will not be saved in firewalld.
You can also use the firewall-cmd command-line tool or the firewall-applet applet to change the zone for a connection, interface and source.
4.5.3.1.4. Set the Default Zone
To set the default zone that new interfaces will be assigned to, start firewall-config, select Options from the menu bar, select Change Default Zone from the drop-down menu. The Default Zone window appears. Select the zone from the list that you want to be used as the default zone and click OK. Alternatively, run the following command:
~]$ firewall-cmd --set-default-zone=zone-name
4.5.3.1.5. Configuring Services
To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.
To edit a service, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons and menu buttons appear at the bottom of the Services window. Select the service you want to configure.
The Ports, Protocols, and Source Port tabs enables adding, changing, and removing of ports, protocols, and source port for the selected service. The modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).

Note

In Runtime mode is not possible to alter service settings.
4.5.3.1.6. Open Ports in the Firewall
To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and click the Add button on the right hand side. The Port and Protocol window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.
4.5.3.1.7. Open Protocols in the Firewall
To permit traffic through the firewall using a certain protocol, start the firewall-config tool and select the network zone whose settings you want to change. Select the Protocols tab and then click the Add button on the right hand side. The Protocol window opens.
Either select a protocol from the drop-down list or select the Other Protocol check box and enter the protocol in the field.
4.5.3.1.8. Open Source Ports in the Firewall
To permit traffic through the firewall from a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Source Port tab and then click the Add button on the right hand side. The Source Port window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.
4.5.3.1.9. Enable IPv4 Address Masquerading
To translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address.

Note

To enable masquerading for IPv6, please use a rich rule.
4.5.3.1.10. Configure Port Forwarding
To forward inbound network traffic, or packets, for a specific port to an internal address or alternative port, first enable IP address masquerading, then select the Port Forwarding tab.
Select the protocol of the incoming traffic and the port or range of ports on the upper section of the window. The lower section is for setting details about the destination.
To forward traffic to a local port (a port on the same system), select the Local forwarding check box. Enter the local port or range of ports for the traffic to be sent to.
To forward traffic to another IPv4 address, select the Forward to another port check box. Enter the destination IP address and port or port range. The default is to send to the same port if the port field is left empty. Click OK to apply the changes.
4.5.3.1.11. Configuring the ICMP Filter
To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To edit an ICMP type, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons appear at the bottom of the Services window. Select Yes in the following dialog to enable masquerading and to make forwarding to another machine working.
To enable inverting the ICMP Filter, click the Invert Filter check box on the right. Only marked ICMP types are now accepted, all other are rejected. In a zone using the DROP target, they are dropped.

4.5.3.2. Configuring the Firewall Using the Command-Line Tool, firewall-cmd

The command-line tool firewall-cmd is part of the firewalld application which is installed by default. You can verify that it is installed by checking the version or displaying the help output. Enter the following command to check the version:
~]$ firewall-cmd --version
Enter the following command to view the help output:
~]$ firewall-cmd --help
We list a selection of commands below, for a full list see the man firewall-cmd(1) man page.

Note

In order to make a command permanent or persistent, add the --permanent option to all commands apart from the --direct commands (which are by their nature temporary). Note that this not only means the change will be permanent but that the change will only take effect after firewall reload, service restart, or after system reboot. Settings made with firewall-cmd without the --permanent option take effect immediately, but are only valid till next firewall reload, system boot, or firewalld service restart. Reloading the firewall does not in itself break connections, but be aware you are discarding temporary changes by doing so.
In order to make a command both persistent and take effect immediately, enter the command twice, once with the --permanent and once without. This is because a firewall reload takes more time than just repeating a command because it has to reload all configuration files and recreate the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload.

Important

The --permanent --add-interface option is supposed to be used only for interfaces that are not managed by the NetworkManager utility. This is because NetworkManager, or the legacy network service, adds interfaces into zones automatically according to the ZONE= directive in the ifcfg interface configuration file. See the Red Hat Enterprise Linux 7 Networking Guide for information on NetworkManager and working with ifcfg files.

4.5.3.3. View the Firewall Settings Using the Command-Line Interface (CLI)

To get a text display of the state of firewalld, enter the following command:
~]$ firewall-cmd --state
To view the list of active zones, with a list of the interfaces currently assigned to them, enter the following command:
~]$ firewall-cmd --get-active-zones
public
  interfaces: em1
To find out the zone that an interface, for example em1, is currently assigned to, enter the following command:
~]$ firewall-cmd --get-zone-of-interface=em1
public
To find out all the interfaces assigned to a zone, for example the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-interfaces
			em1 wlan0
This information is obtained from NetworkManager and only shows interfaces, not connections.
To find out all the settings of a zone, for example the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-all
public
  interfaces: 
  services: mdns dhcpv6-client ssh
  ports: 
  forward-ports: 
  icmp-blocks: source-quench
To view the list of services currently loaded, enter the following command as root:
~]# firewall-cmd --get-services
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https ntp vnc-server telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
This will list the names of the predefined services loaded from /usr/lib/firewalld/services/ as well as any custom services that are currently loaded. Note that the configuration files themselves are named service-name.xml.
If custom services have been created but not loaded, they can be listed as follows:
~]# firewall-cmd --permanent --get-services
This will list all services, including custom services configured in /etc/firewalld/services/, even if they are not yet loaded.

4.5.3.4. Change the Firewall Settings Using the Command-Line Interface (CLI)

4.5.3.4.1. Drop All Packets (Panic Mode)
To start dropping all incoming and outgoing packets, enter the following command as root:
~]# firewall-cmd --panic-on
All incoming and outgoing packets will be dropped. Active connections will be terminated after a period of inactivity; the time taken depends on the individual session time out values.
To start passing incoming and outgoing packets again, enter the following command as root:
~]# firewall-cmd --panic-off
After disabling panic mode, established connections might work again if panic mode was enabled for a short period of time.
To find out if panic mode is enabled or disabled, enter the following command:
~]$ firewall-cmd --query-panic
Prints yes with exit status 0 if enabled and no with exit status 1 otherwise.
4.5.3.4.2. Reload the Firewall Using the Command-Line Interface (CLI)
To reload the firewall without interrupting user connections (without losing state information), enter the following command as root:
~]# firewall-cmd --reload
A firewall reload involves reloading all configuration files and recreating the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload.
To reload the firewall and interrupt user connections, discarding state information, enter the following command as root:
~]# firewall-cmd --complete-reload
This command should normally only be used in case of severe firewall problems. For example, if there are state information problems and no connection can be established but the firewall rules are correct.
4.5.3.4.3. Add an Interface to a Zone Using the Command-Line Interface (CLI)
To add an interface to a zone (for example, to add em1 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-interface=em1
To make this setting persistent, repeat the commands adding the --permanent option.
4.5.3.4.4. Add an Interface to a Zone by Editing the Interface Configuration File
To add an interface to a zone by editing the ifcfg-em1 configuration file (for example, to add em1 to the work zone), add the following line to ifcfg-em1 as root:
ZONE=work
Note that if you omit the ZONE option, or use ZONE=, or ZONE='', then the default zone will be used.
NetworkManager will automatically reconnect and the zone will be set accordingly.
4.5.3.4.5. Configure the Default Zone by Editing the firewalld Configuration File
As root, open /etc/firewalld/firewalld.conf and edit the file as follows:
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Reload the firewall by entering the following command as root:
~]# firewall-cmd --reload
This will reload the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
4.5.3.4.6. Set the Default Zone by Using the Command-Line Interface (CLI)
To set the default zone (to public, for example), enter the following command as root:
~]# firewall-cmd --set-default-zone=public
This change will take immediate effect and in this case it is not necessary to reload the firewall.
4.5.3.4.7. Open Ports in the Firewall Using the Command-Line Interface (CLI)
To list all open ports for a zone (dmz, for example), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-ports
Note that this will not show ports opened as a result of the --add-services command.
To add a port to a zone (for example, to allow TCP traffic to port 8080 to the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this setting persistent, repeat the command adding the --permanent option.
To add a range of ports to a zone (for example, to allow the ports from 5060 to 5061 to the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.8. Add a Service to a Zone Using the Command-Line Interface (CLI)
To add a service to a zone (for example, to allow SMTP to the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --add-service=smtp
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.9. Remove a Service from a Zone Using the Command-Line Interface (CLI)
To remove a service from a zone (for example, to remove SMTP from the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --remove-service=smtp
To make this change persistent, repeat the command adding the --permanent option. This change will not break established connections. If that is your intention, you can use the --complete-reload option, but this will break all established connections—not just for the service you have removed.
4.5.3.4.10. Add a Service to a Zone by Editing XML Files
To view the default zone files, enter the following command as root:
~]# ls /usr/lib/firewalld/zones/
block.xml  drop.xml      home.xml      public.xml   work.xml
dmz.xml    external.xml  internal.xml  trusted.xml
These files must not be edited. They are used by default if no equivalent file exists in the /etc/firewalld/zones/ directory.
To view the zone files that have been changed from the default, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  public.xml.old
In the example shown above, the work zone file does not exist. To add the work zone file, enter the following command as root:
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now edit the file in the /etc/firewalld/zones/ directory. If you delete the file, firewalld will fall back to using the default file in /usr/lib/firewalld/zones/.
To add a service to a zone (for example, to allow SMTP to the work zone), add the following line to the /etc/firewalld/zones/work.xml file as root:
<service name="smtp"/>
4.5.3.4.11. Remove a Service from a Zone by Editing XML files
An editor running with root privileges is required to edit the XML zone files. To view the files for previously configured zones, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  work.xml
To remove a service from a zone (for example, to remove SMTP from the work zone), use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file to remove the following line:
<service name="smtp"/>
If no other changes have been made to the work.xml file, it can be removed and firewalld will use the default /usr/lib/firewalld/zones/work.xml configuration file after the next reload or system boot.
4.5.3.4.12. Configure IP Address Masquerading
To check if IP masquerading is enabled (for the external zone, for example), enter the following command as root:
~]# firewall-cmd --zone=external --query-masquerade
The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.
To enable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
To disable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --remove-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
4.5.3.4.13. Configure Port Forwarding Using the Command-Line Interface (CLI)
To forward inbound network packets from one port to an alternative port or address, first enable IP address masquerading for a zone (external, for example), by entering the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To forward packets to a local port (a port on the same system), enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
In this example, the packets intended for port 22 are now forwarded to port 3753. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new local port (the port or range of ports to which the traffic is being forwarded to) is specified with the toport option. To make this setting persistent, repeat the commands adding the --permanent option.
To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to the same port at the address given with the toaddr. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port (the port or range of ports to which the traffic is being forwarded to) is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.
To forward packets to another port at another IPv4 address, usually an internal address, enter the following command as root:
~]# firewall-cmd --zone=external \
      --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol, if specified, must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is being forwarded to, is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.

4.5.3.5. Configuring the Firewall Using XML Files

The configuration settings for firewalld are stored in XML files in the /etc/firewalld/ directory. Do not edit the files in the /usr/lib/firewalld/ directory (the files define the default settings). You will need root user permissions to view and edit the XML files. The XML files are explained in three man pages:
  • firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
  • firewalld.service(5) man page — Describes XML configuration files for firewalld service.
  • firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
The XML files can be created and edited directly or created indirectly using the graphical and command-line tools. Organizations can distribute them in RPM files which can make management and version control easier. Tools such as Puppet can distribute such configuration files.

4.5.3.6. Using the Direct Interface

It is possible to add and remove chains during runtime by using the --direct option with the firewall-cmd tool. A few examples are presented here, see the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See man firewalld.direct(5) for information on the /etc/firewalld/direct.xml file.
4.5.3.6.1. Adding a Custom Rule Using the Direct Interface
To add a custom rule to the IN_public_allow chain, run the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
        0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.
4.5.3.6.2. Removing a Custom Rule Using the Direct Interface
To remove a custom rule from the IN_public_allow chain, run the following command as root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
        0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.
4.5.3.6.3. Listing Custom Rules Using the Direct Interface
To list the rules in the IN_public_allow chain, run the following command as root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means.

4.5.3.7. Configuring Complex Firewall Rules with the "Rich Language" Syntax

With the rich language syntax, complex firewall rules can be created in a way that is easier to understand than the direct-interface method. In addition, the settings can be made permanent. The language uses keywords with values and is an abstract representation of iptables rules. Zones can be configured using this language, the current configuration method will still be supported.
4.5.3.7.1. Format of the Rich Language Commands
All the commands in this section need to be run as root. The format of the command to add a rule is as follows:
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
This will add a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used. If a timeout is supplied, the rule or rules only stay active for the amount of time specified and will be removed automatically afterwards. The time value can be followed by s (seconds), m (minutes), or h (hours) to specify the unit of time. The default is seconds.
To remove a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will remove a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used.
To check if a rule is present:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will return whether a rich language rule rule has been added for the zone zone. The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If the zone is omitted, the default zone is used.
For information about the rich language representation used in the zone configuration files, see the firewalld.zone(5) man page.
4.5.3.7.2. Understanding the Rich Rule Structure
The format or structure of the rich rule commands is as follows:
rule [family="rule family"]
    [ source address="address" [invert="True"] ]
    [ destination address="address" [invert="True"] ]
    [ element ]
    [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
    [ audit ]
    [ action ]
A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.
4.5.3.7.3. Understanding the Rich Rule Command Options
family
If the rule family is provided, either ipv4 or ipv6, it limits the rule to IPv4 or IPv6 respectively. If the rule family is not provided, the rule is added for both IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.
Source and Destination Addresses
source
By specifying the source address the origin of a connection attempt can be limited to the source address. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4 or IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding invert="true" or invert="yes"; all but the supplied address will match.
destination
By specifying the destination address the target can be limited to the destination address. The destination address uses the same syntax as the source address. The use of source and destination addresses is optional and the use of a destination addresses is not possible with all elements. This depends on the use of destination addresses, for example in service entries.
Elements
The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block and forward-port.
service
The service element is one of the firewalld provided services. To get a list of the predefined services, run the following command:
~]$ firewall-cmd --get-services
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:
service name=service_name
port
The port element can either be a single port number or a port range, for example, 5060-5062, followed by the protocol, either as tcp or udp. The command takes the following form:
port port=number_or_range protocol=protocol
protocol
The protocol value can be either a protocol ID number or a protocol name. For allowed protocol entries, see /etc/protocols. The command takes the following form:
protocol value=protocol_name_or_ID
icmp-block
Use this command to block one or more ICMP types. The ICMP type is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, run the following command:
~]$ firewall-cmd --get-icmptypes
Specifying an action is not allowed here. icmp-block uses the action reject internally. The command takes the following form:
icmp-block name=icmptype_name
masquerade
Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.
forward-port
Forward packets from a local port with protocol specified as tcp or udp to either another port locally, to another machine, or to another port on another machine. The port and to-port can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. The forward-port command uses the action accept internally. The command takes the following form:
forward-port port=number_or_range protocol=protocol /
            to-port=number_or_range to-addr=address
Logging
log
Log new connection attempts to the rule with kernel logging, for example in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of emerg, alert, crit, error, warning, notice, info or debug. The use of log is optional. It is possible to limit logging as follows:
log [prefix=prefix text] [level=log level] limit value=rate/duration
The rate is a natural positive number [1, ..], the duration of s, m, h, d. s means seconds, m minutes, h hours and d days. The maximum limit value is 1/d which means at maximum one log entry per day.
audit
Audit provides an alternative way for logging using audit records sent to the service auditd. The audit type can be one of ACCEPT, REJECT or DROP but it is not specified after the command audit as the audit type will be automatically gathered from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.
Action
accept|reject|drop
An action can be one of accept, reject or drop. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.
accept | reject [type=reject type] | drop
With accept all new connection attempts will be granted. With reject they will be rejected and their source will get a reject message. The reject type can be set to use another value. With drop all packets will be dropped immediately and no information is sent to the source.
4.5.3.7.4. Using the Rich Rule Log Command
Logging can be done with the Netfilter log target and also with the audit target. A new chain is added to all zones with a name in the format zone_log, where zone is the zone name. This is processed before the deny chain in order to have proper ordering. The rules or parts of them are placed in separate chains, according to the action of the rule, as follows:
zone_log
zone_deny
zone_allow
All logging rules will be placed in the zone_log chain, which will be parsed first. All reject and drop rules will be placed in the zone_deny chain, which will be parsed after the log chain. All accept rules will be placed in the zone_allow chain, which will be parsed after the deny chain. If a rule contains log and also deny or allow actions, the parts of the rule that specify these actions are placed in the matching chains.
4.5.3.7.4.1. Using the Rich Rule Log Command Example 1
Enable new IPv4 and IPv6 connections for authentication header protocol AH:
rule protocol value="ah" accept
4.5.3.7.4.2. Using the Rich Rule Log Command Example 2
Allow new IPv4 and IPv6 connections for protocol FTP and log 1 per minute using audit:
rule service name="ftp" log limit value="1/m" audit accept
4.5.3.7.4.3. Using the Rich Rule Log Command Example 3
Allow new IPv4 connections from address 192.168.0.0/24 for protocol TFTP and log 1 per minute using syslog:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
4.5.3.7.4.4. Using the Rich Rule Log Command Example 4
New IPv6 connections from 1:2:3:4:6:: for protocol RADIUS are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
4.5.3.7.4.5. Using the Rich Rule Log Command Example 5
Forward IPv6 packets received from 1:2:3:4:6:: on port 4011 with protocol TCP to 1::2:3:4:7 on port 4012.
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
4.5.3.7.4.6. Using the Rich Rule Log Command Example 6
Whitelist a source address to allow all connections from this source.
rule family="ipv4" source address="192.168.2.2" accept
See the firewalld.richlanguage(5) man page for more examples.

4.5.3.8. Firewall Lockdown

Local applications or services are able to change the firewall configuration if they are running as root (for example, libvirt). With this feature, the administrator can lock the firewall configuration so that either no applications, or only applications that are added to the lockdown whitelist, are able to request firewall changes. The lockdown settings default to disabled. If enabled, the user can be sure that there are no unwanted configuration changes made to the firewall by local applications or services.
4.5.3.8.1. Configuring Firewall Lockdown
Using an editor running as root, add the following line to the /etc/firewalld/firewalld.conf file as follows:
Lockdown=yes
Reload the firewall using the following command as root:
~]# firewall-cmd --reload
Try to enable the imaps service in the default zone using the following command as an administrative user (a user in the wheel group; usually the first user on the system). You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
Error: ACCESS_DENIED: lockdown is enabled
To enable the use of firewall-cmd, run the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*'
Add the --permanent option if you want to make it persistent.
Reload the firewall as root:
~]# firewall-cmd --reload
Try to enable the imaps service again in the default zone by entering the following command as an administrative user. You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
This time the command succeeds.
4.5.3.8.2. Configure Lockdown with the Command-Line Client
To query whether lockdown is enabled, enter the following command as root:
~]# firewall-cmd --query-lockdown
Prints yes with exit status 0, if lockdown is enabled, prints no with exit status 1 otherwise.
To enable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-on
To disable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-off
4.5.3.8.3. Configure Lockdown Whitelist Options with the Command Line
The lockdown whitelist can contain commands, security contexts, users and user IDs. If a command entry on the whitelist ends with an asterisk *, then all command lines starting with that command will match. If the * is not there then the absolute command including arguments must match.
The context is the security (SELinux) context of a running application or service. To get the context of a running application use the following command:
~]$ ps -e --context
That command returns all running applications. Pipe the output through the grep tool to get the application of interest. For example:
~]$ ps -e --context | grep example_program
To list all command lines that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-commands
To add a command command to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To remove a command command from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To query whether the command command is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all security contexts that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-contexts
To add a context context to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To remove a context context from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To query whether the context context is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-context=context
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user IDs that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-uids
To add a user ID uid to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To remove a user ID uid from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To query whether the user ID uid is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-uid=uid
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user names that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-users
To add a user name user to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To remove a user name user from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To query whether the user name user is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-user=user
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
4.5.3.8.4. Configure Lockdown Whitelist Options with Configuration Files
The default whitelist configuration file contains the NetworkManager context and the default context of libvirt. Also the user ID 0 is in the list.
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
  <user id="0"/>
</whitelist>
Here follows an example whitelist configuration file enabling all commands for the firewall-cmd utility, for a user called user whose user ID is 815:
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
In this example we have shown both user id and user name but only one is required. Python is the interpreter and therefore prepended to the command line. You can also use a very specific command, for example:
/usr/bin/python /bin/firewall-cmd --lockdown-on
In that example only the --lockdown-on command will be allowed.

Note

In Red Hat Enterprise Linux 7, all utilities are now placed in /usr/bin/ and the /bin/ directory is sym-linked to the /usr/bin/ directory. In other words, although the path for firewall-cmd when run as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location but be aware that if scripts that run as root have been written to use the /bin/firewall-cmd path then that command path must be whitelisted in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
The * at the end of the name attribute of a command means that all commands that start with this string will match. If the * is not there then the absolute command including arguments must match.

4.5.4. Using the iptables Service

To use the iptables and ip6tables services instead of firewalld, first disable firewalld by running the following command as root:
~]# systemctl disable firewalld
~]# systemctl stop firewalld
Then install the iptables-services package by entering the following command as root:
~]# yum install iptables-services
The iptables-services package contains the iptables service and the ip6tables service.
Then, to start the iptables and ip6tables services, run the following commands as root:
~]# systemctl start iptables
~]# systemctl start ip6tables
To enable the services to start on every system start, enter the following commands:
~]# systemctl enable iptables
~]# systemctl enable ip6tables

4.5.4.1. IPTables and IP Sets

The ipset utility is used to administer IP sets in the Linux kernel. An IP set is a framework for storing IP addresses, port numbers, IP and MAC address pairs, or IP address and port number pairs. The sets are indexed in such a way that very fast matching can be made against a set even when the sets are very large. IP sets enable simpler and more manageable configurations as well as providing performance advantages when using iptables. The iptables matches and targets referring to sets create references which protect the given sets in the kernel. A set cannot be destroyed while there is a single reference pointing to it.
The use of ipset enables iptables commands, such as those below, to be replaced by a set:
~]# iptables -A INPUT -s 10.0.0.0/8 -j DROP
~]# iptables -A INPUT -s 172.16.0.0/12 -j DROP
~]# iptables -A INPUT -s 192.168.0.0/16 -j DROP
The set is created as follows:
~]# ipset create my-block-set hash:net
~]# ipset add my-block-set 10.0.0.0/8
~]# ipset add my-block-set 172.16.0.0/12
~]# ipset add my-block-set 192.168.0.0/16
The set is then referenced in an iptables command as follows:
~]# iptables -A INPUT -m set --set my-block-set src -j DROP
If the set is used more than once a saving in configuration time is made. If the set contains many entries a saving in processing time is made.
4.5.4.1.1. Using IP Sets with firewalld
To use IP sets with firewalld, a permanent direct rule is required to reference the set, and a custom service must be created and started before firewalld starts for every ipset. You can add permanent direct rules with the /etc/firewalld/direct.xml file.

Procedure 4.1. Configuring a Custom Service for an IP Set

Configure a custom service to create and load the IP set structure before firewalld starts.
  1. Using an editor running as root, create a file as follows:
    ~]# vi /etc/systemd/system/ipset_name.service
    [Unit]
    Description=ipset_name
    Before=firewalld.service
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/usr/local/bin/ipset_name.sh start
    ExecStop=/usr/local/bin/ipset_name.sh stop
    
    [Install]
    WantedBy=basic.target
  2. Use the IP set permanently in firewalld:
    ~]# vi /etc/firewalld/direct.xml
    <?xml version="1.0" encoding="utf-8"?>
    <direct>
       <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set
    --match-set <replaceable>ipset_name</replaceable> src -j DROP</rule>
    </direct>
  3. A firewalld reload is required to activate the changes:
    ~]# firewall-cmd --reload
    This will reload the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
4.5.4.1.2. Installing ipset
To install the ipset utility, run the following command as root:
~]# yum install ipset
To see the usage message:
~]$ ipset --help
ipset v6.11

Usage: ipset [options] COMMAND
output truncated
4.5.4.1.3. ipset Commands
The format of the ipset command is as follows:
ipset [options] command [command-options]
Where command is one of:
create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | - 
Allowed options are:
-exist | -output [ plain | save | xml ] | -quiet | -resolve | -sorted | -name | -terse
The create command is used to create a new data structure to store a set of IP data. The add command adds new data to the set, the data added is referred to as an element of the set.
The -exist option suppresses error message if the element already exists, and it has a special role in updating a time out value. To change a time out, use the ipset add command and specify all the data for the element again, changing only the time out value as required, and using the -exist option.
The test option is for testing if the element already exists within a set.
The format of the create command is as follows:
ipset create set-name type-name [create-options]
The set-name is a suitable name chosen by the user, the type-name is the name of the data structure used to store the data comprising the set. The format of the type-name is as follows:
method:datatype[,datatype[,datatype]]
The allowed methods for storing data are:
 bitmap | hash | list 
The allowed data types are:
ip | net | mac | port | iface 
When adding, deleting, or testing entries in a set, the same comma separated data syntax must be used for the data that makes up one entry, or element, in the set. For example:
ipset add set-name ipaddr,portnum,ipaddr

Note

A set cannot contain IPv4 and IPv6 addresses at the same time. When a set is created it is bound to a family, inet for IPv4 or inet6 for IPv6, and the default is inet.

Example 4.2. Create an IP Set

To create an IP set consisting of a source IP address, a port, and destination IP address, run a command as follows:
~]# ipset create my-set hash:ip,port,ip
Once the set is created, entries can be added as follows:
~]# ipset add my-set 192.168.1.2,80,192.168.2.2
~]# ipset add my-set 192.168.1.2,443,192.168.2.2
The set types have the following optional parameters in common. They must be specified when the set is created in order for them to be used:
  • timeout — The value given with the create command will be the default value for the set created. If a value is given with the add command, it will be the initial non-default value for the element.
  • counters — If the option is given with the create command then packet and byte counters are created for every element in the set. If no value is given with the add command then the counters start from zero.
  • comment — If the option is given with the create command then a quoted string of text can be passed with the add command to document the purpose of the element being added. Note that quotation marks are not allowed within the string, and escape characters will have no effect within IP set.

Example 4.3. List an IP Set

To list the contents of a specific IP Set, my-set, run a command as follows:
~]# ipset list my-set
Name: my-set
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8360
References: 0
Members:
192.168.1.2,tcp:80,192.168.2.2
192.168.1.2,tcp:443,192.168.2.2
Omit the set name to list all sets.

Example 4.4. Test the Elements of an IP Set

Listing the contents of large sets is time consuming. You can test for the existence of an element as follows:
~]# ipset test my-set 192.168.1.2,80,192.168.2.2
192.168.1.2,tcp:80,192.168.2.2 is in set my-set.
4.5.4.1.4. IP Set Types
bitmap:ip
Stores an IPv4 host address, a network range, or an IPv4 network addresses with the prefix-length in CIDR notation if the netmask option is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to 65536 entries. The command to create the bitmap:ip set has the following format:
ipset create set-name range start_ipaddr-end_ipaddr |ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]

Example 4.5. Create an IP Set for a Range of Addresses Using a Prefix Length

To create an IP set for a range of addresses using a prefix length, make use of the bitmap:ip set type as follows:
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.33.1
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addresses:
~]# ipset add my-range 192.168.33.2-192.168.33.4
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4

Example 4.6. Create an IP Set for a Range of Addresses Using a Netmask

To create an IP set for a range of address using a netmask, make use of the bitmap:ip set type as follows:
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24
Once the set is created, entries can be added as follows:
~]# ipset add my-big-range 192.168.124.0
If you attempt to add an address, the range containing that address will be added:
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24
Size in memory: 84
References: 0
Members:
192.168.124.0
192.168.125.0
bitmap:ip,mac
Stores an IPv4 address and a MAC address as a pair. It can store up to 65536 entries.
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value ] [counters] [comment]

Example 4.7. Create an IP Set for a Range of IPv4 MAC Address Pairs

To create an IP set for a range of IPv4 MAC address pairs, make use of the bitmap:ip,mac set type as follows:
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not necessary to specify a MAC address when creating the set.
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
bitmap:port
Stores a range of ports. It can store up to 65536 entries.
ipset create my-port-range bitmap:port range start_port-end_port [timeout value ] [counters] [comment]
The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port. The proto only needs to be specified if a service name is used, and that name does not exist as a TCP service.

Example 4.8. Create an IP Set for a Range of Ports

To create an IP set for a range of ports, make use of the bitmap:port set type as follows:
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the set is created, entries can be added as follows:
~]# ipset add my-permitted-port-range 5060-5061
hash:ip
Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored.
ipset create my-addresses hash:ip [family[ inet | inet6 ]] [hashsize value] [maxelem value ] [netmask prefix-length] [timeout value ]
The inet family is the default, if family is omitted addresses will be interpreted as IPv4 addresses. The hashsize value is the initial hash size to use and defaults to 1024. The maxelem value is the maximum number of elements which can be stored in the set, it defaults to 65536.
The netfilter tool searches for a network prefix which is the most specific, it tries to find the smallest block of addresses that match.

Example 4.9. Create an IP Set for IP Addresses

To create an IP set for IP addresses, make use of the hash:ip set type as follows:
~]# ipset create my-addresses hash:ip
Once the set is created, entries can be added as follows:
~]# ipset add my-addresses 10.10.10.0
If additional options such as netmask and timeout are required, they must be specified when the set is created. For example:
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The maxelem option restricts to total number of elements in the set, thus conserving memory space.
The timeout option means that elements will only exist in the set for the number of seconds specified. For example:
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output shows the time counting down:
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
The element will be removed from the set when the timeout period ends.
See the ipset(8) manual page for more examples.

4.5.5. Additional Resources

The following sources of information provide additional resources regarding firewalld.

4.5.5.1. Installed Documentation

  • firewalld(1) man page — Describes command options for firewalld.
  • firewalld.conf(5) man page — Contains information to configure firewalld.
  • firewall-cmd(1) man page — Describes command options for the firewalld command-line client.
  • firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
  • firewalld.service(5) man page — Describes XML configuration files for firewalld service.
  • firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
  • firewalld.direct(5) man page — Describes the firewalld direct interface configuration file.
  • firewalld.lockdown-whitelist(5) man page — Describes the firewalld lockdown whitelist configuration file.
  • firewall.richlanguage(5) man page — Describes the firewalld rich language rule syntax.
  • firewalld.zones(5) man page — General description of what zones are and how to configure them.