5.6. Controlling Traffic

5.6.1. Predefined Services

Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd.
Alternatively, you can edit the XML files in the /etc/firewalld/services/ directory. If a service is not added or changed by the user, then no corresponding XML file is found in /etc/firewalld/services/. The files in the /usr/lib/firewalld/services/ directory can be used as templates if you want to add or change a service.

5.6.2. Disabling All Traffic in Case of Emergency using CLI

In an emergency situation, such as a system attack, it is possible to disable all network traffic and cut off the attacker.
To immediately disable networking traffic, switch panic mode on:
~]# firewall-cmd --panic-on
Switching off panic mode reverts the firewall to its permanent settings. To switch panic mode off:
~]# firewall-cmd --panic-off
To see whether panic mode is switched on or off, use:
~]# firewall-cmd --query-panic

5.6.3. Controlling Traffic with Predefined Services using CLI

The most straightforward method to control traffic is to add a predefined service to firewalld. This opens all necessary ports and modifies other settings according to the service definition file.
  1. Check that the service is not already allowed:
    ~]# firewall-cmd --list-services
    ssh dhcpv6-client
  2. List all predefined services:
    ~]# firewall-cmd --get-services
    RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry ...
    [output truncated]
  3. Add the service to the allowed services:
    ~]# firewall-cmd --add-service=<service-name>
  4. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.6.4. Controlling Traffic with Predefined Services using GUI

To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.
To edit a service, start the firewall-config tool and select Permanent from the menu labeled Configuration. Additional icons and menu buttons appear at the bottom of the Services window. Select the service you want to configure.
The Ports, Protocols, and Source Port tabs enable adding, changing, and removing ports, protocols, and source ports for the selected service. The Modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).

Note

It is not possible to alter service settings in Runtime mode.

5.6.5. Adding New Services

Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd. Alternatively, you can edit the XML files in /etc/firewalld/services/. If a service is not added or changed by the user, then no corresponding XML file is found in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service.
To add a new service in a terminal, use firewall-cmd, or firewall-offline-cmd if firewalld is not active. New services are created in the permanent configuration, so the --permanent option is required. Enter the following command to add a new, empty service:
~]# firewall-cmd --permanent --new-service=service-name
To add a new service using a local file, use the following command:
~]# firewall-cmd --permanent --new-service-from-file=service-name.xml
You can change the service name with the additional --name=service-name option.
As soon as service settings are changed, an updated copy of the service is placed into /etc/firewalld/services/.
As root, you can enter the following command to copy a service manually:
~]# cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml
firewalld loads files from /usr/lib/firewalld/services first. If files are placed in /etc/firewalld/services and they are valid, then they override the matching files from /usr/lib/firewalld/services. The overridden files in /usr/lib/firewalld/services are used again as soon as the matching files in /etc/firewalld/services have been removed or firewalld has been asked to load the service defaults. This applies to the permanent environment only; a reload is needed to get these fallbacks into the runtime environment as well.
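As an added example (not code from this guide), the following builds the service definition file that --new-service-from-file consumes. The element names (service, short, description, port, protocol, source-port, destination) follow the files under /usr/lib/firewalld/services/, the port-type check follows the tcp/udp/sctp/dccp list given for --add-port, and the function names and the "metrics" service are assumptions of mine.

```python
import xml.etree.ElementTree as ET

# Port types firewalld accepts for ports and source ports (see --add-port).
PORT_TYPES = {"tcp", "udp", "sctp", "dccp"}

def check_port(spec):
    """Validate 'N/type' or 'N-M/type' and split it into (port, type)."""
    port, _, ptype = spec.partition("/")
    if ptype not in PORT_TYPES:
        raise ValueError(f"{spec!r}: port type must be one of {sorted(PORT_TYPES)}")
    lo, _, hi = port.partition("-")
    if not 1 <= int(lo) <= int(hi or lo) <= 65535:
        raise ValueError(f"{spec!r}: port out of range 1-65535")
    return port, ptype

def build_service(short, description, ports=(), protocols=(),
                  source_ports=(), destination=None):
    """Build the <service> tree; destination is e.g. {"ipv4": "10.0.0.5"}."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = short
    ET.SubElement(svc, "description").text = description
    for spec in ports:                       # Ports tab
        port, ptype = check_port(spec)
        ET.SubElement(svc, "port", protocol=ptype, port=port)
    for proto in protocols:                  # Protocols tab (e.g. "gre")
        ET.SubElement(svc, "protocol", value=proto)
    for spec in source_ports:                # Source Port tab
        port, ptype = check_port(spec)
        ET.SubElement(svc, "source-port", protocol=ptype, port=port)
    if destination:                          # Destination tab
        if set(destination) - {"ipv4", "ipv6"}:
            raise ValueError("destination keys must be ipv4 and/or ipv6")
        ET.SubElement(svc, "destination", **destination)
    return svc

def service_xml(*args, **kwargs):
    """Serialise as the file handed to --new-service-from-file."""
    body = ET.tostring(build_service(*args, **kwargs), encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"

# Constructed example: a hypothetical internal metrics collector on 9100/tcp
# that only accepts IPv4 traffic addressed to one host.
METRICS_XML = service_xml("metrics", "Hypothetical metrics collector",
                          ports=["9100/tcp"], destination={"ipv4": "10.0.0.5"})
```

Write METRICS_XML to metrics.xml and pass it to --new-service-from-file; the result lands in /etc/firewalld/services/ as described above.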

5.6.6. Controlling Ports using CLI

Ports are logical devices that enable an operating system to receive and distinguish network traffic and forward it accordingly to system services. These are usually represented by a daemon that listens on the port, that is, it waits for any traffic coming to this port.
Normally, system services listen on standard ports that are reserved for them. The httpd daemon, for example, listens on port 80. However, system administrators may configure daemons to listen on different ports to enhance security or for other reasons.

Opening a Port

Through open ports, the system is accessible from the outside, which represents a security risk. Generally, keep ports closed and only open them if they are required for certain services.
To open a port in the current zone:
  1. List all allowed ports:
    ~]# firewall-cmd --list-ports
  2. Add a port to the allowed ports to open it for incoming traffic:
    ~]# firewall-cmd --add-port=port-number/port-type
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent
The port types are either tcp, udp, sctp, or dccp. The type must match the type of network communication.

Closing a Port

When an open port is no longer needed, close that port in firewalld. It is highly recommended to close all unnecessary ports as soon as they are not used because leaving a port open represents a security risk.
To close a port, remove it from the list of allowed ports:
  1. List all allowed ports:
    ~]# firewall-cmd --list-ports
    Warning
    This command only lists ports that have been opened as ports. It does not show ports that have been opened through a service, so consider using the --list-all option instead of --list-ports.
  2. Remove the port from the allowed ports to close it for the incoming traffic:
    ~]# firewall-cmd --remove-port=port-number/port-type
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent
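As an added example (not code from this guide), the following combines the lookup order from 5.6.5 (a valid file in /etc/firewalld/services/ overrides /usr/lib/firewalld/services/) with the warning above: it resolves each service named in --list-all output to its definition file and unions the ports found there with the explicit --list-ports entries, giving the zone's effective set of open ports. The service XML strings and the --list-all output are constructed samples, and the function names are mine.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed service definitions in the format of /usr/lib/firewalld/services/*.xml;
# the override is a copy edited in /etc/firewalld/services/ to move SSH to port 2222.
SSH_XML = '<service><short>SSH</short><port protocol="tcp" port="22"/></service>'
HTTP_XML = '<service><short>WWW</short><port protocol="tcp" port="80"/></service>'
SSH_OVERRIDE_XML = '<service><short>SSH</short><port protocol="tcp" port="2222"/></service>'

# Constructed `firewall-cmd --list-all` output for the zone under review.
LIST_ALL = """public (active)
  services: ssh http
  ports: 8080/tcp
  protocols: 
"""

def service_file(name, etc_dir, lib_dir):
    """Permanent-environment lookup order: a file in /etc wins over /usr/lib."""
    for d in (etc_dir, lib_dir):
        path = Path(d, name + ".xml")
        if path.is_file():
            return path
    raise FileNotFoundError(f"no definition for service {name!r}")

def service_ports(path):
    """Ports a service definition opens, as 'port/protocol' strings."""
    root = ET.parse(path).getroot()
    return {f"{p.get('port')}/{p.get('protocol')}" for p in root.iter("port")}

def effective_ports(list_all_output, etc_dir, lib_dir):
    """What the zone really accepts: the --list-ports entries plus each service's
    ports. The first --list-all line is the zone name; the rest are 'field: tokens'."""
    fields = {}
    for line in list_all_output.splitlines()[1:]:
        key, _, value = line.strip().partition(":")
        fields[key] = value.split()
    ports = set(fields.get("ports", []))
    for svc in fields.get("services", []):
        ports |= service_ports(service_file(svc, etc_dir, lib_dir))
    return ports

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        etc_dir, lib_dir = Path(tmp, "etc"), Path(tmp, "lib")
        for d in (etc_dir, lib_dir):
            d.mkdir()
        for d, name, xml in ((lib_dir, "ssh", SSH_XML), (lib_dir, "http", HTTP_XML),
                             (etc_dir, "ssh", SSH_OVERRIDE_XML)):
            Path(d, name + ".xml").write_text(xml)
        return effective_ports(LIST_ALL, etc_dir, lib_dir)  # {'2222/tcp', '80/tcp', '8080/tcp'}
```

On a real host, feed the output of firewall-cmd --list-all to effective_ports with /etc/firewalld/services and /usr/lib/firewalld/services as the two directories; note that --list-ports alone would have reported only 8080/tcp for the sample zone.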

5.6.7. Opening Ports using GUI

To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and click the Add button on the right-hand side. The Port and Protocol window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the list.

5.6.8. Controlling Traffic with Protocols using GUI

To permit traffic through the firewall using a certain protocol, start the firewall-config tool and select the network zone whose settings you want to change. Select the Protocols tab and click the Add button on the right-hand side. The Protocol window opens.
Either select a protocol from the list or select the Other Protocol check box and enter the protocol in the field.

5.6.9. Opening Source Ports using GUI

To permit traffic through the firewall from a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Source Port tab and click the Add button on the right-hand side. The Source Port window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the list.