Chapter 5. Using Firewalls
5.1. Getting Started with firewalld
A firewall is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow it through.
firewalld is a firewall service daemon that provides a dynamic, customizable, host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting rules without the need to restart the firewall daemon each time the rules are changed.
firewalld uses the concepts of zones and services, which simplify traffic management. Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service, and they apply within a zone.
Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open.
firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.
Figure 5.1. The Firewall Stack
5.1.1. Zones
firewalld can be used to separate networks into different zones according to the level of trust that the user has decided to place on the interfaces and traffic within that network. A connection can only be part of one zone, but a zone can be used for many network connections.
NetworkManager notifies firewalld of the zone of an interface. You can assign zones to interfaces with NetworkManager, with the firewall-config tool, or with the firewall-cmd command-line tool. The latter two only edit the appropriate NetworkManager configuration files. If you change the zone of the interface using firewall-cmd or firewall-config, the request is forwarded to NetworkManager and is not handled by firewalld.
The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified. The following table describes the default settings of the predefined zones:
- block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
- dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
- drop: Any incoming network packets are dropped without any notification. Only outgoing network connections are possible.
- external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- home: For use at home when you mostly trust the other computers on the network. Only selected incoming connections are accepted.
- internal: For use on internal networks when you mostly trust the other computers on the network. Only selected incoming connections are accepted.
- public: For use in public areas where you do not trust other computers on the network. Only selected incoming connections are accepted.
- trusted: All network connections are accepted.
- work: For use at work where you mostly trust the other computers on the network. Only selected incoming connections are accepted.
One of these zones is set as the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone. The default zone can be changed.
The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. To avoid any security problems, review the default zone configuration and disable any unnecessary services according to your needs and risk assessments.
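The review the guide asks for above is easy to script. The following audit is an added example, not part of the Red Hat guide or of firewalld itself: it lists every active zone with its target, services and ports, tells you which zone a given interface is bound to, and flags active zones whose permanent target is ACCEPT (the behaviour of the trusted zone), since an interface landing in such a zone by mistake admits all traffic. The FWCMD variable is an assumption of this script, present only so it can be pointed at a stub on a host without firewalld; the firewall-cmd options used (--get-active-zones, --get-default-zone, --list-services, --list-ports and --permanent --get-target) are real ones.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): audit the zone each interface
# is bound to and flag zones that accept everything.
# Assumption: FWCMD names the firewall-cmd binary; it exists only so the
# script can be pointed at a stub on a host without firewalld.
FWCMD="${FWCMD:-firewall-cmd}"

# Names of zones that currently have an interface or source bound to them
# (the unindented lines of `firewall-cmd --get-active-zones`).
active_zones() {
    $FWCMD --get-active-zones | sed -n '/^[^ ]/p'
}

# Print the active zone that interface $1 is bound to; return 1 if none.
active_zone_of() {
    iface="$1"
    zone=""
    while IFS= read -r line; do
        case "$line" in
            '  interfaces:'*)
                for i in ${line#*:}; do
                    if [ "$i" = "$iface" ]; then
                        echo "$zone"
                        return 0
                    fi
                done ;;
            '  sources:'*) ;;            # source-bound zones carry no interface
            *) zone="$line" ;;           # unindented line: a zone name
        esac
    done <<EOF
$($FWCMD --get-active-zones)
EOF
    return 1
}

# Active zones whose permanent target is ACCEPT: every packet arriving on an
# interface in such a zone is admitted, so each one deserves a second look.
# (--get-target is a permanent-configuration query, hence --permanent.)
unrestricted_zones() {
    for z in $(active_zones); do
        target=$($FWCMD --permanent --zone="$z" --get-target)
        if [ "$target" = ACCEPT ]; then
            echo "$z"
        fi
    done
}

# One line per active zone: its target, enabled services and open ports.
zone_report() {
    for z in $(active_zones); do
        printf '%s target=%s services=[%s] ports=[%s]\n' "$z" \
            "$($FWCMD --permanent --zone="$z" --get-target)" \
            "$($FWCMD --zone="$z" --list-services)" \
            "$($FWCMD --zone="$z" --list-ports)"
    done
}

# Run the report only where firewall-cmd (or the stub) is actually available.
if command -v "$FWCMD" >/dev/null 2>&1; then
    echo "default zone: $($FWCMD --get-default-zone)"
    zone_report
    echo "zones accepting all traffic: $(unrestricted_zones | tr '\n' ' ')"
fi
```

Run it as root on a firewalld host to print the report; `active_zone_of eth0` answers the narrower question of where one interface sits. Because --get-target reads the permanent configuration, the ACCEPT check reflects what the zone will do after a restart, which is the state that matters for a review.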
5.1.2. Predefined Services
A service can be a list of local ports, protocols, source ports, and destinations, as well as a list of firewall helper modules automatically loaded if a service is enabled. Using services saves users time because they can achieve several tasks, such as opening ports, defining protocols, enabling packet forwarding and more, in a single step, rather than setting up everything one after another.
Service configuration options and generic file information are described in the firewalld.service(5) man page. The services are specified by means of individual XML configuration files, which are named in the following format: service-name.xml. Protocol names are preferred over service or application names in firewalld.
5.1.3. Runtime and Permanent Settings
Any changes committed in runtime mode only apply while firewalld is running. When firewalld is restarted, the settings revert to their permanent values.
To make the changes persistent across reboots, apply them again using the --permanent option. Alternatively, to make changes persistent while firewalld is running, use the --runtime-to-permanent option.
If you set the rules while firewalld is running using only the --permanent option, they do not become effective before firewalld is restarted. However, restarting firewalld closes all open ports and stops the networking traffic.
5.1.4. Modifying Settings in Runtime and Permanent Configuration using CLI
Using the CLI, you do not modify the firewall settings in both modes at the same time. You only modify either runtime or permanent mode. To modify the firewall settings in the permanent mode, use the --permanent option with the firewall-cmd command:
~]# firewall-cmd --permanent <other options>
Without this option, the command modifies runtime mode.
To change settings in both modes, you can use two methods:
- Change runtime settings and then make them permanent as follows:
~]# firewall-cmd <other options>
~]# firewall-cmd --runtime-to-permanent
- Set permanent settings and reload the settings into runtime mode:
~]# firewall-cmd --permanent <other options>
~]# firewall-cmd --reload
The first method allows you to test the settings before you apply them to the permanent mode.
It is possible, especially on remote systems, that an incorrect setting results in a user locking themselves out of a machine. To prevent such situations, use the --timeout option. After a specified amount of time, any change reverts to its previous state. Using this option excludes the --permanent option.
For example, to add the SSH service for 15 minutes:
~]# firewall-cmd --add-service=ssh --timeout 15m
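The two halves of this section, the runtime/permanent split and the --timeout safety net, combine into a short change procedure. The script below is an added example, not part of the Red Hat guide or of firewalld: stage_service opens a service in runtime mode with a timeout, so a mistake on a remote host undoes itself; commit_service, run only after the staged change has been verified, writes the same service to the permanent configuration and reloads, the "permanent, then reload" method above, which replaces the timed runtime entry with the permanent one; and zone_drift lists services present in only one of the two configurations, which is exactly the set of rules a restart would silently add or remove. The FWCMD variable is an assumption of this script so that it can be pointed at a stub on a host without firewalld; the options used (--add-service, --timeout, --permanent, --reload, --list-services, --get-default-zone) are real firewall-cmd options.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): a lock-out-safe change
# procedure plus a runtime/permanent drift check.
# Assumption: FWCMD names the firewall-cmd binary; it exists only so the
# script can be pointed at a stub on a host without firewalld.
FWCMD="${FWCMD:-firewall-cmd}"

# Step 1: open service $2 in zone $1 in runtime mode only, with a timeout.
# If the change cuts off your session, it reverts by itself after $3 minutes.
stage_service() {
    zone="$1" svc="$2" minutes="$3"
    $FWCMD --zone="$zone" --add-service="$svc" --timeout="${minutes}m"
}

# Step 2: once the staged change is verified, record it in the permanent
# configuration and reload. --reload makes the permanent configuration the
# new runtime configuration, so the timed entry is replaced by a durable one.
commit_service() {
    zone="$1" svc="$2"
    $FWCMD --permanent --zone="$zone" --add-service="$svc"
    $FWCMD --reload
}

# Services enabled in only one of the two configurations of zone $1.
# Output lines: "only-runtime <service>" / "only-permanent <service>".
# A non-empty result means a restart would change what the host accepts.
zone_drift() {
    zone="$1"
    runtime=$($FWCMD --zone="$zone" --list-services)
    permanent=$($FWCMD --permanent --zone="$zone" --list-services)
    for s in $runtime; do
        case " $permanent " in
            *" $s "*) ;;
            *) echo "only-runtime $s" ;;
        esac
    done
    for s in $permanent; do
        case " $runtime " in
            *" $s "*) ;;
            *) echo "only-permanent $s" ;;
        esac
    done
}

# Print the drift of the default zone when firewall-cmd (or the stub) exists.
if command -v "$FWCMD" >/dev/null 2>&1; then
    zone=$($FWCMD --get-default-zone)
    echo "drift in default zone $zone:"
    zone_drift "$zone"
fi
```

A typical session is `stage_service public http 15`, a check from the client side that the service is reachable and nothing else broke, then `commit_service public http`; running `zone_drift public` afterwards should print nothing. Running zone_drift on its own at intervals is a cheap way to catch hosts where someone opened a port at runtime and never persisted it, or persisted a change that has not been loaded.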