Chapter 5. Using Firewalls
The firewalld daemon provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and IP sets and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly. The complete communication with firewalld is done using D-Bus.
5.1. Introduction to firewalld
The individual iptables, ip6tables and ebtables commands are used only if IndividualCalls is set to yes in the firewalld.conf file, or as a fallback solution if the rules cannot be applied with the restore commands. Using the individual commands results in a significant slowdown.
To start the graphical firewall-config tool, type firewall in the Activities Overview and press Enter. The firewall-config tool appears; you will be prompted for an administrator password.
firewalld is dynamic rather than static because changes to the configuration can be made at any time and take effect immediately. There is no need to save or apply the changes. No unintended disruption of existing network connections occurs, as no part of the firewall has to be reloaded.
Runtime changes are made with the firewall-cmd command; see the firewall-cmd(1) man page. Permanent changes need to be made as explained in the firewalld(1) man page. Note that the firewall-cmd command can be run by the root user and also by an administrative user, in other words, a member of the wheel group. In the latter case, the command is authorized through the polkit mechanism.
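The runtime/permanent split above is what makes lock-out-safe changes possible. The following script is an added example, not code from the RHEL guide or from the firewalld project: it applies a rule to the runtime environment with an expiry (firewall-cmd --timeout), and only after the host has been confirmed reachable writes it to the permanent environment. The zone (public), port (8443/tcp) and timeout (120 s) are assumed values, and --runtime-to-permanent assumes a firewalld release that has that option (older releases do not). Commands are printed rather than run unless FW_APPLY=1 is set and firewall-cmd is installed.

```shell
#!/bin/sh
# Added example, not from the RHEL guide: a lock-out-safe sequence for
# changing firewalld rules, built from two firewall-cmd options the text does
# not mention, --timeout and --runtime-to-permanent. The zone (public), port
# (8443/tcp) and timeout (120 s) are assumed values.
#
# Commands are only printed unless FW_APPLY=1 is set and firewall-cmd is
# installed, so the script can be read through on any machine.

fw_dry_run() { printf 'firewall-cmd %s\n' "$*"; }
if [ "${FW_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
    FW_CMD=firewall-cmd
else
    FW_CMD=fw_dry_run
fi

# Step 1: change the RUNTIME environment only, with an expiry. If the change
# breaks your own SSH access, firewalld removes it again after $3 seconds.
fw_open_port_temporarily() {
    zone=$1 port=$2 secs=$3
    "$FW_CMD" --zone="$zone" --add-port="$port" --timeout="$secs"
}

# Step 2a: the same change written to the PERMANENT environment, then a
# reload. The reload replaces the runtime configuration with the permanent
# one, so the expiring rule from step 1 is superseded by the permanent rule.
# State (existing connections) is kept across a plain --reload.
fw_open_port_permanently() {
    zone=$1 port=$2
    "$FW_CMD" --permanent --zone="$zone" --add-port="$port" &&
    "$FW_CMD" --reload
}

# Step 2b: alternative when several runtime changes were made without a
# timeout and all of them should be kept: copy the whole runtime
# configuration over the permanent one (no reload involved).
fw_persist_runtime() {
    "$FW_CMD" --runtime-to-permanent
}

# Demo: open 8443/tcp for two minutes, confirm reachability from another
# host within that window, then persist it.
fw_open_port_temporarily public 8443/tcp 120
# ... verify from another host before continuing ...
fw_open_port_permanently public 8443/tcp
```

Run it with FW_APPLY=1 as root (or as a wheel member, in which case polkit prompts) to actually apply the rules; without it, the script prints the exact firewall-cmd invocations so they can be reviewed first.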
firewall-offline-cmd can only be used by the root user to alter the permanent environment. It does not talk to firewalld; it uses a part of the firewalld core and the I/O backends to alter the configuration files directly. It is not recommended to use this tool while firewalld is active. It can be used, but changes made with firewall-offline-cmd are not applied immediately to the running firewalld; they reach its permanent environment only once firewalld re-reads its configuration files, for example on the next reload or restart. The typical use of firewall-offline-cmd is during installation, to set up the firewall. It can also be used in the post-installation stage to alter the firewall configuration before the freshly installed system has been booted.
The configuration for firewalld is stored in various XML files in /etc/firewalld/. This allows a great deal of flexibility, as the files can be edited, written to, backed up, used as templates for other installations, and so on. The configuration in /usr/lib/firewalld/ is the default and also the fallback configuration, while the configuration in /etc/firewalld/ is the system-specific configuration.
5.1.1. Comparison of firewalld to system-config-firewall and iptables
The essential differences between firewalld and the iptables (and ip6tables) services are:
- The iptables service stores its configuration in /etc/sysconfig/iptables (and /etc/sysconfig/ip6tables), while firewalld stores it in various XML files in /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist, as firewalld is installed by default on Red Hat Enterprise Linux.
- With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no recreating of all the rules. Only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
Note that firewalld is not able to import firewall settings from the /etc/sysconfig/ip*tables files. To import lokkit or system-config-firewall settings, use firewall-offline-cmd with the /etc/sysconfig/system-config-firewall file. Custom rules files cannot be imported into firewalld. The imported settings are applied to the default zone.
Figure 5.1. The Firewall Stack
5.1.2. Understanding Network Zones
firewalld can be used to separate networks into different zones based on the level of trust the user has decided to place on the interfaces and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or with the firewall-config tool, which can open the relevant NetworkManager window for you. You can also use the firewall-cmd command-line tool. If an interface is controlled by NetworkManager and the user changes the zone of the interface using firewall-cmd, firewall-offline-cmd, or firewall-config, then this request is forwarded to NetworkManager and is not handled by firewalld.
The predefined zones (their XML definitions are shipped in /usr/lib/firewalld/zones/, with /etc/firewalld/zones/ holding system-specific overrides, following the same precedence as the rest of the firewalld configuration) are a range of preset settings which can be quickly applied to a network interface. They are listed below with a brief explanation.
- drop: Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
- block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
- public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- external: For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
- work: For use in work areas. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- home: For use in home areas. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- internal: For use on internal networks. You mostly trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- trusted: All network connections are accepted.
The default zone in firewalld is set to be the public zone.
Choosing a Network Zone
5.1.3. Understanding Predefined Services
A firewalld service is a predefined set of ports and protocols (optionally with netfilter helper modules and destination addresses) that can be enabled in a zone as a unit; see the firewalld.service(5) man page. The services are specified by means of individual XML configuration files, which are named in the following format: service-name.xml. Protocol names are preferred over service or application names in firewalld.
To view the list of services in the graphical tool, start firewall-config (type firewall in the Activities Overview, press Enter and provide the administrator password when prompted) and open the Services tab.
The service definitions shipped with firewalld are stored under /usr/lib/firewalld. Make sure to set the file attributes (ownership and permissions) accordingly after adding custom private files.
The files in /usr/lib/firewalld/services/ must not be edited. Only the files in /etc/firewalld/services/ should be edited.
To add a new service, use firewall-cmd, or firewall-offline-cmd if firewalld is not active. Alternatively, you can edit the XML files in /etc/firewalld/services/. If a service has not been added or changed by the user, then no corresponding XML file will be found in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service.
Enter the following command to add a new, empty service:
firewall-cmd --permanent --new-service=service-name
or, to create the service from an existing XML file:
firewall-cmd --permanent --new-service-from-file=service-name.xml
As root, you can also copy a service manually:
cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml
In all three cases the service is created in the permanent environment only; reload firewalld for the running instance to see it.
firewalld loads files from /usr/lib/firewalld/services in the first place. If files are placed in /etc/firewalld/services and they are valid, then these will override the matching files from /usr/lib/firewalld/services. The overridden files in /usr/lib/firewalld/services will be used again as soon as the matching files in /etc/firewalld/services have been removed or if firewalld has been asked to load the defaults of the services. This applies to the permanent environment only. A reload is needed to get these fallbacks also in the runtime environment.
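The service-file layout and the override order just described are easy to get wrong when a file in /etc/firewalld/services/ is malformed, because a broken override silently yields to the vendor copy. The following is an added example, not code from the RHEL guide or from firewalld itself: it builds a sandbox copy of the two service directories under a temporary directory, writes service files in the firewalld.service(5) layout, and implements the same lookup order (a valid /etc copy wins; otherwise the /usr/lib copy is the fallback). The service name "myapp", the ports 8080 and 8443, and the minimal validity check (xmllint when present, otherwise a closing-tag check) are assumptions made for the example; firewalld itself does a full XML parse.

```shell
#!/bin/sh
# Added example (not from the RHEL guide). Sandbox copy of the two service
# directories plus a resolver implementing the override order from the text.
# Service name "myapp" and the ports are assumed values.

SANDBOX=${SANDBOX:-$(mktemp -d)}
SYS_DIR="$SANDBOX/usr/lib/firewalld/services"   # stands in for /usr/lib/firewalld/services
ETC_DIR="$SANDBOX/etc/firewalld/services"       # stands in for /etc/firewalld/services
mkdir -p "$SYS_DIR" "$ETC_DIR"

# Write a service definition in the firewalld.service(5) layout.
# Arguments: directory, service name, TCP port.
write_service() {
    cat > "$1/$2.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$2</short>
  <description>$2 service (constructed example)</description>
  <port protocol="tcp" port="$3"/>
</service>
EOF
}

# Minimal validity check standing in for firewalld's XML parser: the file
# must be non-empty, parse with xmllint if that tool exists, and carry the
# closing </service> tag.
service_file_valid() {
    [ -s "$1" ] || return 1
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1" 2>/dev/null || return 1
    fi
    grep -q '</service>' "$1"
}

# Which file firewalld would load for service $1: the /etc copy if present
# and valid, otherwise the /usr/lib copy; failure if neither exists.
resolve_service() {
    if service_file_valid "$ETC_DIR/$1.xml"; then
        printf '%s\n' "$ETC_DIR/$1.xml"
    elif [ -e "$SYS_DIR/$1.xml" ]; then
        printf '%s\n' "$SYS_DIR/$1.xml"
    else
        return 1
    fi
}

# TCP port opened by the resolved definition, to show which copy is in effect.
service_port() {
    f=$(resolve_service "$1") || return 1
    sed -n 's/.*<port protocol="tcp" port="\([0-9]*\)".*/\1/p' "$f"
}

# Walk through the scenario from the text.
write_service "$SYS_DIR" myapp 8080    # vendor default
write_service "$ETC_DIR" myapp 8443    # administrator's override
service_port myapp                      # 8443: the /etc copy wins
rm "$ETC_DIR/myapp.xml"
service_port myapp                      # 8080: falls back to /usr/lib
```

The resolver mirrors only the permanent environment; as the text says, the running firewalld does not see a removed or restored file until it is reloaded.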
5.1.4. Understanding the Direct Interface
firewalld has a direct interface, which enables passing rules directly to iptables, ip6tables and ebtables. It is primarily intended for use by applications. It is not recommended, and it is dangerous, to use the direct interface if you are not very familiar with iptables, as you could inadvertently cause a breach in the firewall. As long as the tracked parts of the interface are used, it is still possible to query firewalld and see the changes made by an application using this mode. The untracked passthrough mode is only intended for services that completely take care of their own rule set, such as libvirt and docker. The direct interface is used by adding the --direct option to the firewall-cmd command. Rules added this way are runtime-only; they can be made permanent by adding the --permanent option, using the firewall-cmd --permanent --direct command, or by modifying /etc/firewalld/direct.xml. If the rules are not made permanent, then they need to be applied again every time after receiving the start, restart, or reload message from firewalld over D-Bus. With the direct interface, it is possible to add chains, rules, and tracked and untracked passthrough rules. You can also use direct rules in zone-specific chains.
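Because the direct interface hands arguments straight to iptables, a practitioner should narrow the rule as far as possible and validate anything that is interpolated into it. The script below is an added example, not code from the RHEL guide or from firewalld: it adds a tracked direct rule (so firewall-cmd --direct --get-all-rules still reports it) that accepts 9000/tcp from one source network only, shows the same rule in the /etc/firewalld/direct.xml layout from firewalld.direct(5), and keeps the untracked passthrough form separate. The source network 203.0.113.0/24 (a documentation range), the port, and the priority 0 are assumed values, and the CIDR check is a deliberately strict example guard. As in the earlier example, commands are printed unless FW_APPLY=1 is set and firewall-cmd is installed.

```shell
#!/bin/sh
# Added example (not from the RHEL guide): a narrowly scoped, tracked direct
# rule, its direct.xml equivalent, and the untracked passthrough form.
# Source network, port and priority are assumed values.

fw_dry_run() { printf 'firewall-cmd %s\n' "$*"; }
if [ "${FW_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
    FW_CMD=firewall-cmd
else
    FW_CMD=fw_dry_run
fi

# Refuse anything that is not a plain IPv4 CIDR before it reaches iptables;
# with --direct, firewalld itself does not interpret the rule arguments.
is_ipv4_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Tracked direct rule: accept $2/tcp from $1 only, in the IPv4 filter table's
# INPUT chain at priority 0. $3 is "--permanent" or empty; a runtime-only
# direct rule is gone after the next reload or restart.
direct_allow_tcp_from() {
    src=$1 port=$2 perm=$3
    is_ipv4_cidr "$src" || { echo "refusing non-CIDR source: $src" >&2; return 1; }
    "$FW_CMD" $perm --direct --add-rule ipv4 filter INPUT 0 \
        -s "$src" -p tcp --dport "$port" -j ACCEPT
}

# The permanent form of the same rule as it would appear in
# /etc/firewalld/direct.xml (firewalld.direct(5) layout). Written to the
# path in $1 so the example never touches /etc.
direct_xml_for() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-s $2 -p tcp --dport $3 -j ACCEPT</rule>
</direct>
EOF
}

# Untracked passthrough: firewalld does not record these, so they belong
# only to software that owns its whole rule set (libvirt, docker).
direct_passthrough() {
    "$FW_CMD" --direct --passthrough ipv4 "$@"
}

# Demo: permanent rule plus a runtime copy, so no reload is needed now.
direct_allow_tcp_from 203.0.113.0/24 9000 --permanent
direct_allow_tcp_from 203.0.113.0/24 9000
"$FW_CMD" --direct --get-all-rules
```

Prefer the tracked --add-rule form over --passthrough wherever the rule fits one of the standard chains: the tracked rule can be listed and removed through firewalld, whereas a passthrough rule is invisible to it and must be cleaned up by whoever added it.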