Chapter 5. Using Firewalls

The firewalld daemon provides a dynamically managed firewall with support for network zones to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and IP set and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly. The complete communication with firewalld is done using D-Bus.

Note

To expand your expertise, you might also be interested in the Red Hat Server Hardening (RH413) training course.

5.1. Introduction to firewalld

The firewall daemon uses the restore commands of iptables, ip6tables, and ebtables by default to speed up all firewall actions that are changing the rule set. The normal commands are used if the configuration setting IndividualCalls is set to yes in the firewalld.conf file or if the rules cannot be applied with the restore commands as a fallback solution. Using the normal commands results in significant slow down.
To use the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall, and press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
The sidebar on the left shows the Active Bindings of the active zones. These are grouped by Connections, which are handled by NetworkManager, Interfaces, and Sources.
The firewall-config tool has a drop-down selection menu labeled Configuration. This enables selecting between Runtime and Permanent mode. Notice that if you select Permanent, an additional row of icons appears in the left-hand corner. These icons only appear in permanent configuration mode because a service's parameters cannot be changed in Runtime mode. This setting does not affect the Active Bindings sidebar.
The firewall service provided by firewalld is dynamic rather than static because changes to the configuration can be made anytime and are immediately set live. There is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded.
A command-line client, firewall-cmd, is provided. It can be used to make permanent and non-permanent runtime changes as explained in man firewall-cmd(1). Permanent changes need to be made as explained in the firewalld(1) man page. Note that the firewall-cmd command can be run by the root user and also by an administrative user, in other words, a member of the wheel group. In the latter case, the command will be authorized through the polkit mechanism.
The command-line client firewall-offline-cmd can only be used by the root user to alter the permanent environment. It is not talking to firewalld, but it is using a part of the firewalld core and the I/O backends to alter the configuration. It is not recommended to use this tool while firewalld is active. It could be used, but changes done with the firewall-offline-cmd are not applied immediately to firewalld. The changes are applied to the permanent environment after firewalld was able to detect file changes in the file system. For example, the firewall-offline-cmd command is used while installing to set up the firewall. It can also be used in the post-installation stage to alter the firewall configuration before the freshly installed system has been booted.
The firewall-applet application is able to quickly launch the NetworkManager configuration tab for the network connection in use. You can make changes to the assigned firewall zone using the General tab. This applet is not installed by default in Red Hat Enterprise Linux.
The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. This allows a great deal of flexibility as the files can be edited, written to, backed up, used as templates for other installations, and so on. The configuration in /usr/lib/firewalld/ is the default and also the fallback configuration, while the configuration in /etc/firewalld/ is the system specific configuration.
All applications communicate with firewalld using the D-Bus interface.

5.1.1. Comparison of firewalld to system-config-firewall and iptables

The essential differences between firewalld and the iptables (and ip6tables) services are:
  • The iptables service stores configuration in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
  • With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no recreating of all the rules. Only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
Both use iptables tool to talk to the kernel packet filter.

Note

firewalld is not able to import firewall settings from the /etc/sysconfig/ip*tables files. To import lokkit or system-config-firewall settings, use the firewall-offline-cmd and the /etc/sysconfig/system-config-firewall file. Custom rules files cannot be imported to ⁠firewalld. The imported settings are applied to the default zone.
The Firewall Stack

Figure 5.1. The Firewall Stack

5.1.2. Understanding Network Zones

firewalld can be used to separate networks into different zones based on the level of trust the user has decided to place on the interfaces and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool, which can open the relevant NetworkManager window for you. You can also use the firewall-cmd command-line tool. If an interface is controlled by NetworkManager and the user changes the zone of the interface using firewall-cmd, firewall-offline-cmd, or firewall-config, then this request is forwarded to NetworkManager and is not handled by ⁠firewalld.
The zone settings in /etc/firewalld/ are a range of preset settings, which can be quickly applied to a network interface. They are listed below with a brief explanation.
drop
Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
public
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.

Choosing a Network Zone

The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. A review of the default configuration settings should be made and unnecessary services disabled according to your needs and risk assessments.
The zone names and settings are proposals and can be changed according to the needs. A built-in zone cannot be removed, but it is possible to revert the zone configuration back to the initial defaults by loading the zone defaults either in the permanent configuration of firewall-config or firewall-cmd.

5.1.3. Understanding Predefined Services

A service can be a list of local ports, protocols, source ports, and destinations as well as a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Using the predefined services or custom-defined services, as opposed to opening ports or ranges of ports, may make administration easier. Service configuration options and generic file information are described in the firewalld.service(5) man page. The services are specified by means of individual XML configuration files, which are named in the following format: service-name.xml. Protocol names are preferred over service or application names in firewalld.
To view the list of services using the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall, and press Enter. The firewall-config tool appears. You will be prompted for an administrator password. You can now view the list of services under the Services tab.
To list all services available on the system, enter the following command:
~]$ firewall-cmd --get-services
To get the settings of a service, use the following command:
~]$ firewall-cmd --info-service=service-name
To list only the default predefined services available using the command-line, enter the following command:
~]$ ls /usr/lib/firewalld/services/

Note

The root user is not needed to list files in /usr/lib/firewalld. Make sure to change the attributes accordingly after an addition of custom private files.
Files in /usr/lib/firewalld/services/ must not be edited. Only the files in /etc/firewalld/services/ should be edited.
To list the system or user-created services, enter the following command as root:
~]# ls /etc/firewalld/services/
Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd. Alternatively, you can edit the XML files in /etc/firewalld/services/. If a service has not been added or changed by the user, then no corresponding XML file will be found in /etc/firewalld/services/. The files /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service.
To add a new service in a terminal, use firewall-cmd, or firewall-offline-cmd in case of not active firewalld. enter the following command to add a new and empty service:
~]$ firewall-cmd --permanent --new-service=service-name
To add a new service using a local file, use the following command:
~]$ firewall-cmd --permanent --new-service-from-file=service-name.xml
You can change the service name with the additional --name=service-name option.
As soon as service settings are changed, an updated copy of the service is placed into /etc/firewalld/services/.
As root, you can enter the following command to copy a service manually:
~]# cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml
firewalld loads files from /usr/lib/firewalld/services in the first place. If files are placed in /etc/firewalld/services and they are valid, then these will override the matching files from /usr/lib/firewalld/services. The overriden files in /usr/lib/firewalld/services will be used as soon as the matching files in /etc/firewalld/services have been removed or if firewalld has been asked to load the defaults of the services. This applies to the permanent environment only. A reload is needed to get these fallbacks also in the runtime environment.

5.1.4. Understanding the Direct Interface

firewalld has direct interface, which enables directly passing rules to iptables, ip6tables and ebtables. It is primarily intended for use by applications. It is not recommended and it is dangerous to use the direct interface if you are not very familiar with iptables, as you could inadvertently cause a breach in the firewall. As long as the tracked interface parts are used, it is still possible to query firewalld and see the changes made by an application using this mode. The untracked passthrough mode is only intended for services that completely take care of the own rule set, such as libvirt and docker. The direct interface is used by adding the --direct option to the firewall-cmd command.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. If the rules are not made permanent, then they need to be applied every time after receiving the start, restart, or reload message from firewalld using D-Bus. With the direct interface, it is possible to add chains, rules, and tracked and untracked passthrough rules. You can also use direct rules in zone-specific chains.