Firewalld on RHEL7: I’m a person who is nuts about security. Seeing multiple layers of security circumvented on a network goes against everything I am security-centric for. Some system administrators can’t spare a few minutes to close the front door, and that always has a negative impact on the systems on the network.

In this guide, we’ll look at defense in depth, covering both port security and the use of host firewalls to secure Linux servers. Since we can’t cover everything in one tutorial, we’ll concentrate on firewalld basics and demos of various configurations.

What is Firewalld?

Firewalld is a dynamic firewall service that manages the Linux kernel netfilter subsystem through the low-level iptables, ip6tables and ebtables commands. It is the default firewall service in the Red Hat Enterprise Linux 7 (RHEL 7) family of distributions and supports both IPv4 and IPv6 rules.

The firewall service provided by firewalld is dynamic rather than static: a change to the runtime configuration takes effect immediately, without restarting the service or re-applying the whole rule set. Because only the difference is pushed into the kernel, established connections are not dropped when a rule is added or removed. Note that this applies to runtime changes; a change made to the permanent configuration still has to be activated with firewall-cmd --reload.

Firewalld sorts all incoming traffic into zones, and each zone has its own set of rules.

Firewalld logic for incoming connections

Firewalld has to decide which zone handles an incoming connection. It checks the following, in order, and the first match wins:

  1. If the source address of the packet matches a source bound to a zone (--add-source), that zone is used, whatever interface the packet arrived on.
  2. Else, if the interface the packet arrived on is bound to a zone (--add-interface), that zone is used.
  3. Else the default zone is used.

Note: An interface that has not been bound to any zone falls into the default zone, which is public on a fresh installation.
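To make that precedence concrete, here is a small POSIX shell simulator of the decision. It is an added example written for this guide, not part of firewalld or of the original post: the source bindings, interface bindings, default zone and sample packets are constructed, and only the lookup order described above is implemented.

```shell
#!/bin/sh
# Added example (not from the original post): simulates the order in which
# firewalld picks a zone for an incoming packet:
#   1. a source binding (--add-source) matching the packet's source address
#   2. an interface binding (--add-interface) matching the ingress interface
#   3. otherwise the default zone
# All bindings below are constructed sample data, not read from a live host.

# "zone cidr" pairs, as created by: firewall-cmd --zone=<zone> --add-source=<cidr>
# (firewalld allows a given source in only one zone, so at most one line matches)
SOURCE_BINDINGS="trusted 192.168.100.0/24
block 10.10.0.0/16"

# "zone interface" pairs, as created by: firewall-cmd --zone=<zone> --add-interface=<if>
INTERFACE_BINDINGS="public eth0
home eth1"

DEFAULT_ZONE=dmz   # as set by: firewall-cmd --set-default-zone=dmz

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit status 0 if ADDR lies inside the network
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# zone_for SRC_ADDR IN_INTERFACE -> prints the zone firewalld would use
zone_for() {
    addr=$1; iface=$2
    # 1. source bindings win, regardless of the ingress interface
    z=$(printf '%s\n' "$SOURCE_BINDINGS" | while read -r zone cidr; do
            if [ -n "$zone" ] && in_cidr "$addr" "$cidr"; then echo "$zone"; break; fi
        done)
    if [ -n "$z" ]; then echo "$z"; return 0; fi
    # 2. then interface bindings
    z=$(printf '%s\n' "$INTERFACE_BINDINGS" | while read -r zone ifn; do
            if [ "$ifn" = "$iface" ]; then echo "$zone"; break; fi
        done)
    if [ -n "$z" ]; then echo "$z"; return 0; fi
    # 3. nothing matched: the default zone
    echo "$DEFAULT_ZONE"
}

# Walk a few constructed packets through the decision.
for pkt in "192.168.100.7 eth0" "10.10.4.9 eth1" "10.0.0.5 eth0" "172.16.0.2 eth2"; do
    set -- $pkt
    echo "src=$1 in=$2 -> zone $(zone_for "$1" "$2")"
done
```

The second packet is the one worth noticing: it arrives on eth1, which is bound to home, yet it lands in block because its source is in 10.10.0.0/16. A source binding to trusted is therefore a much bigger decision than it looks, since it overrides whatever the interface zone would have done.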

Where are the configuration files?

Firewalld’s configuration lives in XML files under two directories. /usr/lib/firewalld/ holds the defaults shipped with the package; it is overwritten on package update and should not be edited. /etc/firewalld/ holds the system-specific configuration. These files can be edited, written to, backed up and used as templates for other installations.

If a file with the same name exists in both locations, the version in /etc/firewalld/ is used. This lets administrators override the default zones and settings by copying a file from /usr/lib/firewalld/ into /etc/firewalld/ and editing the copy.
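The script below is an added example, not from the original post or from the firewalld project. It rebuilds both configuration trees under a temporary directory so that it runs on any machine, and shows the two points above: a zone file in the /etc tree shadows the shipped file of the same name, and a custom zone is most easily made by copying a shipped zone file into the /etc tree as a template and editing the copy. The temporary root, the cut-down dmz stand-in and the webdmz zone are assumptions for the demo; the directory layout and the zone file format are firewalld’s.

```shell
#!/bin/sh
# Added example (not from the original post): firewalld configuration precedence
# and custom zones, demonstrated on a scratch copy of the two config trees.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
LIB_DIR=$ROOT/usr/lib/firewalld   # package defaults: overwritten on update, never edit
ETC_DIR=$ROOT/etc/firewalld       # local configuration: wins on a name clash
mkdir -p "$LIB_DIR/zones" "$ETC_DIR/zones"

# Stand-in for the shipped dmz zone (assumed content; same shape as the real dmz.xml):
# only ssh is allowed.
cat > "$LIB_DIR/zones/dmz.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <description>Publicly accessible hosts with limited access to the internal network.</description>
  <service name="ssh"/>
</zone>
EOF

# zone_file NAME -> the file firewalld would load for NAME: the /etc copy
# if it exists, otherwise the /usr/lib default; exit status 1 if neither exists.
zone_file() {
    for dir in "$ETC_DIR" "$LIB_DIR"; do
        if [ -f "$dir/zones/$1.xml" ]; then
            echo "$dir/zones/$1.xml"
            return 0
        fi
    done
    echo "zone $1: no such zone file" >&2
    return 1
}

# zone_services NAME -> services allowed by the effective zone file, space separated
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$(zone_file "$1")" | tr '\n' ' ' | sed 's/ $//'
}

# add_service ZONEFILE SERVICE -> insert a <service> entry before </zone>
add_service() {
    awk -v svc="$2" '/<\/zone>/ { printf "  <service name=\"%s\"/>\n", svc } { print }' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# custom_zone NAME TEMPLATE SERVICE... -> create /etc/firewalld/zones/NAME.xml from the
# shipped TEMPLATE zone and allow the extra services. On a real host this is followed
# by: firewall-cmd --reload
custom_zone() {
    name=$1; template=$2; shift 2
    cp "$LIB_DIR/zones/$template.xml" "$ETC_DIR/zones/$name.xml"
    for svc in "$@"; do add_service "$ETC_DIR/zones/$name.xml" "$svc"; done
}

# Walk-through: dmz resolves to the package default until an override appears.
echo "dmz before override: $(zone_file dmz) -> $(zone_services dmz)"
custom_zone dmz dmz https            # override the shipped dmz zone (same name)
custom_zone webdmz dmz http https    # and a brand-new zone built from the same template
echo "dmz after override:  $(zone_file dmz) -> $(zone_services dmz)"
echo "webdmz:              $(zone_file webdmz) -> $(zone_services webdmz)"
```

After the override, /usr/lib/firewalld/zones/dmz.xml still allows only ssh, but firewalld never reads it again for this zone. When auditing a host, compare the two trees: every file in /etc/firewalld/zones/ that also exists in /usr/lib/firewalld/zones/ is a default someone changed.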

How to manage firewalld?

There are three ways to change the firewall configuration:

  1. The command line client, firewall-cmd. It can make both runtime and permanent changes. Root can run it directly; a member of the wheel group can run it as well, with the polkit mechanism used to authorise the command.
  2. The graphical tool firewall-config.
  3. The configuration files in /etc/firewalld/, followed by firewall-cmd --reload to load them.

NOTE:

firewalld.service conflicts with iptables.service, ip6tables.service and ebtables.service (the services provided by the iptables-services package). It is good practice to mask the other services before starting firewalld, so they cannot be started by accident and flush firewalld’s rules. This can be done with the commands below:

for SERVICE in iptables ip6tables ebtables; do
    systemctl mask ${SERVICE}.service
done

How is firewalld different from iptables?

  • Firewalld keeps its configuration in XML files under /usr/lib/firewalld/ and /etc/firewalld/, while the iptables service keeps its rules in /etc/sysconfig/iptables. That file does not exist on a default RHEL 7 installation, because RHEL 7 ships firewalld rather than the iptables service.
  • With the iptables service every single change means flushing the old rules and re-reading the whole rule set from /etc/sysconfig/iptables. Firewalld applies only the difference, so settings can be changed at runtime without losing existing connections.

[Figure: Firewalld vs IPtables working diagram]

Configuring firewall settings with firewall-cmd

firewall-cmd is installed as part of the main firewalld package. Almost all of its commands act on the runtime configuration unless the --permanent option is given. The zone a rule applies to is selected with --zone=<ZONE>; the default zone is used if --zone is omitted.

Changes made with --permanent are not live until they are activated with firewall-cmd --reload. The reverse also holds: a change made without --permanent is lost at the next reload or reboot. To get both, either run the command twice (with and without --permanent) or make the change permanent and reload; newer firewalld versions also offer firewall-cmd --runtime-to-permanent to copy the current runtime configuration into the permanent one.

The following table shows a number of frequently used firewall-cmd commands, along with explanation:

--get-zones
    List all available zones.
--get-default-zone
    Show the current default zone.
--get-active-zones
    List the zones that have an interface or source bound to them and are therefore currently in use.
--set-default-zone=<ZONE>
    Set the default zone. This changes both the runtime and the permanent configuration.
--list-all-zones
    Show all information (interfaces, sources, services, ports, etc.) for every zone.
--list-all [--zone=<ZONE>]
    List the interfaces, sources, services and ports configured for <ZONE>. The default zone is used if --zone= is omitted.
--add-interface=<INTERFACE> [--zone=<ZONE>]
    Route all traffic arriving on <INTERFACE> through the zone. The default zone is used if --zone= is omitted.
--change-interface=<INTERFACE> [--zone=<ZONE>]
    Move <INTERFACE> from its current zone to <ZONE>. The default zone is used if --zone= is omitted.
--add-source=<CIDR> [--zone=<ZONE>]
    Route all traffic from the IP address or network <CIDR> through the zone. The default zone is used if --zone= is omitted.
--remove-source=<CIDR> [--zone=<ZONE>]
    Remove the source binding for <CIDR> from the zone. The default zone is used if --zone= is omitted.
--get-services
    List all predefined services.
--add-service=<SERVICE> [--zone=<ZONE>]
    Allow traffic to <SERVICE> in the zone. The default zone is used if --zone= is omitted.
--remove-service=<SERVICE> [--zone=<ZONE>]
    Remove <SERVICE> from the zone’s allowed list. The default zone is used if --zone= is omitted.
--add-port=<PORT/PROTOCOL> [--zone=<ZONE>]
    Allow traffic to the port or port range <PORT/PROTOCOL> (for example 8080/tcp or 5000-5100/udp). The default zone is used if --zone= is omitted.
--remove-port=<PORT/PROTOCOL> [--zone=<ZONE>]
    Remove the port(s) <PORT/PROTOCOL> from the zone’s allowed list. The default zone is used if --zone= is omitted.
--reload
    Drop the runtime configuration and load the permanent configuration.

Understanding Network Zones

A firewall can separate networks into different zones based on the level of trust the administrator has decided to place in each. A number of predefined zones ship with firewalld, each with an intended use. In the descriptions below, “related to outgoing traffic” means replies to connections the host itself initiated, which firewalld allows through connection tracking.

trusted
    By default, accepts all incoming traffic.
home
    By default, rejects incoming traffic unless it matches the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services or is related to outgoing traffic.
public
    By default, rejects incoming traffic unless it matches the ssh or dhcpv6-client predefined services or is related to outgoing traffic. This is the default zone for newly added network interfaces.
internal
    By default, rejects incoming traffic unless it matches the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services or is related to outgoing traffic. Initially the same as the home zone.
work
    By default, rejects incoming traffic unless it matches the ssh, ipp-client or dhcpv6-client predefined services or is related to outgoing traffic.
dmz
    By default, rejects incoming traffic unless it matches the ssh predefined service or is related to outgoing traffic. Intended for a demilitarized zone: computers that are publicly accessible with limited access to the internal network.
external
    By default, rejects incoming traffic unless it matches the ssh predefined service or is related to outgoing traffic. Outgoing IPv4 traffic forwarded through this zone is masqueraded so that it appears to originate from the IPv4 address of the outgoing network interface.
block
    By default, rejects all incoming traffic unless it is related to outgoing traffic. Rejected packets are answered with an ICMP error.
drop
    By default, drops all incoming traffic unless it is related to outgoing traffic. Nothing is sent back, not even ICMP errors.

Using firewall-cmd examples

The examples below show how firewall-cmd is used in practice. First verify that firewalld is enabled and running on your system:

systemctl status firewalld.service

If not running, you can start and enable it using:

systemctl start firewalld
systemctl enable firewalld

1. Set the default zone to dmz. This changes both the runtime and the permanent configuration. On a remote host, make sure the new default zone still allows ssh (dmz does) before switching, or you will lock yourself out.

firewall-cmd --set-default-zone=dmz
firewall-cmd --get-default-zone 

2. Assign all traffic coming from the 192.168.100.0/24 network to the trusted zone and verify.

firewall-cmd --permanent --zone=trusted --add-source=192.168.100.0/24
firewall-cmd --reload
firewall-cmd --list-all --zone=trusted
firewall-cmd --get-active-zones 

3. Open http and https for the internal zone. The {http,https} brace expansion is a bash feature; it expands into two --add-service options.

firewall-cmd --permanent --add-service={http,https} --zone=internal
firewall-cmd --reload
firewall-cmd --list-services --zone=internal 

To remove permanent service from a zone:

firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>

4. Move the eth0 interface to the “internal” zone for the current session only (no --permanent). On an interface managed by NetworkManager, the zone stored in the connection profile is re-applied when the connection comes up, so to make the binding stick use nmcli connection modify <connection> connection.zone internal rather than relying on firewall-cmd alone.

firewall-cmd --zone=internal --change-interface=eth0

5. Add eth1 interface to home zone:

 firewall-cmd --zone=home --add-interface=eth1

Other options for interface management:

Query if an interface is in a zone:

 firewall-cmd [--zone=<zone>] --query-interface=<interface>

Remove an interface from a zone:

 firewall-cmd [--zone=<zone>] --remove-interface=<interface>

6. Enable masquerading in the home zone. Masquerading is IPv4-only NAT, and this is a runtime change; repeat it with --permanent to keep it across reloads.

 firewall-cmd --zone=home --add-masquerade

Disable masquerading in a zone

 firewall-cmd [--zone=<zone>] --remove-masquerade

Query masquerading in a zone

firewall-cmd [--zone=<zone>] --query-masquerade

Disable masquerading permanently in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-masquerade

7. Permanently allow port 3306/tcp (MySQL) in the home zone. Firewalld also ships a predefined mysql service for this, so --add-service=mysql is equivalent. Since this is a --permanent change it needs firewall-cmd --reload to become live.

firewall-cmd --permanent --zone=home --add-port=3306/tcp

Disable a port and protocol combination permanently in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>

8. Block echo-reply messages in the public zone. This drops incoming ping replies, i.e. answers to pings sent from this host; to stop the host answering pings from the public zone, block echo-request instead.

 firewall-cmd --zone=public --add-icmp-block=echo-reply

9. Forward ssh (22/tcp) arriving in the home zone to host 192.168.10.5. Forwarding to another host only works when masquerading is enabled in that zone, which example 6 did for home.

 firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=192.168.10.5
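The examples above mix runtime-only and --permanent changes, which is exactly how a host ends up with rules that vanish at the next reload, or persisted rules that are not live yet. The script below is an added example, not part of the original post or of firewalld, and it serves both the runtime/permanent discussion in the firewall-cmd section and the examples here: it parses the output of firewall-cmd --list-all for one zone, once from the runtime and once from the permanent configuration, reports every field where the two views differ, and warns when a forward-port to another host is persisted without masquerading (which firewalld requires for such forwards). The two --list-all outputs are constructed sample data for the home zone; on a real host you would feed it the output of firewall-cmd --zone=home --list-all and firewall-cmd --permanent --zone=home --list-all.

```shell
#!/bin/sh
# Added example (not from the original post): drift and sanity checks over
# `firewall-cmd [--permanent] --zone=Z --list-all` output.
# Runtime-only changes vanish on --reload; permanent-only changes are not live
# until --reload; a forward-port with toaddr= needs masquerade in the zone.

# Constructed sample output (firewalld's --list-all format) for the home zone
# after running the examples in this guide: interface, masquerade and the
# forward-port were added at runtime only, the port was added with --permanent only.
RUNTIME=$(cat <<'EOF'
home (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services: ssh mdns samba-client dhcpv6-client ipp-client
  ports:
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=:toaddr=192.168.10.5
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

PERMANENT=$(cat <<'EOF'
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client ipp-client
  ports: 3306/tcp
  protocols:
  masquerade: no
  forward-ports: port=22:proto=tcp:toport=:toaddr=192.168.10.5
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

# zone_field LIST_ALL_OUTPUT KEY -> value of the "KEY:" line with its tokens
# sorted, so that a different ordering in the two views does not count as drift.
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ":") == 1 {
            n = split(substr(line, length(key) + 2), tok, /[ \t]+/)
            m = 0
            for (i = 1; i <= n; i++) if (tok[i] != "") { m++; s[m] = tok[i] }
            for (i = 2; i <= m; i++) { v = s[i]; for (j = i - 1; j >= 1 && s[j] > v; j--) s[j+1] = s[j]; s[j+1] = v }
            out = ""; for (i = 1; i <= m; i++) out = out (i > 1 ? " " : "") s[i]
            print out; exit
        }'
}

# zone_drift RUNTIME_OUT PERMANENT_OUT -> one line per field that differs;
# exit status 0 when both views agree, 1 otherwise.
zone_drift() {
    diffs=0
    for key in target interfaces sources services ports protocols masquerade \
               forward-ports source-ports icmp-blocks "rich rules"; do
        r=$(zone_field "$1" "$key"); p=$(zone_field "$2" "$key")
        if [ "$r" != "$p" ]; then
            printf '%s: runtime=[%s] permanent=[%s]\n' "$key" "$r" "$p"
            diffs=$((diffs + 1))
        fi
    done
    [ "$diffs" -eq 0 ]
}

# zone_lint LIST_ALL_OUTPUT -> warn (exit 1) if a forward-port sends traffic to
# another host (toaddr=...) while masquerade is off in the zone.
zone_lint() {
    fp=$(zone_field "$1" forward-ports)
    mq=$(zone_field "$1" masquerade)
    case "$fp" in
        *toaddr=[0-9]*)
            if [ "$mq" != yes ]; then
                echo "WARNING: forward to another host without masquerade: $fp"
                return 1
            fi ;;
    esac
    return 0
}

# Stand-alone run: report drift, then lint the permanent view (what survives --reload).
zone_drift "$RUNTIME" "$PERMANENT" || echo "runtime and permanent views of the zone differ"
zone_lint "$PERMANENT" || true
```

On the sample data the drift report lists interfaces, ports and masquerade, and the lint fires on the permanent view: the forward to 192.168.10.5 was persisted but masquerading was not, so after the next reload the forward-port rule exists but does nothing. Run the same check over every zone from --get-active-zones before and after a change window.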

References

  1. Man pages:
man firewall-cmd 
man firewalld
man firewalld.zones
man firewalld.zone
man firewall-config