OEL/RHEL 7 – firewalld

How cool Linux is getting. I hope it won’t look like Windows soon. If they put a butterfly or a shiny window in the “start menu” I’m out of the game.
The “new” firewalld is cool and dynamic, but my servers are square, boring and static. Maybe if I were using RHEL/OEL 7 on my laptop it would be worth it. For me this is just one unneeded layer of complexity on top of iptables, but that is just my opinion. Maybe you can find it useful in some cases, maybe if you use your server as a wifi client or whatever. To be honest, I like the reload function, which is not bad, but still not a big deal. You can achieve this with iptables as well; of course here it is easier.

So, it’s here, in production, and we shall use it and know it well. If we take a look at this graphic we will find out that everything points to iptables:

[Figure: firewall_stack]

iptables is good, old, well tested and widely used software. If you thought that iptables is complex /which it is not, it just needs its time/, then firewalld will not look easier to you. Actually, in my opinion, you should know iptables if you want to know in detail what firewalld is doing.

So what should we know about firewalld? Well, there is a lot, but the general things are the zones, the services and a few firewall-cmd commands.

Zones
The zones are just zones with different rules. Imagine the annoying window in Windows that pops up every time you connect to a new wireless network /the one where you click whatever when you see it/. So, the same, but in Linux.
The point of this “thing” is to have different rules in different zones and to be able to switch between them easily.
By default the firewall is using the public zone. To check which zones are in use we can use the following spell:

[root@K-lab ~]# firewall-cmd --get-active-zones
public
  interfaces: eno1
[root@K-lab ~]#

In my case there is just one, for one interface, but actually we can have more than one zone active, for different interfaces.

To put it another way, a zone is just an abstraction over the iptables rules that apply to some interfaces. For example, if our public zone permits traffic on ports 22 and 80, then all interfaces in this zone will permit traffic on those ports.

Ok, if we want to know what zones we have:

[root@K-lab ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@K-lab ~]#

If we want to know the default zone:

[root@K-lab ~]# firewall-cmd --get-default-zone
public
[root@K-lab ~]#

If we want to know what is configured in some zone:

[root@K-lab ~]# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eno1
  sources:
  services:
  ports: 443/tcp 80/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@K-lab ~]# firewall-cmd --zone=drop --list-all
drop
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@K-lab ~]#

If we want to change the target of the zone /to drop, reject or accept packets by default/:

[root@K-lab ~]# firewall-cmd --permanent --zone=public --set-target=DROP
success
[root@K-lab ~]#

To let the bots time out and save some CPU… Note that --set-target only exists for the permanent configuration, so it takes effect after a --reload.

Services

firewalld has some predefined services, but don’t expect too much. They are just XML files in some directory. That means they are not integrated with the configuration of the services themselves. For example, if you start sshd on port 9922, the firewalld ssh service will still open the default port 22.

If you want to add a service to a zone use:

[root@K-lab ~]# firewall-cmd --zone=public --add-service=ssh
success
[root@K-lab ~]#

To remove a service:

[root@K-lab ~]# firewall-cmd --zone=public --remove-service=ssh
success
[root@K-lab ~]#

To list the enabled services use --list-all for the zone.
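Since the built-in ssh service only knows about port 22, the sshd-on-9922 case above needs its own service definition. This is an added example, not code from the original post: it assumes firewall-cmd is available, that you run it as root, and that user-defined services live in /etc/firewalld/services/ (the stock firewalld location); the service name ssh-9922 is made up here.

```shell
#!/bin/sh
# Added example: define a firewalld service for an sshd that listens on
# 9922/tcp instead of relying on the built-in "ssh" service (port 22 only).

# service_xml NAME PORT PROTO SHORT: print a firewalld service definition.
# The file format is the same one the predefined services use.
service_xml() {
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$4</short>
  <description>$4 on $2/$3 (custom definition for service $1)</description>
  <port protocol="$3" port="$2"/>
</service>
EOF
}

# install_service NAME PORT PROTO SHORT ZONE: write the definition into
# /etc/firewalld/services/, let firewalld read the new file, add the service
# to the permanent configuration of ZONE, then reload so the run-time rules
# follow the permanent ones. Needs root and a running firewalld.
install_service() {
    service_xml "$1" "$2" "$3" "$4" > "/etc/firewalld/services/$1.xml"
    firewall-cmd --reload                   # pick up the new service file
    firewall-cmd --permanent --zone="$5" --add-service="$1"
    firewall-cmd --reload                   # apply the permanent change
    firewall-cmd --zone="$5" --list-services
}

# Usage on a live box (changes the firewall, so it is left commented out):
# install_service ssh-9922 9922 tcp "SSH on 9922" public
```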

Keep in mind that there is a run-time and a permanent configuration. With the --permanent option all changes are applied to the configuration files, and without the --permanent option the changes are applied to the run-time configuration only. So if we restart the service, the permanent configuration will be applied and the run-time configuration will be lost.

Reloading the configuration

Restarting firewalld is a bit “rude”, they say.
There are better ways of reloading the configuration. The first one is --reload:

[root@K-lab ~]# firewall-cmd --reload
success
[root@K-lab ~]#

In this way all connection states are preserved. That’s cool, but it’s not something you cannot achieve with iptables alone. Anyway, here it’s done in an easy and lazy way. Nothing bad; actually it is the only thing I like in firewalld. For now.

The other way is:

[root@K-lab ~]# firewall-cmd --complete-reload
success
[root@K-lab ~]#

which drops the connection states, which means established connections may drop.
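Because a --reload (or a restart) replaces the run-time configuration with the permanent one, it pays to see the difference between the two before reloading: a port opened without --permanent “just for now” will be closed, and a permanent-only opening will be enabled. This added example (not from the original post) does that comparison for one zone; it assumes firewall-cmd is on PATH and that the zone_drift wrapper runs as root.

```shell
#!/bin/sh
# Added example: report the drift between the run-time and the permanent
# configuration of a firewalld zone, i.e. what a --reload would change.

# only_in_first LIST_A LIST_B: print each space-separated item of LIST_A that
# is not in LIST_B, one per line. Pure text logic, works without firewalld.
only_in_first() {
    for item in $1; do
        found=no
        for other in $2; do
            [ "$item" = "$other" ] && found=yes
        done
        [ "$found" = no ] && printf '%s\n' "$item"
    done
    return 0
}

# report_drift KIND RUNTIME PERMANENT: describe what a --reload would change
# for one KIND of setting (services or ports). Returns 1 if there is drift.
report_drift() {
    kind=$1; runtime=$2; permanent=$3; drift=0
    for item in $(only_in_first "$runtime" "$permanent"); do
        echo "$kind: $item is run-time only, a --reload will close it"; drift=1
    done
    for item in $(only_in_first "$permanent" "$runtime"); do
        echo "$kind: $item is permanent only, a --reload will open it"; drift=1
    done
    return $drift
}

# zone_drift ZONE: query both configurations with firewall-cmd (needs root)
# and report the drift for services and ports. Returns 1 on any drift.
zone_drift() {
    zone=${1:-public}; rc=0
    for kind in services ports; do
        runtime=$(firewall-cmd --zone="$zone" --list-"$kind")
        permanent=$(firewall-cmd --permanent --zone="$zone" --list-"$kind")
        report_drift "$kind" "$runtime" "$permanent" || rc=1
    done
    return $rc
}

# Usage on a live box: zone_drift public
```

A clean zone prints nothing and returns 0, so the function can sit in a pre-reload check or a cron job.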


Ok, long story short. In my opinion that’s enough to know about firewalld. But if you really want to know what is going on, better use iptables:

[root@K-lab ~]# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  2264 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  178 11330 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  178 11330 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  178 11330 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 162 packets, 7972 bytes)
 pkts bytes target     prot opt in     out     source               destination
  162  7972 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public  all  --  *      eno1    0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
  178 11330 IN_public  all  --  eno1   *       0.0.0.0/0            0.0.0.0/0
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
  178 11330 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  178 11330 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  178 11330 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   40  3050 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
  138  8280 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
[root@K-lab ~]#

Way better ( :;

Of course, if we check the RHEL documentation, we can easily switch to iptables-services. But as good pawns we are not going back. We will use firewalld, right?
The only thing I cannot understand is why --zone? Why not just -z or -Z? Anyway, some people want to watch the world burn, so two dashes is not a big deal, right?

Kovachev


2 thoughts on “OEL/RHEL 7 – firewalld”

  1. In my opinion, the zones only make sense in mobile and multi-homed scenarios, i.e. using a laptop at home, on a cellular/mobile network, at a friend’s house, at wifi hot spots. The same holds true for multi-homed servers with more than a single NIC. These servers usually do the firewall stuff.
    But for an ordinary pc@home, the zones do not make any sense. Just use the default one.
    In contrast to Microsoft, who define for you in which zone a NIC is located, you are still in control of your Linux box – hurray!

    1. Well, I don’t find zones useful for a multi-NIC server, apart from configuring a zone once and applying it on many interfaces. But still you can do this quite easily with a simple iptables script. I don’t really need that additional layer on my servers. Anyway, it’s in there and I’ll probably use it. Thanks for stopping by.
