Firewall CentOS

Introduction

firewalld is a firewall management tool for Linux operating systems.

It provides firewall functions by acting as an interface for the Linux kernel netfilter platform using the nftables userspace utility (up to version v0.6.0 iptables backend), acting as an alternative to the net command line program.

The name firewalld follows the Unix naming convention for system daemons by adding the letter "d". firewalld is written in Python .

It was supposed to be moved to C++ , but the transfer project was abandoned in January 2015.

Check the current status

To check the status of firewalld execute

sudo systemctl status -l firewalld

● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2024-04-24 00:00:01 EEST; 2h 55min ago 1713957042 Docs: man:firewalld(1) Main PID: 783 (firewalld) Tasks: 2 CGroup: /system.slice/firewalld.service └─783 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid Apr 24 14:12:42 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon... Apr 24 14:12:42 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon. Apr 24 14:12:42 localhost.localdomain firewalld[783]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.

Firewall

List of open ports

firewall-cmd --list-ports

8443/tcp 3389/tcp 2222/tcp

List of active zones

firewall-cmd --get-active-zones

public interfaces: enp0s3 enp0s8

Full list

sudo firewall-cmd --list-all

public (active) target: default icmp-block-inversion: no interfaces: enp0s3 enp0s8 sources: services: dhcpv6-client http https ssh ports: 8443/tcp 3389/tcp 2222/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:

Open the port

sudo firewall-cmd --zone=public --add-port=19999/tcp --permanent

sucess

Then you need to restart the firewall

sudo firewall-cmd --reload

sucess

Check the result

sudo firewall-cmd --list-ports

8443/tcp 3389/tcp 2222/tcp 19999/tcp

If you are suddenly wondering what kind of port 19999 is using it Locust

Block the port

sudo firewall-cmd --remove-port=22/tcp --permanent
sudo firewall-cmd --remove-port=53/udp --permanent
sudo firewall-cmd --reload

Разрешить сервис

sudo firewall-cmd --add-service=https
sudo firewall-cmd --reload

Заблокировать сервис

sudo firewall-cmd --remove-service=https
sudo firewall-cmd --reload

Добавить IP в "белый" список

To добавить один IP address

sudo firewall-cmd --permanent --add-source=192.168.56.101

To добавить всю подсеть 255.255.255.0 выполнить

sudo firewall-cmd --permanent --add-source=192.168.2.0/24
sudo firewall-cmd --reload

Удалить IP из "белого" списка

To удалить один IP address

sudo firewall-cmd --permanent --remove-source=192.168.2.50
sudo firewall-cmd --reload

To удалить всю подсеть 255.255.255.0 выполнить

sudo firewall-cmd --permanent --remove-source=192.168.2.50/24
sudo firewall-cmd --reload

Заблокировать IP

To заблокировать входящие соединения с определённого IP addressа воспользуйтесь rich-rule

sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.2.50' reject"
sudo firewall-cmd --reload

Посмотреть все rich-rules

To посмотреть все существующие rich-rules execute

sudo firewall-cmd --list-rich-rules

rule family="ipv4" source address="192.168.56.109" reject

Удалить правило

To удалить существующий rich-rule execute

sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.56.109" reject'
sudo firewall-cmd --reload

sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'