Firewall CentOS
Introduction
firewalld is a firewall management tool for Linux operating systems.
It provides firewall functions by acting as a front end for the Linux kernel's netfilter framework via the nftables userspace utility (before version 0.6.0, an iptables backend),
serving as an alternative to the nft command line program.
The name firewalld follows the Unix naming convention for system daemons by adding the letter "d".
firewalld is written in Python.
It was supposed to be ported to C++, but the porting project was abandoned in January 2015.
Check the current status
To check the status of firewalld, run
sudo systemctl status -l firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2024-04-24 00:00:01 EEST; 2h 55min ago
     Docs: man:firewalld(1)
 Main PID: 783 (firewalld)
    Tasks: 2
   CGroup: /system.slice/firewalld.service
           └─783 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Apr 24 14:12:42 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 24 14:12:42 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Apr 24 14:12:42 localhost.localdomain firewalld[783]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
The warning in the last line refers to the AllowZoneDrifting option in /etc/firewalld/firewalld.conf; it lets packets match the rules of a zone other than the one they were assigned to, so set it to no unless you depend on that behaviour.
Firewall
List of open ports
firewall-cmd --list-ports
8443/tcp 3389/tcp 2222/tcp
List of active zones
firewall-cmd --get-active-zones
public interfaces: enp0s3 enp0s8
Full list
sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources:
  services: dhcpv6-client http https ssh
  ports: 8443/tcp 3389/tcp 2222/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Open the port
sudo firewall-cmd --zone=public --add-port=19999/tcp --permanent
success
Then reload the firewall so that the permanent rule becomes active
sudo firewall-cmd --reload
success
Check the result
sudo firewall-cmd --list-ports
8443/tcp 3389/tcp 2222/tcp 19999/tcp
In case you are wondering what uses port 19999: it is Locust
Block the port
sudo firewall-cmd --remove-port=22/tcp --permanent
sudo firewall-cmd --remove-port=53/udp --permanent
sudo firewall-cmd --reload
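The commands above change the permanent configuration and then reload it; a rule added without --permanent filters traffic immediately but is lost on the next reload, and --remove-port does not close a port that a service in the same zone (for example ssh on 22/tcp) still opens. The following script is an added example, not part of the original page: it audits constructed `firewall-cmd --list-all` output offline for both problems (the sample listings and the small service-to-port table are assumptions; on a real host feed it the live listings instead).

```shell
#!/bin/sh
# Added example (not from the page): audit a firewalld zone listing offline
# for runtime/permanent drift (what survives `firewall-cmd --reload`) and for
# ports that stay reachable through a service after `--remove-port`.
# Constructed samples of `firewall-cmd --list-all` (runtime) and
# `firewall-cmd --permanent --list-all` (on disk) for the same zone.
RUNTIME_SAMPLE='public (active)
  interfaces: enp0s3 enp0s8
  services: dhcpv6-client http https ssh
  ports: 8443/tcp 3389/tcp 2222/tcp'
PERMANENT_SAMPLE='public
  interfaces: enp0s3 enp0s8
  services: dhcpv6-client http ssh
  ports: 8443/tcp 3389/tcp 2222/tcp 19999/tcp'
# Entries of one space-separated field (ports, services, sources,
# interfaces) of a listing read from stdin, one per line, sorted.
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr ' ' '\n' | sed '/^$/d' | sort
}
# zone_drift FIELD RUNTIME_LISTING PERMANENT_LISTING
# Prints entries present on one side only; exit status 1 when drift exists.
zone_drift() {
    rt=$(printf '%s\n' "$2" | zone_field "$1")
    pm=$(printf '%s\n' "$3" | zone_field "$1")
    drift=0
    for e in $rt; do   # added without --permanent: lost on the next reload
        printf '%s\n' "$pm" | grep -qx -- "$e" || { echo "runtime-only: $1 $e"; drift=1; }
    done
    for e in $pm; do   # added with --permanent but not yet reloaded
        printf '%s\n' "$rt" | grep -qx -- "$e" || { echo "permanent-only: $1 $e"; drift=1; }
    done
    return $drift
}
# Ports opened by a few stock firewalld services (partial table; on a real
# host read the definition with `firewall-cmd --info-service=NAME`).
service_ports() {
    case "$1" in
        ssh) echo 22/tcp ;;  http) echo 80/tcp ;;  https) echo 443/tcp ;;
        dns) echo 53/tcp 53/udp ;;  dhcpv6-client) echo 546/udp ;;
    esac
}
# port_allowed PORT/PROTO LISTING: status 0 if the zone admits the port,
# directly under "ports:" or through a service under "services:".
port_allowed() {
    printf '%s\n' "$2" | zone_field ports | grep -qx -- "$1" && return 0
    for svc in $(printf '%s\n' "$2" | zone_field services); do
        for p in $(service_ports "$svc"); do [ "$p" = "$1" ] && return 0; done
    done
    return 1
}
```

On a live system call it as `zone_drift ports "$(firewall-cmd --list-all)" "$(firewall-cmd --permanent --list-all)"` before a reload, and `port_allowed 22/tcp "$(firewall-cmd --list-all)"` after removing a port.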
Allow a service
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Block a service
sudo firewall-cmd --permanent --remove-service=https
sudo firewall-cmd --reload
Add an IP address to the "white" list
To add a single IP address
sudo firewall-cmd --permanent --add-source=192.168.56.101
To add a whole /24 subnet (netmask 255.255.255.0), run
sudo firewall-cmd --permanent --add-source=192.168.2.0/24
sudo firewall-cmd --reload
Remove an IP address from the "white" list
To remove a single IP address
sudo firewall-cmd --permanent --remove-source=192.168.2.50
sudo firewall-cmd --reload
To remove a whole /24 subnet (netmask 255.255.255.0), run
sudo firewall-cmd --permanent --remove-source=192.168.2.50/24
sudo firewall-cmd --reload
Block an IP address
To block incoming connections from a specific IP address, use a rich rule
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.2.50' reject"
sudo firewall-cmd --reload
View all rich rules
To view all existing rich rules, run
sudo firewall-cmd --list-rich-rules
rule family="ipv4" source address="192.168.56.109" reject
Delete a rule
To delete an existing rich rule, run
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.56.109" reject'
sudo firewall-cmd --reload
A rich rule that allows a single host on a specific port is removed the same way, by passing the rule exactly as it was added:
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="3306" accept'
sudo firewall-cmd --reload