Category: FirewallD

Jun 13

Firewalld Rich Rule

To add a so-called rich rule to firewalld I did the following.

Check the existing rules after a recent upgrade to Fedora 22. 55555/tcp was opened for a custom app; it is not a Fedora default.

# firewall-cmd --get-default-zone
FedoraServer

# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default)
  interfaces:
  sources:
  services: cockpit dhcpv6-client http smtp ssh
  ports: 55555/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Let's remove some rules.

# firewall-cmd --permanent --zone=FedoraServer --remove-port=55555/tcp
success
# firewall-cmd --permanent --zone=FedoraServer --remove-service=cockpit
success
# firewall-cmd --permanent --zone=FedoraServer --remove-service=dhcpv6-client
success

Add the custom rule to the runtime configuration only (non-permanent).
Note: x.x.x.x is a placeholder for a real public IP. Most likely you won't need a public IP but a non-routable Class C or B address range on your internal network.

# firewall-cmd --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="x.x.x.x/32" port protocol="tcp" port="55555" accept'
success

If you need it permanently added, remember to use --permanent: a rule added only to the runtime configuration is discarded when firewalld is restarted or reloaded.

Restart the firewall and check the zone again.

# systemctl restart firewalld.service
# firewall-cmd --zone=FedoraServer --list-all
FedoraServer (default)
  interfaces:
  sources:
  services: http smtp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="x.x.x.x/32" port port="55555" protocol="tcp" accept
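The steps above as a small POSIX shell script, added here as an example that is not part of the original post. It validates the source prefix, port and protocol before building the rule text, passes the rule to firewall-cmd as a single argument so the inner double quotes of the rich rule language survive, and writes the change to the permanent configuration followed by a reload rather than a restart. The zone name, the `192.0.2.10/32` prefix and the function names (`fw`, `build_rich_rule`, `restrict_port`) are my own placeholders; `FIREWALL_DRY_RUN=1` prints the firewall-cmd calls instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: build a firewalld rich rule that
# limits one port to one IPv4 source prefix, then replace the wide-open port
# with it in the permanent configuration and reload. The zone name and the
# 192.0.2.10/32 prefix are placeholders. With FIREWALL_DRY_RUN=1 every
# firewall-cmd call is printed instead of executed.

# Run firewall-cmd with the given arguments, or print the call when dry-running.
fw() {
    if [ "${FIREWALL_DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd'
        for a in "$@"; do printf ' %s' "$a"; done
        printf '\n'
    else
        firewall-cmd "$@"
    fi
}

# Validate SOURCE (a.b.c.d/len), PORT (1-65535) and PROTO (tcp|udp), then print
# the rich rule text. The inner double quotes are part of the rule language, so
# callers must pass the whole rule as one argument (single-quoted on a shell
# command line).
build_rich_rule() {
    src=$1 port=$2 proto=$3
    case $src in
        */*) ;;
        *) printf 'source must be a.b.c.d/len\n' >&2; return 1 ;;
    esac
    case $src in
        *[!0-9./]*) printf 'source contains bad characters\n' >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) printf 'port must be numeric\n' >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        printf 'port out of range\n' >&2; return 1
    fi
    case $proto in
        tcp|udp) ;;
        *) printf 'protocol must be tcp or udp\n' >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
        "$src" "$port" "$proto"
}

# In ZONE, drop the port that was open to every source and add the
# source-restricted rich rule instead. Both changes go to the permanent
# configuration, and the reload makes the runtime match it.
restrict_port() {
    zone=$1
    rule=$(build_rich_rule "$2" "$3" "$4") || return 1
    fw --permanent --zone="$zone" --remove-port="$3/$4"
    fw --permanent --zone="$zone" --add-rich-rule="$rule"
    fw --reload
}

# Usage: sh restrict_port.sh --demo   (prints the calls instead of running them)
if [ "${1:-}" = "--demo" ]; then
    FIREWALL_DRY_RUN=1
    restrict_port FedoraServer 192.0.2.10/32 55555 tcp
fi
```

The validation is deliberately strict: the page's literal placeholder `x.x.x.x/32` is rejected, a port outside 1-65535 is rejected, and only tcp or udp are accepted, so a typo cannot turn into a rule that accepts more than intended.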


Mar 24

FirewallD on Fedora

Somewhere between Fedora 18 and 20 the default firewall switched to FirewallD, a replacement for the default iptables firewall. There is a lot more detail at the links referenced below, but in my mind the big advantages are zones and the fact that changes can be made to the running firewall without restarting it or unloading and reloading the whole rule set, so the firewall stays stateful across changes.

This is just a quick reminder for myself of what I did to add a port to the public zone. I was setting up SPICE for accessing a Windows 7 KVM guest and needed the firewall to allow port 5901.

I will play with the other zones at some point. Ideally I don't want to allow 5901 in the public zone, just the internal zone.

Get some information on the FirewallD service.

# systemctl | grep firewall
firewalld.service   loaded active running   firewalld - dynamic firewall daemon

# firewall-cmd --state
running

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

# firewall-cmd --get-default-zone
public

Add the vnc-server service, which covers the ports I am interested in. Add the rule to the permanent configuration as well, not just the running one.

# firewall-cmd --zone=public --add-service=vnc-server
success

# firewall-cmd --permanent --zone=public --add-service=vnc-server
success

# firewall-cmd --reload
success

Hints:
You can also use firewall-config, the native GUI for firewalld.
Use nmap to verify which ports are actually open.
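As a host-side complement to the nmap hint, here is an added example that is not part of the original post: a POSIX shell audit that reads the output of `firewall-cmd --zone=ZONE --list-all` and reports any service or port the zone exposes that is not on an allow-list, so a service left in the public zone (vnc-server in this post, which I would rather keep in the internal zone) is noticed. `SAMPLE_LISTING` is constructed sample output used when firewall-cmd is not installed, and the function names (`zone_field`, `audit_zone`, `audit_live_or_sample`) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: compare the services and ports a
# zone actually exposes (from `firewall-cmd --zone=ZONE --list-all`) with what
# the zone is supposed to expose, and report the rest. SAMPLE_LISTING is
# constructed sample output used when firewall-cmd is not installed.

SAMPLE_LISTING='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client http smtp ssh vnc-server
  ports: 5901/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
'

# Print the value of one --list-all field ("services" or "ports") read on stdin.
zone_field() {
    sed -n "s/^  $1:[[:space:]]*//p"
}

# Read a listing on stdin; print every service/port not in the allow-lists
# ALLOWED_SERVICES and ALLOWED_PORTS (space-separated) and return 1 if any.
audit_zone() {
    allowed_services=$1 allowed_ports=$2
    listing=$(cat)
    status=0
    for s in $(printf '%s\n' "$listing" | zone_field services); do
        case " $allowed_services " in
            *" $s "*) ;;
            *) printf 'unexpected service: %s\n' "$s"; status=1 ;;
        esac
    done
    for p in $(printf '%s\n' "$listing" | zone_field ports); do
        case " $allowed_ports " in
            *" $p "*) ;;
            *) printf 'unexpected port: %s\n' "$p"; status=1 ;;
        esac
    done
    return $status
}

# Audit a live zone when firewall-cmd exists, otherwise the sample listing.
audit_live_or_sample() {
    zone=$1 allowed_services=$2 allowed_ports=$3
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone="$zone" --list-all
    else
        printf '%s' "$SAMPLE_LISTING"
    fi | audit_zone "$allowed_services" "$allowed_ports"
}

# Usage: sh audit_zone.sh --demo  (public zone should only offer http smtp ssh)
if [ "${1:-}" = "--demo" ]; then
    audit_live_or_sample public "http smtp ssh" ""
fi
```

Run it from cron or a configuration check and treat a non-zero exit as a drift alert; the allow-list is the intended state of the zone, so anything the audit prints is either a change that was never meant to be permanent or one that should be moved to a narrower zone.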

More detail here:
https://fedoraproject.org/wiki/Features/firewalld-default
https://fedoraproject.org/wiki/FirewallD?rd=FirewallD/
