RHEL Firewalld Notes

From Michael's Information Zone
Revision as of 08:47, 18 October 2019 by Michael.mast

Purpose

General notes to self on firewalld configurations. Most of the time my servers are simple enough that I do not need to make changes to zones and what not.

Create Groups

It is easier to manage groups (firewalld ipsets) than to maintain a pile of individual rules: one rich rule references the set, and hosts are added to or removed from the set.[1] The hash:net type holds both single addresses and CIDR subnets. On its own this only adds an allow; ssh stays open to everyone until the zone's ssh service is removed (see Rich Rules below), and like every --permanent change it does nothing until the reload.

sudo firewall-cmd --permanent --new-ipset=sftp_group --type=hash:net
sudo firewall-cmd --permanent --ipset=sftp_group --add-entry=xxx.xxx.xxx.xxx
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source ipset=sftp_group service name=ssh accept'
sudo firewall-cmd --reload

Rich Rules

From my notes working with Amazon Linux 2. The following allows http/https from anywhere, allows ssh only from one subnet and one address I connect from, and removes the default ssh service so any other connection to port 22 is rejected by the zone's default target (the public zone rejects rather than drops).[2] Every change is --permanent and they all land together on the single --reload, so the allow rules are in place at the moment the blanket ssh service goes away; keep an existing session open anyway and confirm with firewall-cmd --list-rich-rules before logging out.

sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.0/24 service name=ssh accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.xxx service name=ssh accept'
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
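Putting the Create Groups and Rich Rules recipes above together as one script, an example added here and not taken from the original notes: it validates the admin sources before anything is written, builds the ipset, installs the rich rule, removes the blanket ssh service, reloads once, and then checks the running configuration. The ipset name admin_ssh, the FIREWALL_CMD override used for dry runs, and the assumption that ssh lives in the default zone are my choices, not the page's.

```shell
#!/bin/bash
# Added example, not from the original notes: restrict ssh to an ipset of
# admin sources while leaving http/https open, combining the "Create Groups"
# and "Rich Rules" recipes above. Every call goes through $FIREWALL_CMD so a
# whole run can be previewed with FIREWALL_CMD=echo before touching a host.
# Assumed (my choices, not the page's): ipset name admin_ssh, and that ssh is
# in the default zone, which is where --add-service/--remove-service act.

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"
IPSET_NAME="${IPSET_NAME:-admin_ssh}"

# Accept a dotted-quad IPv4 address, optionally with a /0-32 prefix, and
# nothing else: a typo or a stray shell metacharacter must never reach
# firewall-cmd as an ipset entry.
valid_ipv4_net() {
    local net="$1" addr prefix octet
    case "$net" in
        */*) addr="${net%/*}"; prefix="${net#*/}" ;;
        *)   addr="$net";      prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    local IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The one rule that admits ssh, written the way --list-rich-rules prints it.
ssh_rich_rule() {
    printf 'rule family=ipv4 source ipset=%s service name=ssh accept' "$IPSET_NAME"
}

# Write the whole policy as --permanent changes and apply it with a single
# --reload, so the allow rule and the removal of the blanket ssh service land
# together; runtime edits in the wrong order would lock you out.
restrict_ssh_to() {
    local src
    [ $# -gt 0 ] || { echo "usage: restrict_ssh_to <ipv4|ipv4/prefix>..." >&2; return 2; }
    for src in "$@"; do
        valid_ipv4_net "$src" || { echo "refusing to continue: bad source '$src'" >&2; return 2; }
    done
    # hash:net holds single hosts and subnets alike, so one set serves both.
    if ! $FIREWALL_CMD --permanent --get-ipsets | tr ' ' '\n' | grep -qxF "$IPSET_NAME"; then
        $FIREWALL_CMD --permanent --new-ipset="$IPSET_NAME" --type=hash:net || return 1
    fi
    for src in "$@"; do
        $FIREWALL_CMD --permanent --ipset="$IPSET_NAME" --add-entry="$src" || return 1
    done
    $FIREWALL_CMD --permanent --add-service=http  || return 1
    $FIREWALL_CMD --permanent --add-service=https || return 1
    $FIREWALL_CMD --permanent --add-rich-rule="$(ssh_rich_rule)" || return 1
    $FIREWALL_CMD --permanent --remove-service=ssh || return 1
    $FIREWALL_CMD --reload
}

# After the reload, prove the running config is what was intended: the rich
# rule is present and the ssh service is gone. Run this from the session you
# applied the change in, before closing it.
verify_ssh_lockdown() {
    $FIREWALL_CMD --query-rich-rule="$(ssh_rich_rule)" >/dev/null || return 1
    ! $FIREWALL_CMD --query-service=ssh >/dev/null
}

case "${1:-}" in
    apply) shift; restrict_ssh_to "$@" && verify_ssh_lockdown ;;
    check) verify_ssh_lockdown ;;
esac
```

Preview first with FIREWALL_CMD=echo ./ssh-lockdown.sh apply 203.0.113.0/24 198.51.100.9 (documentation addresses, substitute your own), then run it for real from a session you keep open, and run ./ssh-lockdown.sh check before logging out. The script refuses to issue a single firewall-cmd call if any source fails validation, so a typo cannot leave the set half built.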

Here is an example of allowing a specific port. In this case I wanted nxfilter to receive NetFlow data from a single host, so the rule pairs the port with a source address instead of opening udp/2055 to everyone. The elements are listed in the order firewall-cmd --list-rich-rules prints them, and the reload is what makes the permanent rule live.

sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.xxx port port=2055 protocol=udp accept'
sudo firewall-cmd --reload

Zones

Moving an interface into the dmz zone and adjusting what that zone allows.[3][4] A source binding (--add-source) is matched before the interface binding, so traffic from that address is handled by dmz whichever interface it arrives on. After the reload, confirm the zone is active and shows the expected services and sources with firewall-cmd --get-active-zones and firewall-cmd --zone=dmz --list-all.

firewall-cmd --permanent --zone=dmz --change-interface=eth0
firewall-cmd --permanent --zone=dmz --remove-service=ssh
firewall-cmd --permanent --zone=dmz --add-service=http
firewall-cmd --permanent --zone=dmz --add-source=xxx.xxx.xxx.xxx
firewall-cmd --reload