RHEL Firewalld Notes

From Michael's Information Zone

Purpose

General notes to self on firewalld configurations. Most of the time my servers are simple enough that I do not need to make changes to zones and what not.

Create Groups

[1] It is easier to manage a group (an ipset) than to maintain a bunch of individual rules.

sudo firewall-cmd --permanent --new-ipset=sftp_group --type=hash:net
sudo firewall-cmd --permanent --ipset=sftp_group --add-entry=xxx.xxx.xxx.xxx
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source ipset=sftp_group service name=ssh accept'

Rich Rules

From my notes working with Amazon Linux 2. The following allows http/https from all sources, removes the default ssh service so ssh is dropped from everywhere else, and allows ssh only from a subnet and a single IP that I connect from.[2]

sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.0/24 service name=ssh accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.xxx service name=ssh accept'
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

Here is an example of allowing a specific port; in this case I wanted nxfilter to receive netflow data from a specific host.

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port=2055 protocol=udp source address=xxx.xxx.xxx.xxx accept'
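A small audit helper for the ipset and rich-rule recipes above, added here as an example and not part of the original notes: given the text that `firewall-cmd --list-all` prints for a zone, it reports whether ssh is still reachable from any source or only from the address/ipset sources the rich rules name. The two zone listings are constructed samples with RFC 5737 placeholder addresses, and the `ssh_verdict` wording is my own.

```shell
#!/bin/sh
# Added audit helper: parse `firewall-cmd --list-all` text and report ssh exposure.
# The sample listings below are constructed, not captured from a real host.

# Zone before the rich-rule recipe: ssh still sits in the services list.
SAMPLE_BEFORE='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports:
  rich rules:'

# Zone after the recipe: ssh removed from services, allowed only by rich rules.
SAMPLE_AFTER='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client http https
  ports:
  rich rules:
    rule family="ipv4" source address="192.0.2.0/24" service name="ssh" accept
    rule family="ipv4" source ipset="sftp_group" service name="ssh" accept'

# Returns 0 when the zone's "services:" line lists ssh (reachable from any source).
ssh_open_to_all() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*services:/ { for (i = 2; i <= NF; i++) if ($i == "ssh") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Prints one line per rich rule that accepts ssh: the address= or ipset= it is scoped to.
ssh_rich_rule_sources() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*rule / && /service name="ssh"/ && /accept/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^(address|ipset)="/) {
                sub(/^[a-z]*="/, "", $i); sub(/"$/, "", $i); print $i
            }
        }'
}

# One-word verdict: OPEN (any source), RESTRICTED (rich rules only) or NONE.
ssh_verdict() {
    if ssh_open_to_all "$1"; then echo OPEN; return; fi
    if [ -n "$(ssh_rich_rule_sources "$1")" ]; then echo RESTRICTED; else echo NONE; fi
}

ssh_verdict "$SAMPLE_BEFORE"        # prints OPEN
ssh_verdict "$SAMPLE_AFTER"         # prints RESTRICTED
ssh_rich_rule_sources "$SAMPLE_AFTER"
```

On a live host, replace the samples with `$(sudo firewall-cmd --zone=public --list-all)`; a verdict of OPEN after the recipe means the `--remove-service=ssh` step or the `--reload` was skipped.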

Zones

[3][4]

firewall-cmd --permanent --zone=dmz --change-interface=eth0
firewall-cmd --permanent --zone=dmz --remove-service=ssh
firewall-cmd --permanent --zone=dmz --add-service=http
firewall-cmd --permanent --zone=dmz --add-source=xxx.xxx.xxx.xxx
firewall-cmd --reload

Block All ICMP on the Public Zone

firewall-cmd --zone=public --add-icmp-block={address-unreachable,bad-header,beyond-scope,communication-prohibited,destination-unreachable,echo-reply,echo-request,failed-policy,fragmentation-needed,host-precedence-violation,host-prohibited,host-redirect,host-unknown,host-unreachable,ip-header-bad,neighbour-advertisement,neighbour-solicitation,network-prohibited,network-redirect,network-unknown,network-unreachable,no-route,packet-too-big,parameter-problem,port-unreachable,precedence-cutoff,protocol-unreachable,redirect,reject-route,required-option-missing,router-advertisement,router-solicitation,source-quench,source-route-failed,time-exceeded,timestamp-reply,timestamp-request,tos-host-redirect,tos-host-unreachable,tos-network-redirect,tos-network-unreachable,ttl-zero-during-reassembly,ttl-zero-during-transit,unknown-header-type,unknown-option}