
firewalld – firewall-cmd

Red Hat and CentOS distributions use firewalld (driven from the command line with firewall-cmd) as their base firewall manager.

First, check whether the firewall is running:

$ firewall-cmd --state

firewalld keeps two configurations: the runtime (currently active) one and the permanent one, which survives a reload or reboot. Some commands require the permanent configuration; creating a new zone, for example, is only possible with the --permanent switch:

$ firewall-cmd --permanent

firewall-cmd works with zones. Each zone can contain several sources (addresses or networks), and you can also bind zones to interfaces.

You can get the list of zones with:

$ firewall-cmd --get-zones

You can get the default zone with:

$ firewall-cmd --get-default-zone

You can also check which zones are active. This is very helpful when you have several zones and want to know which of them are bound to sources, interfaces, etc.:

$ firewall-cmd --get-active-zones

Creating a new zone:

Remember to add the --permanent switch in order to add a new zone; zones can only be created in the permanent configuration.

$ firewall-cmd --permanent --new-zone=my-custom-zone

interfaces:

You can assign any network interface on the host to a zone.

You can get the list of interfaces with:

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:99:88:55 brd ff:ff:ff:ff:ff:ff

and assign it to a zone:

$ firewall-cmd --zone=public --add-interface=eno1

Sources:

You can add several IP addresses or networks to a zone like this:

$ firewall-cmd --zone=company --add-source=192.168.1.12/32
# or
$ firewall-cmd --zone=another-zone --add-source=10.25.12.0/24

Ports:

You can add a port to a zone so that any request arriving in that zone sees this port open:

$ firewall-cmd --zone=mongo-server --add-port=23070/tcp

Services:

You can decide which services are reachable through a given zone. Services are like presets, so you don't need to remember the port number for that service.

For example, to allow access to your MySQL server, you only have to add the mysql service to the zone, not the 3306 port itself. This is especially useful when you query several zones and look over them by eye: you can quickly see which zone allows which service, instead of pausing to recall what that port number was for 🙂

$ firewall-cmd --zone=company --add-service=mysql

or add several services at once:

$ firewall-cmd --zone=company --add-service=mysql --add-service=ssh

Ports:

If no predefined service exists for your port, or you are using an unusual port number, you can add it by port number.

And don't forget: you have to specify the protocol.

$ firewall-cmd --zone=company --add-port=1234/tcp

or

$ firewall-cmd --add-port=1234/tcp --add-port=4321/udp
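The zone, source, service and port steps above are usually applied together, in the permanent configuration, followed by a single --reload so the runtime configuration picks them up. The following script is an added example and not part of the original page: it validates the source and port arguments before they reach firewall-cmd (so a typo such as --add-source=mysql is caught locally rather than accepted as a nonsense rule), prints the exact firewall-cmd invocations it would run, and executes them only when firewall-cmd is on the PATH and --apply is given. The helper names (valid_port_spec, valid_ipv4_source, zone_commands, apply_zone) and the zone name and addresses are assumptions constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: build a firewalld zone from a short
# declarative list, using the permanent configuration and one reload at the end.
set -u

# Return 0 if $1 looks like "<1-65535>/tcp" or "<1-65535>/udp".
valid_port_spec() {
  local port=${1%/*} proto=${1##*/}
  [ "$proto" = tcp ] || [ "$proto" = udp ] || return 1
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ipv4_source() {
  local addr=${1%/*} prefix=${1##*/} IFS=. octet
  if [ "$prefix" != "$1" ]; then
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
  fi
  set -- $addr                      # split on "." via the local IFS
  [ $# -eq 4 ] || return 1
  for octet; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the firewall-cmd invocations that realise the zone, one per line.
# Arguments: zone name, then items of the form source=<cidr>, service=<name>,
# port=<number>/<tcp|udp>. Returns 1 on the first invalid item.
zone_commands() {
  local zone=$1 item kind value; shift
  printf 'firewall-cmd --permanent --new-zone=%s\n' "$zone"
  for item; do
    kind=${item%%=*} value=${item#*=}
    case "$kind" in
      source)  valid_ipv4_source "$value" || { echo "bad source: $value" >&2; return 1; } ;;
      port)    valid_port_spec "$value"   || { echo "bad port: $value" >&2; return 1; } ;;
      service) case "$value" in ''|*[!A-Za-z0-9_-]*) echo "bad service: $value" >&2; return 1 ;; esac ;;
      *)       echo "unknown item: $item" >&2; return 1 ;;
    esac
    printf 'firewall-cmd --permanent --zone=%s --add-%s=%s\n' "$zone" "$kind" "$value"
  done
  # Permanent changes only take effect after a reload.
  printf 'firewall-cmd --reload\n'
}

# Run the generated commands if firewall-cmd exists; otherwise show them (dry run).
apply_zone() {
  local cmds line
  cmds=$(zone_commands "$@") || return 1
  if command -v firewall-cmd >/dev/null 2>&1; then
    while IFS= read -r line; do
      $line || return 1               # stop at the first failing firewall-cmd call
    done <<< "$cmds"
  else
    printf 'dry run (firewall-cmd not found):\n%s\n' "$cmds"
  fi
}

# Demonstration with constructed values; without --apply the commands are only printed.
if [ "${1:-}" = "--apply" ]; then
  apply_zone company source=192.168.1.12/32 source=10.25.12.0/24 service=mysql service=ssh port=23070/tcp
else
  zone_commands company source=192.168.1.12/32 source=10.25.12.0/24 service=mysql service=ssh port=23070/tcp
fi
```

Run it without arguments to review the command list, then with --apply (as root) on a firewalld host. Service names are only checked for safe characters here; whether a name is a known preset is something firewall-cmd --get-services answers.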

UFW – Uncomplicated Firewall

It's very easy to work with ufw.

Say we want to allow a port from everywhere:
ufw allow 22/tcp

And allow a certain IP address:
ufw allow from 192.168.1.10
or
ufw allow from 192.168.1.0/24

A certain port from a certain IP (note that a port given right after "from" is the source port of the connection; the port clients connect to goes after "to"):
ufw allow from 192.168.1.10 port 8888

You can even set the protocol there:
ufw allow from 192.168.1.10 port 8888 proto tcp

It can also be used to set the destination:
ufw allow from 192.168.1.10 port 8888 proto tcp to 192.168.1.10 port 8888

A complete rule:
ufw allow from 192.168.1.10 port 8888 to 192.168.1.1 port 8888
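In ufw's grammar the "port" that follows "from" is the source port and the "port" that follows "to" is the destination port, which is easy to mix up when writing the rules above by hand. The following function is an added example, not from the original page: it composes a ufw allow rule from named parts so that source and destination ports cannot be confused, and prints the command line without running it. The function name ufw_allow_rule and the addresses and ports are assumptions constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: compose "ufw allow" rules from
# explicit source/destination parts. Prints the rule; does not execute it.
set -u

# usage: ufw_allow_rule <from-addr|any> <source-port|-> <to-addr|any> <dest-port|-> [proto]
ufw_allow_rule() {
  local src=$1 sport=$2 dst=$3 dport=$4 proto=${5:-}
  local rule="ufw allow from $src"
  [ "$sport" != - ] && rule="$rule port $sport"     # source port: rarely what you want
  rule="$rule to $dst"
  [ "$dport" != - ] && rule="$rule port $dport"     # destination port: the service port
  [ -n "$proto" ] && rule="$rule proto $proto"
  printf '%s\n' "$rule"
}

# Constructed demonstrations:
ufw_allow_rule 192.168.1.10 - any 8888 tcp      # host may reach local TCP port 8888
ufw_allow_rule 192.168.1.10 8888 any -          # matches only connections *sent from* port 8888
ufw_allow_rule 192.168.1.10 8888 192.168.1.1 8888
```

The second call reproduces the page's "ufw allow from 192.168.1.10 port 8888" rule and makes explicit that it restricts the source port; the first call is the form that opens a service port to that host. To preview the effect of a generated rule on a ufw host, prefix it with "ufw --dry-run".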