
Firewalld Basic

Firewalld is the default tool for managing the host-based firewall in CentOS/RHEL 7.0. Earlier
versions used the iptables service for this. The iptables service still exists, but it should not be
used to manage the firewall on a host that runs firewalld.

Firewalld has several advantages over the iptables service. The iptables approach uses three separate
services, iptables for IPv4, ip6tables for IPv6 and ebtables for software bridging, while firewalld
manages all three from a single service. Firewalld also exposes a D-Bus interface through which rules
and ports can be added to or removed from the running firewall without reloading the whole rule set,
so established connections are not interrupted each time a change is made. The iptables service has
no such facility: a restart flushes and reloads every rule. Under the hood, firewalld on RHEL 7 still
programs the kernel through the iptables, ip6tables and ebtables commands; what changes is the
management layer on top. Unless you have a specific reason to use the iptables service, always use
firewalld to manage the firewall.

Disabling iptables service

Firewalld is incompatible with the iptables service and the two should never run together. Running
both simultaneously means each rewrites the rules the other installed, leaving the effective rule
set unpredictable. Whichever service you choose, disable and mask the other.

There are three iptables services:-

1. iptables for IPv4 configuration
2. ip6tables for IPv6 configuration
3. ebtables for software bridges

On RHEL/CentOS 7 the iptables and ip6tables units come from the iptables-services package, which is
not part of a default installation; if a unit is not present there is nothing to disable.

We can disable these services individually with the following commands. Disabling only removes a
unit from the boot sequence; it can still be started by hand or pulled in by another unit.

systemctl disable iptables
systemctl disable ip6tables
systemctl disable ebtables

OR, preferably, mask them. A masked unit cannot be started at all until it is unmasked, which is
what you want on a firewalld host. To mask all three iptables services use the following commands:

systemctl mask iptables
systemctl mask ip6tables
systemctl mask ebtables

Check the result with systemctl status iptables ip6tables ebtables (a masked unit reports
"Loaded: masked") and confirm that firewalld itself is enabled and active with
systemctl status firewalld.

Zone
For easier management firewalld sorts incoming traffic into zones, based on the interface it arrives
on or on its source address. Each zone holds the rule set for traffic of a similar trust level, so
that different networks can be handled separately. Let's understand it with an example.

Suppose we have a server with two LAN cards. The first LAN card is connected to a public network
(such as the Internet) and the second LAN card is connected to a private network. The server has
the following security requirements:-

- Open HTTP port (80) and block all remaining ports for the public network.
- Open FTP port (21) and block all remaining ports for the private network.

With zones this becomes: bind the first card to a zone that allows only the http service and the
second card to a zone that allows only the ftp service. Firewalld ships the following predefined
zones, listed from most to least trusted:
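The two-card requirement above carried out with firewall-cmd, as an added example that is not part of the original page. It assumes the public card is eth0 and the private card is eth1 (both assumptions), and it uses the predefined public and internal zones. To satisfy "block all remaining ports" it removes the services those zones allow by default, including ssh, so run it from the console or add ssh back to the zone you administer from. FWCMD is an added hook: set it to echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: put two NICs into two zones so that the public side
# allows only http and the private side only ftp.  Not from the original
# page.  Assumes interface names eth0 (public) and eth1 (private); set
# FWCMD to "echo" to see the commands without running them.
FWCMD="${FWCMD:-firewall-cmd}"

# Make ZONE allow exactly the services listed after IFACE and nothing else,
# then bind IFACE to it.  Everything is done with --permanent so it survives
# a reboot; apply_zone_policy reloads at the end to make it live.
set_zone_services() {
    zone=$1; iface=$2; shift 2
    wanted=" $* "

    # Remove every service the zone currently allows that is not wanted,
    # e.g. ssh and dhcpv6-client, which the public zone allows by default.
    current=$("$FWCMD" --permanent --zone="$zone" --list-services) || return 1
    for svc in $current; do
        case "$wanted" in
            *" $svc "*) ;;                                   # keep it
            *) "$FWCMD" --permanent --zone="$zone" --remove-service="$svc" || return 1 ;;
        esac
    done

    # Add the wanted services, then bind the interface to this zone.
    for svc in "$@"; do
        "$FWCMD" --permanent --zone="$zone" --add-service="$svc" || return 1
    done
    "$FWCMD" --permanent --zone="$zone" --change-interface="$iface" || return 1
}

# Public card: only http.  Private card: only ftp.  Anything else reaching
# either zone falls through to the zone's default target, which rejects.
apply_zone_policy() {
    public_if=$1; private_if=$2
    set_zone_services public   "$public_if"  http || return 1
    set_zone_services internal "$private_if" ftp  || return 1
    # Permanent changes take effect only after a reload.
    "$FWCMD" --reload
}

# Show the result: which zone each interface is in and what each zone allows.
show_zones() {
    "$FWCMD" --get-active-zones
    "$FWCMD" --zone=public --list-all
    "$FWCMD" --zone=internal --list-all
}

# As root:  APPLY=1 sh zones.sh      (APPLY unset: functions are only defined,
# which is handy for a FWCMD=echo dry run)
if [ -n "${APPLY:-}" ]; then
    apply_zone_policy "${PUBLIC_IF:-eth0}" "${PRIVATE_IF:-eth1}" && show_zones
fi
```

Afterwards firewall-cmd --get-active-zones should list eth0 under public and eth1 under internal, and each zone's services line should show only http or only ftp.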

Trusted - This zone allows all incoming traffic. On the trust scale it stands in first position. Use
this zone only for traffic you can trust blindly, because it filters nothing.

Home - This zone is customized for a home network. It allows incoming connections for the ssh, mdns,
ipp-client, samba-client and dhcpv6-client services, plus return traffic for connections the host
itself opened.

Internal - This zone is similar to the home zone but is customized for an internal network. It also
allows ssh, mdns, ipp-client, samba-client and dhcpv6-client, plus return traffic.

Work - This zone is customized for a work network. It allows ssh, ipp-client and dhcpv6-client, plus
return traffic.

Public - This zone is customized for a public network. It allows ssh and dhcpv6-client, plus return
traffic. This is the default zone unless you change the setting, so an interface with no explicit
zone lands here.

External - This zone is customized for routers with masquerading enabled. It allows ssh and return
traffic only.

Dmz - This zone is customized for hosts in a demilitarized zone, with limited access to the internal
network. It allows ssh and return traffic only.

Block - This zone rejects all incoming traffic with an icmp-host-prohibited message (icmp6-adm-prohibited
for IPv6). It allows only return traffic. On the trust scale it stands in second-last position.

Drop - This zone drops all incoming traffic without sending any error message. It allows only return
traffic. On the trust scale it stands in last position.

Except in the trusted zone, anything not matched by an allowed service, port or rich rule falls
through to the zone's default target: reject for the normal zones and block, drop for the drop zone.
Check which zone an interface is in with firewall-cmd --get-active-zones and inspect a zone with
firewall-cmd --zone=public --list-all.

Firewalld Rich Rules

Rich rules provide a much greater level of control through more granular options. Rich rules can
also be used to configure logging, masquerading, port forwarding and rate limiting.

Rule ordering matters, and firewalld does not evaluate rich rules in the order you typed them. Within
a zone it sorts them by action: logging rules first, then deny rules (reject and drop), then allow
rules. A packet that matches a deny rule is rejected or dropped at that point, so a host that is also
allowed by another rule will never get through. In other words, this combination does not work:-

- Rule A :- Allow a particular host
- Rule B :- Deny all hosts from that host's network

Rule B is evaluated first and the host is denied along with the rest of its network, no matter which
rule was added first. To allow a single host and block the rest, either accept the host and let the
zone's default target (reject in the public zone) block everyone else, or write the deny rule so that
it excludes the host, using source not address="..." instead of the whole network. Newer firewalld
releases add a priority= attribute to rich rules for explicit ordering; the firewalld shipped with
RHEL/CentOS 7 does not have it.

How to add Rich Rules

Our first requirement says "Allow Telnet connections only from 192.168.1.101. Limit them to one new
connection per minute. Drop Telnet connections from remaining hosts.".

firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.101/32 service name=telnet limit value=1/m accept'

This rule covers the allow part. Without --permanent it changes only the running firewall and is lost
on reload or reboot; repeat the command with --permanent to keep it. Telnet from other hosts is not
matched by this rule and falls through to the zone's default target, which in the public zone is
reject rather than drop.

Let's understand this command step by step

Command / Option / Argument - Description

firewall-cmd - the main command

--add-rich-rule - tells the main command that we want to add a rich rule (to the default zone, since
no --zone is given)

rule - the rule keyword marks the start of the rule. The whole rule is enclosed in single quotes
('rule ...') so that the shell passes it to firewall-cmd as one argument.

family=ipv4 - the rule applies to IPv4 only. The family is required whenever the rule names an
address.

source address=192.168.1.101/32 - a filter condition which says apply the rule if the packet comes
from 192.168.1.101. Don't be confused by the /32: it is a CIDR prefix length, not a wildcard mask. It
means all 32 bits of the address must match, i.e. exactly this one host. Writing 192.168.1.101/24
instead would match the whole 192.168.1.0/24 network, because the firewall then compares only the
first 24 bits. Omitting the prefix altogether also means a single host.

service name=telnet - another filter condition which says apply the rule if the packet is for the
telnet service (TCP port 23, as defined in the telnet service file)

limit value=1/m - match at most one new connection per minute. Connections above that rate do not
match this rule and fall through to the rest of the zone. The unit can be s, m, h or d.

accept - allow the packet if all the filter conditions match.


The following command creates the rich rule for the second requirement, which says "Allow SSH
connections from network 192.168.1.0/24. Log each access with the "SSH Access" prefix":

firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh log prefix="SSH Access" level="notice" accept'

The log entries go to the kernel log (see them with journalctl -k) at syslog level notice. Since
the log clause has no limit, every new connection is logged.

The following command creates the rich rule for the third requirement (Allow FTP connections only
from 192.168.1.2. Reject FTP connections from remaining systems.):

firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.2/32 port port=21 protocol=tcp accept'

Again the rule itself only accepts; other hosts are rejected by the public zone's default target.
Note that matching port 21 covers only the FTP control channel. The predefined ftp service
(service name=ftp) also loads the FTP connection-tracking helper needed for data connections.

The following command creates the rich rule for the last requirement (Reject ping requests from all
hosts with an error message.):

firewall-cmd --add-rich-rule='rule protocol value=icmp reject'

This rejects every ICMP type, not only echo-request. To reject only ping, use
rule family=ipv4 icmp-block name=echo-request instead, or firewall-cmd --add-icmp-block=echo-request
outside rich rules.
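The four requirements above, written so that they hold under firewalld's log/deny/allow ordering and saved with --permanent, as an added example that is not part of the original page. The zone (public), addresses and services are the page's; the deny rules use firewalld's source not inversion so that the allowed host is not caught by them. host_bits_clear is an added check that refuses a source such as 192.168.1.101/24 before the rule is installed, since the firewall would silently treat it as the whole 192.168.1.0/24 network. FWCMD is an added hook for dry runs.

```shell
#!/bin/sh
# Added example: the page's four rich-rule requirements, installed in a
# form that works with firewalld's fixed evaluation order (log, then deny,
# then allow).  Not from the original page.  Set FWCMD to "echo" to print
# the firewall-cmd invocations instead of running them.
FWCMD="${FWCMD:-firewall-cmd}"

# Dotted quad -> 32-bit integer (192.168.1.101 -> 3232235877).
ip4_to_int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed only if ADDR/PREFIX has no host bits set.  A bare address counts
# as /32.  "192.168.1.101/24" fails: netfilter masks it to 192.168.1.0/24
# and the rule would cover the whole network instead of one host.
host_bits_clear() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ] || return 1
    ip=$(ip4_to_int "$addr")
    if [ "$prefix" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF )); fi
    [ $(( ip & ~mask & 0xFFFFFFFF )) -eq 0 ]
}

# Add one rich rule to ZONE permanently.  Every address=... in RULE must pass
# host_bits_clear; the rule text itself is passed through unchanged.
add_rich() {
    zone=$1; rule=$2
    for word in $rule; do
        case "$word" in
            address=*) host_bits_clear "${word#address=}" || {
                echo "refusing rule with host bits set: $word" >&2; return 1; } ;;
        esac
    done
    "$FWCMD" --permanent --zone="$zone" --add-rich-rule="$rule"
}

apply_rich_policy() {
    zone=${1:-public}

    # 1. Telnet only from 192.168.1.101, one new connection per minute,
    #    dropped from everyone else.  The drop rule is evaluated before the
    #    accept (deny chain first), so it must exclude the allowed host with
    #    "source not".  Connections from that host above the rate limit match
    #    neither rule and hit the zone target (reject in public).
    add_rich "$zone" 'rule family=ipv4 source not address=192.168.1.101/32 service name=telnet drop' || return 1
    add_rich "$zone" 'rule family=ipv4 source address=192.168.1.101/32 service name=telnet limit value=1/m accept' || return 1

    # 2. SSH from 192.168.1.0/24, each new connection logged with a prefix.
    add_rich "$zone" 'rule family=ipv4 source address=192.168.1.0/24 service name=ssh log prefix="SSH Access" level=notice accept' || return 1

    # 3. FTP only from 192.168.1.2, rejected (with an ICMP error) from the
    #    rest.  The ftp service also loads the FTP conntrack helper, which a
    #    bare "port port=21 protocol=tcp" rule would not.
    add_rich "$zone" 'rule family=ipv4 source not address=192.168.1.2/32 service name=ftp reject' || return 1
    add_rich "$zone" 'rule family=ipv4 source address=192.168.1.2/32 service name=ftp accept' || return 1

    # 4. Reject ping from everyone, with an error.  icmp-block hits only
    #    echo-request; "protocol value=icmp reject" would hit every ICMP type.
    add_rich "$zone" 'rule family=ipv4 icmp-block name=echo-request' || return 1

    # Permanent rules are inert until reloaded.
    "$FWCMD" --reload
}

# As root:  APPLY=1 sh richrules.sh   (APPLY unset: functions are only defined)
if [ -n "${APPLY:-}" ]; then
    apply_rich_policy "${ZONE:-public}" && "$FWCMD" --zone="${ZONE:-public}" --list-rich-rules
fi
```

After applying, firewall-cmd --list-rich-rules shows the six rules, and iptables -S IN_public shows the zone jumping to IN_public_log, IN_public_deny and IN_public_allow in that order, which is why the drop and reject rules had to exclude the allowed hosts.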

How to remove Rich Rules

To remove a rule, replace the --add-rich-rule option with --remove-rich-rule and give exactly the
same rule text:

firewall-cmd --remove-rich-rule='rule protocol value=icmp reject'

The rich rules currently in a zone can be listed with firewall-cmd --list-rich-rules (add
--permanent to see the saved ones).

--add-rich-rule='RULE' adds the specified rule to a zone. Here we allow traffic from the range
10.0.0.0/24 to 192.168.0.10 only, on TCP ports 8080 through 8090, in a zone named testing. This is a
custom zone, so it must already exist (for example created with firewall-cmd --permanent
--new-zone=testing). Because --permanent is used, the rule is written to the zone's XML file and
takes effect only after firewall-cmd --reload.

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept'

--remove-rich-rule removes the rule. The syntax is the same as for --add-rich-rule, and the rule
text must match the existing rule exactly.

[root@centos7 ~]# firewall-cmd --permanent --zone=testing --remove-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept'

Rich rules can also send messages to the log, and this logging can be rate limited. Here we log and
accept SSH connections from 192.168.0.0/24, writing no more than 50 log entries per minute. The
level="info" is the syslog level the entries are written at, not a filter on which events get
logged, and the limit belongs to the log clause only, so the connections themselves are still
accepted without limit.

[root@centos7 ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="ssh" log prefix="ssh" level="info" limit value="50/m" accept'
