====== FirewallD ======

===== Zones =====

  * **Drop:** Every incoming packet is dropped without any reply, the equivalent of an iptables ''-j DROP'' rule. Only outgoing network connections are possible.
  * **Block:** Incoming network connections are rejected with an icmp-host-prohibited message. Only connections initiated from the server itself (established connections) are allowed.
  * **Public:** For use on public networks. Only the connections we explicitly allow (specific ports or services) are accepted; everything else is dropped.
  * **External:** For use on a router, with masquerading enabled. Only the connections we explicitly allow are accepted; everything else is dropped.
  * **DMZ:** For hosts in a DMZ that expose some services to the public. Again, only the selected incoming connections are accepted.
  * **Work:** For internal (private) networks at work. Only the selected incoming connections are accepted.
  * **Home:** For home networks, where you mostly trust the other computers not to harm yours. Only the selected incoming connections are accepted.
  * **Internal:** Similar to the work zone; only the selected incoming connections are accepted.
  * **Trusted:** All traffic is accepted.

==== Applying a zone ====

<code bash>
# firewall-cmd --add-interface=[INTERFACE] --zone=internal --permanent
</code>

=== CentOS ===

Edit the interface file ''/etc/sysconfig/network-scripts/ifcfg-[INTERFACE]'' and add:

<code>
[...]
ZONE=internal
</code>

=== Debian ===

Create the file ''/etc/network/if-pre-up.d/firewalld-zone-internal'':

<code bash>
#!/bin/sh
nmcli connection modify [INTERFACE] connection.zone internal
</code>

Make it executable:

<code bash>
# chmod +x /etc/network/if-pre-up.d/firewalld-zone-internal
</code>

===== Main commands =====

==== Allow a service ====

In **public** (the default when no zone is given):

<code bash>
# firewall-cmd --add-service=http --permanent
</code>

In another zone:

<code bash>
# firewall-cmd --zone=internal --add-service=http --permanent
</code>

==== Allow a port ====

<code bash>
# firewall-cmd --add-port=1234/[tcp or udp] --permanent
</code>

==== Reload the firewall rules ====

<code bash>
# firewall-cmd --reload
</code>

==== List active FirewallD zones ====

<code bash>
# firewall-cmd --get-active-zones
</code>

==== List the services available to FirewallD ====

<code bash>
# firewall-cmd --get-services
</code>

==== Allow a service for a network or IP ====

The rule text is quoted with single quotes so that the double quotes inside it reach ''firewall-cmd'' intact:

<code bash>
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="http" accept'
</code>

==== Allow a port for a network or IP ====

<code bash>
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="146.164.0.0/16" port port="9101" protocol="tcp" accept'
</code>

A port range can also be allowed:

<code bash>
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="146.164.0.0/16" port port="9101-9109" protocol="tcp" accept'
</code>

**Note:** the ''--remove-rich-rule'' option removes the rules shown above.

==== Enable "panic" mode ====

Panic mode blocks all traffic, both incoming and outgoing connections.

<code bash>
# firewall-cmd --panic-on
</code>

To turn panic mode off:

<code bash>
# firewall-cmd --panic-off
</code>

To check whether panic mode is active:

<code bash>
# firewall-cmd --query-panic
</code>

==== Enable masquerading in the firewall (NAT) ====

<code bash>
# firewall-cmd --zone=external --add-masquerade
</code>

Check whether masquerading is enabled:

<code bash>
# firewall-cmd --zone=external --query-masquerade
</code>

==== Port forwarding in FirewallD ====

<code bash>
# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132
</code>

==== ICMP services ====

List the ICMP types available in FirewallD:

<code bash>
# firewall-cmd --get-icmptypes
</code>

Check whether an ICMP type is blocked:

<code bash>
# firewall-cmd --zone=public --query-icmp-block=echo-reply
</code>

Block an ICMP type:

<code bash>
# firewall-cmd --zone=public --add-icmp-block=echo-reply
</code>

==== Working with chain rules (direct interface) ====

List rules:

<code bash>
# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
</code>

Add a new rule:

<code bash>
# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
</code>

Remove an existing rule:

<code bash>
# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT
</code>

===== References =====

  * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
  * http://www.tecmint.com/firewalld-rules-for-centos-7/
  * https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/
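==== Example: generating rich rules from an allowlist ====

The rich rules from the "allow a service/port for a network or IP" sections above are usually applied for several sources and ports at once. The script below is an added example, not part of the original page or of firewalld itself: it builds each rule text with the same ''rule family=... source address=... accept'' syntax, validates the family, source address, protocol and port range before anything reaches ''firewall-cmd'', and passes the rule as a single-quoted argument. The allowlist entries, the ''rich_rule''/''allow_from'' function names and the ''DRY_RUN'' switch are all constructed for this example.

```bash
#!/bin/sh
# Added example (not from the original page): build firewalld rich rules for a
# source-restricted allowlist, validating every field before it reaches firewall-cmd.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

# rich_rule FAMILY SOURCE KIND VALUE [PROTO]
#   KIND "service": VALUE is a firewalld service name (e.g. http)
#   KIND "port":    VALUE is a port or a low-high range, PROTO is tcp or udp
# Prints the rule text; returns 1 (reason on stderr) when any input is invalid.
rich_rule() {
  family=$1 source=$2 kind=$3 value=$4 proto=$5
  case "$family" in ipv4|ipv6) ;; *) echo "bad family: $family" >&2; return 1 ;; esac
  # source must look like an IPv4/IPv6 address or CIDR prefix, nothing else
  case "$source" in ""|*[!0-9a-fA-F.:/]*) echo "bad source: $source" >&2; return 1 ;; esac
  case "$kind" in
    service)
      case "$value" in ""|*[!a-zA-Z0-9_-]*) echo "bad service: $value" >&2; return 1 ;; esac
      printf 'rule family="%s" source address="%s" service name="%s" accept\n' \
        "$family" "$source" "$value" ;;
    port)
      case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
      case "$value" in ""|-*|*-|*-*-*|*[!0-9-]*) echo "bad port: $value" >&2; return 1 ;; esac
      lo=${value%%-*}; hi=${value##*-}          # a single port gives lo = hi
      [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || { echo "bad port: $value" >&2; return 1; }
      printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" accept\n' \
        "$family" "$source" "$value" "$proto" ;;
    *) echo "bad kind: $kind" >&2; return 1 ;;
  esac
}

# allow_from ZONE FAMILY SOURCE KIND VALUE [PROTO]: print the exact command and,
# unless DRY_RUN=1, run it. Run "firewall-cmd --reload" afterwards to activate.
allow_from() {
  zone=$1; shift
  rule=$(rich_rule "$@") || return 1
  echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='$rule'"
  [ "$DRY_RUN" = 1 ] || firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
}

# Constructed sample allowlist, one entry per line: ZONE FAMILY SOURCE KIND VALUE [PROTO]
ALLOWLIST='internal ipv4 10.0.0.0/8 service http
internal ipv4 146.164.0.0/16 port 9101-9109 tcp'

apply_allowlist() {
  printf '%s\n' "$ALLOWLIST" | while read -r zone family src kind value proto; do
    allow_from "$zone" "$family" "$src" "$kind" "$value" $proto || return 1
  done
}
apply_allowlist
```

Because every field is validated and the rule is passed as one argument, an allowlist entry can never turn into extra shell words or a differently shaped rule than intended.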