
FirewallD

Zones

  • Drop: Any incoming packet is dropped without a reply, the same as an iptables `-j DROP` rule. Only outgoing network connections are possible.
  • Block: Incoming network connections are rejected with an icmp-host-prohibited message. Only connections initiated from the server itself are allowed.
  • Public: For use in public areas. Only the incoming connections you explicitly allow (services or ports added to the zone) are accepted; everything else is dropped.
  • External: For use on external networks with masquerading enabled (the host acts as a router). Only the selected incoming connections are accepted; everything else is dropped.
  • DMZ: For hosts in a demilitarized zone that expose some services to the public. Again, only the selected incoming connections are accepted.
  • Work: For use on internal (private) networks, where the other computers are mostly trusted. Only the selected incoming connections are accepted.
  • Home: For use at home, where you mostly trust the other computers on the network. Only the selected incoming connections are accepted.
  • Internal: Similar to the work zone; only the selected incoming connections are accepted.
  • Trusted: All traffic is accepted.

Applying a zone

# firewall-cmd --add-interface=[INTERFACE] --zone=internal --permanent

CentOS

Edit the interface file /etc/sysconfig/network-scripts/ifcfg-[INTERFACE] and add:

[...]
ZONE=internal

Debian

Create the file /etc/network/if-pre-up.d/firewalld-zone-internal with the following content (the shebang is needed because run-parts executes the file directly):

#!/bin/sh
# Bind the interface to the internal zone before it is brought up
nmcli connection modify [INTERFACE] connection.zone internal

Execution permission:

# chmod +x /etc/network/if-pre-up.d/firewalld-zone-internal

Main commands

Allow a service

In public (when no zone is given):

# firewall-cmd --add-service=http --permanent

In another zone:

# firewall-cmd --zone=internal --add-service=http --permanent

Open a port

# firewall-cmd --add-port=1234/[tcp ou udp] --permanent

Reload the firewall rules

# firewall-cmd --reload

List active FirewallD zones

# firewall-cmd --get-active-zones

List the services available to FirewallD

# firewall-cmd --get-services

Allow a service for a network or IP

# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="http" accept'

Open a port for a network or IP

# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="146.164.0.0/16" port port=9101 protocol=tcp accept'

A port range can also be opened:

# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="146.164.0.0/16" port port=9101-9109 protocol=tcp accept'

Note: the --remove-rich-rule parameter removes the rules shown above. The rich rule must be passed as a single argument, hence the single outer quotes around the rule and double quotes inside it.
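The zone binding (Applying a zone) and the rich-rule steps above, combined into one reviewable script. This is an added example, not code from the original page; interface eth0, zone internal, and the networks and port range are assumptions (taken from the commands above where they appear), and FW_DRY_RUN=1 prints the firewall-cmd calls instead of executing them.

```shell
#!/bin/sh
# Added example: bind an interface to a zone, open a service, add the page's
# rich rules as permanent config, then reload and verify. Assumptions:
# eth0, zone internal, 10.0.0.0/8 and 146.164.0.0/16 as trusted networks,
# tcp 9101-9109 as the admin port range (all overridable via environment).
IFACE="${IFACE:-eth0}"
ZONE="${ZONE:-internal}"
ADMIN_NET="${ADMIN_NET:-146.164.0.0/16}"
ADMIN_PORTS="${ADMIN_PORTS:-9101-9109}"

# Run firewall-cmd, or print the exact call when FW_DRY_RUN=1 (review first).
fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd'
        for a in "$@"; do printf " '%s'" "$a"; done
        printf '\n'
    else
        firewall-cmd "$@"
    fi
}

# Build rich rules with the inner double quotes firewalld expects; the result
# is passed to fw as ONE argument, so the shell never sees those quotes.
rich_rule_service() {  # $1=source CIDR  $2=service name
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}
rich_rule_port() {     # $1=source CIDR  $2=port or range  $3=protocol
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' "$1" "$2" "$3"
}

apply_baseline() {
    # All changes are --permanent so they survive a restart; a single
    # --reload at the end makes them the running configuration.
    fw --permanent --zone="$ZONE" --add-interface="$IFACE"
    fw --permanent --zone="$ZONE" --add-service=http
    fw --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule_service 10.0.0.0/8 http)"
    fw --permanent --zone="$ZONE" --add-rich-rule="$(rich_rule_port "$ADMIN_NET" "$ADMIN_PORTS" tcp)"
    fw --reload
}

verify_baseline() {
    # --query-* exits 0 only when the rule is active, so this doubles as a
    # post-change health check for monitoring or a deployment pipeline.
    fw --zone="$ZONE" --query-interface="$IFACE" &&
    fw --zone="$ZONE" --query-service=http &&
    fw --zone="$ZONE" --query-rich-rule="$(rich_rule_port "$ADMIN_NET" "$ADMIN_PORTS" tcp)"
}
```

Source the file and call `apply_baseline` followed by `verify_baseline`; run it once with FW_DRY_RUN=1 to review the generated commands before touching a live host.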

Enable "panic" mode

Panic mode blocks all traffic, both incoming and outgoing connections.

# firewall-cmd --panic-on

To turn panic mode off, the command is:

# firewall-cmd --panic-off

To check whether panic mode is active:

# firewall-cmd --query-panic

Enable masquerading in the firewall (NAT)

# firewall-cmd --zone=external --add-masquerade

Check whether masquerading is enabled in the firewall:

# firewall-cmd --zone=external --query-masquerade

Using port forwarding in FirewallD

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=2222:toaddr=192.168.0.132

ICMP services

Listing the ICMP types available in FirewallD:

# firewall-cmd --get-icmptypes

Checking whether an ICMP type is blocked:

# firewall-cmd --zone=public --query-icmp-block=echo-reply

Blocking an ICMP type:

# firewall-cmd --zone=public --add-icmp-block=echo-reply

Working with chain rules (direct rules)

List rules:

# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow

Add a new rule:

# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT

Remove an existing rule:

# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 25 -j ACCEPT


linux/firewalld.txt · Last modified: 27/04/2021 12:05 by 127.0.0.1
