Monday, 17 November 2014

RHCSE - firewall

Short reference to firewalld:

Disable firewalld and install iptables service:

systemctl disable firewalld
yum install iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

Reverse - use firewalld instead of iptables:

systemctl disable iptables
systemctl enable firewalld
systemctl start firewalld

Working with firewall-cmd:

firewall-cmd --list-all-zones (to list all available zones) or firewall-cmd --get-zones

Zones list with description (https://fedoraproject.org/wiki/FirewallD#Dynamic_firewall_with_FirewallD)
drop - Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block - Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public - For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
external - For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz - For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work - For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home - For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal - For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted - All network connections are accepted.

firewall-cmd --get-services (to list all available services)

Management of zone / interface:

firewall-cmd --get-zone-of-interface=p3p1 (get zone assigned to p3p1 interface - old eth0 in my environment)
firewall-cmd [--zone=] --add-interface=
firewall-cmd [--zone=] --change-interface=
firewall-cmd [--zone=] --remove-interface=
firewall-cmd [--zone=] --query-interface=

Panic mode:

firewall-cmd --panic-on
firewall-cmd --panic-off

Zone / service management:

If no zone is specified, the default zone is used (firewall-cmd --get-default-zone)
firewall-cmd [--zone=] --add-service=

To delete, use --remove-service; to query, use --query-service.

If there is no predefined service and you need to open a specific port, just use:
--add-port --remove-port --query-port

For router:

firewall-cmd [--zone=] --add-masquerade / --remove-masquerade / --query-masquerade

How to make changes permanent:

All changes made by firewall-cmd take effect immediately, with no need to restart the firewall service, but they are not permanent by default. If you need to save them, use the --permanent parameter of firewall-cmd.
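As an added example (not from the original post), a small POSIX sh helper that applies an add/remove of a service or port to both the running firewall and the saved configuration, because --permanent on its own only writes the saved configuration and is not enforced until the next firewall-cmd --reload or service restart. FW_DRY_RUN and the fw_* function names are assumed helper names for this script, not firewall-cmd options.

```shell
# fw_run: execute firewall-cmd, or only print the command when FW_DRY_RUN=1
# (FW_DRY_RUN is an assumed helper variable for this script, not a
# firewall-cmd option)
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# fw_set ACTION ZONE KIND VALUE
#   ACTION: add | remove     KIND: service | port
#   e.g. fw_set add public service http
#        fw_set remove dmz port 8080/tcp
# Runs the change twice: once against the runtime firewall (takes effect
# now, lost on reload/restart) and once with --permanent (saved under
# /etc/firewalld/zones, applied on the next reload/restart). Doing both
# keeps what is enforced now and what comes back after a reboot identical.
fw_set() {
    action=$1; zone=$2; kind=$3; value=$4
    case "$action" in
        add|remove) ;;
        *) echo "fw_set: ACTION must be add or remove" >&2; return 2 ;;
    esac
    case "$kind" in
        service|port) ;;
        *) echo "fw_set: KIND must be service or port" >&2; return 2 ;;
    esac
    # stop if the runtime change is refused (e.g. unknown service name),
    # so the saved configuration never diverges from the running one
    fw_run --zone="$zone" "--$action-$kind=$value" || return 1
    fw_run --permanent --zone="$zone" "--$action-$kind=$value"
}
```

Run with FW_DRY_RUN=1 first to see the two commands it would issue; without it the functions call the real firewall-cmd and need root.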

Configuration files:

The current zone configuration files are kept in /etc/firewalld/zones; the default definitions are in /usr/lib/firewalld.
