Working with firewalld zones

Firewalld is a rather unique animal, in that it comes with several pre-configured zones and services. If you look in the /usr/lib/firewalld/zones directory of your CentOS machine, you'll see the zones files, all in .xml format:

[donnie@localhost ~]$ cd /usr/lib/firewalld/zones
[donnie@localhost zones]$ ls
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml
trusted.xml work.xml
[donnie@localhost zones]$

Each zone file specifies which ports are to be open and which ones are to be blocked for various given scenarios. Zones can also contain rules for ICMP messages, forwarded ports, masquerading information, and rich language rules.

For example, the .xml file for the public zone, which is set as the default, looks like this:

<?xml version="1.0" encoding="utf-8"?> 
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other
computers on networks to not harm your computer. Only selected incoming
connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>

In the service name lines, you can see that the only open ports are for Secure Shell access and for DHCPv6 discovery. If you look at the home.xml file, you'll see that it also opens the ports for Multicast DNS, as well as the ports that allow this machine to access shared directories from either Samba servers or Windows servers:

<?xml version="1.0" encoding="utf-8"?> 
<zone>
<short>Home</short>
<description>For use in home areas. You mostly trust the other computers
on networks to not harm your computer. Only selected incoming connections
are accepted.</description>
<service name="ssh"/>
<service name="mdns"/>
<service name="samba-client"/>
<service name="dhcpv6-client"/>
</zone>

The firewall-cmd utility is what you would use to configure firewalld. You can use it to view the list of zone files on your system, without having to cd into the zone file directory:

[donnie@localhost ~]$ sudo firewall-cmd --get-zones
[sudo] password for donnie:
block dmz drop external home internal public trusted work
[donnie@localhost ~]$

A quick way to see how each zone is configured is to use the --list-all-zones option:

[donnie@localhost ~]$ sudo firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
. . .
. . .

Of course, this is only a portion of the output because the listing for all zones is more than we can display here. It's likely that you'll only want to see information about one particular zone:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=internal
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[donnie@localhost ~]$

So, the internal zone allows the ssh, mdns, samba-client, and dhcpv6-client services. This is handy for setting up client machines on your internal LAN.

Any given server or client will have one or more installed network interface adapters. Each adapter in a machine can be assigned one, and only one, firewalld zone. To see the default zone, use the following command:

[donnie@localhost ~]$ sudo firewall-cmd --get-default-zone
public
[donnie@localhost ~]$

This is great, except that it doesn't tell you anything about which network interface is associated with this zone. To see that information, use the following command:

[donnie@localhost ~]$ sudo firewall-cmd --get-active-zones
public
interfaces: enp0s3
[donnie@localhost ~]$

When you install Red Hat or CentOS for the first time, the firewall will already be active with the public zone as the default. Now, let's say that you're setting up your server in the DMZ and you want to make sure that its firewall is locked down for that. You can change the default zone to the dmz zone. Let's take a look at the dmz.xml file to see what that does for us:

<?xml version="1.0" encoding="utf-8"?> 
<zone>
<short>DMZ</short>
<description>For computers in your demilitarized zone that are publicly-accessible
with limited access to your internal network. Only selected
incoming connections are accepted.</description>
<service name="ssh"/>
</zone>

So, the only thing that the DMZ allows through is Secure Shell. Okay; that's good enough for now, so let's set the dmz zone as the default:

[donnie@localhost ~]$ sudo firewall-cmd --set-default-zone=dmz
[sudo] password for donnie:
success
[donnie@localhost ~]$

Let's verify it:

[donnie@localhost ~]$ sudo firewall-cmd --get-default-zone
dmz
[donnie@localhost ~]$

And we're all good. However, an internet-facing server in the DMZ probably needs to allow more than just SSH connections. This is where we'll use the firewalld services. But before we look at that, let's consider one more important point.

You never want to modify the files in the /usr/lib/firewalld directory. Whenever you modify the firewalld configuration, you'll see the modified files show up in the /etc/firewalld directory. So far, all we've modified is the default zone. Due to this, we'll see the following in /etc/firewalld:

[donnie@localhost ~]$ sudo ls -l /etc/firewalld
total 12
-rw-------. 1 root root 2003 Oct 11 17:37 firewalld.conf
-rw-r--r--. 1 root root 2006 Aug 4 17:14 firewalld.conf.old
. . .

We can do a diff on those two files to see the difference between them:

[donnie@localhost ~]$ sudo diff /etc/firewalld/firewalld.conf /etc/firewalld/firewalld.conf.old
6c6
< DefaultZone=dmz
---
> DefaultZone=public
[donnie@localhost ~]$

So, the newer of the two files shows that the dmz zone is now the default.
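The zone XML format shown above and the /usr/lib versus /etc split lend themselves to a quick offline audit. The following script is an added example, not from the book or the firewalld project: it pulls the service names out of zone files, resolves which copy of a zone is actually in effect (the /etc/firewalld/zones copy overriding the stock /usr/lib/firewalld/zones one, firewalld's lookup order), and shows what one zone opens beyond another. All zone files it reads are constructed inline, so it runs without firewalld installed.

```shell
#!/bin/sh
# Added example, not from the book: audit firewalld zone files offline.
# Assumes the <service name="..."/> element form shown above, and that a zone
# file under /etc/firewalld/zones overrides the stock one of the same name
# under /usr/lib/firewalld/zones. Sample zone files are constructed below.

# Print the services a zone file opens, space-separated, in file order.
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Print, one per line, the services zone file $2 opens that zone file $1
# does not: what switching the default from $1 to $2 would newly expose.
zone_extra_services() {
    base=" $(zone_services "$1") "
    for svc in $(zone_services "$2"); do
        case "$base" in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc" ;;
        esac
    done
}

# Resolve the file actually in effect for zone name $1: the override in the
# etc zones dir ($2) wins over the stock copy in the lib zones dir ($3).
effective_zone_file() {
    if [ -f "$2/$1.xml" ]; then printf '%s\n' "$2/$1.xml"
    elif [ -f "$3/$1.xml" ]; then printf '%s\n' "$3/$1.xml"
    else return 1; fi
}

# Constructed samples mirroring the stock dmz.xml and home.xml above, plus a
# constructed local override of dmz to which someone has added http.
make_sample_zones() {
    mkdir -p "$1/lib" "$1/etc"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n<short>DMZ</short>\n<service name="ssh"/>\n</zone>\n' > "$1/lib/dmz.xml"
    printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n<short>Home</short>\n<service name="ssh"/>\n<service name="mdns"/>\n<service name="samba-client"/>\n<service name="dhcpv6-client"/>\n</zone>\n' > "$1/lib/home.xml"
    printf '<zone>\n<short>DMZ</short>\n<service name="ssh"/>\n<service name="http"/>\n</zone>\n' > "$1/etc/dmz.xml"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_zones "$SAMPLE_DIR"
for z in dmz home; do
    f=$(effective_zone_file "$z" "$SAMPLE_DIR/etc" "$SAMPLE_DIR/lib")
    printf '%-5s %s -> %s\n' "$z" "$f" "$(zone_services "$f")"
done
printf 'home opens beyond stock dmz: %s\n' \
    "$(zone_extra_services "$SAMPLE_DIR/lib/dmz.xml" "$SAMPLE_DIR/lib/home.xml" | tr '\n' ' ')"
```

Point the two directory arguments at /etc/firewalld/zones and /usr/lib/firewalld/zones on a real CentOS host to see which zone copy is live and whether a local override has quietly widened a zone.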

To find out more about firewalld zones, enter the man firewalld.zones command.