By completing this lab, you'll get some practice with basic firewalld commands:
- Log into either your CentOS 7 or CentOS 8 virtual machine and run the following commands. Observe the output after each one:
sudo firewall-cmd --get-zones
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --get-active-zones
- Briefly view the man pages that deal with firewalld zones:
man firewalld.zones
man firewalld.zone
(Yes, there are two of them. One explains the zone configuration files, while the other explains the zones themselves.)
- Look at the configuration information for all of the available zones:
sudo firewall-cmd --list-all-zones
- Look at the list of predefined services. Then, look at the information about the dropbox-lansync service:
sudo firewall-cmd --get-services
sudo firewall-cmd --info-service=dropbox-lansync
- Set the default zone to dmz. Look at the zone's information, add the http and https services to it (with no --zone switch, firewall-cmd acts on the default zone), and then look at the zone information again, in both its runtime and permanent forms:
sudo firewall-cmd --permanent --set-default-zone=dmz
sudo firewall-cmd --permanent --add-service={http,https}
sudo firewall-cmd --info-zone=dmz
sudo firewall-cmd --permanent --info-zone=dmz
- Reload the firewall configuration and look at zone information again. Also, look at the list of services that are being allowed:
sudo firewall-cmd --reload
sudo firewall-cmd --info-zone=dmz
sudo firewall-cmd --list-services
- Permanently open port 10000/tcp and view the results. Because --list-ports shows the runtime configuration, the port doesn't appear until after the reload:
sudo firewall-cmd --permanent --add-port=10000/tcp
sudo firewall-cmd --list-ports
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
sudo firewall-cmd --info-zone=dmz
- Remove the port that you just added:
sudo firewall-cmd --permanent --remove-port=10000/tcp
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports
sudo firewall-cmd --info-zone=dmz
- Add a rich language rule that drops http traffic from a range of IPv4 addresses. Without --permanent, this is a runtime-only change:
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="200.192.0.0/24" service name="http" drop'
- Block the host-redirect and network-redirect ICMP types:
sudo firewall-cmd --add-icmp-block={host-redirect,network-redirect}
- Turn on logging of denied packets for all packet types. The messages go to the kernel log, which you can read with journalctl -k or dmesg:
sudo firewall-cmd --set-log-denied=all
- View both the runtime and permanent configurations and note the differences between them. (The default zone is now dmz, so the rich rule and ICMP blocks from the previous steps landed in dmz, not public. The runtime view shows them; the permanent view does not, because they were added without --permanent.)
sudo firewall-cmd --info-zone=dmz
sudo firewall-cmd --info-zone=dmz --permanent
- Make the runtime configuration permanent and verify that it took effect (dmz is the default zone at this point, so that's the zone to check):
sudo firewall-cmd --runtime-to-permanent
sudo firewall-cmd --info-zone=dmz --permanent
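The previous two steps are where runtime-only changes bite: anything added without --permanent disappears on the next reload, and eyeballing two --info-zone printouts is error-prone. The following script is added here as an example and is not part of the lab; it lists every item present in the runtime zone configuration but missing from the permanent one. The two zone printouts embedded in it are constructed to resemble --info-zone=dmz output at this point in the lab (rich rule and ICMP blocks present at runtime only), and the function and variable names are this example's own. Use the firewall-cmd lines in the header comment to feed it real output.

```sh
# Added example (not part of the lab): list the zone settings that exist only in
# the runtime configuration, i.e. everything that firewall-cmd --reload would
# discard. The two samples are constructed to look like --info-zone=dmz output
# at this point in the lab: rich rule and ICMP blocks present at runtime only.
# On a real host you would fill them from firewall-cmd instead:
#   RUNTIME_SAMPLE="$(sudo firewall-cmd --info-zone=dmz)"
#   PERMANENT_SAMPLE="$(sudo firewall-cmd --permanent --info-zone=dmz)"
export LC_ALL=C

RUNTIME_SAMPLE="$(printf '%s\n' \
  'dmz (active)' \
  '  target: default' \
  '  icmp-block-inversion: no' \
  '  interfaces: enp0s3' \
  '  sources: ' \
  '  services: http https ssh' \
  '  ports: ' \
  '  protocols: ' \
  '  masquerade: no' \
  '  forward-ports: ' \
  '  source-ports: ' \
  '  icmp-blocks: host-redirect network-redirect' \
  '  rich rules: '
printf '\t%s\n' \
  'rule family="ipv4" source address="200.192.0.0/24" service name="http" drop')"

PERMANENT_SAMPLE="$(printf '%s\n' \
  'dmz' \
  '  target: default' \
  '  icmp-block-inversion: no' \
  '  interfaces: enp0s3' \
  '  sources: ' \
  '  services: http https ssh' \
  '  ports: ' \
  '  protocols: ' \
  '  masquerade: no' \
  '  forward-ports: ' \
  '  source-ports: ' \
  '  icmp-blocks: ' \
  '  rich rules: ')"

# explode: read --info-zone output on stdin and emit one "field item" per line.
# List fields are split on whitespace; rich rules, which firewalld prints one
# per tab-indented line under "rich rules:", are kept whole.
explode() {
  awk '
    /^  (services|ports|protocols|source-ports|forward-ports|icmp-blocks|interfaces|sources):/ {
      key = $1; sub(/:$/, "", key)
      for (i = 2; i <= NF; i++) print key, $i
      next
    }
    /^  rich rules:/ { inrich = 1; next }
    inrich && /^[ \t]+rule / { sub(/^[ \t]+/, ""); print "rich-rule", $0; next }
    { inrich = 0 }
  ' | sort -u
}

# unsaved_changes RUNTIME_TEXT PERMANENT_TEXT
# Prints every item present in the runtime configuration but missing from the
# permanent one. Empty output means a reload would change nothing.
unsaved_changes() {
  {
    printf '%s\n' "$2" | explode | sed 's/^/P /'
    printf '%s\n' "$1" | explode | sed 's/^/R /'
  } | awk '
    $1 == "P" { sub(/^P /, ""); perm[$0] = 1; next }
    $1 == "R" { sub(/^R /, ""); if (!($0 in perm)) print }
  '
}

unsaved_changes "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
```

Run against the samples, the script prints the two ICMP blocks and the rich rule, exactly the items that --runtime-to-permanent saves in this step. The comparison is deliberately one-directional: items that exist only in the permanent configuration are not "unsaved" and are not reported.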
- On CentOS 7, you can view the complete list of effective firewall rules by using the following command:
sudo iptables -L
- On CentOS 8, you can view the complete list of effective firewall rules by using the following command:
sudo nft list ruleset
- Create direct rules in the mangle table's PREROUTING chain. The first rule of each pair drops packets that conntrack considers INVALID; the second drops TCP packets that would start a new connection without the SYN flag set:
sudo firewall-cmd --direct --add-rule ipv4 mangle PREROUTING 0 -m conntrack --ctstate INVALID -j DROP
sudo firewall-cmd --direct --add-rule ipv4 mangle PREROUTING 1 -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
sudo firewall-cmd --direct --add-rule ipv6 mangle PREROUTING 0 -m conntrack --ctstate INVALID -j DROP
sudo firewall-cmd --direct --add-rule ipv6 mangle PREROUTING 1 -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
- Verify that the rules took effect and make them permanent:
sudo firewall-cmd --direct --get-rules ipv4 mangle PREROUTING
sudo firewall-cmd --direct --get-rules ipv6 mangle PREROUTING
sudo firewall-cmd --runtime-to-permanent
- View the contents of the direct.xml file that you've just created:
sudo less /etc/firewalld/direct.xml
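direct.xml is the only record of direct rules, so being able to turn it back into firewall-cmd commands is handy for review or for replaying the rules on another host. The script below is added as an example and is not part of the lab. The file content embedded in it is constructed to match the layout firewalld writes for the four rules above; the parser extracts each attribute separately, so it does not depend on that attribute order. The function names are this example's own.

```sh
# Added example (not part of the lab): rebuild the firewall-cmd commands that
# correspond to each <rule> in /etc/firewalld/direct.xml, so the direct rules
# can be reviewed in one place or replayed on another host. The sample below is
# constructed to match the layout firewalld uses for the four rules from this
# lab. On a real host: direct_rules_to_cmds "$(sudo cat /etc/firewalld/direct.xml)"
export LC_ALL=C

DIRECT_XML_SAMPLE='<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="mangle" ipv="ipv4" chain="PREROUTING">-m conntrack --ctstate INVALID -j DROP</rule>
  <rule priority="1" table="mangle" ipv="ipv4" chain="PREROUTING">-p tcp ! --syn -m conntrack --ctstate NEW -j DROP</rule>
  <rule priority="0" table="mangle" ipv="ipv6" chain="PREROUTING">-m conntrack --ctstate INVALID -j DROP</rule>
  <rule priority="1" table="mangle" ipv="ipv6" chain="PREROUTING">-p tcp ! --syn -m conntrack --ctstate NEW -j DROP</rule>
</direct>'

# attr NAME: print the value of attribute NAME from the <rule ...> tag on stdin.
# Each attribute is matched on its own, so the order inside the tag is irrelevant.
attr() {
  sed -n "s/.*<rule[^>]* $1=\"\([^\"]*\)\".*/\1/p"
}

# rule_args: print the element text (the iptables arguments) of a <rule> line.
# Only the characters used by the lab's rules are handled; XML entities such as
# &amp; or &lt; would need unescaping first.
rule_args() {
  sed -n 's/.*<rule[^>]*>\(.*\)<\/rule>.*/\1/p'
}

# direct_rules_to_cmds XML_TEXT
# Emits one line per <rule> element, in file order, using the argument order
# that --direct --add-rule expects: ipv table chain priority args...
direct_rules_to_cmds() {
  printf '%s\n' "$1" | grep '<rule ' | while IFS= read -r line; do
    printf 'firewall-cmd --permanent --direct --add-rule %s %s %s %s %s\n' \
      "$(printf '%s\n' "$line" | attr ipv)" \
      "$(printf '%s\n' "$line" | attr table)" \
      "$(printf '%s\n' "$line" | attr chain)" \
      "$(printf '%s\n' "$line" | attr priority)" \
      "$(printf '%s\n' "$line" | rule_args)"
  done
}

direct_rules_to_cmds "$DIRECT_XML_SAMPLE"
```

The output is the four --add-rule commands from the earlier step with --permanent added, which is what you would paste on a second host before running firewall-cmd --reload there. Chain and passthrough elements, which direct.xml can also hold, are ignored by this example.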
- Perform XMAS Nmap scans (FIN, PSH and URG flags set, no SYN) for both IPv4 and IPv6 against the virtual machine. Then, observe which rule was triggered by the scan by comparing the packet counters on the two direct rules (the -v switch shows them). iptables and ip6tables work for this on CentOS 8 as well, because firewalld implements direct rules through the iptables compatibility layer even with the nftables backend:
sudo nmap -sX ipv4_address_of_CentOS-VM
sudo nmap -6 -sX ipv6_address_of_CentOS-VM
sudo iptables -t mangle -L -v
sudo ip6tables -t mangle -L -v
- Repeat the previous step, but this time with a TCP Window scan (-sW, which sends ACK probes):
sudo nmap -sW ipv4_address_of_CentOS-VM
sudo nmap -6 -sW ipv6_address_of_CentOS-VM
sudo iptables -t mangle -L -v
sudo ip6tables -t mangle -L -v
- View the list of man pages for firewalld:
apropos firewall
That's the end of the lab – congratulations!