How do I list firewall rules in Linux 7?
Introduction
Firewalld is a firewall management solution available for many Linux distributions which acts as a frontend for the iptables packet filtering system provided by the Linux kernel. In this guide, we will cover how to set up a firewall for your server and show you the basics of managing the firewall with the
Note: There is a chance that you may be working with a newer version of firewalld than was available at the time of this writing, or that your server was set up slightly differently than the example server used throughout this guide. The behavior of some of the commands explained in this guide may vary depending on your specific configuration.
Basic Concepts in Firewalld
Before we begin talking about how to actually use the
Zones
The
For computers that might move between networks frequently (like laptops), this kind of flexibility provides a good method of changing your rules depending on your environment. You may have strict rules in place prohibiting most traffic when operating on a public WiFi network, while allowing more relaxed restrictions when connected to your home network. For a server, these zones are not as immediately important because the network environment rarely, if ever, changes. Regardless of how dynamic your network environment may be, it is still useful to be familiar with the general idea behind each of the predefined zones for
To use the firewall, we can create rules and alter the properties of our zones and then assign our network interfaces to whichever zones are most appropriate.
Rule Permanence
In firewalld, rules can be designated as either permanent or immediate. If a rule is added or modified, by default, the behavior of the currently running firewall is modified. At the next boot, the modifications will be thrown out and the old rules will be applied. Most
Install and Enable Your Firewall to Start at Boot
After you install
When the server restarts, your firewall should be brought up, your network interfaces should be put into the zones you configured (or fall back to the configured default zone), and any rules associated with the zone(s) will be applied to the associated interfaces. We can verify that the service is running and reachable by typing:
This indicates that our firewall is up and running with the default configuration.
Getting Familiar with the Current Firewall Rules
Before we begin to make modifications, we should familiarize ourselves with the default environment and rules provided by the daemon.
Exploring the Defaults
We can see which zone is currently selected as the default by typing:
Since we haven’t given
Here, we can see that our example server has two network interfaces being controlled by the firewall (
How do we know what rules are associated with the public zone though? We can print out the default zone’s configuration by typing:
We can tell from the output that this zone is both the default and active and that the
Exploring Alternative Zones
Now we have a good idea about the configuration for the default and active zone. We can find out information about other zones as well. To get a list of the available zones, type:
We can see the specific configuration associated with a zone by including the
You can output all of the zone definitions by using the
Selecting Zones for your Interfaces
Unless you have configured your network interfaces otherwise, each interface will be put in the default zone when the firewall is booted.
Changing the Zone of an Interface
You can transition an interface between zones during a session by using the
For instance, we can transition our
Note: Whenever you are transitioning an interface to a new zone, be aware that you are probably modifying the services that will be operational. For instance, here we are moving to the “home” zone, which has SSH available. This means that our connection shouldn’t drop. Some other zones do not have SSH enabled by default and if your connection is dropped while using one of these zones, you could find yourself unable to log back in. We can verify that this was successful by asking for the active zones again:
Adjusting the Default Zone
If all of your interfaces can best be handled by a single zone, it’s probably easier to select the best default zone and then use that for your configuration. You can change the default zone with the
Setting Rules for your Applications
The basic way of defining firewall exceptions for the services you wish to make available is fairly straightforward. We’ll run through the basic idea here.
Adding a Service to your Zones
The simplest method is to add the services or ports you need to the zones you are using. Again, you can get a list of the available services with the
Note: You can get more details about each of these services by looking at their associated /usr/lib/firewalld/services/ssh.xml
You can enable a service for a zone using the
For instance, if we are running a web server serving conventional HTTP traffic, we can allow this traffic for interfaces in our “public” zone for this session by typing:
You can leave out the
Once you have tested that everything is working as it should, you will probably want to modify the permanent firewall rules so that your service will still be available after a reboot. We can make our “public” zone change permanent by typing:
You can verify that this was successful by adding the
Your “public” zone will now allow HTTP web traffic on port 80. If your web server is configured to use SSL/TLS, you’ll also want to add the
What If No Appropriate Service Is Available?
The firewall services that are included with the firewalld installation represent many of the most common requirements for applications that you may wish to allow access to. However, there will likely be scenarios where these services do not fit your requirements. In this situation, you have two options.
Opening a Port for your Zones
One way to add support for your specific application is to open up the ports that it uses in the appropriate zone(s). This is done by specifying the port or port range, and the associated protocol for the ports you need to open. For instance, if our application runs on port 5000 and uses TCP, we could add this to the “public” zone for this session using the
We can verify that this was successful using the
It is also possible to specify a sequential range of ports by separating the beginning and ending port in the range with a dash. For instance, if our application uses UDP ports 4990 to 4999, we could open these up on “public” by typing:
After testing, we would likely want to add these to the permanent firewall. You can do that by typing:
Defining a Service
Opening ports for your zones is easy, but it can be difficult to keep track of what each one is for. If you ever decommission a service on your server, you may have a hard time remembering which ports that have been opened are still required. To avoid this situation, it is possible to define a service. Services are collections of ports with an associated name and description. Using services is easier to administer than ports, but requires a bit of upfront work. A good way to start is to copy an existing script (found in
For instance, we could copy the SSH service definition to use for our “example” service definition like this. The filename minus the
Now, you can adjust the definition found in the file you copied:
To start, the file will contain the SSH definition that you copied: /etc/firewalld/services/example.xml
The majority of this definition is actually metadata. You will want to change the short name for the service within the
For our “example” service, imagine that we need to open up port 7777 for TCP and 8888 for UDP. By entering INSERT mode by pressing
/etc/firewalld/services/example.xml
Press
Reload your firewall to get access to your new service:
You can see that it is now among the list of available services:
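As an added example (not code from this guide or from the firewalld project), the following Python script parses and generates a service definition in the same layout as the “example” service above, checking that each port entry is a single port or a start-end range; the XML sample is constructed here to match the TCP 7777 / UDP 8888 definition:

```python
# Added example: build and check a firewalld service definition of the kind
# the guide creates at /etc/firewalld/services/example.xml. The layout
# mirrors the stock definitions under /usr/lib/firewalld/services/.
import xml.etree.ElementTree as ET

# Constructed sample matching the guide's "example" service.
# A port range uses the same "start-end" form as firewall-cmd --add-port.
EXAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Example Service</short>
  <description>Example service, accepting TCP 7777 and UDP 8888.</description>
  <port protocol="tcp" port="7777"/>
  <port protocol="udp" port="8888"/>
</service>
"""


def parse_service(xml_text):
    """Return (short_name, [(protocol, port_spec), ...]) from a definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("root element must be <service>")
    short = root.findtext("short", default="")
    ports = []
    for el in root.findall("port"):
        proto = el.get("protocol")
        spec = el.get("port", "")
        if proto not in ("tcp", "udp", "sctp", "dccp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        # Accept "N" or "N-M" with 1 <= N <= M <= 65535; reject anything else.
        lo, _, hi = spec.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 1 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port spec {spec!r}")
        ports.append((proto, spec))
    return short, ports


def build_service(short, description, ports):
    """Render a definition; the service name is the file name minus .xml."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for proto, spec in ports:
        ET.SubElement(root, "port", protocol=proto, port=str(spec))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(parse_service(EXAMPLE_XML))
```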
You can now use this service in your zones as you normally would.
Creating Your Own Zones
While the predefined zones will probably be more than enough for most users, it can be helpful to define your own zones that are more descriptive of their function. For instance, you might want to create a zone for your web server, called “publicweb”. However, you might want to have another zone configured for the DNS service you provide on your private network. You might want a zone called “privateDNS” for that. When adding a zone, you must add it to the permanent firewall configuration. You can then reload to bring the configuration into your running session. For instance, we could create the two zones we discussed above by typing:
You can verify that these are present in your permanent configuration by typing:
As stated before, these won’t be available in the current instance of the firewall yet:
Reload the firewall to bring these new zones into the active configuration:
Now, you can begin assigning the appropriate services and ports to your zones. It’s usually a good idea to adjust the active instance and then transfer those changes to the permanent configuration after testing. For instance, for the “publicweb” zone, you might want to add the SSH, HTTP, and HTTPS services:
Likewise, we can add the DNS service to our “privateDNS” zone:
We could then change our interfaces over to these new zones to test them out:
At this point, you have the opportunity to test your configuration. If these values work for you, you will want to add the same rules to the permanent configuration. You can do that by re-applying the rules with the
After permanently applying these rules, you can restart your network and reload your firewall service:
Validate that the correct zones were assigned:
And validate that the appropriate services are available for both of the zones:
You have successfully set up your own zones! If you want to make one of these zones the default for other interfaces, remember to configure that behavior with the
Conclusion
You should now have a fairly good understanding of how to administer the firewalld service on your CentOS system for day-to-day use. The firewalld service allows you to configure maintainable rules and rule-sets that take into consideration your network environment. It allows you to seamlessly transition between different firewall policies through the use of zones and gives administrators the ability to abstract the port management into more friendly service definitions. Acquiring a working knowledge of this system will allow you to take advantage of the flexibility and power that this tool provides.
Where are firewall rules stored in Linux?
The rules are saved in the file /etc/sysconfig/iptables for IPv4 and in the file /etc/sysconfig/ip6tables for IPv6. You may also use the init script in order to save the current rules.
Where are firewalld rules stored on CentOS 7?
The default zones are stored under the /usr/lib/firewalld/zones/ directory.
Which command enables you to list all available firewalld services?
Explanation: The firewall-cmd --get-services command shows all services that are available in firewalld.