Официален блог на WebEKM EKM очаквайте сайта онлайн скоро.

Download Free Templates http://bigtheme.net/ free full Wordpress, Joomla, Mgento - premium themes.

FIREWALLd – blocking unwanted traffic in Linux, based on zones

Firewalld alike iptables relies on Netfilter service that is responsible for packets filtering.The difference is that iptables works based on “chain of filter” rules, alike ACLs on the router, firewalld based on “zones” similar to ASA. The idea that stands behind the firewalld is that interfaces and networks are grouped into zones. Each zone has different level of trust.

Below table presents particular predefined zones and what they do with incoming and outgoing traffic. Of course we may create our own zones.

FIREWALLd – before we start 

rpm -qa firewalld – checking if firewalld daemon is installed

systemctl status firewalld – checking if the daemon is running, also we may check with “firewall-cmd –state“.

/etc/firewalld/firewalld.conf – configuration file of firewalld

systemctl mask ipatbles – turning off iptables, both iptables and firewalld use the same resources so chouldn’t be run in the same time.

Also we want firewalld make active and enable by default just after reboot:

systemctl is-active firewalld
systemctl is-enabled firewalld

firewall-cmd –[double TAB] – shows current ‘help’, with a list of commands that we may use in given moment. Similar to ‘?’ in Cisco.

/usr/lib/firewalld/services – location of predefined “services” in xml format , we may create our own service in /etc/firewalld/services

/usr/lib/firewalld/zones – location of predefined “zones”, we may create our own zones in /etc/firewalld/zones


FIREWALLd – fundamentals

Firewalld daemon runs 2 instances in the same time : runtime and permanent. Any changes that you make are being written into ‘runtime’ configuration to make them permanent you have to mark that with ‘–permanent‘ statement

firewall-cmd –add-service=http –permanent

If we make any changes in ‘permanent’ configuration we have to reloade its,  otherwise they will not be taken into consideration. Runtime confiuration always dissapear after server reboot, also will dissapear after –reload command.

firewall-cmd –reload

If we want to write ‘runtime’ to ‘permanent’ configuration we run

firewall-cmd –runtime-to-permanent


FIREWALLd – zones

As I mentioned at the beginning we have a couple of definied zones. If you run command “firewall-cmd –list-all –zone=public” you gona get below output (without a rules of course). Public is a default zone.


target default is REJECT, the other targets are ACCEPT and DROP. The traffic that don’t match the rules will be rejected.
interfaces – interfaces bound to the zone
sources – network bound to the zone
services – services allowed within a zone
ports – ports allowed within a zone
protocols – allowed protocols
masquarade – if masquarade enable on the zone
forward-ports – ports forwarding
rich rules – more granular rules based on the source and destination 

As you see we may bind interfaces or particular networks to the zone. The incoming packet that hit any of the interfaces is being assigned to the zone. The order of checking what zone the packet should be assigned to is following:

– firstly the SOURCE network is being checked on all zones 
– secondly the INTERFACE, if  is bind to any zone
– if not any of above, the packet is assigned to default zone (PUBLIC – if we didin’t change).

FIREWALLd configuration commands

The list of below commands is based on sight only and of course is much more longer. Remeber about <double TAB> that will help you out in making decision.

firewall-cmd –list-all – shows all zones and assigned to them interfaces, services, rules etc

firewall-cmd –get-zones – shows active zones

firewall-cmd –zone=internal –change-interface=eth0 – assigning interface to the particular zone, if interface is managed by Network Manager, then we have to change it by nmcli or directly in /etc/sysconfig/network-scripts/interface-name we add line : “ZONE=internal” 

firewall-cmd –add-source= – adding range of  hosts to the zone

firewall-cmd –panic-on – blocking all incoming and outgoing traffic
firewall-cmd –query-panic

firewall-cmd –get-services
– shows active services, that we may use
firewall-cmd –get-default-zone – shows default zone on the server
firewall-cmd –get-active-zones – shows zones and bound interfacs to them
firewall-cmd –set-default-zone=[name] – setting up default zone


firewall-cmd –add-service=mysql – adding service mysql to default zone
firewall-cmd –add-service={http,https,ftp} – adding the range of services

firewall-cmd –zone=public –add-port=3360/tcp
– adding allowed port 360 to default zone
firewall-cmd –add-port={3360/tcp,5000/tcp,6000tcp/tcp} – adding more ports 
firewall-cmd –add-port=5000-5010/tcp – adding the range of ports
firewall-cmd –remove-port=3360/tcp – removal port from configuration

Rich rules – enable us blocking connections based on source and destination addresses and ports, services as well, alike extended ACLs in Cisco world

firewall-cmd –add-rich-rule=’rule family=ipv4 source address= 
accept’ – allows for any connection from host

firewall-cmd –add-rich-rule=’rule family=ipv4 source address= destination address= port port=80 protocol=tcp drop’  – block connection from to on port 80 (server www)

Ports forwarding PAT 

firewall-cmd –add-forward-port=port=8080:proto=tcp:toport=80 – forwarding port 8080 to port 80 on the same server 

firewall-cmd –add-forward-port=port=8080:proto=tcp:toport=80:toaddr= – forwarding port 8080 to 80 with address redirection 


firewall-cmd –permanent –zone=public –add-masquerade – natting any IP address that will hit public zone

FIREWALLd – Let’s lab it out !

I’ve created a simple lab to try a couple of commands and solutionswithin “firewalld” in “production environment” according to below diagram


The final outcome of thge lab is : server WWW is subjected to PAT with address, so for both hosts outside will be reachable with IP address Next, host will be blocked when tries to get  access to FTP server Also host will be blocked when tries to get access to WWW server.

I assume you’ve installed ‘httpd’ daemon on and ‘vsftpd’ on server. 

1. Assigne interfaces to zones DMZ and PUBLIC on FTP server

firewall-cmd –zone=dmz –change-interface=ens37
firewall-cmd –zone=public –change-interface=ens33

because my interfaces are managed by Network Manager, I have to edit network scripts in /etc/sysconfig/network-scripts/ifcfg-ens37 and add at the end of configuration file ZONE=dmz and respectively ZONE=public to ens33

2. Enable service FTP on appropriate zone Public

firewall-cmd –permanent –zone=public –add-service=ftp

3. Create NAT rule for WWW server according to the diagram. If anyone wants to connect to WWW server will be using outside address that is mapped to

firewall-cmd –permanent –zone=public –add-masquerade

firewall-cmd –permanent –zone=public –add-forward-

4. Block host from access to WWW server ( and accept on WWW server :

Instead of add service http I add port 80 what is actually the same

firewall-cmd add-port=80/tcp permanent

firewall-cmd –zone=public –permanent –add-rich-rule=’rule family=ipv4
source address= destination address= port port=80
protocol=tcp drop’

5. Block host from access to FTP server ( of FTP server

firewall-cmd –zone=public –permanent –add-rich-rule=’rule family=ipv4
source address= destination address= service name=ftp



Onlain bookmaker bet365.com - the best bokie