
FirewallD Management in CentOS 7

During a recent project where I helped a customer implement and migrate existing workloads to a Nutanix based vSphere environment, I had to refresh my firewall (firewalld) knowledge. Here are a few sections to outline

FirewallD basic information

FirewallD is available in CentOS 7 by default and can be managed using the firewall-cmd command, which is pretty easy to use. If you prefer, you can still use the good old iptables command. Firewalld has the concept of zones, and the available zones are:

  • block
  • dmz
  • drop
  • external
  • home
  • internal
  • public
  • trusted
  • work

The zones have different predefined configurations, and each zone's configuration can be listed using the following command:

  • firewall-cmd --list-all --zone=<zone> – Replace <zone> with e.g. public or internal

Each Network Interface Card (NIC) belongs to exactly one zone, and based on that you can have multiple zones active at the same time. Each zone has a few configuration options:

  • Interfaces – VM NICs assigned to the zone
  • Sources – Remote systems (source addresses) that you want to bind to a specific zone if you are using multiple zones.
  • Services – Which services are allowed on this specific interface. Firewalld ships with a set of predefined services (list them with firewall-cmd --get-services).
  • Ports – Open ports
  • Masquerade – Used for port forwarding purposes (NAT).
  • forward-ports – Used together with the masquerade option to forward traffic arriving on one port to another port.
  • icmp-blocks – Used to manage ICMP behaviour
  • rich rules – Used to e.g. block a specific destination or allow a specific source

By default all network interfaces belong to the public zone. To verify which zone(s) are active and which network interfaces belong to each zone, run:

  • firewall-cmd --get-active-zones

To list all active zones and their current configuration use:

  • firewall-cmd --list-all
    You can most likely remove the dhcpv6-client service if you are running production systems.

There is an easy way to test and verify firewall rules: you can add rules that take effect immediately but do not persist across a firewall service restart (including a VM reboot). That is good if you mess something up :)
To achieve this you simply leave out the --permanent parameter in the command syntax.

If you want to add the vnc-server service for testing purposes, use the following command:

  • firewall-cmd --zone=public --add-service=vnc-server

When you need to make the rule persistent across a firewall restart, simply run the same command again with --permanent added:

  • firewall-cmd --zone=public --add-service=vnc-server --permanent

Problem Description & Solution

During the migration process the customer was also moving to a new CentOS 7 image, so installation and configuration was something we could easily take care of during the migration tasks, since 400 VMs take some time to migrate using Storage vMotion. Once every piece of software was installed in the VM we had to add rules for e.g.:

  • Monitoring systems
  • Backup and restore systems, since some of the VMs require in-guest backup agents based on Recovery Point Objective (RPO) requirements.

So firewalld rich rules were used in this case to whitelist 4 remote systems, using the following commands.

  • Adding monitoring systems for immediate testing
    • firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.91/24" accept'
    • firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.92/24" accept'
  • Adding monitoring systems permanently
    • firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.91/24" accept'
    • firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.92/24" accept'
  • Adding backup and restore systems for immediate testing
    • firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.111/24" accept'
    • firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.111/24" accept'
  • Adding backup and restore systems permanently
    • firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.111/24" accept'
    • firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.111/24" accept'
  • Verify configuration
    • firewall-cmd --list-all
  • Restart firewall
    • systemctl restart firewalld
  • Verify configuration again after the restart
    • firewall-cmd --list-all
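The rich rules above pair a single host address with a /24 prefix, and the kernel ignores the host bits of such a source, so each rule actually accepts the whole 10.10.100.0/24 subnet rather than one system. The Python audit below is an added example, not part of the original post: it parses the rich-rule syntax used here (sample rules constructed from the post, plus the port form from the command guide) and reports the effective source network, address count and repeated grants, and checks whether a given source address would be accepted.

```python
"""Audit firewalld rich rules: which source range does each rule really accept?"""
import ipaddress
import re
# Constructed sample: the post's rich rules as `firewall-cmd --list-rich-rules` prints them.
SAMPLE_RULES = [
    'rule family="ipv4" source address="10.10.100.91/24" accept',
    'rule family="ipv4" source address="10.10.100.92/24" accept',
    'rule family="ipv4" source address="10.10.100.111/24" accept',
    'rule family="ipv4" source address="10.10.100.111/24" accept',
]

# Subset of the rich-rule language used in the post: family, source address,
# optional port/protocol, final action.
RULE_RE = re.compile(
    r'rule family="(?P<family>ipv4|ipv6)"\s+source address="(?P<src>[^"]+)"'
    r'(?:\s+port port="?(?P<port>[^" ]+)"?\s+protocol="(?P<proto>tcp|udp)")?'
    r'\s+(?P<action>accept|reject|drop)'
)

def parse_rule(rule):
    """Return (network, port, proto, action). strict=False mirrors the kernel:
    the host bits of "10.10.100.91/24" are ignored, so it means 10.10.100.0/24."""
    m = RULE_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError("unrecognised rich rule: %r" % rule)
    return ipaddress.ip_network(m["src"], strict=False), m["port"], m["proto"], m["action"]

def audit(rules):
    """Effective network per rule; 'duplicate' marks a grant an earlier rule already made."""
    seen, report = set(), []
    for r in rules:
        net, port, proto, action = parse_rule(r)
        key = (str(net), port, proto, action)
        report.append({
            "network": str(net),             # e.g. "10.10.100.0/24", not ".91"
            "addresses": net.num_addresses,  # 256 for a /24, 1 for a /32
            "single_host": net.num_addresses == 1,
            "duplicate": key in seen,
        })
        seen.add(key)
    return report

def allowed(rules, src_ip):
    """Would traffic from src_ip be accepted? The first matching rule decides."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        net, _port, _proto, action = parse_rule(r)
        if ip in net:
            return action == "accept"
    return False
```

Running audit(SAMPLE_RULES) shows all four rules collapsing onto 10.10.100.0/24 (256 addresses), with the last three only repeating the first grant; a /32 source is what restricts a rule to one host.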

Command Guide

Important: there are two minus characters before each command option, e.g. firewall-cmd --state (MinusMinusState).

Command – Explanation

  • firewall-cmd -h – List all configuration options
  • systemctl status firewalld – Verify firewalld status, including information such as Loaded, Active, Main PID and CGROUP
  • firewall-cmd --state – Verify firewalld status; the output is running or not running
  • systemctl start firewalld – Start firewalld
  • systemctl stop firewalld – Stop firewalld
  • systemctl restart firewalld – Restart firewalld
  • systemctl enable firewalld – Enable firewalld at boot
  • systemctl disable firewalld – Disable firewalld at boot
  • firewall-cmd --list-all – See the active configuration
  • firewall-cmd --get-active-zones – List active zone(s)
  • firewall-cmd --list-all --zone=<zone> – See the active configuration for a specific zone
  • firewall-cmd --zone=<zone> --add-service=<service> --permanent – Permanently add a service to a specific zone (run the same command without --permanent, as described above, for it to take effect immediately)
    • Example: firewall-cmd --zone=public --add-service=vnc-server --permanent – Permanently add the vnc-server service to the public zone
  • firewall-cmd --zone=<zone> --remove-service=<service> – Immediately and temporarily remove a service from a specific zone
    • Example: firewall-cmd --zone=public --remove-service=dhcpv6-client – Immediately and temporarily remove the dhcpv6-client service from the public zone
  • firewall-cmd --zone=<zone> --remove-service=<service> --permanent – Permanently remove a service from a specific zone
    • Example: firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent – Permanently remove the dhcpv6-client service from the public zone
  • firewall-cmd --permanent --add-rich-rule='rule family="<IPversion>" source address="<IP/netmask>" port port="<port>" protocol="<tcp|udp>" accept' – Permanently add a rich rule
    • Example: firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.90/24" accept' – Permanently allow the VM with IP 10.10.100.90 and netmask 255.255.255.0 to access the system on any port
  • firewall-cmd --permanent --remove-rich-rule='rule family="<IPversion>" source address="<IP/netmask>" port port="<port>" protocol="<tcp|udp>" accept' – Permanently remove a rich rule
    • Example: firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="10.10.100.90/24" accept' – Permanently remove access for the VM with IP 10.10.100.90 and netmask 255.255.255.0 to the system on any port
  • firewall-cmd --get-icmptypes – List available ICMP types
  • firewall-cmd --zone=<zone> --query-icmp-block=echo-reply – Show whether ICMP echo reply is blocked in the zone
  • firewall-cmd --zone=<zone> --add-icmp-block=echo-reply – Block ICMP echo reply in the zone

firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="10.5.209.90/24" accept'