During a recent project where I helped a customer implement and migrate existing workloads to a Nutanix-based vSphere environment, I had to refresh my firewalld knowledge. Here are a few sections outlining what I used.
FirewallD basic information
FirewallD is installed and enabled by default in CentOS 7 and is managed with the firewall-cmd command, which is easy to use. You can still use the good old iptables command, but rules added with iptables directly are not tracked by firewalld and can be flushed when firewalld reloads; if you need raw iptables rules, add them through `firewall-cmd --direct` instead. Firewalld is built around zones, and the predefined zones are:
- block
- dmz
- drop
- external
- home
- internal
- public
- trusted
- work
Each zone has a different predefined configuration, and a zone's configuration can be listed with the following command (replace <zone> with e.g. public or internal):
- firewall-cmd --list-all --zone=<zone>
Each Network Interface Card (NIC) belongs to exactly one zone, so a host with several NICs can have multiple zones active at the same time. Each zone has the following configuration options:
- Interfaces: the VM NICs bound to the zone.
- Sources: source addresses or ranges bound to the zone. Traffic from a bound source is handled by that zone regardless of which interface it arrives on, which is how you route specific remote systems into a particular zone when using multiple zones.
- Services: predefined port bundles allowed in the zone. The available predefined services can be listed with `firewall-cmd --get-services`.
- Ports: individually opened ports (port/protocol pairs).
- Masquerade: enables source NAT for traffic leaving through the zone. Needed together with forward-ports when forwarding to another host.
- forward-ports: forwards traffic arriving on one port to another port, optionally on another address (the latter requires masquerade).
- icmp-blocks: ICMP types that the zone should block.
- rich rules: the more expressive rule language, used e.g. to accept or reject traffic from a specific source address.
Interfaces that are not explicitly bound to a zone belong to the default zone, which is public unless you change it. To verify which zones are active and which interfaces belong to each, run:
- firewall-cmd --get-active-zones
To list the current configuration of the default zone use (add --list-all-zones instead to see every zone):
- firewall-cmd --list-all
The default public zone allows the ssh and dhcpv6-client services. You can most likely remove dhcpv6-client on production systems, unless the VM obtains its IPv6 address from DHCPv6.
There is an easy way to test and verify firewall rules: a rule added without the --permanent parameter takes effect immediately but lives only in the runtime configuration, so it is discarded when the firewalld service is reloaded or restarted (including a VM reboot). That is good if you mess something up :)
To achieve this you simply leave out the --permanent parameter in the command syntax.
If I want to add the vnc-server service for testing purposes, the command is:
- firewall-cmd --zone=public --add-service=vnc-server
When the rule needs to survive a firewalld restart, run the same command again with --permanent. Note that --permanent on its own only writes the configuration file and does not change the running firewall, which is why both commands are needed (or a reload after the permanent one):
- firewall-cmd --zone=public --add-service=vnc-server --permanent
Problem Description & Solution
During the migration the customer was also moving to a new CentOS 7 image, so installation and configuration could be taken care of as part of the migration tasks, since migrating 400 VMs with storage vMotion takes some time. Once every piece of software was installed in the VM we had to add rules for e.g.:
- Monitoring systems
- Backup & Restore systems, since some of the VMs require in-guest backup agents to meet their Recovery Point Objective (RPO) requirements.
So firewalld rich rules were used to whitelist four remote systems, using the commands below. Two things to be aware of with these rules: a rich rule that only names a source and ends in accept admits every port from that source, and the prefix length matters. source address="10.10.100.91/24" does not mean one host; the kernel matches the whole 10.10.100.0/24 network. Use /32 (or no prefix) for a single host, and add port port="<port>" protocol="tcp" when the agent listens on a known port so the allow-list is as narrow as the requirement.
- Adding the monitoring systems at runtime, for immediate testing
- firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.91/32" accept'
- firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.92/32" accept'
- Adding the monitoring systems permanently
- firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.91/32" accept'
- firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.92/32" accept'
- Adding the backup and restore systems at runtime, for immediate testing
- firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.111/32" accept'
- firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.111/32" accept'
- Adding the backup and restore systems permanently
- firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.111/32" accept'
- firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.100.111/32" accept'
- Verify the runtime and the permanent configuration; the rich rules should show up in both
- firewall-cmd --list-all --zone=public
- firewall-cmd --permanent --list-all --zone=public
- Restart the firewall. This drops any runtime-only rules and rebuilds the ruleset from the permanent configuration, so anything you forgot to make permanent disappears here. `firewall-cmd --reload` does the same but keeps connection tracking state, so established sessions are not cut.
- systemctl restart firewalld
- Verify the configuration again; the runtime view must now match the permanent one
- firewall-cmd --list-all --zone=public
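The whitelist procedure above (runtime rule first, then the permanent copy) together with the prefix-length pitfall, as an added example that is not code from the original post. It computes what a CIDR source actually matches, refuses to build a host rule from anything other than a /32, and applies rules runtime-first the way the post does. The function names, the `FIREWALLD_APPLY` switch and the backup agent port 10000 are assumptions for this example; the addresses are the ones used in the post. Without `FIREWALLD_APPLY=1` it only prints the firewall-cmd commands it would run.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Builds host-scoped firewalld
# rich rules for a small allow-list and shows what a CIDR source really matches.
# Assumptions: addresses are the ones from the post; port 10000 for the backup
# agent and the FIREWALLD_APPLY switch are placeholders for this example.
set -eu

# ip_to_int 10.10.100.91 -> 168453211
ip_to_int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip 168453120 -> 10.10.100.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_network 10.10.100.91/24 -> 10.10.100.0/24: the range the kernel matches,
# whatever host bits were written in the rule. A bare address counts as /32.
cidr_network() {
    local ip len mask
    ip=${1%/*}
    if [ "$ip" = "$1" ]; then len=32; else len=${1#*/}; fi
    if [ "$len" -eq 0 ]; then mask=0; else mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF )); fi
    echo "$(int_to_ip $(( $(ip_to_int "$ip") & mask )))/$len"
}

# rich_rule HOST [PORT [PROTO]]
# Emit a rule accepting exactly one host. With a port only that port/protocol is
# opened; without one every port is accepted from that host (what the post's
# rules do). Any prefix other than /32 is refused: "10.10.100.91/24" would
# silently widen the allow-list to the whole 10.10.100.0/24 network.
rich_rule() {
    local host=$1 port=${2:-} proto=${3:-tcp}
    case "$host" in
        */32) host=${host%/32} ;;
        */*)  echo "refusing $host: it would match $(cidr_network "$host"), not one host" >&2
              return 1 ;;
    esac
    if [ -n "$port" ]; then
        printf 'rule family="ipv4" source address="%s/32" port port="%s" protocol="%s" accept\n' \
            "$host" "$port" "$proto"
    else
        printf 'rule family="ipv4" source address="%s/32" accept\n' "$host"
    fi
}

# apply_rule ZONE RULE: add at runtime first, so a mistake can be tested and does
# not survive a reload, then persist it. Only touches the firewall when
# FIREWALLD_APPLY=1 is set and firewall-cmd exists; otherwise prints the commands.
apply_rule() {
    local zone=$1 rule=$2
    if [ "${FIREWALLD_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone="$zone" --add-rich-rule="$rule"
        firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    else
        printf "firewall-cmd --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" "$zone" "$rule"
    fi
}

# Constructed allow-list: addresses from the post, backup agent port is a placeholder.
MONITORING_HOSTS="10.10.100.91 10.10.100.92"
BACKUP_HOSTS="10.10.100.111"
BACKUP_AGENT_PORT=10000

for h in $MONITORING_HOSTS; do apply_rule public "$(rich_rule "$h")"; done
for h in $BACKUP_HOSTS; do apply_rule public "$(rich_rule "$h" "$BACKUP_AGENT_PORT" tcp)"; done

# What a rule written with host bits and /24 really covers:
echo "10.10.100.91/24 matches $(cidr_network 10.10.100.91/24)"
```

Run it as-is to see the commands it would issue, then with `FIREWALLD_APPLY=1` as root on the VM to apply them. The runtime call comes first so a typo can be tested against the monitoring or backup server before the permanent copy is written; the permanent call alone would not change the live ruleset until the next reload.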
Command Guide
Important: every long option is preceded by two minus characters, i.e. firewall-cmd --state (minus minus state); some browsers render them as a single dash.
| Command | Explanation |
|---|---|
| `firewall-cmd --help` | List all configuration options (`-h` is the short form) |
| `systemctl status firewalld` | Show the service status: loaded/active state, PID and recent log lines |
| `firewall-cmd --state` | Check whether firewalld is running; prints `running` or `not running` |
| `systemctl start firewalld` | Start firewalld |
| `systemctl stop firewalld` | Stop firewalld |
| `systemctl restart firewalld` | Restart firewalld (runtime-only rules are lost) |
| `systemctl enable firewalld` | Start firewalld automatically at boot |
| `systemctl disable firewalld` | Do not start firewalld at boot |
| `firewall-cmd --list-all` | Show the active configuration of the default zone |
| `firewall-cmd --get-active-zones` | List active zone(s) and the interfaces and sources bound to each |
| `firewall-cmd --list-all --zone=<zone>` | Show the active configuration of a specific zone |
| `firewall-cmd --zone=<zone> --add-service=<service>` | Immediately add a service to a zone (runtime only, lost on reload or restart) |
| `firewall-cmd --zone=<zone> --add-service=<service> --permanent` | Permanently add a service to a zone; takes effect after a reload or restart, so run it without `--permanent` as well to apply it immediately |
| `firewall-cmd --zone=<zone> --remove-service=<service>` | Immediately remove a service from a zone (runtime only) |
| `firewall-cmd --zone=<zone> --remove-service=<service> --permanent` | Permanently remove a service from a zone |
| `firewall-cmd --permanent --add-rich-rule='rule family="<ipv4 or ipv6>" source address="<IP/prefix>" port port="<port>" protocol="<tcp or udp>" accept'` | Permanently add a rich rule that accepts one port/protocol from a source; without `--zone` it goes into the default zone |
| `firewall-cmd --permanent --remove-rich-rule='rule family="<ipv4 or ipv6>" source address="<IP/prefix>" port port="<port>" protocol="<tcp or udp>" accept'` | Permanently remove a rich rule; the rule text must match the one that was added |
| `firewall-cmd --get-icmptypes` | List available ICMP types |
| `firewall-cmd --zone=<zone> --query-icmp-block=echo-reply` | Report whether echo-reply is blocked in the zone (`yes` or `no`) |
| `firewall-cmd --zone=<zone> --add-icmp-block=echo-reply` | Block incoming ICMP echo-reply in the zone; to stop the host answering pings, block `echo-request` instead |
| `firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="10.5.209.90/24" accept'` | Example: immediately remove a rich rule from the public zone (runtime only); note that a /24 source covers the whole 10.5.209.0/24 network |