If you are in need of a dynamically managed firewall with support for network/ firewall zones, and with a trust level for network connections or interfaces, then firewalld is the tool for you. It is free, open source and built into RHEL 7.
The Linux kernel includes a powerful network filtering sub-system called netfilter. This allows kernel modules to inspect every packet traversing the system. This means that any incoming, outgoing or forwarded network packet can be inspected, modified, dropped or rejected in a programmatic way, before reaching components in the user space. That is the main building block for setting up a firewall on a Red Hat Enterprise Linux 7 (RHEL 7) machine.
Interacting with netfilter
Although it is theoretically possible for systems administrators to write their own kernel modules to interact with netfilter, this is typically not done. Instead, other programs are used to interact with netfilter. One of the most common and well-known of these programs is iptables. In previous RHEL releases, iptables was the main method of interacting with the kernel netfilter sub-system.
The iptables command is a low-level tool, and it can prove to be inadequate when managing firewalls. In addition, it only adjusts IPv4 firewall issues. Other utilities such as ip6tables for IPV6 and ebtables for software bridges need to be used for more complete firewall coverage.
In RHEL 7, a new method of interacting with netfilter has been introduced – it is called firewalld, and is a system daemon that can configure and monitor the system’s firewall rules. Applications can talk to firewalld to request ports to be opened using the DBus messaging system, a feature that can be disabled or locked down. It covers IPv4, IPv6 and, potentially, ebtables settings. The firewalld daemon is installed from the firewalld package. This package is part of a base install, but not part of the minimal install.
Firewalld simplifies firewall management by classifying all network traffic into zones. Based on criteria such as the source IP address of a packet or the incoming network’s interface, traffic is divided into the firewall rules for the appropriate zone. Each zone can have its own list of ports and services to be opened or closed.
Note: For laptops or other machines that regularly change networks, NetworkManager can be used to automatically set the firewall zone for a connection. The zones can be customised with rules appropriate for particular connections.
This is especially useful when travelling between home, work and public wireless networks. Users might want their system’s sshd service to be reachable when connected to their home and corporate networks, but not when connected to the public wireless network in the local coffee shop.
Every packet that comes into the system will be first checked for its source address. If that source address is tied to a specific zone, the rules for that zone will be parsed. If the source address is not tied to a zone, the zone for the incoming network interface will be used.
If the network interface is not associated with a zone for some reason, the default zone will be used. The default zone is not a separate zone in itself but is one of the other zones. The public zone is used by default, but this can be changed by a systems administrator.
Most zones will allow traffic through the firewall that matches a list of particular ports and protocols (‘631/udp’) or predefined services (‘ssh’). If the traffic does not match a permitted port/protocol or service, it will generally be rejected. The trusted zone, which permits all traffic by default, is one exception to this.
Firewalld ships with a number of predefined zones, suitable for various purposes. The default zone is set to public and interfaces are assigned to public if no changes are made. The lo interface is treated as if it were in a trusted zone. Details of the configuration of these zones on installation follow, but the systems administrator may then customise these zones to have different settings. By default, all zones permit any incoming traffic that is part of a communication initiated by the system, and all outgoing traffic.Default configuration of firewalld zones
Listed below are the ways in which some of the firewalld zones are configured.
- Trusted: Allows all incoming traffic.
- Home: Rejects incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services.
- Internal: Rejects incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services – as in the case of the home zone.
- Work: Rejects incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client or dhcpv6-client predefined services.
- Public: Rejects incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6-client predefined services. This is the default zone for newly added network interfaces.
- External: Rejects incoming traffic unless related to outgoing traffic or matching the ssh predefined service. Outgoing IPv4 traffic forwarded through this zone masquerades to look like it originated from the IPv4 address of the outgoing network interface.
- Dmz: Rejects incoming traffic unless related to outgoing traffic or matching the ssh predefined service.
- Block: Rejects all incoming traffic unless related to outgoing traffic.
- Drop: Drops all incoming traffic unless related to outgoing traffic (does not even respond with ICMP errors).
For a list of all available predefined zones and their intended uses, you can consult the firewalld.zones(5) manual page.
Firewalld also ships with a number of predefined services. These services’ definitions can be used to easily permit traffic for a particular network service to pass through the firewall. Given below are details of the predefined services that are used in the default configuration of firewall zones.
- ssh: Local SSH server. Traffic to 22/tcp.
- dhcpv6-client: Local DHCPv6 client. Traffic to 546/udp on the fe80::/64 IPv6 network.
- ipp-client: Local Windows file and print sharing client. Traffic to 137/udp and 138/udp.
- mdns: Multi-cast DNS(mDNS) local-link name resolution. Traffic to 5353/udp to the 18.104.22.168(IPv4) or ff02::fb(IPv6) multicast address.
Note: There are many other predefined services. The firewall-cmd –get-services command will list them. The configuration files that define the ones included on the firewalld package can be found in the /usr/lib/firewalld/services directory, in a format defined by the firewalld.zone(5) man page.
The easiest options for systems administrators new to firewalld are to either use predefined services or to explicitly specify the port/protocol they wish to permit. The firewall-config graphical tool can also be used to review predefined services and to define additional services.
Configuring the firewall settings
There are three main ways for systems administrators to interact with firewalld:
- By directly editing configuration files in /etc/firewalld
- By using the graphical firewall-config tool
- By using firewall-cmd from the command line
Configuring firewall settings with firewall-config
Firewall-config is a graphical tool that can be used to alter and inspect both the running, in-memory configuration for firewalld, as well as the persistent, on-disk configuration. The firewall-config tool can be installed from the firewall-config package.
Once installed, firewall-config can be launched from the command lines as firewall-config, or from the Applications menu under Applications>Sundry>Firewall. If firewall-config is started by an unprivileged user, it will prompt for the root password, before allowing the user to continue.
On the main screen of firewall-config, a sysadmin can select between modifying the current, in-memory configuration, or the persistent, on-disk configuration that will be used after a restart/ reload of firewalld. This is achieved with the Configuration drop-down menu. In most cases, sysadmins will want to adjust the persistent (permanent) configuration, and then use the Options> Reload Firewalld menu entry to activate their changes.
To modify a zone, select the one in the Zone menu on the left. Network interfaces and source IP addresses/ranges can be assigned in the Interfaces and Sources tabs, respectively, which are on the right.
Ports can be opened by either putting a checkmark in front of them in the Services tab, or by adding a new port in the Ports tab for that zone.
If a specific set of ports has to be opened in multiple zones, a sysadmin can also define a service for those ports. This can be done in the Services tab at the top of the window.
The default zone for otherwise unspecified connections can be changed by going to Options>Change>Default Zone.
Important: Any changes made in the permanent configuration will not become active until the next time the firewalld service unit is restarted or reloaded. Likewise, any changes made in the runtime configurations will not survive a reload or restart of the firewalld service.
Configuring firewall settings with firewall-cmd
For those sysadmins who prefer to work on the command line or who cannot use a graphical environment for some reason, there is also a command line client to interact with the firewall, which is firewalld-cmd.
Firewall-cmd is installed as part of the main firewalld package. Firewalld-cmd can perform the same actions that firewall-config can.
Shown below are a number of frequently used firewall-cmd commands, along with explanations about them. Note that unless otherwise specified, almost all commands will work on the runtime configuration, unless the –permanent option is specified. Many of the commands listed take the –zone=<ZONE> option to determine which zone they affect.
- –get-default-zone: Queries the current default zone.
- –set-default-zone=<ZONE>: Sets the default zone. This changes both the runtime and the permanent configuration.
- –get-zones: Lists all available zones.
- –get-active-zones: Lists all zones currently in use (that have an interface or source tied to them), along with their interface and source information.
- –add-source=<CIDR> [–zone=<ZONE>]: Routes all traffic coming from the IP address or network/netmask <CIDR> to the specified zone. If no –zone= option is provided, the default zone will be used.
- –remove-source=<CIDR> [–zone=<ZONE>]: Removes the rule routing all traffic coming from the IP address or network/netmask <CIDR> from the specified zone. If no –zone= option is provided, the default zone will be used
- –add-interface=<INTERFACE> [–zone=<ZONE>]: Routes all traffic coming from <INTERFACE> to the specified zone. If no –zone= option is provided, the default zone will be used.
- –change-interface=<INTERFACE> [–zone=<ZONE>]: Associates the interface with <ZONE> instead of its current zone. If no –zone= option is provided, the default zone will be used.
- –list-all [–zone=<ZONE>]: Lists all configured interfaces, sources, services and ports for <ZONE>. If no –zone= option is provided, the default zone will be used.
- –list-all-zones: Retrieves all information for all zones (interfaces, sources, ports, services, etc).
- –add-service=<SERVICE> [–zone=<ZONE>]: Allows traffic to <SERVICE>. If no –zone= option is provided, the default zone will be used.
- –add-port=<PORT/PROTOCOL> [–zone=<ZONE]: Allows traffic to the <PORT/PROTOCOL> ports. If no –zone= option is provided, the default zone will be used.
- –remove-service=<SERVICE> [–zone=<ZONE>]: Removes <SERVICE> from the allowed list for the zone. If no –zone= option is provided, the default zone will be used.
- –remove-port=<PORT/PROTOCOL> [–zone=<ZONE>]: Removes the <PORT/PROTOCOL> ports from the allowed list for the zone. If no –zone= option is provided, the default zone will be used.
- –reload: Drops the runtime configuration and applies the persistent change.
The following example shows the default zone being set to dmz — all traffic coming from the 192.168.0.0/24 network being associated to the internal zone, and the network ports for mysql being opened on the internal zone.
# firewall-cmd --set-default-zone=dmz # firewall-cmd --permanent –zone=internal –add-source=192.168.0.0/24 #firewall-cmd --permanent –zone=internal –add-service=mysql #firewall-cmd –reload
Note: For situations where the basic syntax of firewalld is not enough, systems administrators can also add rich rules and a more expressive syntax, to write more complex rules. If even the rich rule syntax is not enough, sysadmins can also use direct configuration rules, which is basically raw iptables syntax that will be mixed with the firewalld rules.