Firewall Configuration Stacks
- firewalld does not filter packets itself: it pushes its rules into the Linux kernel through a backend, iptables on older releases and nftables on current ones (RHEL 8 and later)
- Previously there was system-config-firewall (a GUI tool) that talked to the iptables service, which executed the actual iptables commands
- These are now replaced by firewall-config (GUI) and firewall-cmd (CLI). Both talk to the firewalld service, which is controlled like any other service with systemctl
- Firewalld uses concept of zones (zone is basically a piece of your network)
- Each interface on a machine is allocated to a zone (one of many)
- trusted - accepts all incoming traffic
- public, internal, dmz, home, work - accept only selected services/ports; everything else is rejected (the sender gets an ICMP "host prohibited" reply)
- drop - all incoming traffic is silently discarded (no reply at all); block - all incoming traffic is rejected with an ICMP reply
- external - masquerading (source NAT) is enabled, for a router's outside interface
Configuring firewalld with cmd:
Find out which zones are active (bound to an interface or source):
# firewall-cmd --get-active-zones
See settings for a zone
# firewall-cmd --zone=public --list-all
To open a new port (no --zone means the default zone, normally public):
# firewall-cmd --add-port=7541/tcp
See status again
# firewall-cmd --zone=public --list-all
Open a port in different zone (DMZ for example)
# firewall-cmd --zone=dmz --add-port=7541/tcp
To open a port for a service that firewalld knows about (the port list comes from /usr/lib/firewalld/services/):
# firewall-cmd --zone=dmz --add-service=dns
- All of these changes affect only the runtime configuration and are lost when firewalld restarts or is reloaded
- To make a change permanent, add the --permanent argument. A --permanent change alone does not touch the running firewall until you run firewall-cmd --reload, so either run the command twice (with and without --permanent) or make the runtime change and then save it with firewall-cmd --runtime-to-permanent
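The runtime/permanent split above is where most mistakes happen: a port gets opened for the session, works, and vanishes at the next reload. The script below is an added example (not part of the original notes) that parses the output of firewall-cmd --list-all and reports anything open at runtime that is missing from the permanent configuration. The two listings embedded in it are constructed samples of the public zone, the first from `firewall-cmd --zone=public --list-all` and the second from `firewall-cmd --permanent --zone=public --list-all`, in which 7541/tcp was added without --permanent; the function names are my own.

```shell
#!/bin/sh
# Added example: audit a firewalld zone for runtime-only changes.
# Parses `firewall-cmd --list-all` style output; nothing here is firewalld's own code.

# Constructed sample: runtime listing of the public zone (port 7541/tcp was
# added with `firewall-cmd --add-port=7541/tcp`, no --permanent).
RUNTIME_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh http
  ports: 7541/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample: permanent listing of the same zone (no 7541/tcp).
PERMANENT_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh http
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# field_values LISTING FIELD -> prints the values of the "  FIELD: a b c" line.
# The anchor keeps "ports:" from also matching "forward-ports:" / "source-ports:".
field_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# has_item LISTING FIELD ITEM -> exit 0 if ITEM is listed under FIELD.
has_item() {
    for v in $(field_values "$1" "$2"); do
        [ "$v" = "$3" ] && return 0
    done
    return 1
}

# runtime_only RUNTIME_LISTING PERMANENT_LISTING FIELD
# -> prints each FIELD entry present at runtime but absent permanently.
runtime_only() {
    for v in $(field_values "$1" "$3"); do
        has_item "$2" "$3" "$v" || printf '%s\n' "$v"
    done
}

# audit_zone ZONE -> same comparison against the live firewalld (needs root).
# Not exercised here; it requires firewall-cmd on the host.
audit_zone() {
    zone="$1"
    rt=$(firewall-cmd --zone="$zone" --list-all) || return 1
    pm=$(firewall-cmd --permanent --zone="$zone" --list-all) || return 1
    echo "runtime-only ports in $zone:";    runtime_only "$rt" "$pm" ports
    echo "runtime-only services in $zone:"; runtime_only "$rt" "$pm" services
}

# Demonstration on the constructed samples: prints 7541/tcp, nothing for services.
echo "runtime-only ports:";    runtime_only "$RUNTIME_LISTING" "$PERMANENT_LISTING" ports
echo "runtime-only services:"; runtime_only "$RUNTIME_LISTING" "$PERMANENT_LISTING" services
```

On a real host, run `audit_zone public` as root after a change session; any port or service it prints will disappear at the next `firewall-cmd --reload`, which is exactly the case for `firewall-cmd --runtime-to-permanent`.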
Let's now test whether we have really closed our http port.
From another machine, scan the CentOS host:
# nmap -p- centosIP
We notice that 80/tcp is reported as open and the web page is still reachable, so the firewall is still allowing http. How to read nmap's port states:
- open means the port is reachable and a service is listening on it
- closed means the port is reachable (the firewall is not guarding it) but no service is listening; the host answered the probe with a TCP RST
- filtered means nmap got no usable answer: the probe was dropped, or rejected with an ICMP error, by a firewall. Ports that firewalld does not explicitly allow show up like this
So remove http from the zone:
# firewall-cmd --remove-port=80/tcp
Or
# firewall-cmd --remove-service=http
A rescan now reports 80/tcp as filtered, and the web page on CentOS is no longer reachable.
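To make the before/after comparison repeatable rather than eyeballed, here is an added example (not from the original notes) that reads the port table from nmap's normal output and diffs two scans of the same host. The two scans embedded in it are constructed samples of what `nmap -p- centosIP` prints before and after `firewall-cmd --remove-service=http`; the host address, the "Not shown" reason text and the function names are assumptions of the example. Port 7541/tcp is deliberately shown as closed: it was opened in the firewall earlier but nothing listens on it, which is exactly the open-in-firewall-but-no-service case described above.

```shell
#!/bin/sh
# Added example: interpret and compare nmap port states around a firewall change.
# Parses plain `nmap` output; this is not nmap's or firewalld's own code.

# Constructed sample: scan taken before removing the http service from the zone.
SCAN_BEFORE='Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.00045s latency).
Not shown: 65532 filtered tcp ports (admin-prohibited)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
7541/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 13.21 seconds'

# Constructed sample: same host after `firewall-cmd --remove-service=http`.
SCAN_AFTER='Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.00041s latency).
Not shown: 65533 filtered tcp ports (admin-prohibited)
PORT     STATE  SERVICE
22/tcp   open   ssh
7541/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 13.40 seconds'

# default_state SCAN -> the state nmap folded into its "Not shown:" line.
default_state() {
    printf '%s\n' "$1" | sed -n 's/^Not shown: [0-9]* \([a-z]*\) .*/\1/p'
}

# ports_listed SCAN -> every port nmap listed explicitly (e.g. 80/tcp).
ports_listed() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ { print $1 }'
}

# port_state SCAN PORT -> state of PORT; unlisted ports get the default state.
port_state() {
    state=$(printf '%s\n' "$1" | awk -v p="$2" '$1 == p { print $2 }')
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        default_state "$1"
    fi
}

# ports_in_state SCAN STATE -> listed ports currently in STATE.
ports_in_state() {
    printf '%s\n' "$1" | awk -v s="$2" '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == s { print $1 }'
}

# state_changes BEFORE AFTER -> "PORT before->after" for every port that changed.
state_changes() {
    for p in $( { ports_listed "$1"; ports_listed "$2"; } | sort -u ); do
        b=$(port_state "$1" "$p")
        a=$(port_state "$2" "$p")
        [ "$b" = "$a" ] || printf '%s %s->%s\n' "$p" "$b" "$a"
    done
}

# explain STATE -> what the nmap TCP state means for the firewall.
explain() {
    case "$1" in
        open)     echo "reachable, and a service is listening" ;;
        closed)   echo "reachable (firewall lets it through), but nothing is listening" ;;
        filtered) echo "no usable answer: a firewall dropped or rejected the probe" ;;
        *)        echo "unknown state: $1" ;;
    esac
}

# Demonstration: report each change with its meaning.
state_changes "$SCAN_BEFORE" "$SCAN_AFTER" | while read -r port change; do
    after=${change#*->}
    echo "$port: $change ($(explain "$after"))"
done
```

To use it on real scans, save `nmap -p- centosIP` output to a file before and after the firewall change and pass the file contents as `SCAN_BEFORE` / `SCAN_AFTER`; a port that moves from open to closed rather than to filtered means the service stopped but the firewall hole is still there.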