Static Firewall (system-config-firewall/lokkit)
The existing static firewall model with system-config-firewall and lokkit will still be available and usable, but not at the same time as the daemon is running. The user or admin can decide which firewall solution should be used by enabling the corresponding services. A selector for the firewall solution, offered at install time or on first boot, is planned. The configuration of the other solution stays intact and can be enabled simply by switching to the other model.
The firewall daemon is independent of system-config-firewall, but the two should not be used at the same time.
Using static firewall rules with the iptables and ip6tables services
If you want to use your own static firewall rules with the iptables and ip6tables services, install iptables-services, disable firewalld and enable iptables and ip6tables:
yum install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
Use /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for your static firewall rules.
Note: The packages iptables and iptables-services do not provide firewall rules for use with the services. The services are available for compatibility and for people who want to use their own firewall rules. You can install and use system-config-firewall to create rules with the services, though. To be able to use system-config-firewall, you have to stop firewalld.
After creating rules for use with the services, stop firewalld and start the iptables and ip6tables services:
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service
What is a zone?
A network zone defines the level of trust for network connections. This is a one-to-many relation: a connection can only be part of one zone, but a zone can be used for many network connections.
Most zones are mutable, but there are also immutable zones.
Immutable zones are not customizable and there is no way to overload
them.
Predefined services
A service is a combination of port and/or protocol entries. Optionally, netfilter helper modules can be added, and also an IPv4 and IPv6 destination address.
Ports and protocols
Definition of tcp or udp ports, where ports can be a single port or a port range.
ICMP blocks
Selected Internet Control Message Protocol (ICMP) messages. These
messages are either information requests or created as a reply to
information requests or in error conditions.
Masquerading
The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation.
Forward ports
A port is either mapped to another port and/or to another host.
Which zones are available?
These are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:
drop (immutable)
Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
block (immutable)
Any incoming network connections are rejected with an
icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6.
Only network connections initiated within this system are possible.
public
For use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
trusted (immutable)
All network connections are accepted.
Which zone should be used?
A public Wi-Fi network connection, for example, should be mainly untrusted; a wired home network connection should be fairly trusted. Select the zone that best matches the network you are using.
How to configure or add zones?
To configure or add zones you can either use one of the firewalld interfaces to handle and change the configuration (the graphical configuration tool firewall-config, the command line tool firewall-cmd or the D-BUS interface), or you can create or copy a zone file in one of the configuration directories.
@PREFIX@/lib/firewalld/zones is used for default and fallback configurations and /etc/firewalld/zones is used for user created and customized configuration files.
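A zone file placed in /etc/firewalld/zones is user configuration in the firewalld.zone(5) format and is loaded as permanent configuration on the next reload or restart. The shell function below is an added example, not part of the firewalld project: it writes such a file from a list of service names and port/protocol entries. The directory argument lets it be tried outside /etc; the zone name, description, services and ports passed to it are constructed sample input.

```shell
#!/bin/sh
# Added example, not part of firewalld: write a custom zone file in the
# firewalld.zone(5) format. Files in /etc/firewalld/zones (the default DIR)
# are user configuration and are loaded as permanent configuration on the
# next reload or restart. Zone name, services and ports are constructed
# sample input supplied by the caller.

# write_zone_file DIR NAME DESCRIPTION SERVICES PORTS
#   SERVICES: space separated firewalld service names, e.g. "ssh https"
#   PORTS:    space separated <port>[-<port>]/<protocol> entries, e.g. "8443/tcp"
# Prints the path of the written file; returns 1 on a bad port entry without
# writing anything.
write_zone_file() {
    dir=${1:-/etc/firewalld/zones}; name=$2; desc=$3; services=$4; ports=$5
    # Validate before touching the filesystem so a typo never leaves a
    # half-written zone file behind.
    for p in $ports; do
        case ${p#*/} in
            tcp|udp) ;;
            *) echo "unsupported protocol in '$p' (tcp or udp expected)" >&2; return 1 ;;
        esac
    done
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<zone>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for s in $services; do
            printf '  <service name="%s"/>\n' "$s"
        done
        for p in $ports; do
            # ${p#*/} is the protocol, ${p%/*} the port or port range.
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</zone>\n'
    } > "$file" || return 1
    echo "$file"
}

# Usage as root, followed by `firewall-cmd --reload` so the new zone is loaded:
#   write_zone_file /etc/firewalld/zones mgmt "Management network" "ssh" "8443/tcp"
```

A file of the same name as a default zone in @PREFIX@/lib/firewalld/zones overrides that default, which is the mechanism the page describes for customizing predefined zones.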
How to set or change a zone for a connection
The zone is stored in the ifcfg file of the connection with the ZONE= option. If the option is missing or empty, the default zone set in firewalld is used.
If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.
Network connections handled by NetworkManager
The firewall is not able to handle network connections by the name shown by NetworkManager; it can only handle network interfaces. Therefore NetworkManager tells firewalld to put the network interfaces related to a connection into the zone defined by the config file (ifcfg) of the connection before the connection comes up. If the zone is not set in the config file, the interfaces are put into the default zone set by firewalld. If a connection has more than one interface, all of them are supplied to firewalld. Changes in the names of interfaces are also handled by NetworkManager and supplied to firewalld.
To simplify this, connections will be spoken of as related to zones from now on.
NetworkManager also tells firewalld to remove connections from zones again when a connection goes down.
If firewalld is started or restarted by systemd or init scripts, firewalld notifies NetworkManager and the connections are added to the zones.
Network connections handled by network scripts
For connections handled by network scripts there are limitations: there is no daemon that can tell firewalld to add connections to zones. This is done in the ifcfg-post script only. Therefore changes of names after this point cannot be supplied to firewalld. Also, starting or restarting firewalld while the connections are already active results in the loss of the relation. There are ideas to fix this as well. The simplest is to push all connections that are not set otherwise into the default zone.
A zone defines which firewall features (predefined services, ports and protocols, ICMP blocks, masquerading and forward ports, as described above) are enabled for the connections in it.
Working with firewalld
To enable or disable firewall features, for example in zones, you can either use the graphical configuration tool firewall-config or the command line client firewall-cmd.
Using firewall-cmd
The command line client firewall-cmd supports all firewall features. For status and query modes there is no output, but the command returns the state.
Generic use
- Get the status of firewalld
firewall-cmd --state
This returns the status of firewalld via the exit code; there is no output. To get a visual state use:
firewall-cmd --state && echo "Running" || echo "Not running"
As of Fedora 19, the status seems to be printed just fine:
# rpm -qf $( which firewall-cmd )
firewalld-0.3.3-2.fc19.noarch
# firewall-cmd --state
not running
- Reload the firewall without losing state information:
firewall-cmd --reload
If you use --complete-reload instead, the state information will be lost. This option should only be used in case of severe firewall problems, for example when there are state information problems such that no connection can be established although the firewall rules are correct.
- Get a list of all supported zones
firewall-cmd --get-zones
This command prints a space separated list.
- Get a list of all supported services
firewall-cmd --get-services
This command prints a space separated list.
- Get a list of all supported icmptypes
firewall-cmd --get-icmptypes
This command prints a space separated list.
- List all zones with the enabled features.
firewall-cmd --list-all-zones
The output format is:
<zone>
  interfaces: <interface> ..
  services: <service> ..
  ports: <port> ..
  forward-ports: <forward-port> ..
  icmp-blocks: <icmptype> ..
  ..
- Print a zone with the enabled features. If the zone is omitted, the default zone will be used.
firewall-cmd [--zone=<zone>] --list-all
- Get the default zone set for network connections
firewall-cmd --get-default-zone
- Set the default zone
firewall-cmd --set-default-zone=<zone>
All interfaces that are located in the default zone will be pushed into the new default zone, which defines the limitations for new externally initiated connection attempts. Active connections are not affected.
- Get the active zones
firewall-cmd --get-active-zones
The command prints the interfaces that are set to be part of a zone in this form:
<zone>: <interface> ..
<zone>: <interface> ..
- Get the zone related to an interface
firewall-cmd --get-zone-of-interface=<interface>
This prints the zone name if the interface is part of a zone.
- Add an interface to a zone
firewall-cmd [--zone=<zone>] --add-interface=<interface>
Adds an interface to a zone if it was not in a zone before. If the zone option is omitted, the default zone will be used. The interfaces are reapplied after reloads.
- Change the zone an interface belongs to
firewall-cmd [--zone=<zone>] --change-interface=<interface>
This is similar to the --add-interface option, but pushes the interface into the new zone even if it was in another zone before.
- Remove an interface from a zone
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
- Query if an interface is in a zone
firewall-cmd [--zone=<zone>] --query-interface=<interface>
Returns whether the interface is in the zone. There is no output.
- List the enabled services in a zone
firewall-cmd [--zone=<zone>] --list-services
- Enable panic mode to block all network traffic in case of emergency
firewall-cmd --enable-panic
firewall-cmd --disable-panic
firewall-cmd --query-panic
This returns the state of the panic mode, there is no output. To get a visual state use
firewall-cmd --query-panic && echo "On" || echo "Off"
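The `--list-all-zones` format above and the exit-status convention of the query options lend themselves to a small drift check: compare what is actually open in each zone against what the host is supposed to expose. The script below is an added example, not firewalld's own code. The sample output, the allowlists and the zone contents are constructed for the example; on a real host the output of `firewall-cmd --list-all-zones` is piped in instead. The parser keys on the unindented zone-name line and the indented `services:` and `ports:` lines, so it also copes with zone lines that carry extra words after the name.

```shell
#!/bin/sh
# Added example, not part of firewalld: check `firewall-cmd --list-all-zones`
# output against an allowlist of services and ports. The sample below is
# constructed in the format shown above (zone name, then indented
# "services:" and "ports:" lines); on a real host pipe the command in instead:
#   firewall-cmd --list-all-zones | audit_zones "$ALLOWED_SERVICES" "$ALLOWED_PORTS"

SAMPLE_OUTPUT='public
  interfaces: eth0
  services: dhcpv6-client ssh telnet
  ports: 8080/tcp
  forward-ports:
  icmp-blocks:

home
  interfaces: wlan0
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  forward-ports:
  icmp-blocks:
'

# Services and ports that may be open in any zone on this host
# (constructed policy for the example).
ALLOWED_SERVICES="dhcpv6-client ssh ipp-client mdns samba-client"
ALLOWED_PORTS=""

# audit_zones ALLOWED_SERVICES ALLOWED_PORTS  < list-all-zones output
# Prints "<zone> service <name>" or "<zone> port <port>/<proto>" for every
# entry not in the allowlists. Exit status 0 if nothing unexpected, 1 otherwise.
audit_zones() {
    awk -v svc_ok="$1" -v port_ok="$2" '
        BEGIN {
            n = split(svc_ok, a, " ");  for (i = 1; i <= n; i++) okS[a[i]] = 1
            n = split(port_ok, b, " "); for (i = 1; i <= n; i++) okP[b[i]] = 1
            bad = 0
        }
        # An unindented line names the zone the following indented lines belong to.
        /^[^ ]/ { zone = $1; next }
        $1 == "services:" { for (i = 2; i <= NF; i++) if (!($i in okS)) { print zone " service " $i; bad = 1 } }
        $1 == "ports:"    { for (i = 2; i <= NF; i++) if (!($i in okP)) { print zone " port " $i;    bad = 1 } }
        END { exit bad }
    '
}

# Stand-alone run on the constructed sample: reports telnet and 8080/tcp in public.
printf '%s' "$SAMPLE_OUTPUT" | audit_zones "$ALLOWED_SERVICES" "$ALLOWED_PORTS" \
    || echo "unexpected firewall entries found"
```

Because the result is carried in the exit status, the function drops into a cron job or a configuration-management check without further parsing, in the same way the `&& echo On || echo Off` idiom above reads the state of `--query-panic`.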
Runtime zone handling
In runtime mode, changes to zones are not permanent: they are gone after a reload or restart.
- Enable a service in a zone
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
This enables a service in a zone. If the zone is not set, the default zone will be used. If a timeout is set, the service will only be enabled in the zone for that number of seconds. If the service is already active, there will be no warning message.
- Example: Enable ipp-client service for 60 seconds in the home zone:
firewall-cmd --zone=home --add-service=ipp-client --timeout=60
- Example: Enable the http service in the default zone:
firewall-cmd --add-service=http
- Disable a service in a zone
firewall-cmd [--zone=<zone>] --remove-service=<service>
This disables a service in a zone. If the zone is not set, the default zone will be used.
- Example: Disable the http service in the home zone:
firewall-cmd --zone=home --remove-service=http
The service will be disabled in the zone. If the service is not enabled in the zone, there will be a warning message.
- Query if a service is enabled in a zone
firewall-cmd [--zone=<zone>] --query-service=<service>
This returns 1 if the service is enabled in the zone, otherwise 0. There is no output.
- Enable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
This enables a port and protocol combination. The port can be a single port or a port range <port>-<port>. The protocol can be either tcp or udp.
- Disable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
- Query if a port and protocol combination is enabled in a zone
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
This command returns whether it is enabled; there is no output.
- Enable masquerading in a zone
firewall-cmd [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.
- Disable masquerading in a zone
firewall-cmd [--zone=<zone>] --remove-masquerade
- Query masquerading in a zone
firewall-cmd [--zone=<zone>] --query-masquerade
This command returns whether it is enabled; there is no output.
- Enable ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
This enables the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.
- Disable ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
- Query ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
This command returns whether it is enabled; there is no output.
- Example: Block echo-reply messages in the public zone:
firewall-cmd --zone=public --add-icmp-block=echo-reply
- Enable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
The port is either mapped to the same port on another host, to another port on the same host, or to another port on another host. The port can be a single port or a port range <port>-<port>. The protocol is either tcp or udp. toport is either a port or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.
- Disable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
- Query port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
This command returns whether it is enabled; there is no output.
- Example: Forward ssh to host 127.0.0.2 in the home zone
firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
Permanent zone handling
The permanent options do not affect the runtime configuration directly. These settings only become active after a reload or restart. To have both the runtime and the permanent setting, you need to supply both, that is, one call with and one without --permanent.
The --permanent option needs to be the first option for all permanent calls.
- Get a list of supported permanent services
firewall-cmd --permanent --get-services
- Get a list of supported permanent icmptypes
firewall-cmd --permanent --get-icmptypes
- Get a list of supported permanent zones
firewall-cmd --permanent --get-zones
- Enable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --add-service=<service>
This enables the service in the zone permanently. If the zone option is omitted, the default zone is used.
- Disable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
- Query if a service is enabled in a zone
firewall-cmd --permanent [--zone=<zone>] --query-service=<service>
This command returns whether it is enabled; there is no output.
- Example: Enable service ipp-client permanently in the home zone
firewall-cmd --permanent --zone=home --add-service=ipp-client
- Enable a port and protocol combination permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
- Disable a port and protocol combination permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
- Query if a port and protocol combination is enabled permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
This command returns whether it is enabled; there is no output.
- Example: Enable port 443/tcp for https permanently in the home zone
firewall-cmd --permanent --zone=home --add-port=443/tcp
- Enable masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.
- Disable masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
- Query masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-masquerade
This command returns whether it is enabled; there is no output.
- Enable ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>
This enables the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.
- Disable ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
- Query ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>
This command returns whether it is enabled; there is no output.
- Example: Block echo-reply messages in the public zone:
firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
- Enable port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
The port is either mapped to the same port on another host, to another port on the same host, or to another port on another host. The port can be a single port or a port range <port>-<port>. The protocol is either tcp or udp. toport is either a port or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.
- Disable port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
- Query port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
This command returns whether it is enabled; there is no output.
- Example: Forward ssh to host 127.0.0.2 in the home zone
firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
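The runtime and permanent configurations are separate, so a change that should be active now and survive a reload needs two calls, and the two query options are the way to confirm that both took effect. The shell functions below are an added example, not firewalld's own code, wrapping that pattern for a service in a zone. The client is read from $FWCMD (defaulting to firewall-cmd) so that a stand-in can be substituted for offline testing; that indirection, and the zone and service names in the usage comment, are the example's own assumptions. The query options report their result through the exit status, read here the same way as the `&& echo On || echo Off` idiom above.

```shell
#!/bin/sh
# Added example, not part of firewalld: apply a service to a zone in both the
# runtime and the permanent configuration and verify both, since the permanent
# options do not touch the running firewall and runtime changes do not survive
# a reload. The client comes from $FWCMD so a fake can stand in for
# firewall-cmd in offline tests; the query options report their result through
# the exit status (0 = enabled), like the `&& echo On || echo Off` idiom above.

FWCMD=${FWCMD:-firewall-cmd}

# service_state ZONE SERVICE
# Prints "runtime=<on|off> permanent=<on|off>" for the service in the zone.
service_state() {
    rt=off; pm=off
    "$FWCMD" --zone="$1" --query-service="$2" >/dev/null 2>&1 && rt=on
    "$FWCMD" --permanent --zone="$1" --query-service="$2" >/dev/null 2>&1 && pm=on
    echo "runtime=$rt permanent=$pm"
}

# enable_service_both ZONE SERVICE
# Enables the service in the zone now and permanently; returns 0 only when
# both queries afterwards report it enabled, so a half-applied change
# (for example a typo in the zone name) is noticed immediately.
enable_service_both() {
    zone=$1; service=$2
    "$FWCMD" --zone="$zone" --add-service="$service" || return 1
    "$FWCMD" --permanent --zone="$zone" --add-service="$service" || return 1
    case $(service_state "$zone" "$service") in
        "runtime=on permanent=on") return 0 ;;
        *) echo "$service in $zone: $(service_state "$zone" "$service")" >&2; return 1 ;;
    esac
}

# Usage on a real host (firewalld running, as root):
#   enable_service_both home https && service_state home https
```

Running `service_state` on its own is also a quick way to spot the classic mismatch the section warns about: `runtime=on permanent=off` means the opening disappears at the next reload, `runtime=off permanent=on` means a permanent change was made without the matching runtime call and is not active yet.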
Direct options
The direct options are mostly for services and applications that need to add custom rules. The rules are not saved and have to be resubmitted after a reload or restart. The arguments of the passthrough option are the same as the corresponding iptables, ip6tables and ebtables arguments.
The --direct option needs to be the first option for all direct calls.
- Pass a command through to the firewall. <args> can be all iptables, ip6tables and ebtables command line arguments.
firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>
- Add a new chain <chain> to table <table>
firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>
- Remove the chain <chain> from table <table>
firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>
- Query if a chain with name <chain> exists in table <table>. Returns 0 if true, 1 otherwise.
firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>
This command returns whether the chain exists via the exit status; there is no output.
- Get all chains added to table <table> as a space separated list.
firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb } <table>
- Add a rule with the arguments <args> to chain <chain> in table <table>
firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
- Remove a rule with the arguments <args> from chain <chain> in table <table>
firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
- Query if a rule with the arguments <args> exists in chain <chain> in table <table>. Returns 0 if true, 1 otherwise.
firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
This command returns whether the rule exists via the exit status; there is no output.
- Get all rules added to chain <chain> in table <table> as a newline separated list of arguments.
firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>
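Because direct rules are not saved, a service that installs them has to resubmit them after every reload or restart, and a naive script that only adds rules accumulates duplicates when it runs twice. The shell function below is an added example, not part of firewalld: it checks for the chain and for each rule with the query options before adding, so it can be run from a service start script and again after a reload without side effects. $FWCMD (a stand-in hook for firewall-cmd), the chain name example_app and the two sample rules are constructed for the example. The `0` placed between the chain name and the rule arguments is the priority argument that later firewall-cmd versions take in `--add-rule` and `--query-rule`; it is not shown in the syntax above, so treat it as an assumption and check `firewall-cmd --help` on the installed version.

```shell
#!/bin/sh
# Added example, not part of firewalld: (re)apply a set of direct rules
# idempotently. Direct rules are not saved and must be resubmitted after a
# reload or restart, so every chain and rule is queried before it is added.
# $FWCMD lets a fake replace firewall-cmd in offline tests. Chain name and
# rules below are constructed samples. PRIORITY is the priority argument that
# later firewall-cmd versions take between <chain> and <args> (assumption;
# the syntax listed above omits it).

FWCMD=${FWCMD:-firewall-cmd}
PRIORITY=0

# Constructed sample: one custom IPv4 filter chain with two rules, one per
# line, each line being the iptables arguments passed to --add-rule.
CHAIN=example_app
RULES='-p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
-j RETURN'

# ensure_direct_rules CHAIN RULES
# Creates the chain in the ipv4 filter table if missing and adds each rule
# that is not yet present. Prints what it added; returns 0 on success.
ensure_direct_rules() {
    chain=$1; rules=$2
    if ! "$FWCMD" --direct --query-chain ipv4 filter "$chain" >/dev/null 2>&1; then
        "$FWCMD" --direct --add-chain ipv4 filter "$chain" || return 1
        echo "added chain $chain"
    fi
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # $rule is deliberately unquoted: it must split into separate iptables arguments.
        if ! "$FWCMD" --direct --query-rule ipv4 filter "$chain" "$PRIORITY" $rule >/dev/null 2>&1; then
            "$FWCMD" --direct --add-rule ipv4 filter "$chain" "$PRIORITY" $rule || exit 1
            echo "added rule: $rule"
        fi
    done
}

# Usage on a real host (firewalld running, as root); safe to call repeatedly,
# for example from the service start script and after `firewall-cmd --reload`:
#   ensure_direct_rules "$CHAIN" "$RULES"
```

The `|| exit 1` inside the loop terminates the pipeline's subshell, so a failed `--add-rule` turns into a non-zero return from `ensure_direct_rules` rather than being silently skipped. Rules added this way are still invisible to firewall-config, which, as the page notes, does not handle the direct interface.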
The current firewalld features
D-BUS Interface
The D-BUS interface gives information about the firewall state and
makes it possible to enable, disable and query firewall settings.
Zones
A network or firewall zone defines the trust level of the interface
used for a connection. There are several pre-defined zones provided by
firewalld. Zone configuration options and generic file information are
described in the firewalld.zone(5) man page.
Services
A service can be a list of local ports and destinations and
additionally also a list of firewall helper modules automatically loaded
if a service is enabled. The use of predefined services makes it easier
for the user to enable and disable access to a service. Service
configuration options and generic file information are described in the
firewalld.service(5) man page.
ICMP types
The Internet Control Message Protocol (ICMP) is used to exchange
information and also error messages in the Internet Protocol (IP). ICMP
types can be used in firewalld to limit the exchange of these messages.
ICMP type configuration options and generic file information are
described in the firewalld.icmptype(5) man page.
Direct interface
The direct interface is mainly used by services or applications to
add specific firewall rules. The rules are not permanent and need to get
applied after receiving the start, restart or reload message from
firewalld using D-BUS.
Runtime configuration
The runtime configuration is not permanent and is only restored across a reload. After a restart or stop of the service or a system reboot, these settings are gone.
Permanent configuration
The permanent configuration is stored in config files and will be restored with every machine boot or service reload or restart.
Tray Applet
The tray applet firewall-applet visualizes the firewall state
and also problems with the firewall for the user. It can also be used to
configure settings by calling firewall-config.
Graphical Configuration Tool
The configuration tool firewall-config is the main configuration tool for the firewall daemon. It supports all features of the firewall besides the direct interface, which is handled by the service or application that added the rules.
Command Line client
firewall-cmd provides (most of) the configuration features of the graphical tool for the command line.
Support for ebtables
ebtables support is needed to fulfill all needs of the libvirt daemon and to prevent access problems between ip*tables and ebtables on the kernel netfilter level. All these commands access the same structures and therefore should not be used at the same time.
Default/Fallback configuration in /usr/lib/firewalld
This directory contains the default and fallback configuration provided by firewalld for icmptypes, services and zones. The files provided with the firewalld package should not be changed, as such changes are lost with an update of the firewalld package. Additional icmptypes, services and zones can be provided by packages or by creating files.
System configuration settings in /etc/firewalld
The system or user configuration stored here is either created by the
system administrator or by customization with the configuration
interface of firewalld or by hand. The files will overload the default
configuration files.
To manually change settings of pre-defined icmptypes, zones or
services, copy the file from the default configuration directory to the
corresponding directory in the system configuration directory and change
it accordingly.
It is not possible to overload immutable zones, because these may
not get changed. If you are loading the defaults for a zone that has a
default or fallback file, the file in /etc/firewalld will be renamed to
.old and the fallback will be used again.
Work in Progress Features
Rich Language
The rich language provides a high level language for more complex firewall rules for IPv4 and IPv6 without requiring knowledge of iptables syntax.
Fedora 19 provides milestone 2 of the rich language with D-Bus and command line client support. Milestone 3 will also provide support within firewall-config, the graphical configuration program.
For more information on this, see: firewalld Rich Language
Lockdown
Lockdown adds a simple configuration setting to firewalld that locks down configuration changes from local applications or services. It is a very light version of application policies.
Fedora 19 provides milestone 2 of the lockdown feature with D-Bus and command line client support. Milestone 3 will also provide support within firewall-config, the graphical configuration program.
For more information on this, see: firewalld Lockdown
Permanent Direct Rules
This feature is in an early state. It provides the ability to permanently save direct rules and chains. Passthrough rules are not part of this. See Direct options for more information on direct rules.
Migration from ip*tables and ebtables services
This feature is in a very early state. It will provide a conversion script that creates permanent direct rules from the iptables, ip6tables and ebtables service configurations as far as possible. A limitation here might be the integration into the direct chains firewalld provides. This needs a lot of testing, ideally also with more complex firewall configurations.
Planned and Proposed Features