A firewall protects a machine from unwanted traffic arriving from outside. firewalld lets you control the network traffic reaching a host by defining a set of firewall rules; in plain terms it filters and blocks. Incoming traffic is matched against these rules and either allowed or blocked.
firewalld is a firewall service daemon that provides a dynamic, customizable host-based firewall with a D-Bus interface. Dynamic means that rules can be created, changed and deleted without restarting the daemon each time, so established connections survive a rule change. firewalld uses the concepts of zones and services to simplify traffic management. A zone is a predefined set of rules; network interfaces and source addresses are assigned to a zone, so the traffic a host accepts depends on which network it is connected to and how much that network is trusted. A firewall service is a predefined rule set that covers everything needed to allow incoming traffic for one application, and it is applied within a zone. iptables is organised in tables (raw, mangle, nat, filter) and chains; firewalld does not replace that machinery (on CentOS 7 and RHEL 7 it programs iptables underneath), but zones and services are the abstraction you work with instead of tables.
Services use one or more ports or addresses for network communication, and a firewall filters on those ports, so to allow traffic for a service its ports must be opened. In the standard zones firewalld rejects or drops everything that is not explicitly opened; the trusted zone is the exception and accepts all traffic. What a host accepts is therefore decided per zone, by the zone its interface or the packet's source address belongs to.
The Linux kernel has built-in packet filtering called Netfilter. On CentOS 7 and RHEL 7 two services are available to create, maintain and display the rules Netfilter enforces: firewalld and iptables. firewalld is the default, and only one of the two should be running at a time. firewalld supports IPv4, IPv6 and Ethernet bridges. Its main features are:
- Complete D-Bus API
- IPv4, IPv6, bridge and ipset support
- IPv4 and IPv6 NAT support
- Firewall zones
- Predefined list of zones, services and icmptypes
- Simple service, port, protocol, source port, masquerading, port forwarding, icmp filter, rich rule, interface and source address handling in zones
- Simple service definition with ports, protocols, source ports, modules (netfilter helpers) and destination address handling
- Rich Language for more flexible and complex rules in zones
- Timed firewall rules in zones
- Simple log of denied packets
- Direct interface
- Lockdown: Whitelisting of applications that may modify the firewall
- Automatic loading of Linux kernel modules
- Integration with Puppet
- Command line clients for online and offline configuration
- Graphical configuration tool using gtk3
- Applet using Qt4
The firewalld service lets us separate networks into zones according to the level of trust placed in the interfaces and traffic on each network. A connection can be part of only one zone, but a zone can be used for many network connections. For each zone you can define the following:
- Ports – Additional ports or port ranges and associated protocols that are accessible from other systems and networks.
- Services – Predefined or custom services to trust. Trusted services are a combination of ports and protocols that are accessible from other systems and networks.
- ICMP Filter – Block selected Internet Control Message Protocol messages.
- Rich Rules – Extend existing firewalld rules to include additional source and destination addresses and logging and auditing actions.
- Interfaces – Network interfaces bound to the zone. For an interface managed through an ifcfg file, the zone is set with the ZONE= option in that interface's /etc/sysconfig/network-scripts/ifcfg file; if the option is missing, the interface is bound to the default zone.
- Masquerading – Translate the addresses of a private network to the single external address of this host (IPv4 only). With masquerading enabled, internal hosts are mapped to and hidden behind the public address.
- Port Forwarding – Forward inbound network traffic from a specific port or port range to an alternative port on the local system, or to a port on another IPv4 address.
Predefined Firewalld Zones
The predefined zones are stored in the /usr/lib/firewalld/zones/ directory, as shown below, and can be applied to any available network interface. A zone file is copied to /etc/firewalld/zones/ only once it is modified (for example by a firewall-cmd --permanent change), and from then on that copy takes precedence over the packaged one.
[root@geekyvaibhav zones]# ll /usr/lib/firewalld/zones
-rw-r--r--. 1 root root 299 Aug 5 2017 block.xml
-rw-r--r--. 1 root root 293 Aug 5 2017 dmz.xml
-rw-r--r--. 1 root root 291 Aug 5 2017 drop.xml
-rw-r--r--. 1 root root 304 Aug 5 2017 external.xml
-rw-r--r--. 1 root root 369 Aug 5 2017 home.xml
-rw-r--r--. 1 root root 384 Aug 5 2017 internal.xml
-rw-r--r--. 1 root root 315 Aug 5 2017 public.xml
-rw-r--r--. 1 root root 162 Jun 11 20:03 trusted.xml
-rw-r--r--. 1 root root 311 Aug 5 2017 work.xml
The zone files contain preset settings, which can be applied to a network interface.
Example: public.xml
Looking at the public zone file, by default it trusts only two services, ssh and dhcpv6-client; everything else reaching an interface in this zone is rejected.
[root@geekyvaibhav zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
A brief explanation of each zone follows:
- block – Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
- drop – Any incoming network packets are dropped without any notification. Only outgoing network connections are possible.
- dmz – For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
- home – For use at home when you mostly trust the other computers on the network. Only selected incoming connections are accepted.
- external – For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- public – For use in public areas where you do not trust other computers on the network. Only selected incoming connections are accepted.
- internal – For use on internal networks when you mostly trust the other computers on the network. Only selected incoming connections are accepted.
- trusted – All network connections are accepted.
- work – For use at work where you mostly trust the other computers on the network. Only selected incoming connections are accepted.
One of these zones is the default zone. When NetworkManager adds a connection without an explicit zone, it lands in the default zone. After installation the default zone is public; it can be changed with firewall-cmd --set-default-zone.
A firewalld service is a named bundle of local ports, protocols, source ports and destination addresses. A service can also name Netfilter connection-tracking helper modules (for example for FTP) that are loaded automatically when the service is enabled. Using services saves time: opening the ports, declaring the protocols and loading the helpers happen in one step instead of one setting at a time.
The firewalld package ships a set of predefined services under the /usr/lib/firewalld/services directory; custom service definitions belong in /etc/firewalld/services.
Firewalld Configuration Files
Configuration files for firewalld live in two directories:
- /usr/lib/firewalld – Default configuration files shipped by the package. A package upgrade overwrites this directory, so do not edit these files.
- /etc/firewalld – Your own changes to the default configuration are stored here, with the same file names and layout. A file in this directory overrides the file of the same name under /usr/lib/firewalld.
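To see how the two directories layer, and what a zone such as the public zone above really opens once its service names are expanded to ports, here is an added shell example (not code from the original page or from the firewalld project). It reimplements the daemon's lookup order in plain sh for inspection only and never talks to firewalld. So that it runs on a machine without firewalld, it builds a small constructed copy of the two directory trees in a temporary directory; the public, trusted, ssh and dhcpv6-client files in it are abbreviated stand-ins for the packaged ones, not copies. Point FWD_ETC and FWD_LIB at the real /etc/firewalld and /usr/lib/firewalld to inspect a live host.

```shell
#!/bin/sh
# Added example: resolve firewalld zone and service files the way the daemon
# layers them (an admin copy under /etc/firewalld wins over the package copy
# under /usr/lib/firewalld) and expand what a zone really opens. Read-only: it
# never talks to firewalld. Point FWD_ETC / FWD_LIB at a live host to use it.
FWD_ETC="${FWD_ETC:-/etc/firewalld}"; FWD_LIB="${FWD_LIB:-/usr/lib/firewalld}"

# effective_file KIND NAME -> the KIND/NAME.xml in force (KIND: zones|services)
effective_file() {
    if [ -f "$FWD_ETC/$1/$2.xml" ]; then printf '%s\n' "$FWD_ETC/$1/$2.xml"
    elif [ -f "$FWD_LIB/$1/$2.xml" ]; then printf '%s\n' "$FWD_LIB/$1/$2.xml"
    else return 1
    fi
}

# ports_in_file FILE -> one "PORT/PROTO" per <port .../> element. Packaged files
# write protocol= first and firewall-cmd writes port= first, so read each attribute.
ports_in_file() {
    grep -o '<port [^>]*>' "$1" | while read -r el; do
        p=$(printf '%s' "$el" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        pr=$(printf '%s' "$el" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$p" "$pr"
    done
}

oneline() { tr '\n' ' ' | sed 's/ $//'; }     # newline-separated list -> "a b c"

# zone_target ZONE -> "default" (reject), "ACCEPT", "DROP" or "%%REJECT%%"
zone_target() {
    f=$(effective_file zones "$1") || return 1
    t=$(sed -n 's/.*<zone[^>]*target="\([^"]*\)".*/\1/p' "$f")
    printf '%s\n' "${t:-default}"
}

# zone_services ZONE -> the service names the zone accepts
zone_services() {
    f=$(effective_file zones "$1") || return 1
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$f" | oneline
}

# zone_open_ports ZONE -> every port reachable in the zone: the services expanded
# through their own (layered) files, plus ports opened directly in the zone
zone_open_ports() {
    f=$(effective_file zones "$1") || return 1
    { for s in $(zone_services "$1"); do
          sf=$(effective_file services "$s") && ports_in_file "$sf"
      done
      ports_in_file "$f"; } | sort -u | oneline
}

# build_sample_tree DIR: constructed miniature of the two roots, with abbreviated
# stand-ins for the packaged public, trusted, ssh and dhcpv6-client files
build_sample_tree() {
    mkdir -p "$1/lib/zones" "$1/lib/services" "$1/etc/zones" "$1/etc/services"
    cat >"$1/lib/zones/public.xml" <<'EOF'
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
    cat >"$1/lib/zones/trusted.xml" <<'EOF'
<zone target="ACCEPT">
</zone>
EOF
    # the admin copy firewall-cmd --permanent leaves behind after
    # --remove-service=dhcpv6-client --add-port=8443/tcp on the public zone
    cat >"$1/etc/zones/public.xml" <<'EOF'
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <port port="8443" protocol="tcp"/>
</zone>
EOF
    cat >"$1/lib/services/ssh.xml" <<'EOF'
<service>
  <port protocol="tcp" port="22"/>
</service>
EOF
    cat >"$1/lib/services/dhcpv6-client.xml" <<'EOF'
<service>
  <port protocol="udp" port="546"/>
</service>
EOF
}

# Stand-alone run: inspect the constructed tree instead of the real one
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
build_sample_tree "$SAMPLE"
FWD_ETC="$SAMPLE/etc"; FWD_LIB="$SAMPLE/lib"
for z in public trusted; do
    printf '%s: file=%s target=%s services=[%s] open=[%s]\n' "$z" \
        "$(effective_file zones "$z")" "$(zone_target "$z")" \
        "$(zone_services "$z")" "$(zone_open_ports "$z")"
done
# public: file=<tmp>/etc/zones/public.xml target=default services=[ssh] open=[22/tcp 8443/tcp]
```

The point of the run is the first line: the admin copy under etc/zones is the file in force, so dhcpv6-client is no longer accepted even though the packaged file still lists it, and the reachable set is the ssh service expanded to 22/tcp plus the directly opened 8443/tcp. The trusted zone shows the other extreme: no services at all, but a target of ACCEPT, so the list of open ports says nothing about what it lets through.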
Firewalld Configuration options
firewalld has two configuration states:
- Permanent – Changes are written to the configuration files under /etc/firewalld. They do not affect live traffic until firewall-cmd --reload is run or the service restarts, at which point they become the new runtime configuration.
- Runtime – Changes take effect immediately but are not written to any file, so they are lost when the daemon is reloaded or restarted. firewall-cmd without --permanent edits the runtime state; firewall-cmd --runtime-to-permanent saves the current runtime state as the permanent configuration.
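The per-zone features listed earlier (interfaces, services, ports, rich rules, ICMP filter, port forwarding) and the runtime/permanent split are easiest to see in one script. The following is an added shell example, not code from the original page or from the firewalld project; it uses only documented firewall-cmd options. The zone name dmz, the interface eth1, the admin network 10.0.0.0/24, the custom service name myapp and the FWCMD variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: drive firewall-cmd to put a host's dmz zone into a known state,
# keeping runtime (live, volatile) and permanent (on disk, needs --reload) apart.
# Assumptions: zone "dmz" on interface eth1, admins on 10.0.0.0/24, custom
# service "myapp". FWCMD lets the functions be pointed at a stub for a dry run;
# the default is the real binary.
FWCMD="${FWCMD:-firewall-cmd}"
fw() { "$FWCMD" "$@"; }

# Runtime-only change: active at once, gone after --reload or a daemon restart.
# With SECONDS it is a timed rule that firewalld withdraws by itself.
open_runtime_port() {            # open_runtime_port ZONE PORT/PROTO [SECONDS]
    if [ -n "${3:-}" ]; then
        fw --zone="$1" --add-port="$2" --timeout="$3"
    else
        fw --zone="$1" --add-port="$2"
    fi
}

# Permanent change: every call below only edits /etc/firewalld/zones/ZONE.xml
# (and /etc/firewalld/services/myapp.xml); nothing reaches the kernel until --reload.
configure_dmz_zone() {           # configure_dmz_zone ZONE IFACE ADMIN_NET
    zone=$1 iface=$2 admin_net=$3
    # Interface binding (the permanent equivalent of ZONE= in the ifcfg file)
    fw --permanent --zone="$zone" --change-interface="$iface"
    # Services: a predefined one, and a custom one for an app the catalogue lacks
    fw --permanent --zone="$zone" --add-service=https
    fw --permanent --get-services | grep -qw myapp || fw --permanent --new-service=myapp
    fw --permanent --service=myapp --set-short="MyApp API"
    fw --permanent --service=myapp --add-port=8443/tcp
    fw --permanent --zone="$zone" --add-service=myapp
    # Port: the one open_runtime_port trials below, now opened for good
    fw --permanent --zone="$zone" --add-port=9000/tcp
    # Rich rule: ssh only from the admin network, logged and rate limited,
    # replacing the zone-wide ssh service the packaged dmz zone ships with
    fw --permanent --zone="$zone" --remove-service=ssh
    fw --permanent --zone="$zone" --add-rich-rule="rule family=\"ipv4\" source address=\"$admin_net\" service name=\"ssh\" log prefix=\"dmz-ssh\" level=\"info\" limit value=\"3/m\" accept"
    # ICMP filter: do not honour ICMP redirects from the untrusted side
    fw --permanent --zone="$zone" --add-icmp-block=redirect
    # Port forwarding: also reach the local ssh daemon on 2222
    fw --permanent --zone="$zone" --add-forward-port=port=2222:proto=tcp:toport=22
    # Make the files written above the live configuration in one step
    fw --reload
}

# Runtime and permanent views drift apart between a --permanent call and the
# next --reload, or after someone experimented with runtime changes; compare them.
show_drift() {                   # show_drift ZONE
    echo "== runtime ==";   fw --zone="$1" --list-all
    echo "== permanent =="; fw --permanent --zone="$1" --list-all
}

# The other direction: freeze a runtime state you have tested into the files.
save_runtime() { fw --runtime-to-permanent; }

case "${1:-}" in
    apply) configure_dmz_zone dmz eth1 10.0.0.0/24 ;;
    probe) open_runtime_port dmz 9000/tcp 300 ;;   # five-minute trial opening
    drift) show_drift dmz ;;
    save)  save_runtime ;;
    '')    ;;                    # no verb: only define the functions (when sourced)
    *)     echo "usage: $0 apply|probe|drift|save" >&2; exit 2 ;;
esac
```

Run it as root with apply and then drift: up to the moment --reload runs, the permanent view already lists the new rules while the runtime view still shows the old ones, which is exactly the window in which a host looks configured on disk but is not. probe opens 9000/tcp for five minutes without touching any file; if the application works, either save promotes the whole live state or apply writes it properly. For a dry run, set FWCMD to a small script or function that echoes its arguments and read the command lines it would have issued.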