Wednesday, 18 January 2023

firewalld cookbook

Check firewalld version

firewall-cmd -V

1.1.1

Check firewalld state

firewall-cmd --state

running


Reload firewalld config

firewall-cmd --reload

--------------------------------------------------------------------------
Port management


Save the current runtime configuration as the permanent configuration

firewall-cmd --runtime-to-permanent

Open port 80/tcp with firewall-cmd:

firewall-cmd --zone=public --add-port=80/tcp

Make the change permanent on firewalld for port 80/tcp

firewall-cmd --permanent --zone=public --add-port=80/tcp

How to open a service with firewall-cmd:

This opens the service in the public zone of the runtime environment.

firewall-cmd --zone=public --add-service=http


This also opens the service in the public zone, but in the permanent environment.

firewall-cmd --permanent --zone=public --add-service=http

List the ports opened in a zone

firewall-cmd --zone=public --list-ports
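An added example, not part of the original post: a small POSIX shell wrapper around the port commands above that validates the port specification before it reaches firewall-cmd and applies the change to the runtime configuration first, then to the permanent one, in the same order the post uses. The function names are this example's own; unless FW_APPLY=1 is set and firewall-cmd is installed, the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the original post): validate a port spec, then
# apply it to the runtime configuration first and the permanent one second,
# the same two-step sequence the post shows for 80/tcp.
# All function names are this example's own.

# fw_port_spec_valid SPEC
# Accepts "PORT/PROTO" or "LOW-HIGH/PROTO" with ports in 1..65535 and PROTO
# one of the protocols --add-port understands (tcp, udp, sctp, dccp).
fw_port_spec_valid() {
    spec=$1
    ports=${spec%/*}
    proto=${spec#*/}
    # Exactly one slash, with something on each side of it.
    [ "$ports/$proto" = "$spec" ] || return 1
    [ -n "$ports" ] && [ -n "$proto" ] || return 1
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    lo=${ports%-*}
    hi=${ports#*-}
    for p in "$lo" "$hi"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# fw_add_port_cmd ZONE SPEC [permanent]
# Prints the firewall-cmd invocation, or prints nothing and returns 1 when
# the zone name or the port spec is rejected.
fw_add_port_cmd() {
    zone=$1; spec=$2; scope=$3
    case $zone in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;   # zone names: letters, digits, _ and -
    esac
    fw_port_spec_valid "$spec" || return 1
    if [ "$scope" = permanent ]; then
        printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$zone" "$spec"
    else
        printf 'firewall-cmd --zone=%s --add-port=%s\n' "$zone" "$spec"
    fi
}

# fw_open_port ZONE SPEC
# Runtime first (immediate, lost on reload), then permanent (survives reload).
# Only executes when FW_APPLY=1 is set and firewall-cmd exists; otherwise
# the commands are printed as a dry run.
fw_open_port() {
    for scope in runtime permanent; do
        cmd=$(fw_add_port_cmd "$1" "$2" "$scope") || {
            echo "rejected: zone '$1', port spec '$2'" >&2
            return 1
        }
        if [ "${FW_APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1; then
            $cmd || return 1   # word splitting is safe: both fields were validated
        else
            echo "dry-run: $cmd"
        fi
    done
}

fw_open_port public 80/tcp
fw_open_port public 8080/tcp/x || echo "second call rejected, as intended"
```

Running the script as shown prints the two dry-run commands for 80/tcp and rejects the malformed spec; on a firewalld host, FW_APPLY=1 and root privileges make it apply the changes instead.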


--------------------------------------------------------------


Zone command options

Get the default zone :

firewall-cmd --get-default-zone

Get active zones :

firewall-cmd --get-active-zones

List all available zones :

firewall-cmd --get-zones


To change the default zone to trusted and then change it back (commands and outputs below):

$ sudo firewall-cmd --set-default-zone=trusted
success

$ sudo firewall-cmd --set-default-zone=public
success


To assign an interface temporarily to a particular zone :

firewall-cmd --zone=internal --change-interface=eno1
success


To assign an interface to a particular zone permanently (command and output below):

firewall-cmd --permanent --zone=internal --change-interface=eno1
success

which creates the file /etc/firewalld/zones/internal.xml.


To ascertain the zone associated with a particular interface :

firewall-cmd --get-zone-of-interface=eno1
public


To get all details about a particular zone:

firewall-cmd --zone=public --list-all

-----------------------------------------------------------

Source Management


To assign a source to a zone (permanently), run this command:

firewall-cmd --permanent --zone=trusted --add-source=192.168.1.0/24

You can list the sources bound to a zone with the following command (command and output below):

firewall-cmd --permanent --zone=trusted --list-sources
192.168.1.0/24

-------------------------------------------------------------------

Port Redirection and NAT

  • Inbound packets for port 80 need to be redirected to port 8080
  • Specify the zone used for the external connection with --zone=external

Command:

$ sudo firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080

Output:

success

Command:

$ sudo firewall-cmd --zone=external --list-all

------------------------------------------------------------

Service Management

So far, we have assigned particular interfaces and/or addresses to zones, but we haven't delineated what services and ports should be accessible within a zone.

To see all the services available, use this command:

$ sudo firewall-cmd --get-services

Output:

RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

or, to see those currently accessible in a particular zone, run:

$ sudo firewall-cmd --list-services --zone=public

Output:

dhcpv6-client ssh

To add a service to a zone, type:

$ sudo firewall-cmd --permanent --zone=home --add-service=dhcp

Output:

success

$ sudo firewall-cmd --reload

The second command, --reload, is needed because a --permanent change only takes effect after a reload. It is also possible to add new services by editing the files in /etc/firewalld/services.
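The permanent configuration written by the commands in this post (the zone file mentioned under zone management, the bound sources, the forward-port rule and the enabled services) lives as XML under /etc/firewalld/zones/. The following added example, not part of the original post or of firewalld itself, builds a constructed zone file in that format and audits it with POSIX shell and sed, so it runs without firewalld present, for instance against a mounted disk image during an investigation. The element and attribute names follow the files firewalld writes; the constructed sample zone, the /16 threshold in fw_zone_broad_sources and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from firewalld): audit a
# permanent zone file offline. Function names and the constructed sample
# zone are this example's own.

# fw_make_sample_zone
# Writes a constructed zone file mirroring what the post's permanent
# commands produce (interface eno1, a LAN source, services, port 80/tcp and
# the 80 -> 8080 forward) and prints its path. The 10.0.0.0/8 source is
# added on purpose as the misconfiguration the audit should catch.
fw_make_sample_zone() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Constructed sample zone for the audit example.</description>
  <interface name="eno1"/>
  <source address="192.168.1.0/24"/>
  <source address="10.0.0.0/8"/>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port port="80" protocol="tcp"/>
  <forward-port port="80" protocol="tcp" to-port="8080"/>
</zone>
EOF
    printf '%s\n' "$f"
}

# fw_zone_list FILE ELEMENT ATTR
# Prints ATTR of every <ELEMENT .../> in FILE, one per line. firewalld
# writes one element per line, which is what the sed expression assumes.
# The space required before ATTR stops "port" from matching "to-port".
fw_zone_list() {
    sed -n "s/.*<$2\([^>]* \)$3=\"\([^\"]*\)\".*/\2/p" "$1"
}

# fw_zone_broad_sources FILE [MINPREFIX]
# Lists sources whose prefix length is shorter than MINPREFIX (default 16).
# The threshold is this example's, not a firewalld rule: a /8 or 0.0.0.0/0
# bound to a permissive zone grants that zone's access far more widely than
# a LAN range such as 192.168.1.0/24 does.
fw_zone_broad_sources() {
    min=${2:-16}
    fw_zone_list "$1" source address | while IFS= read -r src; do
        case $src in
            */*) plen=${src#*/} ;;
            *)   continue ;;          # host address or ipset: nothing to judge
        esac
        case $plen in
            ''|*[!0-9]*) continue ;;
        esac
        if [ "$plen" -lt "$min" ]; then
            echo "$src"
        fi
    done
}

# fw_zone_report FILE
# Prints a compact summary of the zone's permanent configuration.
fw_zone_report() {
    f=$1
    echo "zone file: $f"
    for item in "interface name" "source address" "service name" \
                "port port" "forward-port port" "forward-port to-port"; do
        set -- $item            # split into ELEMENT ATTR on purpose
        echo "  $1 $2: $(fw_zone_list "$f" "$1" "$2" | tr '\n' ' ')"
    done
    broad=$(fw_zone_broad_sources "$f")
    if [ -n "$broad" ]; then
        echo "  WARNING broad sources: $broad"
    fi
}

zone=$(fw_make_sample_zone)
fw_zone_report "$zone"
rm -f "$zone"
```

Pointing fw_zone_report at a real file such as /etc/firewalld/zones/internal.xml gives the same summary for a live or imaged host; the report warns on the /8 source in the constructed zone and stays silent for the /24.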
