Revision as of 15:13, 10 December 2012
Contents
- 1 Dynamic firewall with FirewallD
- 1.1 The Daemon
- 1.2 Static Firewall (system-config-firewall/lokkit)
- 1.3 What is a zone?
- 1.4 Which zones are available?
- 1.5 Which zone should be used?
- 1.6 How to configure or add zones?
- 1.7 How to set or change a zone for a connection
- 1.8 Network connections handled by NetworkManager
- 1.9 Network connections handled by network scripts
- 1.10 Working with firewalld
- 1.11 The current firewalld features
- 1.11.1 D-BUS Interface
- 1.11.2 Zones
- 1.11.3 Services
- 1.11.4 ICMP types
- 1.11.5 Direct interface
- 1.11.6 Runtime configuration
- 1.11.7 Persistent configuration
- 1.11.8 Tray Applet
- 1.11.9 Graphical Configuration Tool
- 1.11.10 Command Line client
- 1.11.11 Support for ebtables
- 1.11.12 Default/Fallback configuration in /usr/lib/firewalld
- 1.11.13 System configuration settings in /etc/firewalld
- 1.12 Planned and Proposed Features
- 1.13 Firewall Rules
Dynamic firewall with FirewallD
firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and persistent configuration options. It also supports an interface for services or applications to add firewall rules directly.
The former firewall model with system-config-firewall/lokkit was static, and every change required a complete firewall restart. This also included unloading the firewall netfilter kernel modules and loading the modules needed for the new configuration. Unloading the modules broke stateful firewalling and established connections.
The firewall daemon, on the other hand, manages the firewall dynamically and applies changes without restarting the whole firewall, so there is no need to reload all firewall kernel modules. Using a firewall daemon does require that all firewall modifications are made through that daemon, so that the state in the daemon and the firewall in the kernel stay in sync. The firewall daemon cannot parse firewall rules added by the ip*tables and ebtables command line tools.
The daemon provides information about the current active firewall settings via D-BUS and also accepts changes via D-BUS using PolicyKit authentication methods.
The Daemon
Applications, daemons and the user can request to enable a firewall feature over D-BUS. A feature can be one of the predefined firewall features such as services, port and protocol combinations, port/packet forwarding, masquerading or ICMP blocking. The feature can be enabled for a certain amount of time and can be disabled again.
With the so-called direct interface, other services (for example libvirt) are able to add their own rules using iptables arguments and parameters.
The netfilter firewall helpers, used for example by the amanda, ftp, samba and tftp services, are also handled by the daemon as long as they are part of a predefined service. Loading additional helpers is not part of the current interface. Some helpers can only be unloaded after all connections handled by the module are closed, so connection tracking information matters here and needs to be taken into account.
Static Firewall (system-config-firewall/lokkit)
The current static firewall model with system-config-firewall and lokkit will still be available and usable, but not while the daemon is running. The user or admin decides which firewall solution is used by enabling the corresponding services.
It is planned to add a selector for the firewall solution at install time or in firstboot. The configuration of the other solution stays intact and can be enabled simply by switching to the other model.
The firewall daemon is independent of system-config-firewall, but the two should not be used at the same time.
What is a zone?
A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections.
Most zones are mutable, but there are also immutable zones. Immutable zones are not customizable and there is no way to override them.
Predefined services
A service is a combination of port and/or protocol entries. Optionally, netfilter helper modules can be added, as well as an IPv4 and an IPv6 destination address.
Ports and protocols
Definition of tcp or udp ports, where ports can be a single port or a port range.
ICMP blocks
Selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests or created as a reply to information requests or in error conditions.
Masquerading
The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation.
Forward ports
A port is either mapped to another port and/or to another host.
Which zones are available?
These are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:
drop (immutable)
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block (immutable)
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted (immutable)
All network connections are accepted.
Which zone should be used?
A public Wi-Fi network connection, for example, should be mainly untrusted, while a wired home network connection should be fairly trusted. Select the zone that best matches the network you are using.
How to configure or add zones?
To configure or add zones, you can either use one of the firewalld interfaces to handle and change the configuration (the graphical configuration tool firewall-config, the command line tool firewall-cmd or the D-BUS interface), or you can create or copy a zone file in one of the configuration directories. /etc/firewalld/zones is used for default and fallback configurations and @PREFIX@/lib/firewalld/zones is used for user-created and customized configuration files.
How to set or change a zone for a connection
The zone is stored in the ifcfg file of the connection with the ZONE= option. If the option is missing or empty, the default zone set in firewalld is used.
If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.
Network connections handled by NetworkManager
The firewall is not able to handle network connections by the name shown by NetworkManager; it can only handle network interfaces. Therefore NetworkManager tells firewalld to put the network interfaces related to a connection into the zone defined by the config file (ifcfg) of the connection before the connection comes up. If the zone is not set in the config file, the interfaces are put into the default zone set by firewalld. If a connection has more than one interface, all of them are supplied to firewalld. Changes in the names of interfaces are also handled by NetworkManager and supplied to firewalld.
To simplify matters, connections will be treated as related to zones from now on.
NetworkManager also tells firewalld to remove connections from zones again when the connection goes down.
If firewalld is started or restarted by systemd or init scripts, firewalld notifies NetworkManager and the connections are added to the zones again.
Network connections handled by network scripts
For connections handled by network scripts there are limitations: there is no daemon that can tell firewalld to add connections to zones. This is done in the ifcfg-post script only, so later changes in interface names cannot be supplied to firewalld. Also, starting or restarting firewalld while the connections are already active results in the loss of the relation. There are ideas to fix this as well; the simplest is to push all connections that are not set otherwise into the default zone.
The zone defines the firewall features that are enabled in this zone:
Working with firewalld
To enable or disable firewall features, for example in zones, you can either use the graphical configuration tool firewall-config or the command line client firewall-cmd.
Using firewall-cmd
The command line client firewall-cmd supports all firewall features. For status and query modes, there is no output, but the command returns the state.
Generic use
- Get the status of firewalld
firewall-cmd --state
This returns the status of firewalld via the command's return code; there is no output. To get a visual state use:
firewall-cmd --state && echo "Running" || echo "Not running"
- Reload the firewall without losing state information:
firewall-cmd --reload
If you use --complete-reload instead, the state information will be lost. This option should only be used in case of severe firewall problems, for example when the state information is broken so that no connection can be established even though the firewall rules are correct.
- Get a list of all supported zones
firewall-cmd --get-zones
This command prints a space separated list.
- Get a list of all supported services
firewall-cmd --get-services
This command prints a space separated list.
- Get a list of all supported icmptypes
firewall-cmd --get-icmptypes
This command prints a space separated list.
- Get the default zone set for network connections
firewall-cmd --get-default-zone
- Set the default zone
firewall-cmd --set-default-zone=<zone>
All interfaces located in the old default zone are moved into the new default zone, which defines the restrictions for new externally initiated connection attempts. Active connections are not affected.
- Get active zones
firewall-cmd --get-active-zones
The command prints the interfaces that are set to be part of a zone in this form:
<zone1>: <interface1> <interface2> ..
<zone2>: <interface3> ..
- Get zone related to an interface
firewall-cmd --get-zone-of-interface=<interface>
This prints the zone name if the interface is part of a zone.
- Add an interface to a zone
firewall-cmd [--zone=<zone>] --add-interface=<interface>
Adds an interface to a zone if it was not in a zone before. If the zone option is omitted, the default zone is used. The interfaces are reapplied after reloads.
- Change the zone an interface belongs to
firewall-cmd [--zone=<zone>] --change-interface=<interface>
This is similar to the --add-interface option, but pushes the interface into the new zone even if it was in another zone before.
- Remove an interface from a zone
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
- Query if an interface is in a zone
firewall-cmd [--zone=<zone>] --query-interface=<interface>
Returns whether the interface is in the zone. There is no output.
- List the enabled services in a zone
firewall-cmd [ --zone=<zone> ] --list-services
- Enable panic mode to block all network traffic in case of emergency
firewall-cmd --enable-panic
- Disable panic mode
firewall-cmd --disable-panic
- Query panic mode
firewall-cmd --query-panic
This returns the state of the panic mode; there is no output. To get a visual state use:
firewall-cmd --query-panic && echo "On" || echo "Off"
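The zone sections above state that an interface can be in only one zone and that interfaces not assigned to any zone fall under the default zone. The following Python helpers, an added example that is not part of firewalld or of this page, parse the `<zone>: <interface> <interface> ..` output of `firewall-cmd --get-active-zones` described above and run the two checks an administrator wants after a zone change: which interfaces are in no active zone (and therefore get the default zone's rules), and whether any interface shows up under more than one zone. The sample output, the interface name `eth9` and the function names are constructed for the example.

```python
from typing import Dict, List, Optional

# Constructed sample of `firewall-cmd --get-active-zones` output, one zone per
# line in the "<zone>: <interface> <interface> .." form described on the page.
SAMPLE_ACTIVE_ZONES = """\
home: em1 wlan0
public: p3p1
"""


def parse_active_zones(text: str) -> Dict[str, List[str]]:
    """Map each active zone name to the interfaces firewalld lists for it.

    Lines without a colon are ignored; a zone repeated on a later line has
    its interfaces appended rather than replaced.
    """
    zones: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        zone, _, rest = line.partition(":")
        zones.setdefault(zone.strip(), []).extend(rest.split())
    return zones


def zone_of_interface(zones: Dict[str, List[str]], iface: str) -> Optional[str]:
    """Same answer as --get-zone-of-interface, evaluated on parsed output."""
    for zone, ifaces in zones.items():
        if iface in ifaces:
            return zone
    return None


def unzoned_interfaces(zones: Dict[str, List[str]], all_ifaces: List[str]) -> List[str]:
    """Interfaces present on the host but in no active zone.

    firewalld applies the default zone to these, so this list is what an
    administrator should review after --set-default-zone.
    """
    assigned = {iface for ifaces in zones.values() for iface in ifaces}
    return [iface for iface in all_ifaces if iface not in assigned]


def duplicate_interfaces(zones: Dict[str, List[str]]) -> List[str]:
    """Interfaces listed under more than one zone.

    A connection can be part of only one zone, so any hit here means the
    output (or the state it came from) is inconsistent and worth a look.
    """
    seen, dups = set(), []
    for ifaces in zones.values():
        for iface in ifaces:
            if iface in seen and iface not in dups:
                dups.append(iface)
            seen.add(iface)
    return dups


if __name__ == "__main__":
    active = parse_active_zones(SAMPLE_ACTIVE_ZONES)
    # "eth9" is a constructed interface that is in no zone.
    print(active)
    print("unzoned:", unzoned_interfaces(active, ["em1", "wlan0", "p3p1", "eth9"]))
    print("duplicates:", duplicate_interfaces(active))
```

On a real host, replace SAMPLE_ACTIVE_ZONES with the stdout of `subprocess.run(["firewall-cmd", "--get-active-zones"], capture_output=True, text=True)` and pass the interface names from `ip link` (or `os.listdir("/sys/class/net")`) as `all_ifaces`.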
Runtime zone handling
In the runtime mode the changes to zones are not permanent. The changes will be gone after reload or restart.
- Enable a service in a zone
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
This enables a service in a zone. If zone is not set, the default zone will be used. If timeout is set, the service will only be enabled for the amount of seconds in the zone. If the service is already active, there will be no warning message.
- Example: Enable ipp-client service for 60 seconds in the home zone:
firewall-cmd --zone=home --add-service=ipp-client --timeout=60
- Example: Enable the http service in the default zone:
firewall-cmd --add-service=http
- Disable a service in a zone
firewall-cmd [--zone=<zone>] --remove-service=<service>
This disables a service in a zone. If zone is not set, the default zone will be used.
- Example: Disable http service in the home zone:
firewall-cmd --zone=home --remove-service=http
The service will be disabled in the zone. If the service is not enabled in the zone, there will be a warning message.
- Query if a service is enabled in a zone
firewall-cmd [--zone=<zone>] --query-service=<service>
This returns 1 if the service is enabled in the zone, otherwise 0. There is no output.
- Enable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
This enables a port and protocol combination. The port can be a single port <port> or a port range <port>-<port>. The protocol can be either tcp or udp.
- Disable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
- Query if a port and protocol combination is enabled in a zone
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
This command returns whether it is enabled; there is no output.
- Enable masquerading in a zone
firewall-cmd [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.
- Disable masquerading in a zone
firewall-cmd [--zone=<zone>] --remove-masquerade
- Query masquerading in a zone
firewall-cmd [--zone=<zone>] --query-masquerade
This command returns whether it is enabled; there is no output.
- Enable ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
This enables blocking of the selected Internet Control Message Protocol (ICMP) message type. ICMP messages are either information requests or created as a reply to information requests or in error conditions.
- Disable ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
- Query ICMP blocks in a zone
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
This command returns whether it is enabled; there is no output.
- Example: Block echo-reply messages in the public zone:
firewall-cmd --zone=public --add-icmp-block=echo-reply
- Enable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
The port is either mapped to the same port on another host, to another port on the same host, or to another port on another host. The port can be a single port <port> or a port range <port>-<port>. The protocol is either tcp or udp. toport is either a port <port> or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.
- Disable port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
- Query port forwarding or port mapping in a zone
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
This command returns whether it is enabled; there is no output.
- Example: Forward ssh to host 127.0.0.2 in the home zone
firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
Permanent/persistent zone handling
The permanent options do not affect the runtime configuration directly; their changes only become active after a reload or restart. To change both the runtime and the permanent setting, you need to run the command in both forms. The --permanent option needs to be the first option for all permanent calls.
- Get a list of supported permanent services
firewall-cmd --permanent --get-services
- Get a list of supported permanent icmptypes
firewall-cmd --permanent --get-icmptypes
- Get a list of supported permanent zones
firewall-cmd --permanent --get-zones
- Enable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --add-service=<service>
This enables the service in the zone permanently. If the zone option is omitted, the default zone is used.
- Disable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
- Query if a service is enabled in a zone
firewall-cmd --permanent [--zone=<zone>] --query-service=<service>
This command returns whether it is enabled; there is no output.
- Example: Enable service ipp-client permanently in the home zone
firewall-cmd --permanent --zone=home --add-service=ipp-client
- Enable a port and protocol combination permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
- Disable a port and protocol combination permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
- Query if a port and protocol combination is enabled permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
This command returns whether it is enabled; there is no output.
- Example: Enable port 443/tcp for https permanently in the home zone
firewall-cmd --permanent --zone=home --add-port=443/tcp
- Enable masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.
- Disable masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
- Query masquerading permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-masquerade
This command returns whether it is enabled; there is no output.
- Enable ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>
This enables blocking of the selected Internet Control Message Protocol (ICMP) message type. ICMP messages are either information requests or created as a reply to information requests or in error conditions.
- Disable ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
- Query ICMP blocks permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>
This command returns whether it is enabled; there is no output.
- Example: Block echo-reply messages in the public zone:
firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
- Enable port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
The port is either mapped to the same port on another host, to another port on the same host, or to another port on another host. The port can be a single port <port> or a port range <port>-<port>. The protocol is either tcp or udp. toport is either a port <port> or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.
- Disable port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
- Query port forwarding or port mapping permanently in a zone
firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
This command returns whether it is enabled; there is no output.
- Example: Forward ssh to host 127.0.0.2 in the home zone
firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
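The runtime and permanent sections above use the same option syntax and differ only in the leading --permanent, which must come first, and in --timeout, which exists only for runtime changes. The following Python module is an added example, not code from firewalld or from this page: it validates the `<port>[-<port>]/<protocol>` and `port=..:proto=..[:toport=..][:toaddr=..]` values (tcp or udp only, ports in range, toaddr an IPv4 address as the page requires, at least one of toport/toaddr present) and builds the argv for a change in the runtime form and, when asked, the matching permanent form, so a script never ends up with a rule that silently disappears at the next reload. The function names are mine; the values in the `__main__` block are the page's own ssh-forwarding example.

```python
import ipaddress
from typing import List, Optional

PROTOCOLS = ("tcp", "udp")


def _port(value: int) -> int:
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def _port_range(start: int, end: Optional[int]) -> str:
    """Render <port> or <port>-<port>, rejecting inverted ranges."""
    first = _port(start)
    if end is None:
        return str(first)
    last = _port(end)
    if last < first:
        raise ValueError(f"range end {last} is below start {first}")
    return f"{first}-{last}"


def _protocol(protocol: str) -> str:
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be tcp or udp, got {protocol!r}")
    return protocol


def port_spec(port: int, protocol: str, end: Optional[int] = None) -> str:
    """Value for --add-port / --remove-port / --query-port: <port>[-<port>]/<protocol>."""
    return f"{_port_range(port, end)}/{_protocol(protocol)}"


def forward_port_spec(port: int, protocol: str, end: Optional[int] = None,
                      toport: Optional[int] = None, toend: Optional[int] = None,
                      toaddr: Optional[str] = None) -> str:
    """Value for --add-forward-port: port=<port>[-<port>]:proto=<protocol>
    followed by :toport=..., :toaddr=..., or both (at least one is required)."""
    if toport is None and toaddr is None:
        raise ValueError("a forward needs toport, toaddr or both")
    parts = [f"port={_port_range(port, end)}", f"proto={_protocol(protocol)}"]
    if toport is not None:
        parts.append(f"toport={_port_range(toport, toend)}")
    if toaddr is not None:
        # The page states toaddr is an IPv4 address (forwarding is IPv4 only).
        addr = ipaddress.ip_address(toaddr)
        if addr.version != 4:
            raise ValueError(f"toaddr must be IPv4, got {toaddr}")
        parts.append(f"toaddr={addr}")
    return ":".join(parts)


def firewall_cmd_argv(option: str, zone: Optional[str] = None,
                      permanent: bool = False,
                      timeout: Optional[int] = None) -> List[List[str]]:
    """argv lists for one change: the runtime call, plus the permanent call
    when permanent=True.

    --permanent is placed first because the page requires it to be the first
    option; --timeout only exists for runtime changes and is not copied to
    the permanent call.
    """
    zone_opt = [f"--zone={zone}"] if zone else []
    runtime = ["firewall-cmd", *zone_opt, option]
    if timeout is not None:
        runtime.append(f"--timeout={int(timeout)}")
    calls = [runtime]
    if permanent:
        calls.append(["firewall-cmd", "--permanent", *zone_opt, option])
    return calls


if __name__ == "__main__":
    import shlex
    # Both forms of the page's ssh-forwarding example, runtime and permanent.
    spec = forward_port_spec(22, "tcp", toaddr="127.0.0.2")
    for argv in firewall_cmd_argv(f"--add-forward-port={spec}", zone="home", permanent=True):
        print(shlex.join(argv))
```

The argv lists are meant for `subprocess.run(argv, check=True)`; building them as lists rather than one string keeps zone names and rule values out of shell parsing.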
Direct options
The direct options are mostly for services and applications to be able to add custom rules. The rules are not saved and have to be resubmitted after a reload or restart.
The --direct option needs to be the first option for all calls.
DIRECT := --direct
  { --passthrough TOOL <args> } |
  { { --add-chain | --remove-chain | --query-chain } TOOL <table> <chain> } |
  { --get-chains TOOL <table> } |
  { --add-rule TOOL <table> <chain> <priority> <args> } |
  { { --remove-rule | --query-rule } TOOL <table> <chain> <args> } |
  { --get-rules TOOL <table> <chain> }
TOOL := { ipv4 | ipv6 | eb }
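Because direct rules bypass the zone model and are lost at every reload, a service that submits them should keep a validated record of what it sent so it can resubmit the same calls afterwards. The Python below is an added example, not part of firewalld or of this page: `parse_direct` checks an argument list against the DIRECT grammar above (--direct first, a known option, the right number of positional parameters, TOOL one of ipv4/ipv6/eb, an integer priority, a non-empty <args> where the grammar has one) and returns the fields; `direct_argv` is its inverse for building a conforming call. The field names, the chain name CUSTOM_IN and the sample iptables arguments are constructed.

```python
from typing import Any, Dict, List, Optional, Sequence

TOOLS = ("ipv4", "ipv6", "eb")

# Positional parameters of each direct option, in grammar order. The pseudo
# field "args" stands for the trailing <args> list, which must not be empty.
DIRECT_FORMS: Dict[str, tuple] = {
    "--passthrough": ("tool", "args"),
    "--add-chain": ("tool", "table", "chain"),
    "--remove-chain": ("tool", "table", "chain"),
    "--query-chain": ("tool", "table", "chain"),
    "--get-chains": ("tool", "table"),
    "--add-rule": ("tool", "table", "chain", "priority", "args"),
    "--remove-rule": ("tool", "table", "chain", "args"),
    "--query-rule": ("tool", "table", "chain", "args"),
    "--get-rules": ("tool", "table", "chain"),
}


def parse_direct(argv: List[str]) -> Dict[str, Any]:
    """Check a firewall-cmd direct invocation against the DIRECT grammar.

    argv excludes the program name. Returns the parsed fields on success and
    raises ValueError naming the violated rule otherwise.
    """
    if not argv or argv[0] != "--direct":
        raise ValueError("--direct must be the first option")
    if len(argv) < 2 or argv[1] not in DIRECT_FORMS:
        raise ValueError(f"unknown or missing direct option: {argv[1:2]}")
    op = argv[1]
    fields = DIRECT_FORMS[op]
    fixed = [f for f in fields if f != "args"]
    takes_args = "args" in fields
    values = argv[2:]
    if len(values) < len(fixed) + (1 if takes_args else 0):
        raise ValueError(f"{op} needs: {' '.join(fields)}")
    if not takes_args and len(values) > len(fixed):
        raise ValueError(f"{op} takes exactly {len(fixed)} parameters")
    parsed: Dict[str, Any] = {"op": op}
    parsed.update(zip(fixed, values))
    if parsed["tool"] not in TOOLS:
        raise ValueError(f"TOOL must be one of {', '.join(TOOLS)}")
    if "priority" in parsed:
        parsed["priority"] = int(parsed["priority"])  # ValueError if not a number
    if takes_args:
        parsed["args"] = values[len(fixed):]
    return parsed


def direct_argv(op: str, tool: str, table: Optional[str] = None,
                chain: Optional[str] = None, priority: Optional[int] = None,
                args: Sequence[str] = ()) -> List[str]:
    """Inverse of parse_direct: build a grammar-conforming argv for one call,
    e.g. to resubmit a rule after a reload, since direct rules are not saved."""
    if op not in DIRECT_FORMS:
        raise ValueError(f"unknown direct option: {op}")
    argv = ["--direct", op, tool]
    for field, value in (("table", table), ("chain", chain), ("priority", priority)):
        if field in DIRECT_FORMS[op]:
            if value is None:
                raise ValueError(f"{op} requires <{field}>")
            argv.append(str(value))
    if "args" in DIRECT_FORMS[op]:
        argv.extend(args)
    parse_direct(argv)  # validate before the list is handed to firewall-cmd
    return argv


if __name__ == "__main__":
    # Constructed example: a custom chain and one rule on the ipv4 filter table.
    print(direct_argv("--add-chain", "ipv4", table="filter", chain="CUSTOM_IN"))
    print(parse_direct(["--direct", "--add-rule", "ipv4", "filter", "CUSTOM_IN", "0",
                        "-p", "tcp", "--dport", "22", "-j", "ACCEPT"]))
```

Prepending "firewall-cmd" to the returned list gives the full argv for `subprocess.run`; a service can store the parsed dicts and replay them through `direct_argv` after it sees firewalld reload.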