FirewallD

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(How to configure or add zones?)
(34 intermediate revisions by 7 users not shown)
Line 1: Line 1:
 +
{{autolang|base=yes}}
 
= Dynamic firewall with FirewallD =
 
= Dynamic firewall with FirewallD =
  
FirewallD is a service daemon with a D-BUS interface that provides a dynamic managed firewall.
+
firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and persistent configuration options. It also supports an interface for services or applications to add firewall rules directly.
  
== Why A Firewall Daemon ==
+
The former firewall model with system-config-firewall/lokkit was static and every change required a complete firewall restart. This included also to unload the firewall netfilter kernel modules and to load the modules that are needed for the new configuration. The unload of the modules was breaking stateful firewalling and established connections.
 
+
The current firewall model is static and every change requires a complete firewall restart. This includes also to unload the firewall netfilter kernel modules and to load the modules that are needed for the new configuration. The unload of the modules is breaking stateful firewalling and established connections.
+
  
 
The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall rules added by the ip*tables and ebtables command line tools.
 
The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall rules added by the ip*tables and ebtables command line tools.
  
The daemon provides information about the current active firewall settings via D-BUS and also accepts changes via D-BUS using PolicyKit authentication methods. SELinux access restrictions are also planned.
+
The daemon provides information about the current active firewall settings via D-BUS and also accepts changes via D-BUS using PolicyKit authentication methods.
  
 
== The Daemon ==
 
== The Daemon ==
  
Applications, daemons and the user can request to enable a firewall feature over D-BUS. Applications, daemons and the user can request to enable a firewall feature over D-BUS. A feature could either be one of the predefined firewall features like services, port and protocol combinations, trusted interfaces/hosts/network areas, port/packet forwarding, masquerading, icmp blocking or even a custom rule. The feature can be enabled for a certain amount of time or can be disabled by again.
+
Applications, daemons and the user can request to enable a firewall feature over D-BUS. A feature could either be one of the predefined firewall features like services, port and protocol combinations, port/packet forwarding, masquerading or icmp blocking. The feature can be enabled for a certain amount of time or can be disabled by again.
  
New chains for virtualization, network settings, services, ports, masquerading, port forwarding, icmp filtering and virtualization are added to make the firewall setup more flexible, safe and robust. Adding a rule with the firewall daemon to one of these chains will most likely not interefere with rules of other chains. The order of the chains and how they are used is fixed.
+
With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters.
  
The netfilter firewall helpers, that are for example used for amanda, ftp, samba and tftp services, are also handled by the daemon as long as they are part of a predefined service. Loading of additional helpers is not part of the current interface. For some of the helpers onloading is only possible after all connections that are handled by the module are closed. Therefore connection tracking information is important here and needs to get into account.
+
The netfilter firewall helpers, that are for example used for amanda, ftp, samba and tftp services, are also handled by the daemon as long as they are part of a predefined service. Loading of additional helpers is not part of the current interface. For some of the helpers unloading is only possible after all connections that are handled by the module are closed. Therefore connection tracking information is important here and needs to get into account.
  
== Static Firewall (system-config-firewall) ==
+
== Static Firewall (system-config-firewall/lokkit) ==
  
The actual static firewall model with system-config-firewall will still be available and usable, but not at the same time as the daemon is running. The user or admin can decide which firewall solution should be used.  
+
The actual static firewall model with system-config-firewall and lokkit will still be available and usable, but not at the same time as the daemon is running. The user or admin can decide which firewall solution should be used by enabling the corresponding services.
  
At install time, firstboot or first network usage, there will be a selector for the firewall solution to use. If the firewall daemon will be used, it will diable the ip*tables services and also add the disabled option for system-config-firewall. The configuration will stay intact and s-c-fw can be enabled simply with "lokkit --enabled" again.
+
Planned is to add a selector for the firewall solution to be used at install time or in first boot. The configuration of the other solution will stay intact and can be enabled simply by switching to the other model.
  
 
The firewall daemon is independent to system-config-firewall, but should not be used at the same time.
 
The firewall daemon is independent to system-config-firewall, but should not be used at the same time.
  
== Planned and Proposed Features ==
+
== What is a zone? ==
 +
 
 +
A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections.
 +
 
 +
Most zones are mutable, but there are also immutable zones. Immutable zones are not customizable and there is no way to overload them.
 +
 
 +
=== Predefined services ===
 +
 
 +
A service is a combination of port and/or protocol entries. Optionally netfilter helper modules can be added and also a IPv4 and IPv6 destination address.
 +
 
 +
=== Ports and protocols ===
 +
 
 +
Definition of tcp or udp ports, where ports can be a single port or a port range.
 +
 
 +
=== ICMP blocks ===
 +
 
 +
Selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests or created as a reply to information requests or in error conditions.
 +
 
 +
=== Masquerading ===
 +
 
 +
The addresses of a private network a mapped to and hidden behind a public IP address. This is a form of address translation.
 +
 
 +
=== Forward ports ===
 +
 
 +
A port is either mapped to another port and/or to another host.
 +
 
 +
== Which zones are available? ==
 +
 
 +
These are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:
 +
 
 +
=== drop (immutable) ===
 +
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
 +
 
 +
=== block (immutable) ===
 +
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
 +
 
 +
=== public ===
 +
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
 +
 
 +
=== external ===
 +
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
 +
 
 +
=== dmz ===
 +
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
 +
 
 +
=== work ===
 +
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
 +
 
 +
=== home ===
 +
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
 +
 
 +
=== internal ===
 +
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
 +
 
 +
=== trusted (immutable) ===
 +
All network connections are accepted.
 +
 
 +
== Which zone should be used? ==
 +
A public WIFI network connection for example should be mainly untrusted, a wired home network connection should be fairly trusted. Select the zone that best matches the network you are using.
 +
 
 +
== How to configure or add zones? ==
 +
To configure or add zones you can either use one of the firewalld interfaces to handle and change the configuration. These are the graphical configuration tool firewall-config, the command line tool firewall-cmd or the D-BUS interface. Or you can create or copy a zone file in one of the configuration directories. @PREFIX@/lib/firewalld/zones is used for default and fallback configurations and /etc/firewalld/zones is used for user created and customized configuration files.
 +
 
 +
== How to set or change a zone for a connection ==
 +
The zone is stored into the ifcfg of the connection with the ZONE= option. If the option is missing or empty, the default zone set in firewalld is used.
 +
 
 +
If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.
 +
 
 +
== Network connections handled by NetworkManager ==
 +
 
 +
The firewall is not able to handle network connections with the name shown by NetworkManager, it can only handle network interfaces. Therefore NetworkManager tells firewalld to put the network interfaces related to the connections in the zones defined by the config file (ifcfg) of the connection before the connection comes up. If the zone is not set in the config file, the interfaces will be put in the default zone set by firewalld. If a connection has more than one interfaces, both will be supplied to firewalld. Also changes in the names of interfaces will be handled by NetworkManager and supplied to firewalld.
 +
 
 +
To simplify this connections will be used as related to zones from now on.
 +
 
 +
NetworkManager also tells firewalld to remove connections from zones again if the connection went down.
 +
 
 +
If firewalld gets started or restarted by systemd or init scripts, firewalld notifies NetworkManager and the connections will be added to the zones.
 +
 
 +
== Network connections handled by network scripts ==
 +
 
 +
For connections handled by network scripts there a limitations: There is no daemon that can tell firewalld to add connections to zones. This is done in the ifcfg-post script only. Therefore changed in names after this can not be supplied to firewalld. Also starting or restarting firewalld if the connections are active already result in loose of the relation. There are ideas to fix this also. The simplest is to push all connections to the default zone that are not set otherwise.
 +
 
 +
The zone defines the firewall features that are enabled in this zone:
 +
 
 +
== Working with firewalld ==
 +
 
 +
To enable or disable firewall features for example in zones, you can either use the graphical configuration tool '''firewall-config''' or the command line client '''firewall-cmd'''
 +
 
 +
=== Using firewall-cmd ===
 +
 
 +
The command line client '''firewall-cmd''' supports all firewall features. For status and query modes, there is no output, but the command returns the state.
 +
 
 +
==== Generic use ====
 +
 
 +
* Get the status of firewalld
 +
  firewall-cmd --state
 +
 
 +
This returns the status of firewalld, there is no output. To get a visual state use:
 +
  firewall-cmd --state && echo "Running" || echo "Not running"
 +
 
 +
* Reload the firewall without loosing state information:
 +
  firewall-cmd --reload
 +
 
 +
If you are using '''--complete-reload''' instead, the state information will be lost. This option should only be used in case of severe firewall problems for example if there are state information problems that no connection can be established but the firewall rules are correct.
 +
 
 +
* Get a list of all supported zones
 +
  firewall-cmd --get-zones
 +
 
 +
This command prints a space separated list.
 +
 
 +
* Get a list of all supported services
 +
  firewall-cmd --get-services
 +
 
 +
This command prints a space separated list.
 +
 
 +
* Get a list of all supported icmptypes
 +
  firewall-cmd --get-icmptypes
 +
 
 +
This command prints a space separated list.
 +
 
 +
* List all zones with the enabled features.
 +
  firewall-cmd --list-all-zones
 +
 
 +
The output format is:
 +
  <zone>
 +
    interfaces: <interface1> ..
 +
    services: <service1> ..
 +
    ports: <port1> ..
 +
    forward-ports: <forward port1> ..
 +
    icmp-blocks: <icmp type1> ..
 +
   
 +
    ..
 +
 
 +
* Print zone <zone> with the enabled features. If zone is omitted, the default zone will be used.
 +
  firewall-cmd [--zone=<zone>] --list-all
 +
 
 +
* Get the default zone set for network connections
 +
  firewall-cmd --get-default-zone
 +
 
 +
* Set the default zone
 +
  firewall-cmd --set-default-zone=<zone>
 +
 
 +
All interfaces that are located in the default zone will be pushed in the new default zone, that defines the limitations for new external initiated connection attempts. Active connections are not affected.
 +
 
 +
* Get active zones
 +
  firewall-cmd --get-active-zones
 +
 
 +
The command prints the interfaces that are set to be part of a zone in this form:
 +
  <zone1>: <interface1> <interface2> ..
 +
  <zone2>: <interface3> ..
 +
 
 +
* Get zone related to an interface
 +
  firewall-cmd --get-zone-of-interface=<interface>
 +
 
 +
This prints the zone name, if the interface is part of a zone
 +
 
 +
* Add an interface to a zone
 +
  firewall-cmd [--zone=<zone>] --add-interface=<interface>
 +
 
 +
Add an interface to a zone, if it was not in a zone before. If the zone options is omitted, the default zone will be used. The interfaces are reapplied after reloads.
 +
 
 +
* Change the zone an interface belongs to
 +
  firewall-cmd [--zone=<zone>] --change-interface=<interface>
 +
 
 +
This is similar to the --add-interface options, but pushes the interface in the new zone even if it was in another zone before.
 +
 
 +
* Remove an interface from a zone
 +
  firewall-cmd [--zone=<zone>] --remove-interface=<interface>
 +
 
 +
* Query if an interface is in a zone
 +
  firewall-cmd [--zone=<zone>] --query-interface=<interface>
 +
 
 +
Returns if the interface is in the zone. There is no output.
 +
 
 +
* List the enabled services in a zone
 +
  firewall-cmd [ --zone=<zone> ] --list-services
 +
 
 +
* Enable panic mode to block all network traffic in case of emergency
 +
  firewall-cmd --enable-panic
 +
 
 +
* Disable panic mode
 +
  firewall-cmd --disable-panic
 +
 
 +
* Query panic mode
 +
  firewall-cmd --query-panic
 +
 
 +
This returns the state of the panic mode, there is no output. To get a visual state use
 +
  firewall-cmd --query-panic && echo "On" || echo "Off"
 +
 
 +
==== Runtime zone handling ====
 +
 
 +
In the runtime mode the changes to zones are not permanent. The changes will be gone after reload or restart.
 +
 
 +
* Enable a service in a zone
 +
  firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
 +
 
 +
This enables a service in a zone. If zone is not set, the default zone will be used. If timeout is set, the service will only be enabled for the amount of seconds in the zone. If the service is already active, there will be no warning message.
 +
 
 +
* '''Example:''' Enable ipp-client service for 60 seconds in the home zone:
 +
  firewall-cmd --zone=home --add-service=ipp-client --timeout=60
 +
 
 +
* '''Example:''' Enable the http service in the default zone:
 +
  firewall-cmd --add-service=http
 +
 
 +
* Disable a service in a zone
 +
  firewall-cmd [--zone=<zone>] --remove-service=<service>
 +
 
 +
This disables a service in a zone. If zone is not set, the default zone will be used.
 +
 
 +
* '''Example:''' Disable http service in the home zone:
 +
  firewall-cmd --zone=home --remove-service=http
 +
 
 +
The service will be disabled in the zone. If the service is not enabled in the zone, there will be an warning message.
 +
 
 +
* Query if a service is enabled in a zone
 +
  firewall-cmd [--zone=<zone>] --query-service=<service>
 +
 
 +
This returns 1 if the service is enabled in the zone, otherwise 0. There is no output.
 +
 
 +
* Enable a port and protocol combination in a zone
 +
  firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
 +
 
 +
This enables a port and protocol combination. The port can be a single port <port> or a port range <port>-<port>. The protocol can be either '''tcp''' or '''udp'''.
 +
 
 +
* Disable a port and protocol combination in a zone
 +
  firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
 +
 
 +
* Query if a port and protocol combination in enabled in a zone
 +
  firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* Enable masquerading in a zone
 +
  firewall-cmd [--zone=<zone>] --add-masquerade
 +
 
 +
This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.
 +
 
 +
* Disable masquerading in a zone
 +
  firewall-cmd [--zone=<zone>] --remove-masquerade
 +
 
 +
* Query masquerading in a zone
 +
  firewall-cmd [--zone=<zone>] --query-masquerade
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* Enable ICMP blocks in a zone
 +
  firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
 +
 
 +
This enabled the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.
 +
 
 +
* Disable ICMP blocks in a zone
 +
  firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
 +
 
 +
* Query ICMP blocks in a zone
 +
  firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* '''Example:''' Block echo-reply messages in the public zone:
 +
  firewall-cmd --zone=public --add-icmp-block=echo-reply
 +
 
 +
* Enable port forwarding or port mapping in a zone
 +
  firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
 +
 
 +
The port is either mapped to the same port on another host or to another port on the same host or to another port on another host. The port can be a singe port <port> or a port range <port>-<port>. The protocol is either '''tcp''' or '''udp'''. toport is either port <port> or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.
 +
 
 +
* Disable port forwarding or port mapping in a zone
 +
  firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
 +
 
 +
* Query port forwarding or port mapping in a zone
 +
  firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* '''Example:''' Forward ssh to host 127.0.0.2 in the home zone
 +
  firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
 +
 
 +
==== Permanent/persistent zone handling ====
 +
 
 +
The permanent options are not affecting runtime directly. These options are only available after a reload or restart. To have runtime and permanent setting, you need to supply both.
 +
The '''--permanent''' option needs to be the first option for all permanent calls.
 +
 
 +
* Get a list of supported permanent services
 +
  firewall-cmd --permanent --get-services
 +
 
 +
* Get a list of supported permanent icmptypes
 +
  firewall-cmd --permanent --get-icmptypes
 +
 
 +
* Get a list of supported permanent zones
 +
  firewall-cmd --permanent --get-zones
 +
 
 +
* Enable a service in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --add-service=<service>
 +
 
 +
This enables the service in the zone permanently. If the zone option is omitted, the default zone is used.
 +
 
 +
* Disable a service in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
 +
 
 +
* Query if a service is enabled in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --query-service=<service>
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* '''Example:''' Enable service ipp-client permanently in the home zone
 +
  firewall-cmd --permanent --zone=home --add-service=ipp-client
 +
 
 +
* Enable a port and protocol combination permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
 +
 
 +
* Disable a port and protocol combination permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
 +
 
 +
* Query if a port and protocol combination is enabled permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* '''Example:''' Enable port 443/tcp for https permanently in the home zone
 +
  firewall-cmd --permanent --zone=home --add-port=443/tcp
 +
 
 +
* Enable masquerading permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --add-masquerade
 +
 
 +
This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.
 +
 
 +
* Disable masquerading permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
 +
 
 +
* Query masquerading permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --query-masquerade
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* Enable ICMP blocks permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>
 +
 
 +
This enabled the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.
 +
 
 +
* Disable ICMP blocks permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
 +
 
 +
* Query ICMP blocks permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* '''Example:''' Block echo-reply messages in the public zone:
 +
  firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
 +
 
 +
* Enable port forwarding or port mapping permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
 +
 
 +
The port is either mapped to the same port on another host or to another port on the same host or to another port on another host. The port can be a singe port <port> or a port range <port>-<port>. The protocol is either '''tcp''' or '''udp'''. toport is either port <port> or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.
 +
 
 +
* Disable port forwarding or port mapping permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
 +
 
 +
* Query port forwarding or port mapping permanently in a zone
 +
  firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* '''Example:''' Forward ssh to host 127.0.0.2 in the home zone
 +
  firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
 +
 
 +
==== Direct options ====
 +
 
 +
The direct options are mostly for services and applications to be able to add custom rules.
 +
The rules are not saved and have to get resubmitted after reload or restart. The arguments <args> of the passthrough option are the same as the corresponding iptables, ip6tables and ebtables arguments.
 +
 
 +
The '''--direct''' option needs to be the first option for all direct options.
 +
 
 +
* Pass a command through to the firewall. <args> can be all iptables, ip6tables and ebtables command line arguments
 +
  <nowiki>firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args></nowiki>
 +
 
 +
* Add a new chain <chain> to a table <nowiki><table></nowiki>.
 +
  <nowiki>firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain></nowiki>
 +
 
 +
* Remove a chain with name <chain> from table <nowiki><table></nowiki>.
 +
  <nowiki>firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain></nowiki>
 +
 
 +
* Query if a chain with name <chain> exists in table <nowiki><table></nowiki>. Returns 0 if true, 1 otherwise.
 +
  <nowiki>firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain></nowiki>
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* Get all chains added to table <nowiki><table></nowiki> as a space separated list.
 +
  <nowiki>firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb } <table></nowiki>
 +
 
 +
* Add a rule with the arguments <args> to chain <chain> in table <nowiki><table></nowiki> with priority <priority>.
 +
  <nowiki>firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args></nowiki>
 +
 
 +
* Remove a rule with the arguments <args> from chain <chain> in table <nowiki><table></nowiki>.
 +
  <nowiki>firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args></nowiki>
 +
 
 +
* Query if a rule with the arguments <args> exists in chain <chain> in table <nowiki><table></nowiki>. Returns 0 if true, 1 otherwise.
 +
  <nowiki>firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args></nowiki>
 +
 
 +
This command returns if it is enabled, there is no output.
 +
 
 +
* Get all rules added to chain <chain> in table <nowiki><table></nowiki> as a newline separated list of arguments.
 +
  <nowiki>firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain></nowiki>
 +
 
 +
== The current firewalld features ==
 +
 
 +
=== D-BUS Interface ===
 +
 
 +
The D-BUS interface gives information about the firewall state and makes it possible to enable, disable and query firewall settings.
 +
 
 +
=== Zones ===
 +
 
 +
A network or firewall zone defines the trust level of the interface used for a connection. There are several pre-defined zones provided by firewalld. Zone configuration options and generic file information are described in the firewalld.zone(5) man page.
 +
 
 +
=== Services ===
 +
 
 +
A service can be a list of local ports and destinations and additionally also a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Service configuration options and generic file information are described in the firewalld.service(5) man page.
 +
 
 +
=== ICMP types ===
 +
 
 +
The Internet Control Message Protocol (ICMP) is used to exchange information and also error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages. ICMP type configuration options and generic file information are described in the firewalld.icmptype(5) man page.
  
=== Powerful D-BUS Interface ===
+
=== Direct interface ===
  
The D-BUS interface gives information about the firewall state and makes it possible to enable, disable and query firewall features. A
+
The direct interface is mainly used by services or applications to add specific firewall rules. The rules are not persistent and need to get applied after receiving the start, restart or reload message from firewalld using D-BUS.
  
=== System and Session (User) Configuration ===
+
=== Runtime configuration ===
  
The firewall system configuration is the base configuration for the whole system and can be altered with the session (user) configuration. The session configuration can be limited by policies and the system administrator.
+
The runtime configuration is not persistent and will only be restored for a reload. After restart or stop of the service or a system reboot, these options will be gone.
  
=== Permanent and Temporary Configuration ===
+
=== Persistent configuration ===
  
Permanent firewall settings are settings, that still exist after a reboot and service restart. Temporary settings will be lots after reboot and service restart. A firewall service reload will restore all settings, permanent and temporary.
+
The persistent configuration is stored in config files and will be restored with every machine boot or service reload or restart.
  
 
=== Tray Applet ===
 
=== Tray Applet ===
  
The try applet '''firewall-applet''' visualizes the firewall state and also problems with the firewall for the user. It can also be used to configure settings the user is allowed to change.
+
The tray applet '''firewall-applet''' visualizes the firewall state and also problems with the firewall for the user. It can also be used to configure settings by calling '''firewall-config'''.
  
 
=== Graphical Configuration Tool ===
 
=== Graphical Configuration Tool ===
  
The configuration tool '''firewall-config''' is the main configuration tool for the firewall daemon. It supports all features of the firewall, but firewall settings of libvirt and also NetworkManager are readonly.
+
The configuration tool '''firewall-config''' is the main configuration tool for the firewall daemon. It supports all features of the firewall besides the direct interface, this is handled by the service/application that added the rules.
 
+
It also makes it possible for the administrator to change system and user policies.
+
  
 
=== Command Line client ===
 
=== Command Line client ===
Line 57: Line 474:
 
=== Support for ebtables ===
 
=== Support for ebtables ===
  
ebtables support is needed to fullfill all needs of the libvirt daemon and to prevent access problems between ip*tables and ebtables on kernel netfilter level. All these commands are accessing the same structures and therefore they should not be used at the same time.
+
ebtables support is needed to fulfill all needs of the libvirt daemon and to prevent access problems between ip*tables and ebtables on kernel netfilter level. All these commands are accessing the same structures and therefore they should not be used at the same time.
  
=== Support for conntrack ===
+
=== Default/Fallback configuration in /usr/lib/firewalld ===
  
Conntrack is needed to be able to terminate established connections for features that get disabled. For some use cases it might not be good to terminate the connection: Enabling of a firewall service for a limited time to establish a persistent external connection.
+
This directory contains the default and fallback configuration provided by firewalld for icmptypes, services and zones. The files provided with the firewalld package should not get changed and the changes are gone with an update of the firewalld package. Additional icmptypes, services and zones can be provided with packages or by creating files.
  
=== User interaction mode ===
+
=== System configuration settings in /etc/firewalld ===
 +
The system or user configuration stored here is either created by the system administrator or by customization with the configuration interface of firewalld or by hand. The files will overload the default configuration files.
  
This is a special mode of in the firewall the user or admin can enable. All requests of applications to alter the firewall are directed to the user to get notified and granted or denied. It is possible to set a time limit for the acceptance of a connection and to limit it to hosts, networks or connections. It can be saved to behave the same in the future without notification.
+
To manually change settings of pre-defined icmptypes, zones or services, copy the file from the default configuration directory to the corresponding directory in the system configuration directory and change it accordingly.
  
An additional feature of this mode is direct external connection attempts on preselected services or ports to the user with the same features as the application initiated requests. The limitation on services and ports will also limit the amount of requests sent to the user.
+
It is not possible to overload immutable zones, because these may not get changed. If you are loading the defaults for a zone that has a default or fallback file, the file in /etc/firewalld will be renamed to <file>.old and the fallback will be used again.
  
=== Network zones: Network security model ===
+
== Planned and Proposed Features ==
  
Network zones define the level of trust for network connections. A public WIFI network connection for example should be untrusted, a wired home network connection should be fairly trusted.
+
=== Firewall Abstraction Model ===
  
The network security model can be selected initially at installation time, firstboot or when the first network connection gets established. The model describes the trust level of the whole network environment, the host is connected to, and also defines what to do with new connections.
+
Adding an abstraction layer on top of ip*tables and ebtables firewall rules makes adding rules simple and more intuitive. The abstraction layer needs to be powerful, but also simple, which makes this not an easy task. A firewall language has to gen invented for this. Firewall rules have a fixed position and querying generic information about access state, access policies for ports and other firewall features is possible.
  
There are different initial zones:
+
=== Support for conntrack ===
  
  - Home / Work
+
Conntrack is needed to be able to terminate established connections for features that get disabled. For some use cases it might not be good to terminate the connection: Enabling of a firewall service for a limited time to establish a persistent external connection.
  - Public
+
  - Connection specific
+
  
The home or work zone has the highest trust level. All incoming connections are allowed. The public zone on the other hand is fully untrusted. No incoming connection is allowed. The connection specific model requires that the user tunes the trust level of a connection according to the needs. The default is untrusted.
+
=== User interaction mode ===
  
The user or administrator is able to define new zones or adapt initial zones to change the behaviour according to the needs.  
+
This is a special mode of in the firewall the user or admin can enable. All requests of applications to alter the firewall are directed to the user to get notified and granted or denied. It is possible to set a time limit for the acceptance of a connection and to limit it to hosts, networks or connections. It can be saved to behave the same in the future without notification.
  
The network security model makes it possible to have one trust level for all connections or to have several connections with different trust levels.
+
An additional feature of this mode is direct external connection attempts on preselected services or ports to the user with the same features as the application initiated requests. The limitation on services and ports will also limit the amount of requests sent to the user.
  
 
=== User policy support ===
 
=== User policy support ===
Line 109: Line 525:
 
The first is to add it to netfilter (kernel space). This has the advantage, that it can be used by everyone, but also limits the use. To get user or system specific information into account, all these need to be implemented in kernel space also.
 
The first is to add it to netfilter (kernel space). This has the advantage, that it can be used by everyone, but also limits the use. To get user or system specific information into account, all these need to be implemented in kernel space also.
  
The other one would be to add this to a firewall daemon. These abtract rules could be used together with informations like the trust level of the network connections, the user decision to share with as specific person/host or the hard rule of the administrator to forbid sharing completely.
+
The other one would be to add this to a firewall daemon. These abstract rules could be used together with information like the trust level of the network connections, the user decision to share with as specific person/host or the hard rule of the administrator to forbid sharing completely.
  
The second solution would have the advantage that new metadata groups or changes in incorporation of trust levels, user preferences or administrator rules would not require to push a new kernel. Adding these kind of abtract rules to a firewall daemon would make it much more flexible. Even new security levels woule be easy to add without kernel updates.
+
The second solution would have the advantage that new metadata groups or changes in incorporation of trust levels, user preferences or administrator rules would not require to push a new kernel. Adding these kind of abstract rules to a firewall daemon would make it much more flexible. Even new security levels would be easy to add without kernel updates.
  
 +
=== sysctld ===
 +
 +
At the moment there are sysctl settings that are not properly applied. This happens if the module providing the setting is not loaded at boot time when rc.sysinit runs or it the module gets reloaded at runtime.
 +
Another example is net.ipv4.ip_forward, which is needed for example for specific firewall settings, libvirt and also user/admin changes. If there are two apps or daemons enabling ip_forwarding only if needed, then it could happen that one of them is turning it off again without knowing that there is another one, that still needs it tuned on.
 +
 +
The sysctl daemon could solve this by having an internal use count for settings, that will make it possible to turn it off or go to the previous setting again if the requester reverted the request to change it.
  
 
== Firewall Rules ==
 
== Firewall Rules ==
Line 122: Line 544:
 
The dynamic model has additional chains for the firewall features. These specific chains are called in a defined ordering and rules added to a chain could not interfere with reject or drop rules in chains that were called before. This makes it possible to have a more sane firewall configuration.
 
The dynamic model has additional chains for the firewall features. These specific chains are called in a defined ordering and rules added to a chain could not interfere with reject or drop rules in chains that were called before. This makes it possible to have a more sane firewall configuration.
  
Here are example rules created by the daemon in the filter table with ssh and ipp-client enabled:
+
Here are example rules created by the daemon in the filter table with ssh, ipp-client and mdns enabled in the public zone, all other zones have been removed to simplify and shorten the output:
  
 +
  *filter
 
   :INPUT ACCEPT [0:0]
 
   :INPUT ACCEPT [0:0]
 
   :FORWARD ACCEPT [0:0]
 
   :FORWARD ACCEPT [0:0]
 
   :OUTPUT ACCEPT [0:0]
 
   :OUTPUT ACCEPT [0:0]
   :FORWARD_custom - [0:0]
+
   :FORWARD_ZONES - [0:0]
   :FORWARD_forward - [0:0]
+
   :FORWARD_direct - [0:0]
   :FORWARD_icmp - [0:0]
+
   :INPUT_ZONES - [0:0]
   :FORWARD_masq - [0:0]
+
   :INPUT_direct - [0:0]
   :FORWARD_trusted - [0:0]
+
   :IN_ZONE_public - [0:0]
   :FORWARD_virt - [0:0]
+
   :IN_ZONE_public_allow - [0:0]
   :INPUT_custom - [0:0]
+
   :IN_ZONE_public_deny - [0:0]
   :INPUT_forward - [0:0]
+
   :OUTPUT_direct - [0:0]
  :INPUT_icmp - [0:0]
+
   -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  :INPUT_ports - [0:0]
+
   -A INPUT -i lo -j ACCEPT
  :INPUT_services - [0:0]
+
   -A INPUT -j INPUT_direct
  :INPUT_trusted - [0:0]
+
   -A INPUT -j INPUT_ZONES
  :INPUT_virt - [0:0]
+
   -A INPUT -p icmp -j ACCEPT
  :OUTPUT_custom - [0:0]
+
   -A INPUT -j REJECT --reject-with icmp-host-prohibited
  :OUTPUT_virt - [0:0]
+
   -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -j INPUT_virt
+
   -A FORWARD -i lo -j ACCEPT
  -A INPUT -m state --state INVALID -j REJECT --reject-with icmp-host-prohibited
+
   -A FORWARD -j FORWARD_direct
   -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  
+
   -A FORWARD -j FORWARD_ZONES
   -A INPUT -i lo -j ACCEPT  
+
   -A FORWARD -p icmp -j ACCEPT
   -A INPUT -p icmp -j INPUT_icmp
+
   -A FORWARD -j REJECT --reject-with icmp-host-prohibited
   -A INPUT -p icmp -j ACCEPT
+
   -A OUTPUT -j OUTPUT_direct
   -A INPUT -j INPUT_trusted
+
   -A IN_ZONE_public -j IN_ZONE_public_deny
  -A INPUT -j INPUT_forward
+
  -A IN_ZONE_public -j IN_ZONE_public_allow
   -A INPUT -j INPUT_services
+
   -A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  -A INPUT -j INPUT_ports
+
   -A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
  -A INPUT -j INPUT_custom
+
  -A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
  -A INPUT -j REJECT --reject-with icmp-host-prohibited
+
  -A FORWARD -j FORWARD_virt
+
  -A FORWARD -m state --state INVALID -j REJECT --reject-with icmp-host-prohibited  
+
   -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT  
+
   -A FORWARD -i lo -j ACCEPT  
+
   -A FORWARD -p icmp -j FORWARD_icmp
+
   -A FORWARD -p icmp -j ACCEPT
+
   -A FORWARD -j FORWARD_trusted
+
  -A FORWARD -j FORWARD_forward
+
  -A FORWARD -j FORWARD_masq
+
  -A FORWARD -j FORWARD_custom
+
   -A FORWARD -j REJECT --reject-with icmp-host-prohibited  
+
   -A OUTPUT -j OUTPUT_virt
+
   -A OUTPUT -j OUTPUT_custom
+
   -A INPUT_services -p tcp -m tcp --dport 22 -j ACCEPT  
+
   -A INPUT_services -p udp -m udp --dport 631 -j ACCEPT  
+
 
+
The icmp block rules are added to INPUT_icmp and will reject icmp types. All other icmp types are accepted. Trusted interfaces and later on hosts or network areas are added to INPUT_trusted. INPUT_Forward will be used fot the INPUT filter part of pport/packet forwarding. Service rules will be placed into INPUT_services, user defined ports into INPUT_ports and custom rules into INPUT_custom. The chains for libvirt are missing and will be added later on either very early or late in the base chain. It is possible to have a INPUT_custom_early also if needed, for example for a special icmp filtering.
+
 
+
This model makes it more easy to add or remove rules from a specifig block without interfering with accept or drop rules from another block.
+
 
+
 
+
== Useful Extensions ==
+
 
+
=== sysctld ===
+
 
+
At the moment there are sysctl settings that are not properly applied. This happens if the module providing the setting is not loaded at boot time when rc.sysinit runs or it the module gets reloaded at runtime.
+
Another example is net.ipv4.ip_forward, which is needed for example for specific firewall settings, libvirt and also user/admin changes. If there are two apps or daemons enabling ip_forwarding only if needed, then it could happen that one of them is turning it off again without knowing that there is anotherone, that still needs it tuned on.
+
 
+
The sysctl daemon could solve this by having an internal use count for settings, that will make it possible to turn it off or go to the previous setting again if the requester reverted the request to change it.
+
 
+
== Development Phases ==
+
 
+
These phases are planned and might change over time according to requests and needs.
+
 
+
=== Phase 1 (Fedora 15) ===
+
 
+
Fedora 15 will contain the proof of concept implementation with some enhancements as a preview and test version. It will not be installed and enabled by default.
+
 
+
The list below contains the actual state in the GIT repo (2010-12-22):
+
 
+
* Nearly all system-config-firewall features are supported. Custom rule files are not supported, but simple custom rules with the custom interface
+
* Simple tray applet showing the firewall state, can also enable and disable firewall services
+
* Command line client
+
* Tray applet and command line client can not handle libvirt and NetworkManager rules
+
* No permanent firewall features (rules will be lost with service restart and reboot, but service reload keeps rules)
+
* System, but no session (user) configuration
+
* The firewall-config utility is not functional
+
* sysctl changes for ip_forwarding are not implemented
+
* Access conflicts of ip*tables and ebtables commands are not solved
+
* firewalld check in system-config-firewall version 1.2.28
+
 
+
=== Phase 2 (Fedora 16) ===
+
 
+
* Reimplementation of the server in C with system and session configuration
+
* D-BUS interface cleanup and extensions
+
* Finalize firewall-applet and firewall-config
+
* Permanent and temporary firewall rules
+
* Zone support
+
 
+
=== Phase 3 (Fedora 17) ===
+
 
+
* User Interaction Mode
+
* User Policy Support
+
  
=== Phase 4 (Fedora 18) ===
+
Used is a deny/allow model to have a clear behaviour and at best no rule interferences. Icmp blocks for example will go to the IN_ZONE_public_deny chain if set for the public zone and will be handled before the rules in the IN_ZONE_public_allow chain.
  
* Port Metadata Information (requires bigger system changes)
+
This model makes it more easy to add or remove rules from a specific block without interfering with accept or drop rules from another block.

Revision as of 17:56, 5 March 2013

Contents

Dynamic firewall with FirewallD

firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and persistent configuration options. It also supports an interface for services or applications to add firewall rules directly.

The former firewall model with system-config-firewall/lokkit was static and every change required a complete firewall restart. This included also to unload the firewall netfilter kernel modules and to load the modules that are needed for the new configuration. The unload of the modules was breaking stateful firewalling and established connections.

The firewall daemon on the other hand manages the firewall dynamically and applies changes without restarting the whole firewall. Therefore there is no need to reload all firewall kernel modules. But using a firewall daemon requires that all firewall modifications are done with that daemon to make sure that the state in the daemon and the firewall in kernel are in sync. The firewall daemon can not parse firewall rules added by the ip*tables and ebtables command line tools.

The daemon provides information about the current active firewall settings via D-BUS and also accepts changes via D-BUS using PolicyKit authentication methods.

The Daemon

Applications, daemons and the user can request to enable a firewall feature over D-BUS. A feature could either be one of the predefined firewall features like services, port and protocol combinations, port/packet forwarding, masquerading or icmp blocking. The feature can be enabled for a certain amount of time or can be disabled by again.

With the so called direct interface other services (like for example libvirt) are able to add own rules using iptables arguments and parameters.

The netfilter firewall helpers, that are for example used for amanda, ftp, samba and tftp services, are also handled by the daemon as long as they are part of a predefined service. Loading of additional helpers is not part of the current interface. For some of the helpers unloading is only possible after all connections that are handled by the module are closed. Therefore connection tracking information is important here and needs to get into account.

Static Firewall (system-config-firewall/lokkit)

The actual static firewall model with system-config-firewall and lokkit will still be available and usable, but not at the same time as the daemon is running. The user or admin can decide which firewall solution should be used by enabling the corresponding services.

Planned is to add a selector for the firewall solution to be used at install time or in first boot. The configuration of the other solution will stay intact and can be enabled simply by switching to the other model.

The firewall daemon is independent to system-config-firewall, but should not be used at the same time.

What is a zone?

A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections.

Most zones are mutable, but there are also immutable zones. Immutable zones are not customizable and there is no way to overload them.

Predefined services

A service is a combination of port and/or protocol entries. Optionally netfilter helper modules can be added and also a IPv4 and IPv6 destination address.

Ports and protocols

Definition of tcp or udp ports, where ports can be a single port or a port range.

ICMP blocks

Selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests or created as a reply to information requests or in error conditions.

Masquerading

The addresses of a private network a mapped to and hidden behind a public IP address. This is a form of address translation.

Forward ports

A port is either mapped to another port and/or to another host.

Which zones are available?

These are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:

drop (immutable)

Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

block (immutable)

Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.

public

For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

external

For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

dmz

For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

work

For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

home

For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

internal

For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

trusted (immutable)

All network connections are accepted.

Which zone should be used?

A public WIFI network connection for example should be mainly untrusted, a wired home network connection should be fairly trusted. Select the zone that best matches the network you are using.

How to configure or add zones?

To configure or add zones you can either use one of the firewalld interfaces to handle and change the configuration. These are the graphical configuration tool firewall-config, the command line tool firewall-cmd or the D-BUS interface. Or you can create or copy a zone file in one of the configuration directories. @PREFIX@/lib/firewalld/zones is used for default and fallback configurations and /etc/firewalld/zones is used for user created and customized configuration files.

How to set or change a zone for a connection

The zone is stored into the ifcfg of the connection with the ZONE= option. If the option is missing or empty, the default zone set in firewalld is used.

If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.

Network connections handled by NetworkManager

The firewall is not able to handle network connections with the name shown by NetworkManager, it can only handle network interfaces. Therefore NetworkManager tells firewalld to put the network interfaces related to the connections in the zones defined by the config file (ifcfg) of the connection before the connection comes up. If the zone is not set in the config file, the interfaces will be put in the default zone set by firewalld. If a connection has more than one interfaces, both will be supplied to firewalld. Also changes in the names of interfaces will be handled by NetworkManager and supplied to firewalld.

To simplify this connections will be used as related to zones from now on.

NetworkManager also tells firewalld to remove connections from zones again if the connection went down.

If firewalld gets started or restarted by systemd or init scripts, firewalld notifies NetworkManager and the connections will be added to the zones.

Network connections handled by network scripts

For connections handled by network scripts there a limitations: There is no daemon that can tell firewalld to add connections to zones. This is done in the ifcfg-post script only. Therefore changed in names after this can not be supplied to firewalld. Also starting or restarting firewalld if the connections are active already result in loose of the relation. There are ideas to fix this also. The simplest is to push all connections to the default zone that are not set otherwise.

The zone defines the firewall features that are enabled in this zone:

Working with firewalld

To enable or disable firewall features for example in zones, you can either use the graphical configuration tool firewall-config or the command line client firewall-cmd

Using firewall-cmd

The command line client firewall-cmd supports all firewall features. For status and query modes, there is no output, but the command returns the state.

Generic use

  • Get the status of firewalld
 firewall-cmd --state

This returns the status of firewalld, there is no output. To get a visual state use:

 firewall-cmd --state && echo "Running" || echo "Not running"
  • Reload the firewall without loosing state information:
 firewall-cmd --reload

If you are using --complete-reload instead, the state information will be lost. This option should only be used in case of severe firewall problems for example if there are state information problems that no connection can be established but the firewall rules are correct.

  • Get a list of all supported zones
 firewall-cmd --get-zones

This command prints a space separated list.

  • Get a list of all supported services
 firewall-cmd --get-services

This command prints a space separated list.

  • Get a list of all supported icmptypes
 firewall-cmd --get-icmptypes

This command prints a space separated list.

  • List all zones with the enabled features.
 firewall-cmd --list-all-zones

The output format is:

 <zone>
   interfaces: <interface1> ..
   services: <service1> ..
   ports: <port1> ..
   forward-ports: <forward port1> ..
   icmp-blocks: <icmp type1> ..
   
   ..
  • Print zone <zone> with the enabled features. If zone is omitted, the default zone will be used.
 firewall-cmd [--zone=<zone>] --list-all
  • Get the default zone set for network connections
 firewall-cmd --get-default-zone
  • Set the default zone
 firewall-cmd --set-default-zone=<zone>

All interfaces that are located in the default zone will be pushed in the new default zone, that defines the limitations for new external initiated connection attempts. Active connections are not affected.

  • Get active zones
 firewall-cmd --get-active-zones

The command prints the interfaces that are set to be part of a zone in this form:

 <zone1>: <interface1> <interface2> ..
 <zone2>: <interface3> ..
  • Get zone related to an interface
 firewall-cmd --get-zone-of-interface=<interface>

This prints the zone name, if the interface is part of a zone

  • Add an interface to a zone
 firewall-cmd [--zone=<zone>] --add-interface=<interface>

Add an interface to a zone, if it was not in a zone before. If the zone options is omitted, the default zone will be used. The interfaces are reapplied after reloads.

  • Change the zone an interface belongs to
 firewall-cmd [--zone=<zone>] --change-interface=<interface>

This is similar to the --add-interface options, but pushes the interface in the new zone even if it was in another zone before.

  • Remove an interface from a zone
 firewall-cmd [--zone=<zone>] --remove-interface=<interface>
  • Query if an interface is in a zone
 firewall-cmd [--zone=<zone>] --query-interface=<interface>

Returns if the interface is in the zone. There is no output.

  • List the enabled services in a zone
 firewall-cmd [ --zone=<zone> ] --list-services
  • Enable panic mode to block all network traffic in case of emergency
 firewall-cmd --enable-panic
  • Disable panic mode
 firewall-cmd --disable-panic
  • Query panic mode
 firewall-cmd --query-panic

This returns the state of the panic mode, there is no output. To get a visual state use

 firewall-cmd --query-panic && echo "On" || echo "Off"

Runtime zone handling

In the runtime mode the changes to zones are not permanent. The changes will be gone after reload or restart.

  • Enable a service in a zone
 firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]

This enables a service in a zone. If zone is not set, the default zone will be used. If timeout is set, the service will only be enabled for the amount of seconds in the zone. If the service is already active, there will be no warning message.

  • Example: Enable ipp-client service for 60 seconds in the home zone:
 firewall-cmd --zone=home --add-service=ipp-client --timeout=60
  • Example: Enable the http service in the default zone:
 firewall-cmd --add-service=http
  • Disable a service in a zone
 firewall-cmd [--zone=<zone>] --remove-service=<service>

This disables a service in a zone. If zone is not set, the default zone will be used.

  • Example: Disable http service in the home zone:
 firewall-cmd --zone=home --remove-service=http

The service will be disabled in the zone. If the service is not enabled in the zone, there will be an warning message.

  • Query if a service is enabled in a zone
 firewall-cmd [--zone=<zone>] --query-service=<service>

This returns 1 if the service is enabled in the zone, otherwise 0. There is no output.

  • Enable a port and protocol combination in a zone
 firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]

This enables a port and protocol combination. The port can be a single port <port> or a port range <port>-<port>. The protocol can be either tcp or udp.

  • Disable a port and protocol combination in a zone
 firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
  • Query if a port and protocol combination in enabled in a zone
 firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

This command returns if it is enabled, there is no output.

  • Enable masquerading in a zone
 firewall-cmd [--zone=<zone>] --add-masquerade

This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.

  • Disable masquerading in a zone
 firewall-cmd [--zone=<zone>] --remove-masquerade
  • Query masquerading in a zone
 firewall-cmd [--zone=<zone>] --query-masquerade

This command returns if it is enabled, there is no output.

  • Enable ICMP blocks in a zone
 firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>

This enabled the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.

  • Disable ICMP blocks in a zone
 firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
  • Query ICMP blocks in a zone
 firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>

This command returns if it is enabled, there is no output.

  • Example: Block echo-reply messages in the public zone:
 firewall-cmd --zone=public --add-icmp-block=echo-reply
  • Enable port forwarding or port mapping in a zone
 firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

The port is either mapped to the same port on another host or to another port on the same host or to another port on another host. The port can be a singe port <port> or a port range <port>-<port>. The protocol is either tcp or udp. toport is either port <port> or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.

  • Disable port forwarding or port mapping in a zone
 firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
  • Query port forwarding or port mapping in a zone
 firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

This command returns if it is enabled, there is no output.

  • Example: Forward ssh to host 127.0.0.2 in the home zone
 firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Permanent/persistent zone handling

The permanent options are not affecting runtime directly. These options are only available after a reload or restart. To have runtime and permanent setting, you need to supply both. The --permanent option needs to be the first option for all permanent calls.

  • Get a list of supported permanent services
 firewall-cmd --permanent --get-services
  • Get a list of supported permanent icmptypes
 firewall-cmd --permanent --get-icmptypes
  • Get a list of supported permanent zones
 firewall-cmd --permanent --get-zones
  • Enable a service in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-service=<service>

This enables the service in the zone permanently. If the zone option is omitted, the default zone is used.

  • Disable a service in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
  • Query if a service is enabled in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-service=<service>

This command returns if it is enabled, there is no output.

  • Example: Enable service ipp-client permanently in the home zone
 firewall-cmd --permanent --zone=home --add-service=ipp-client
  • Enable a port and protocol combination permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
  • Disable a port and protocol combination permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
  • Query if a port and protocol combination is enabled permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

This command returns if it is enabled, there is no output.

  • Example: Enable port 443/tcp for https permanently in the home zone
 firewall-cmd --permanent --zone=home --add-port=443/tcp
  • Enable masquerading permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-masquerade

This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.

  • Disable masquerading permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
  • Query masquerading permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-masquerade

This command returns if it is enabled, there is no output.

  • Enable ICMP blocks permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>

This enabled the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.

  • Disable ICMP blocks permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
  • Query ICMP blocks permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>

This command returns if it is enabled, there is no output.

  • Example: Block echo-reply messages in the public zone:
 firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
  • Enable port forwarding or port mapping permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

The port is either mapped to the same port on another host or to another port on the same host or to another port on another host. The port can be a singe port <port> or a port range <port>-<port>. The protocol is either tcp or udp. toport is either port <port> or a port range <port>-<port>. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.

  • Disable port forwarding or port mapping permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
  • Query port forwarding or port mapping permanently in a zone
 firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }

This command returns if it is enabled, there is no output.

  • Example: Forward ssh to host 127.0.0.2 in the home zone
 firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Direct options

The direct options are mostly for services and applications to be able to add custom rules. The rules are not saved and have to get resubmitted after reload or restart. The arguments <args> of the passthrough option are the same as the corresponding iptables, ip6tables and ebtables arguments.

The --direct option needs to be the first option for all direct options.

  • Pass a command through to the firewall. <args> can be all iptables, ip6tables and ebtables command line arguments
 firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>
  • Add a new chain <chain> to a table <table>.
 firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>
  • Remove a chain with name <chain> from table <table>.
 firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>
  • Query if a chain with name <chain> exists in table <table>. Returns 0 if true, 1 otherwise.
 firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>

This command returns if it is enabled, there is no output.

  • Get all chains added to table <table> as a space separated list.
 firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb } <table>
  • Add a rule with the arguments <args> to chain <chain> in table <table> with priority <priority>.
 firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
  • Remove a rule with the arguments <args> from chain <chain> in table <table>.
 firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
  • Query if a rule with the arguments <args> exists in chain <chain> in table <table>. Returns 0 if true, 1 otherwise.
 firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>

This command returns if it is enabled, there is no output.

  • Get all rules added to chain <chain> in table <table> as a newline separated list of arguments.
 firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>

The current firewalld features

D-BUS Interface

The D-BUS interface gives information about the firewall state and makes it possible to enable, disable and query firewall settings.

Zones

A network or firewall zone defines the trust level of the interface used for a connection. There are several pre-defined zones provided by firewalld. Zone configuration options and generic file information are described in the firewalld.zone(5) man page.

Services

A service can be a list of local ports and destinations and additionally also a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Service configuration options and generic file information are described in the firewalld.service(5) man page.

ICMP types

The Internet Control Message Protocol (ICMP) is used to exchange information and also error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages. ICMP type configuration options and generic file information are described in the firewalld.icmptype(5) man page.

Direct interface

The direct interface is mainly used by services or applications to add specific firewall rules. The rules are not persistent and need to get applied after receiving the start, restart or reload message from firewalld using D-BUS.

Runtime configuration

The runtime configuration is not persistent and will only be restored for a reload. After restart or stop of the service or a system reboot, these options will be gone.

Persistent configuration

The persistent configuration is stored in config files and will be restored with every machine boot or service reload or restart.

Tray Applet

The tray applet firewall-applet visualizes the firewall state and also problems with the firewall for the user. It can also be used to configure settings by calling firewall-config.

Graphical Configuration Tool

The configuration tool firewall-config is the main configuration tool for the firewall daemon. It supports all features of the firewall besides the direct interface, this is handled by the service/application that added the rules.

Command Line client

firewall-cmd provides (most of) the configuration features of the graphical tool for the command line.

Support for ebtables

ebtables support is needed to fulfill all needs of the libvirt daemon and to prevent access problems between ip*tables and ebtables on kernel netfilter level. All these commands are accessing the same structures and therefore they should not be used at the same time.

Default/Fallback configuration in /usr/lib/firewalld

This directory contains the default and fallback configuration provided by firewalld for icmptypes, services and zones. The files provided with the firewalld package should not get changed and the changes are gone with an update of the firewalld package. Additional icmptypes, services and zones can be provided with packages or by creating files.

System configuration settings in /etc/firewalld

The system or user configuration stored here is either created by the system administrator or by customization with the configuration interface of firewalld or by hand. The files will overload the default configuration files.

To manually change settings of pre-defined icmptypes, zones or services, copy the file from the default configuration directory to the corresponding directory in the system configuration directory and change it accordingly.

It is not possible to overload immutable zones, because these may not get changed. If you are loading the defaults for a zone that has a default or fallback file, the file in /etc/firewalld will be renamed to <file>.old and the fallback will be used again.

Planned and Proposed Features

Firewall Abstraction Model

Adding an abstraction layer on top of ip*tables and ebtables firewall rules makes adding rules simple and more intuitive. The abstraction layer needs to be powerful, but also simple, which makes this not an easy task. A firewall language has to gen invented for this. Firewall rules have a fixed position and querying generic information about access state, access policies for ports and other firewall features is possible.

Support for conntrack

Conntrack is needed to be able to terminate established connections for features that get disabled. For some use cases it might not be good to terminate the connection: Enabling of a firewall service for a limited time to establish a persistent external connection.

User interaction mode

This is a special mode of in the firewall the user or admin can enable. All requests of applications to alter the firewall are directed to the user to get notified and granted or denied. It is possible to set a time limit for the acceptance of a connection and to limit it to hosts, networks or connections. It can be saved to behave the same in the future without notification.

An additional feature of this mode is direct external connection attempts on preselected services or ports to the user with the same features as the application initiated requests. The limitation on services and ports will also limit the amount of requests sent to the user.

User policy support

The administrator can define which users are able to use the User Interaction Mode and can also limit the firewall features, that can be used with it.

Port metadata information (proposed by Lennart Poettering)

To have a port independent metadata information would be good to have. The current model with a static assignment of ports and protocols from /etc/services is not a good solution and is not reflecting current use cases. Ports in applications or services are dynamic and therefore the port itself does not describe the use case.

This metadata information could be used to form simple rules for the firewall. Here are some examples:

 allow external access to file sharing applications or services
 allow external access to music sharing applications or services
 allow external access to all sharing applications or services
 allow external access to torrent file sharing applications or services
 allow external access to http web services

The metadata information here could not only be application specific, but also a group of use cases. For example the "all sharing" group or the "file sharing" group could match all sharing or file sharing applications, for example torrent file sharing. These are examples, therefore it might be that they are not useful.

There are two possible solutions to get metadata information in the firewall:

The first is to add it to netfilter (kernel space). This has the advantage, that it can be used by everyone, but also limits the use. To get user or system specific information into account, all these need to be implemented in kernel space also.

The other one would be to add this to a firewall daemon. These abstract rules could be used together with information like the trust level of the network connections, the user decision to share with as specific person/host or the hard rule of the administrator to forbid sharing completely.

The second solution would have the advantage that new metadata groups or changes in incorporation of trust levels, user preferences or administrator rules would not require to push a new kernel. Adding these kind of abstract rules to a firewall daemon would make it much more flexible. Even new security levels would be easy to add without kernel updates.

sysctld

At the moment there are sysctl settings that are not properly applied. This happens if the module providing the setting is not loaded at boot time when rc.sysinit runs or it the module gets reloaded at runtime. Another example is net.ipv4.ip_forward, which is needed for example for specific firewall settings, libvirt and also user/admin changes. If there are two apps or daemons enabling ip_forwarding only if needed, then it could happen that one of them is turning it off again without knowing that there is another one, that still needs it tuned on.

The sysctl daemon could solve this by having an internal use count for settings, that will make it possible to turn it off or go to the previous setting again if the requester reverted the request to change it.

Firewall Rules

Netfilter firewalls are always susceptible to rule ordering issues, because a rule does not have a fixed position in a chain. The position can change if other rules are added or removed in a position before that rule.

In the static firewall model a firewall change is recreating a clean and sane firewall setup limited to the features directly supported by system-config-firewall / lokkit. Firewall rules created by other applications are not integrated and s-c-fw / lokkit does not know about them if the customs rules file feature is not in use. Default chains are used and there is no safe way to add and remove rules without interfering with others.

The dynamic model has additional chains for the firewall features. These specific chains are called in a defined ordering and rules added to a chain could not interfere with reject or drop rules in chains that were called before. This makes it possible to have a more sane firewall configuration.

Here are example rules created by the daemon in the filter table with ssh, ipp-client and mdns enabled in the public zone, all other zones have been removed to simplify and shorten the output:

 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :FORWARD_ZONES - [0:0]
 :FORWARD_direct - [0:0]
 :INPUT_ZONES - [0:0]
 :INPUT_direct - [0:0]
 :IN_ZONE_public - [0:0]
 :IN_ZONE_public_allow - [0:0]
 :IN_ZONE_public_deny - [0:0]
 :OUTPUT_direct - [0:0]
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -j INPUT_direct
 -A INPUT -j INPUT_ZONES
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i lo -j ACCEPT
 -A FORWARD -j FORWARD_direct
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD -p icmp -j ACCEPT
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 -A OUTPUT -j OUTPUT_direct
 -A IN_ZONE_public -j IN_ZONE_public_deny
 -A IN_ZONE_public -j IN_ZONE_public_allow
 -A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
 -A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
 -A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT

Used is a deny/allow model to have a clear behaviour and at best no rule interferences. Icmp blocks for example will go to the IN_ZONE_public_deny chain if set for the public zone and will be handled before the rules in the IN_ZONE_public_allow chain.

This model makes it more easy to add or remove rules from a specific block without interfering with accept or drop rules from another block.