-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirewall-cmd.txt
70 lines (60 loc) · 4.06 KB
/
firewall-cmd.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# some aliases because WHO HAS TIME FOR TYPING ALL THAT
alias fw='firewall-cmd'
alias fwl='firewall-cmd --list-all'
# this doesn't actually "list all"; fail2ban for example will use --direct when --add-rule'ing to pass raw iptables commands.
# to list /those/, use \e[37m$ firewall-cmd --direct --get-all-rules
alias fwr='firewall-cmd --reload' # this will also get rid of unstored live changes
alias fw-cc='firewall-cmd --check-config'
alias fw-gaz='firewall-cmd --get-active-zones'
alias fw-gdz='firewall-cmd --get-default-zone' # though you /can/ have more than one active zones
# "I just want to block this IP Address"
# Figure out the currently active zone:
firewall-cmd --get-active-zones
# Add the reject or drop rule to the config:
firewall-cmd --zone=\e[32;1m<zone>\e[0m --permanent --add-rich-rule='rule family="ipv4" source address="\e[32;1mx.x.x.x\e[0m" reject'
# You can replace \e[38;5;208mreject\e[0m by \e[38;5;208mdrop\e[0m to appear offline altogether. \e[38;5;208mreject\e[0m lets the client know that you're actively blocking it.
# Then "activate" it:
firewall-cmd --reload
# Example adding temporary rule:
$ fw --add-rich-rule='rule family="ipv4" source address="136.144.153.19" port port="15000" protocol="tcp" accept'
'success'
$ fwl # this should show the added rules
$ fwr # this resets the rules to the stored config (and so removes the temporary rule again)
'success'
$ fw --remove-rich-rule <quoted rule from fwl, probably>
# NB: protocol is required if you specify port.
# port apparently needs mentioning twice (once with value). note the "source address='foo'" format.
# also note the nested quotes. due to bash shenanigans the outer quotes /can/ also be double quotes (as long as the
# values of its parts don't contain whitespace) but it's hella confusing.
# tl;dr: add-rich-rule value is a single string
firewalld runs as a service; firewall-cmd is used to poke at it.
Config is stored in \e[38;5;226m/etc/firewalld/firewalld.conf\e[0m, zones in \e[38;5;226m/etc/firewalld/zones/<zone>.xml\e[0m
You can change the config files and then issue a "firewall-cmd --reload", too.
NB: Invalid service names will be happily ignored (and not reported) by reload, run
"firewall-cmd --check-config" if you're not sure.
Adding \e[35m--permanent\e[0m to commands stores config changes in the \e[38;5;226m/etc/firewalld/zones/<zone>.xml\e[0m file,
but apparently does /not/ also change the config of the running instance (RedHat, eh), so either
run a config change command twice (once with --permanent), or run it with --permanent once and
then 'firewall-cmd --reload'.
--change-interface is unaffected by --permanent, allegedly.
According to the manual you can "firewall-cmd --runtime-to-permanent" to write live changes back
to config files, too.
A zone is a set of rules, that traffic coming from its network interface(s) should obey.
There are different zones, each zone can listen/subscribe to one or more network interfaces like
eth0, but a network interface can only ever sit in a single zone (the interface file in
\e[38;5;226m/etc/sysconfig/network-scripts/\e[0m has max 1 ZONE=.. entry).
Packets that arrive over that interface have to match the rules for that zone, or they are dropped,
bounced, whatever.
The rules can be service (http), port (80), source (some ip/range), protocols (tcp), etc.
Then there's some settings to forward ports and probably what-not-other-stuff.
1 takeaway: --change-interface doesn't really "change" the interface of a zone, it points the traffic
from that interface to the zone rules. Old/other interfaces for that zone will still be there.
Read:
https://docs.rockylinux.org/de/guides/security/firewalld-beginners/
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-8
There's also the NetworkManager, whose job overlaps/overrules that of firewall-cmd iiuic. It has
files in /etc/sysconfig/network-scripts/
# some more options/commands
--list-services # services for [default] zone
--add-service=ssh # adds to default or given zone; --zone=foobar
--remove-service=ssh # reverse, eh