Firewalld seems to be a way to "magic away" some of the manual configuration of iptables rules of old: you pick a zone and add services to it, and it generates the underlying rules for you.
Here are the main points that I have found:
This is for the "zones" and magic pre-configuration https://fedoraproject.org/wiki/Firewalld?rd=FirewallD
This is for the more granular rules https://fedoraproject.org/wiki/Features/FirewalldRichLanguage
So, it would seem there are a set of "zones" that pre-configure the traffic assumptions...
I have repeated them here, so I have a snapshot should that link go away:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.
So, rather than setting a default policy as you would with iptables, you just set the default zone.
The choice of zone depends on how locked down inbound traffic needs to be. All of the stock zones allow outbound connections; they differ in which incoming connections they accept, from none at all in drop to everything in trusted.
It integrates with NetworkManager (should you be using that): a connection can be assigned to a zone, and any interface without an explicit zone lands in the default zone.
Zones can be filled with services, ports, and protocols using the easy rules from that first link.
firewall-cmd sets them up. Service names are not taken from /etc/services, but from XML files in firewalld's own config: the stock definitions live in /usr/lib/firewalld/services/, and your own (or an override of a stock one with the same file name) go in /etc/firewalld/services/.
You need to define your own for the many services that are not in the defaults; firewall-cmd --get-services lists the ones firewalld currently knows about.
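As an added example (not from the original notes, and not firewalld's own tooling), here is a small POSIX sh helper that writes a custom service definition in the same XML shape as the stock files under /usr/lib/firewalld/services/. The service name "myapp", the ports 8443/tcp and 9443/udp, and the descriptions are placeholders; it writes to a scratch directory by default so it can be tried without root, and it validates every argument before touching the disk so a bad port spec never leaves a half-written file behind.

```shell
#!/bin/sh
# Added example, not from the original notes: write a custom firewalld service
# definition as an XML file with the same shape as the stock ones under
# /usr/lib/firewalld/services/. A file of the same name under
# /etc/firewalld/services/ (the admin-owned directory) overrides the stock copy.
# "myapp", 8443/tcp and 9443/udp below are placeholders.

# Escape the three characters that would break XML text content.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Usage: write_service_xml DIR NAME "SHORT" "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
# Prints the path of the written file. Every argument is checked before the
# file is opened, so a bad spec fails cleanly instead of leaving a partial file.
write_service_xml() {
    dir=$1 name=$2 short=$3 desc=$4
    shift 4
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    [ $# -ge 1 ] || { echo "need at least one PORT/PROTO" >&2; return 1; }
    for spec in "$@"; do
        port=${spec%/*} proto=${spec#*/}
        # a port may be a single number or a range like 8000-8010
        case "$port" in ''|*[!0-9-]*) echo "bad port in $spec" >&2; return 1 ;; esac
        case "$proto" in tcp|udp|sctp|dccp) ;; *) echo "bad protocol in $spec" >&2; return 1 ;; esac
    done
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file" || return 1
    printf '%s\n' "$file"
}

# Constructed demo run: write myapp into a scratch directory instead of
# /etc/firewalld/services/ so this can be tried without root.
demo_dir=${DEMO_DIR:-$(mktemp -d)}
write_service_xml "$demo_dir" myapp "My App" "HTTPS API for my app & its admin UI" 8443/tcp 9443/udp
```

To use the result for real, copy the file into /etc/firewalld/services/, run firewall-cmd --reload so firewalld re-reads its service directory, check that the name now appears in firewall-cmd --get-services, and then add it to a zone with firewall-cmd --zone=public --add-service=myapp --permanent followed by another reload. The same thing can be done without hand-writing XML via firewall-cmd --permanent --new-service=myapp and firewall-cmd --permanent --service=myapp --add-port=8443/tcp; the file above is what those commands produce.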
For the harder work, you need the "Rich Language" bit. It reads much like an iptables or ip6tables rule, but the match (family, source, service, port) and the action (accept, reject, drop) are written as key="value" pairs inside one quoted string.
If you don't use the --permanent flag to firewall-cmd, an added rule is applied to the running firewall immediately but is lost on the next reload or reboot. With --permanent the rule is written to the saved configuration but is not applied until the next reload. So, if you want rules to stick, either add them with --permanent and follow up with firewall-cmd --reload, or add them to the runtime config, test, and save them with firewall-cmd --runtime-to-permanent.
So, for example, to add rules to the default zone (public) -
- first make sure it is installed:
    apt install firewalld
- make sure it is running (and running at boot):
    systemctl enable firewalld
    systemctl start firewalld
    firewall-cmd --state
- now check what is what:
    firewall-cmd --list-all-zones
- now restrict things in the default (public) zone, allowing ssh only from your own address:
    firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" service name="ssh" source address="your.ip.add.ress" accept' --permanent
- do the same for ipv6 (skip it if you never connect over IPv6, otherwise the removal below cuts IPv6 ssh off entirely):
    firewall-cmd --zone=public --add-rich-rule='rule family="ipv6" service name="ssh" source address="your:ipv6:add::ress" accept' --permanent
- then remove the blanket ssh allow and activate the saved rules (have a back way in, such as console access, before this step):
    firewall-cmd --zone=public --remove-service=ssh --permanent
    firewall-cmd --reload
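The same lockdown as an added example script (not from the original notes): it applies the restriction to the runtime configuration first, without --permanent, so that if the new rules lock you out a reboot or a plain firewall-cmd --reload puts the saved configuration back. The addresses 203.0.113.10 and 2001:db8::10 are documentation-range placeholders; set DRY_RUN=1 to print the firewall-cmd invocations instead of running them.

```shell
#!/bin/sh
# Added example, not from the original notes: restrict ssh in a zone to one IPv4
# and one IPv6 source, runtime first, then save. Placeholder addresses:
# 203.0.113.10 and 2001:db8::10 (documentation ranges). DRY_RUN=1 prints the
# commands instead of executing them.

# Build a firewalld rich rule that accepts one service from one source.
rich_rule() {
    # $1 = ipv4|ipv6, $2 = service name, $3 = source address or CIDR
    printf 'rule family="%s" service name="%s" source address="%s" accept' "$1" "$2" "$3"
}

# Cheap shape check that the address matches the family. firewalld rejects a
# mismatch itself, but failing here avoids a half-applied change (one rule
# added, the other refused, and then the blanket allow removed).
addr_matches_family() {
    case "$1" in
        ipv4) case "$2" in *:*) return 1 ;; *.*.*.*) return 0 ;; esac ;;
        ipv6) case "$2" in *:*) return 0 ;; esac ;;
    esac
    return 1
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Apply the restriction to the runtime configuration only (no --permanent):
# the narrow accepts go in first, the blanket ssh allow is removed last.
lockdown_ssh_runtime() {
    # $1 = zone, $2 = ipv4 source, $3 = ipv6 source
    zone=$1 v4=$2 v6=$3
    addr_matches_family ipv4 "$v4" || { echo "bad IPv4 source: $v4" >&2; return 1; }
    addr_matches_family ipv6 "$v6" || { echo "bad IPv6 source: $v6" >&2; return 1; }
    run firewall-cmd --zone="$zone" --add-rich-rule="$(rich_rule ipv4 ssh "$v4")" || return 1
    run firewall-cmd --zone="$zone" --add-rich-rule="$(rich_rule ipv6 ssh "$v6")" || return 1
    run firewall-cmd --zone="$zone" --remove-service=ssh
}

# Once a NEW ssh session from the allowed address succeeds, make it permanent.
commit_runtime() {
    run firewall-cmd --runtime-to-permanent
}

# Constructed demo: print what would be run against the public zone.
DRY_RUN=1 lockdown_ssh_runtime public 203.0.113.10 2001:db8::10
DRY_RUN=1 commit_runtime
```

The safe sequence is: run lockdown_ssh_runtime from your existing session, open a fresh ssh session from the allowed address, and only if that works run commit_runtime. If the fresh session fails, firewall-cmd --reload from the still-open session (or a reboot) discards the runtime change and restores the saved rules, which still contain the blanket ssh allow.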
So you can see how to restrict some of the defaults by adding a "rich-rule", and removing the default allow access.
Don't forget to check the other zones and rules that are in by default, so you can pick and tweak the zone that most closely matches the level of blocking for your use case.
You might not find a zone that matches what you want to do, in which case you need to make one (firewall-cmd --permanent --new-zone=NAME) and tweak it.
To put things back:
# put back the blanket allow from the default public zone, and reload the saved rules:
    firewall-cmd --zone=public --add-service=ssh --permanent
    firewall-cmd --reload
# note, the more restrictive rule is still in there, but both it and the service entry accept, so whichever is evaluated first the blanket ssh allow makes the narrower rich rule redundant.
# To remove it (and likewise the ipv6 one if you added it):
    firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" service name="ssh" source address="your.ip.add.ress" accept' --permanent
# and of course, reload to make the saved rules the ones you are currently running:
    firewall-cmd --reload
# and recheck:
    firewall-cmd --list-all-zones
Funky interaction with fail2ban
I have been having issues with fail2ban and firewalld on reboots. Not sure why yet, but I just purge the package on restricted hosts.