Fallback
First of all, those who can't wait to shred this tech by moving back to iptables can use these commands and get out of here:
yum install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
A basic introduction
Now for us loyal fans of bleeding edge, cut-throat technologies! What is it? Why is the good old iptables dropped in favor of this new tech in Fedora?
- The previous firewall system required a reload to mirror any change.
- It was primarily based on chains and rules.
- IMHO, switches for the command line program were hard :D
This new tech is exactly the opposite:
- No change requires a complete firewall restart.
- It's primarily based on zones and services.
- Switches on the command line are sweeeeeeet :D
The underlying system is different and it works in another way. The idea is that connections and packets are filtered based on the definition of zones. Each zone is a subset of policies to control packets. Each network adapter is assigned a zone and behaves by the zone's rules. Take a look at the default zone legend below, which is excerpted from fedoraproject.org.
zone: drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
zone: public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
zone: work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
zone: home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
zone: internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
zone: trusted
All network connections are accepted.
Fun part
Got the idea? Now let's move on to another subject. Services! A service is a combination of a port, a protocol and possibly a firewall kernel module to load. I'm not an administrator and I have not yet felt the need to go further on this subject. (Consider the fact that I'm lazy...)
How to open up a port?
firewall-cmd --add-port 7777/tcp
This will not be permanent. Once the system is restarted or the firewall is reloaded, this change is lost.
How to open up a port permanently?
firewall-cmd --permanent --add-port 7777/tcp
How to revert all temporary changes?
firewall-cmd --reload
How to revert all permanent changes?
firewall-cmd --complete-reload
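Because --permanent --add-port survives every reload, the ports a zone opens tend to accumulate unnoticed. firewalld keeps its permanent zone definitions as XML files (by default under /etc/firewalld/zones/), so they can be audited offline. The script below is an added example, not code from the original post; the zone file content is a constructed sample in firewalld's zone format, and the allowlists are assumptions for the demonstration.

```python
"""Audit a firewalld permanent zone definition for unexpected openings."""
import xml.etree.ElementTree as ET

# Constructed sample of a permanent zone file (same format as
# /etc/firewalld/zones/public.xml); the 5000-5010/udp range stands in
# for a port someone added with --permanent and forgot about.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="7777"/>
  <port protocol="udp" port="5000-5010"/>
</zone>
"""


def parse_zone(xml_text):
    """Return (services, ports) declared by a zone definition.

    services: list of service names as in <service name="..."/>.
    ports: list of 'port/protocol' strings, the same form that
    firewall-cmd --add-port takes (e.g. '7777/tcp').
    """
    root = ET.fromstring(xml_text)
    services = [s.get("name") for s in root.findall("service")]
    ports = [f'{p.get("port")}/{p.get("protocol")}' for p in root.findall("port")]
    return services, ports


def unexpected_openings(xml_text, allowed_services, allowed_ports):
    """List services and ports that are permanently open but not allowlisted."""
    services, ports = parse_zone(xml_text)
    extra_services = sorted(set(services) - set(allowed_services))
    extra_ports = sorted(set(ports) - set(allowed_ports))
    return extra_services, extra_ports


def audit_file(path, allowed_services, allowed_ports):
    """Run the same check against a real zone file on disk."""
    with open(path, encoding="utf-8") as fh:
        return unexpected_openings(fh.read(), allowed_services, allowed_ports)


if __name__ == "__main__":
    # Assumed allowlist: only ssh, dhcpv6-client and 7777/tcp are expected.
    extra_s, extra_p = unexpected_openings(
        SAMPLE_ZONE_XML, {"ssh", "dhcpv6-client"}, {"7777/tcp"})
    print("unexpected services:", extra_s)
    print("unexpected ports:", extra_p)
```

Pointing audit_file at /etc/firewalld/zones/<zone>.xml gives the permanent side; comparing that with firewall-cmd --list-all shows whether the running and saved configurations have drifted apart.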