firewalld
Table of Contents
- Installation
- Default Zones
- Commands and Descriptions
- Adding firewalld zone to NetworkManager connection
- Behind the scenes
Installation
On Debian (and Debian-based systems) you can install it with apt / apt-get / nala / …:

```
$ apt install firewalld
```
Default Zones
| Zone Name | Description |
|---|---|
| drop | Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible. |
| block | Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible. |
| public | For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
| external | For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
| dmz | For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted. |
| work | For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
| home | For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. |
| internal | For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted. |
| trusted | All network connections are accepted. |
Commands and Descriptions
| Command | Description |
|---|---|
| `firewall-cmd --get-active-zones` | Displays the zones currently in use and the interfaces assigned to each; interfaces without an explicit zone fall under the default zone |
| `firewall-cmd --get-services` | Displays all services known by firewalld (predefined service definitions you can reference with `--add-service`) |
| `firewall-cmd --zone=[zone_name] --list-all` | Displays the full current configuration of zone [zone_name] |
| `firewall-cmd --zone=[zone_name] --list-services` | Shows the enabled services for zone [zone_name] |
| `firewall-cmd --zone=[zone_name] --list-ports` | Shows the opened ports for zone [zone_name] |
| `firewall-cmd --zone=[zone_name] --add-service=[service_name]` | Adds service [service_name] to zone [zone_name], allowing inbound traffic for it |
| `firewall-cmd --zone=[zone_name] --remove-service=[service_name]` | Removes service [service_name] from zone [zone_name], denying inbound traffic for it again |
| `firewall-cmd --zone=[zone_name] --add-interface=[interface_name]` | Adds interface [interface_name] to zone [zone_name] |
| `firewall-cmd --zone=[zone_name] --remove-interface=[interface_name]` | Removes interface [interface_name] from zone [zone_name] |
| `firewall-cmd --zone=[zone_name] --add-port=[port]/[protocol]` | Opens port [port]/[protocol] (e.g. 8080/tcp) in zone [zone_name] |
| `firewall-cmd --zone=[zone_name] --remove-port=[port]/[protocol]` | Closes port [port]/[protocol] in zone [zone_name] |
| `firewall-cmd --reload` | Reloads firewalld's permanent configuration from the filesystem; runtime-only changes are discarded |
| `firewall-cmd --permanent [rest_of_command]` | Writes the change to the permanent configuration on the filesystem without touching the running configuration; it takes effect after `--reload` |
| `firewall-cmd --runtime-to-permanent` | Writes the current running configuration to the filesystem (`/etc/firewalld`) |

If you don't specify `--zone=[zone_name]`, the default zone is used (`public` by default). Because the plain runtime form and `--permanent` each change only one of the two configurations, either run a command twice (with and without `--permanent`) or make the runtime change and then call `--runtime-to-permanent`.
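Because runtime and permanent configuration can diverge, a useful check before any `--reload` is whether the running zone still matches what is on disk. The script below is an added example and not part of the original page: it parses the text that `firewall-cmd --zone=... --list-all` prints (the two samples are constructed to mimic that output, with `http` and `8080/tcp` opened at runtime only) and lists every field that differs; with `--live [zone]` it runs `firewall-cmd` itself. The function and file names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original page): detect drift between a zone's
# runtime and permanent configuration by parsing `firewall-cmd --list-all`.
# Assumptions: the two text samples below are constructed to mimic that
# output; on a real host pass the command output instead (see bottom).
set -eu

# Return the value of one field ("services", "ports", ...) from --list-all text.
# Fields are printed as "  name: value" with exactly two leading spaces.
zone_field() {   # $1 = list-all text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^  $2:[[:space:]]*//p"
}

# Succeed (exit 0) if SERVICE is among the zone's enabled services.
zone_has_service() {   # $1 = list-all text, $2 = service name
    for s in $(zone_field "$1" services); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# Print 'field: "runtime" -> "permanent"' for every single-line field that
# differs; empty output means both configurations agree.
zone_drift() {   # $1 = runtime text, $2 = permanent text
    for f in target interfaces sources services ports protocols masquerade forward-ports; do
        r=$(zone_field "$1" "$f")
        p=$(zone_field "$2" "$f")
        [ "$r" = "$p" ] || printf '%s: "%s" -> "%s"\n' "$f" "$r" "$p"
    done
}

# Constructed samples: http and 8080/tcp were opened at runtime only, so a
# `firewall-cmd --reload` would silently close them again.
RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Usage on a real host: ./zone-drift.sh --live [zone]  (runs firewall-cmd itself)
if [ "${1:-}" = "--live" ]; then
    zone="${2:-public}"
    zone_drift "$(firewall-cmd --zone="$zone" --list-all)" \
               "$(firewall-cmd --permanent --zone="$zone" --list-all)"
else
    zone_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
fi
```

Only single-line fields are compared; `rich rules` spans several lines in `--list-all` output and is deliberately left out rather than compared incompletely.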
Adding firewalld zone to NetworkManager connection
Why would you add a zone from firewalld to a NetworkManager connection? This makes a lot of sense on clients that switch between connections (e.g. a laptop): each connection carries its own zone, so the firewall rules follow the network you are currently on.

First check whether a zone is already assigned to the connection you want to change. If the output looks like the sample below, the default zone is in use because no specific one has been assigned:

```
$ nmcli -p connection show [connection_name] | grep connection.zone
connection.zone: --
```

Have a look at the zones provided by firewalld and decide which one fits best. If you want to create a new one, e.g. based on the zone `public`, copy the file `/usr/lib/firewalld/zones/public.xml` to `/etc/firewalld/zones/` under a new name and reload firewalld.

After you are done modifying it (don't forget to use `--permanent` or `--runtime-to-permanent`) you can add the zone to the connection like so:

```
$ nmcli connection modify [connection_name] connection.zone [zone_name]
```

And if you rerun the command from above (`nmcli -p connection show ...`) you will get this:

```
$ nmcli -p connection show [connection_name] | grep connection.zone
connection.zone: [zone_name]
```
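The whole procedure above as one script, added here as an example; it is not from the original page nor from the firewalld or NetworkManager projects. It creates the zone as a copy of `public.xml` if no zone of that name exists, allows a service in it both at runtime and permanently, binds the zone to the connection and reads the binding back. The zone name `laptop-office`, the connection name `Wired connection 1`, the overridable `DIST_ZONE_DIR`, `ETC_ZONE_DIR`, `FIREWALL_CMD` and `NMCLI` variables and all function names are assumptions for illustration; it expects to run as root.

```shell
#!/bin/sh
# Added example (not from the original page or the firewalld/NetworkManager
# projects): the procedure above as one script. It creates the zone from a
# copy of public.xml if it does not exist yet, allows a service in it (both
# runtime and permanent), binds the zone to a NetworkManager connection and
# reads the binding back. Assumptions: run as root; the directories and the
# two command paths are overridable so the logic can be exercised in a test.
set -eu

DIST_ZONE_DIR="${DIST_ZONE_DIR:-/usr/lib/firewalld/zones}"   # zones shipped by firewalld
ETC_ZONE_DIR="${ETC_ZONE_DIR:-/etc/firewalld/zones}"         # local zones / overrides
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
NMCLI="${NMCLI:-nmcli}"

# Print the zone bound to CONNECTION; nmcli prints "--" when none is set.
current_zone() {   # $1 = connection name
    "$NMCLI" -p connection show "$1" | sed -n 's/^connection\.zone:[[:space:]]*//p'
}

# Create zone NAME as a copy of public.xml if no zone of that name exists.
# firewalld rejects zone names longer than 17 characters, so check early.
ensure_zone() {   # $1 = zone name
    name="$1"
    if [ "${#name}" -gt 17 ]; then
        echo "zone name '$name' exceeds firewalld's 17-character limit" >&2
        return 1
    fi
    if [ -e "$ETC_ZONE_DIR/$name.xml" ] || [ -e "$DIST_ZONE_DIR/$name.xml" ]; then
        return 0
    fi
    # Give the copy its own <short> label; everything else is inherited from public.
    sed "s|<short>Public</short>|<short>$name</short>|" \
        "$DIST_ZONE_DIR/public.xml" > "$ETC_ZONE_DIR/$name.xml"
    "$FIREWALL_CMD" --reload >/dev/null      # make the new zone file known
}

# Allow SERVICE in ZONE now and after the next reload: --permanent alone
# would not touch the running configuration.
allow_service() {   # $1 = zone, $2 = service
    "$FIREWALL_CMD" --zone="$1" --add-service="$2" >/dev/null
    "$FIREWALL_CMD" --permanent --zone="$1" --add-service="$2" >/dev/null
}

# Bind ZONE to CONNECTION and print what NetworkManager now reports.
assign_zone() {   # $1 = connection, $2 = zone
    "$NMCLI" connection modify "$1" connection.zone "$2"
    current_zone "$1"
}

# Whole procedure; prints the zone now bound to the connection.
apply() {   # $1 = connection, $2 = zone, $3 = service
    ensure_zone "$2"
    allow_service "$2" "$3"
    assign_zone "$1" "$2"
}

# Usage: ./nm-zone.sh "Wired connection 1" laptop-office ssh
if [ "$#" -eq 3 ]; then
    apply "$@"
fi
```

Reading the binding back through `current_zone` instead of trusting the exit status of `nmcli connection modify` means a typo in the connection name or zone name shows up immediately rather than the next time the laptop joins that network.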
Behind the scenes
To see what is going on in nftables you can use:

```
$ nft list ruleset inet
```

Of course you could change the config so that it uses iptables instead, by setting `FirewallBackend=iptables` in `/etc/firewalld/firewalld.conf`, but keep in mind that the iptables backend is deprecated and will be removed in a future release. If you still use it, `iptables -nvL` shows the applied rules.