Remember that for Firewalld to take effect, a NIC must be assigned to a zone with the appropriate commands. This is essential: an interface that belongs to no zone is handled by the default zone, so check the assignment before trusting the rule set.
Let's begin:
Start Firewalld and enable it at boot.
[root@yo ~]# systemctl start firewalld
[root@yo ~]# systemctl enable firewalld
By default, the "public" zone is applied to a NIC, and only dhcpv6-client and ssh are allowed in it. When configuring with firewall-cmd, any command run without an explicit --zone=*** option is applied to the default zone.
# display the default zone
[root@yo ~]# firewall-cmd --get-default-zone
public
# display current settings
[root@yo ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
# display all zones defined by default
[root@yo ~]# firewall-cmd --list-all-zones
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
.....
.....
# display allowed services on a specific zone
[root@yo ~]# firewall-cmd --list-service --zone=external
ssh
# change default zone
[root@yo ~]# firewall-cmd --set-default-zone=external
success
# change zone for an interface (*note)
[root@yo ~]# firewall-cmd --change-interface=eth1 --zone=external
success
[root@yo ~]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
# *note : the interface binding is not changed permanently with "change-interface", even if the "--permanent" option is added
# to change it permanently, use nmcli as follows
[root@yo ~]# nmcli c mod eth1 connection.zone external
[root@yo ~]# firewall-cmd --get-active-zone
external
  interfaces: eth1
public
  interfaces: eth0
The services defined by default are:
[root@yo ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
# definition files are placed as follows
# if you'd like to add your own definition, add an XML file there
[root@yo ~]# ls /usr/lib/firewalld/services
amanda-client.xml      ipp-client.xml   mysql.xml        rpc-bind.xml
bacula-client.xml      ipp.xml          nfs.xml          samba-client.xml
bacula.xml             ipsec.xml        ntp.xml          samba.xml
dhcpv6-client.xml      kerberos.xml     openvpn.xml      smtp.xml
dhcpv6.xml             kpasswd.xml      pmcd.xml         ssh.xml
dhcp.xml               ldaps.xml        pmproxy.xml      telnet.xml
dns.xml                ldap.xml         pmwebapis.xml    tftp-client.xml
ftp.xml                libvirt-tls.xml  pmwebapi.xml     tftp.xml
high-availability.xml  libvirt.xml      pop3s.xml        transmission-client.xml
https.xml              mdns.xml         postgresql.xml   vnc-server.xml
http.xml               mountd.xml       proxy-dhcp.xml   wbem-https.xml
imaps.xml              ms-wbt.xml       radius.xml
Adding or removing allowed services. Remember that for the change to be permanent and survive a reboot you must add --permanent; without it the change applies only to the running configuration.
# for example, add http (the change takes effect at once)
[root@yo ~]# firewall-cmd --add-service=http
success
[root@yo ~]# firewall-cmd --list-service
dhcpv6-client http ssh
# for example, remove http
[root@yo ~]# firewall-cmd --remove-service=http
success
[root@dlp ~]# firewall-cmd --list-service
dhcpv6-client ssh
# for example, add http permanently (in the permanent case, Firewalld must be reloaded to enable the change)
[root@yo ~]# firewall-cmd --add-service=http --permanent
success
[root@yo ~]# firewall-cmd --reload
success
[root@yo ~]# firewall-cmd --list-service
dhcpv6-client http ssh
Adding or removing allowed ports. In the same way, we use --permanent for changes that must persist.
# for example, add TCP 465
[root@yo ~]# firewall-cmd --add-port=465/tcp
success
[root@yo ~]# firewall-cmd --list-port
465/tcp
# for example, remove TCP 465
[root@yo ~]# firewall-cmd --remove-port=465/tcp
success
[root@yo ~]# firewall-cmd --list-port
# for example, add TCP 465 permanently
[root@yo ~]# firewall-cmd --add-port=465/tcp --permanent
success
[root@yo ~]# firewall-cmd --reload
success
[root@yo ~]# firewall-cmd --list-port
465/tcp
Adding or removing ICMP blocks.
# for example, add echo-request to block it
[root@yo ~]# firewall-cmd --add-icmp-block=echo-request
success
[root@yo ~]# firewall-cmd --list-icmp-blocks
echo-request
# for example, remove echo-request
[root@yo ~]# firewall-cmd --remove-icmp-block=echo-request
success
[root@yo ~]# firewall-cmd --list-icmp-blocks
# display ICMP types
[root@yo ~]# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
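A recurring point above is that changes made without --permanent live only in the runtime configuration and vanish on reload or reboot. The following is an added example (not part of the original tutorial) that compares the runtime and permanent dumps of a zone and reports services, ports and ICMP blocks that exist only at runtime; the two dumps below are constructed sample output, and on a real host you would fill them from firewall-cmd --list-all with and without --permanent.

```shell
#!/bin/sh
# Added example: detect runtime-only firewalld settings that a reload would
# drop. RUNTIME and PERMANENT are constructed samples; on a real host use:
#   RUNTIME=$(firewall-cmd --list-all --zone=public)
#   PERMANENT=$(firewall-cmd --list-all --zone=public --permanent)
RUNTIME='public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client http ssh
  ports: 465/tcp
  masquerade: no
  forward-ports:
  icmp-blocks: echo-request
  rich rules:'

PERMANENT='public
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# field_values DUMP FIELD -> the space-separated values after "FIELD:"
field_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# runtime_only RUNTIME_DUMP PERMANENT_DUMP FIELD
# -> values present at runtime but missing from the permanent config
runtime_only() {
    rt=$(field_values "$1" "$3"); pm=$(field_values "$2" "$3"); out=""
    for v in $rt; do
        case " $pm " in
            *" $v "*) ;;            # also persisted: fine
            *) out="$out $v" ;;     # runtime-only: lost on reload
        esac
    done
    printf '%s' "${out# }"
}

# check_drift: print one line per field with runtime-only entries,
# return 1 if any drift was found (suitable for a cron/monitoring job)
check_drift() {
    drift=0
    for f in services ports icmp-blocks; do
        only=$(runtime_only "$RUNTIME" "$PERMANENT" "$f")
        [ -n "$only" ] && { echo "runtime-only $f (lost on reload): $only"; drift=1; }
    done
    return $drift
}
```

Run it after provisioning or from cron; a non-zero exit means someone opened something with firewall-cmd but never made it permanent, which is either an oversight to fix or an unauthorised change to investigate.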