Recuerda que para habilitar Firewalld, debemos asignar zona a una NIC con los comandos pertinentes. Es indispensable.
Comenzamos:
Iniciamos Firewalld.
1 2 | [root@yo ~]# systemctl start firewalld [root@yo ~]# systemctl enable firewalld |
De forma predeterminada, la zona “pública” se aplica a una NIC y el dhcpv6-client y ssh estarán permitidos. Cuando configuramos con el “firewall-cmd”, si los comandos los colocamos sin especificar la “–zone = ***”, la configuración se establecerá en la zona por defecto.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 | # display the default zone [root@yo ~]# firewall-cmd --get-default-zone public # display current settings [root@yo ~]# firewall-cmd --list-all public (default, active) interfaces: eno16777736 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: # display all zones defined by default [root@yo ~]# firewall-cmd --list-all-zones block interfaces: sources: services: ports: masquerade: no forward-ports: icmp-blocks: rich rules: ..... ..... # display allowed services on a specific zone [root@yo ~]# firewall-cmd --list-service --zone=external ssh # change default zone [root@yo ~]# firewall-cmd --set-default-zone=external success # change zone for an interface (*note) [root@yo ~]# firewall-cmd --change-interface=eth1 --zone=external success [root@yo ~]# firewall-cmd --list-all --zone=external external (active) interfaces: eth1 sources: services: ssh ports: masquerade: yes forward-ports: icmp-blocks: rich rules: # *note : it's not changed permanently with "change-interface" even if added "--permanent" option # if change permanently, use nmcli like follows [root@yo ~]# nmcli c mod eth1 connection.zone external [root@yo ~]# firewall-cmd --get-active-zone external interfaces: eth1 public interfaces: eth0 |
Los servicios definidos de forma predeterminada, son:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | [root@yo ~]# firewall-cmd --get-services amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https # definition files are placed like follows # if you'd like to add your original definition, add XML file on there [root@yo ~]# ls /usr/lib/firewalld/services amanda-client.xml ipp-client.xml mysql.xml rpc-bind.xml bacula-client.xml ipp.xml nfs.xml samba-client.xml bacula.xml ipsec.xml ntp.xml samba.xml dhcpv6-client.xml kerberos.xml openvpn.xml smtp.xml dhcpv6.xml kpasswd.xml pmcd.xml ssh.xml dhcp.xml ldaps.xml pmproxy.xml telnet.xml dns.xml ldap.xml pmwebapis.xml tftp-client.xml ftp.xml libvirt-tls.xml pmwebapi.xml tftp.xml high-availability.xml libvirt.xml pop3s.xml transmission-client.xml https.xml mdns.xml postgresql.xml vnc-server.xml http.xml mountd.xml proxy-dhcp.xml wbem-https.xml imaps.xml ms-wbt.xml radius.xml |
Agregar o quitar servicios permitidos. Recuerda que para que el cambio sea permanente y no se restablezca en el reinicio debes agregar “–permanent”.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | # for example, add http (the change will be valid at once) [root@yo ~]# firewall-cmd --add-service=http success [root@yo ~]# firewall-cmd --list-service dhcpv6-client http ssh # for example, remove http [root@yo ~]# firewall-cmd --remove-service=http success [root@dlp ~]# firewall-cmd --list-service dhcpv6-client ssh # for example, add http permanently. (this permanent case, it's necessary to reload the Firewalld to enable the change) [root@yo ~]# firewall-cmd --add-service=http --permanent success [root@yo ~]# firewall-cmd --reload success [root@yo ~]# firewall-cmd --list-service dhcpv6-client http ssh |
Agregar o quitar puertos permitidos. De igual forma usaremos “–permanent”.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | # for example, add TCP 465 [root@yo ~]# firewall-cmd --add-port=465/tcp success [root@yo ~]# firewall-cmd --list-port 465/tcp # for example, remove TCP 465 [root@yo ~]# firewall-cmd --remove-port=465/tcp success [root@yo ~]# firewall-cmd --list-port # for example, add TCP 465 permanently [root@yo ~]# firewall-cmd --add-port=465/tcp --permanent success [root@yo ~]# firewall-cmd --reload success [root@yo ~]# firewall-cmd --list-port 465/tcp |
Agregar o quitar ICMP.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | # for example, add echo-request to prohibit it [root@yo ~]# firewall-cmd --add-icmp-block=echo-request success [root@yo ~]# firewall-cmd --list-icmp-blocks echo-request # for example, remove echo-request [root@yo ~]# firewall-cmd --remove-icmp-block=echo-request success [root@yo ~]# firewall-cmd --list-icmp-blocks # display ICMP types [root@yo ~]# firewall-cmd --get-icmptypes destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded |
VOTA Y COMPARTE
Suscribete
Suscribete a nuestro newsletter y mantente informado con nuestros últimos artículos, noticias y más. Todo completamente gratis.
Tu suscripción a sido realizada con éxito.