Basic Firewalld operations on CentOS 7

Remember that to enable Firewalld we must assign a zone to a NIC with the relevant commands. This is essential.

Let's begin:

Start Firewalld:

[root@yo ~]# systemctl start firewalld 
[root@yo ~]# systemctl enable firewalld

By default, the "public" zone is applied to a NIC, and dhcpv6-client and ssh are allowed in it. When configuring with firewall-cmd, if a command is run without specifying "--zone=<zone name>", the setting is applied to the default zone.

# display the default zone
[root@yo ~]# firewall-cmd --get-default-zone 
public
# display current settings
[root@yo ~]# firewall-cmd --list-all 
public (default, active)
  interfaces: eno16777736
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
  
# display all zones defined by default
[root@yo ~]# firewall-cmd --list-all-zones 
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
  .....
  .....
  
# display allowed services on a specific zone
[root@yo ~]# firewall-cmd --list-service --zone=external 
ssh
# change default zone
[root@yo ~]# firewall-cmd --set-default-zone=external 
success
# change zone for an interface (*note)
[root@yo ~]# firewall-cmd --change-interface=eth1 --zone=external 
success
[root@yo ~]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: eth1
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
  
# *note : it's not changed permanently with "change-interface" even if added "--permanent" option
# if change permanently, use nmcli like follows
[root@yo ~]# nmcli c mod eth1 connection.zone external 
[root@yo ~]# firewall-cmd --get-active-zone 
external
  interfaces: eth1
public
  interfaces: eth0

The services defined by default are:

[root@yo ~]# firewall-cmd --get-services 
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
# definition files are placed like follows
# if you'd like to add your original definition, add XML file on there
[root@yo ~]# ls /usr/lib/firewalld/services 
amanda-client.xml      ipp-client.xml   mysql.xml       rpc-bind.xml
bacula-client.xml      ipp.xml          nfs.xml         samba-client.xml
bacula.xml             ipsec.xml        ntp.xml         samba.xml
dhcpv6-client.xml      kerberos.xml     openvpn.xml     smtp.xml
dhcpv6.xml             kpasswd.xml      pmcd.xml        ssh.xml
dhcp.xml               ldaps.xml        pmproxy.xml     telnet.xml
dns.xml                ldap.xml         pmwebapis.xml   tftp-client.xml
ftp.xml                libvirt-tls.xml  pmwebapi.xml    tftp.xml
high-availability.xml  libvirt.xml      pop3s.xml       transmission-client.xml
https.xml              mdns.xml         postgresql.xml  vnc-server.xml
http.xml               mountd.xml       proxy-dhcp.xml  wbem-https.xml
imaps.xml              ms-wbt.xml       radius.xml
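
As an added example (not from the original post), here is a POSIX shell helper that generates a service definition XML in the format firewalld reads, for a hypothetical service "appsrv" on TCP 8443. It assumes custom definitions go in /etc/firewalld/services (which firewalld reads in preference to /usr/lib/firewalld/services); the demo writes to a temporary directory so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a firewalld service
# definition; "appsrv" and its ports are hypothetical. Custom definitions are
# normally placed in /etc/firewalld/services/<name>.xml, then activated with
# firewall-cmd --reload and firewall-cmd --add-service=<name> --permanent.

# write_fw_service DIR NAME SHORT DESCRIPTION PORTSPEC...
# PORTSPEC uses the same "port/protocol" form as firewall-cmd --add-port,
# e.g. 8443/tcp or 9000-9010/udp. Text is not XML-escaped: keep it plain.
write_fw_service() {
    dir=$1; name=$2; short=$3; desc=$4
    shift 4
    # validate every port spec before writing anything
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9-]*) echo "bad port: $spec" >&2; return 1 ;; esac
    done
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}

# demo: write the hypothetical definition into a temp dir instead of /etc
demo_dir=$(mktemp -d)
write_fw_service "$demo_dir" appsrv "App Server" "Hypothetical app on TCP 8443" 8443/tcp
cat "$demo_dir/appsrv.xml"
```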

Add or remove allowed services. Remember that for the change to be permanent and not reset on reboot, you must add "--permanent".

# for example, add http (the change will be valid at once)
[root@yo ~]# firewall-cmd --add-service=http 
success
[root@yo ~]# firewall-cmd --list-service 
dhcpv6-client http ssh
# for example, remove http
[root@yo ~]# firewall-cmd --remove-service=http 
success
[root@dlp ~]# firewall-cmd --list-service 
dhcpv6-client ssh
# for example, add http permanently. (this permanent case, it's necessary to reload the Firewalld to enable the change)
[root@yo ~]# firewall-cmd --add-service=http --permanent 
success
[root@yo ~]# firewall-cmd --reload 
success
[root@yo ~]# firewall-cmd --list-service 
dhcpv6-client http ssh

Add or remove allowed ports. Likewise, use "--permanent" to persist the change.

# for example, add TCP 465
[root@yo ~]# firewall-cmd --add-port=465/tcp 
success
[root@yo ~]# firewall-cmd --list-port 
465/tcp
# for example, remove TCP 465
[root@yo ~]# firewall-cmd --remove-port=465/tcp 
success
[root@yo ~]# firewall-cmd --list-port 
 
# for example, add TCP 465 permanently
[root@yo ~]# firewall-cmd --add-port=465/tcp --permanent 
success
[root@yo ~]# firewall-cmd --reload 
success
[root@yo ~]# firewall-cmd --list-port 
465/tcp
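
The runtime/permanent split above can go wrong in both directions: a rule added without --permanent disappears on reload or reboot, and one added with --permanent is inert until --reload. As an added example (not from the original post), this POSIX shell script compares the text of firewall-cmd --list-all and firewall-cmd --list-all --permanent for one zone and reports both kinds of drift for the services, ports and interfaces sections shown above; the listings below are constructed to mirror the post's output format.

```shell
#!/bin/sh
# Added example, not from the original post: report drift between a zone's
# runtime and permanent configuration. "only-runtime" entries are lost at the
# next reload/reboot (added without --permanent); "only-permanent" entries are
# not enforced yet (added with --permanent, no --reload). Interfaces are
# compared too, since --change-interface is never persisted (see note above).
# field FILE KEY: values of the "  KEY: a b c" line of a --list-all dump, one per line
field() {
    sed -n "s/^ *$2: *//p" "$1" | tr -s ' ' '\n' | grep -v '^$' | sort
}
# fw_drift RUNTIME_FILE PERMANENT_FILE -> prints drift lines, returns 1 if any
fw_drift() {
    rc=0
    for key in interfaces services ports; do
        run=$(field "$1" "$key"); perm=$(field "$2" "$key")
        for v in $run; do
            echo "$perm" | grep -qx "$v" || { echo "only-runtime $key $v"; rc=1; }
        done
        for v in $perm; do
            echo "$run" | grep -qx "$v" || { echo "only-permanent $key $v"; rc=1; }
        done
    done
    return $rc
}
# Constructed samples in the post's output format: http and 465/tcp were added at
# runtime only, https permanently without reload, eth1 via --change-interface.
RUNTIME_SAMPLE='public (default, active)
  interfaces: eno16777736 eth1
  sources:
  services: dhcpv6-client http ssh
  ports: 465/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'
PERMANENT_SAMPLE='public
  interfaces: eno16777736
  sources:
  services: dhcpv6-client https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'
demo_dir=$(mktemp -d)
printf '%s\n' "$RUNTIME_SAMPLE" > "$demo_dir/run"
printf '%s\n' "$PERMANENT_SAMPLE" > "$demo_dir/perm"
fw_drift "$demo_dir/run" "$demo_dir/perm" || echo "drift found: add --permanent or run --reload"
```

On a real host, feed it the saved output of firewall-cmd --list-all and firewall-cmd --list-all --permanent for the same zone (add --zone=<zone name> to both for a non-default zone).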

Add or remove ICMP blocks.

# for example, add echo-request to prohibit it
[root@yo ~]# firewall-cmd --add-icmp-block=echo-request 
success
[root@yo ~]# firewall-cmd --list-icmp-blocks 
echo-request
# for example, remove echo-request
[root@yo ~]# firewall-cmd --remove-icmp-block=echo-request 
success
[root@yo ~]# firewall-cmd --list-icmp-blocks 
 
# display ICMP types
[root@yo ~]# firewall-cmd --get-icmptypes 
destination-unreachable echo-reply echo-request parameter-problem redirect 
router-advertisement router-solicitation source-quench time-exceeded
