Zones are pre-constructed rulesets for various trust levels you would likely have for a given location or scenario (e.g. home, public, trusted, etc.). Different zones allow different network services and incoming traffic types while denying everything else. After enabling FirewallD for the first time, Public will be the default zone.
Zones can also be applied to different network interfaces. For example, with separate interfaces for an internal network and the Internet, you can allow DHCP on the internal zone but only HTTP and SSH on the external zone. Any interface not explicitly assigned to a zone is attached to the default zone.
Zone files are XML files stored at /usr/lib/firewalld/zones/
A FirewallD service is an easy way to handle one or more ports for a service: it is an XML file describing the service and the set of ports it uses.
The XML file name is the service name that we use with --add-service=NAME
Service files are stored at /usr/lib/firewalld/services/
If you want to read about firewall basics and simple usage of firewalld and firewall-cmd, please read this.
01. FirewallD Services:
To list all services that we can use to configure the firewall, use either of two ways:
[root@host ~]# ls /usr/lib/firewalld/services/
[root@host ~]# firewall-cmd --get-services
Let's look at the content of a service file, for example http.xml:
[root@host ~]# vim /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
As you see, it is a simple XML file. The most important line inside the <service> section is the <port .../> line:
that is how we define the protocol and port for our service.
<short> is a title.
<description> is a description of the service.
You can create your own service easily by copying any service file to a file named after your new service, editing the port and protocol values as needed, and then reloading the firewall.
Or use the firewall-cmd command with --new-service=NAME. This only works with --permanent, so we need to reload afterwards:
[root@host ~]# firewall-cmd --permanent --new-service=test
success
[root@host ~]# firewall-cmd --reload
success
[root@host ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns enan ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet test tftp tftp-client transmission-client vnc-server wbem-https
[root@host ~]#
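As an added example that is not part of the original post, the script below builds a custom service file in the same layout as http.xml and then allows it in one named zone only. It assumes the local override directory /etc/firewalld/services/ (files there survive package updates, unlike those under /usr/lib/firewalld/), and the helper names write_service and apply_service are my own.

```shell
#!/bin/sh
# Added example, not from the original post: generate a firewalld service
# file laid out like http.xml, refuse malformed input, then enable the
# service in exactly one zone. Helper names are assumptions for this example.
set -eu

# write_service NAME DESCRIPTION DIR PORT/PROTO... : writes DIR/NAME.xml and
# prints its path. Validates every port spec before touching the disk.
# (DIR is a parameter only so the function can be exercised in a temp dir.)
write_service() {
    name=$1 desc=$2 dir=$3; shift 3
    [ $# -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    # No XML escaping is done, so refuse metacharacters (and '/' in the name).
    case "$name$desc" in *['<>&"/']*) echo "XML metacharacters not allowed" >&2; return 1 ;; esac
    for spec in "$@"; do
        port=${spec%/*} proto=${spec#*/}
        case $proto in tcp|udp|sctp|dccp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;; esac
        case $port in ''|*[!0-9-]*|-*|*-) echo "bad port in '$spec'" >&2; return 1 ;; esac
    done
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}

# apply_service NAME ZONE: make firewalld read the new file, then open the
# service in ZONE only, never in the default zone by accident.
apply_service() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found; file written but not applied" >&2; return 0; }
    firewall-cmd --reload >/dev/null
    firewall-cmd --permanent --zone="$2" --add-service="$1" >/dev/null
    firewall-cmd --reload >/dev/null
    firewall-cmd --zone="$2" --list-services
}

# Usage: sh add-service.sh NAME "DESCRIPTION" ZONE PORT/PROTO...
if [ $# -ge 4 ]; then
    name=$1 desc=$2 zone=$3; shift 3
    write_service "$name" "$desc" /etc/firewalld/services "$@" >/dev/null
    apply_service "$name" "$zone"
fi
```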
To delete a service that has an XML file, delete its file and reload the firewall.
To delete a service we created on the command line, we delete it on the command line as well and reload:
[root@host ~]# firewall-cmd --permanent --delete-service=test
success
[root@host ~]# firewall-cmd --reload
success
[root@host ~]#
Let's go through an example. To open the HTTP port we have to open port 80 with protocol tcp, either by adding that port or by adding the http service (you can add both at the same time, but there is no benefit!):
firewall-cmd --add-port=80/tcp
OR
firewall-cmd --add-service=http
To list currently allowed services:
[root@host ~]# firewall-cmd --list-services
dhcpv6-client http ssh
[root@host ~]#
02. FirewallD Zones:
The default zone is Public out of the box, but you can change it.
To show the current default zone:
[root@host ~]# firewall-cmd --get-default-zone
public
To change the default zone:
[root@host ~]# firewall-cmd --set-default-zone=external
success
[root@host ~]#
To assign an interface to a specific zone (example: add eth1 to the internal zone), which activates that zone's rules on that interface:
[root@host ~]# firewall-cmd --zone=internal --add-interface=eth1
success
[root@host ~]# firewall-cmd --list-all --zone=internal
internal (active)
  interfaces: eth1
  sources:
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
* Any rules you set without specifying a zone are applied to the default zone.
To set a rule for a specific zone you must specify it using --zone=ZoneName:
[root@host ~]# firewall-cmd --zone=internal --add-service=ftp
success
[root@host ~]# firewall-cmd --list-all --zone=internal
internal (active)
  interfaces: eth1
  sources:
  services: dhcpv6-client ftp ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@host ~]#
To show all currently active zones and their interfaces:
[root@host ~]# firewall-cmd --get-active-zones
internal
  interfaces: eth1
external
  interfaces: eth0
[root@host ~]#
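As an added example (not from the original post), the following script audits what every active zone exposes, so that a service added to one zone, like ftp on internal above, does not go unnoticed. It parses the text layout of firewall-cmd --list-all-zones (one header line per zone, then indented "key: values" lines, as in the --list-all output above); the allowlist in ALLOW and the SAMPLE text are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit what every *active* zone
# exposes by parsing `firewall-cmd --list-all-zones` text (a header line per
# zone, then space-indented "key: values" lines). ALLOW and SAMPLE are
# constructed for this example; adjust ALLOW to the policy for the host.
set -eu
ALLOW="${ALLOW:-ssh dhcpv6-client}"

# audit_zones ALLOW  (reads --list-all-zones text on stdin)
# Prints one summary line per active zone plus "EXPOSED zone item" for each
# service or port not in ALLOW; exit status 1 if anything was flagged.
audit_zones() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[^ ]/ { zone = $1; active = ($0 ~ /active/); ifs = svc = ""; next }  # header
    !active { next }                                   # inactive zones: skip
    $1 == "interfaces:" { ifs = substr($0, index($0, ":") + 2) }
    $1 == "services:"   { svc = substr($0, index($0, ":") + 2) }
    $1 == "ports:" {                  # last of the fields we care about
        prt = substr($0, index($0, ":") + 2)
        printf "%s ifaces=[%s] services=[%s] ports=[%s]\n", zone, ifs, svc, prt
        n = split(svc " " prt, items, " ")
        for (i = 1; i <= n; i++)
            if (!(items[i] in ok)) { print "EXPOSED", zone, items[i]; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample in the same layout as the outputs above.
SAMPLE='internal (active)
  interfaces: eth1
  services: dhcpv6-client ftp ipp-client mdns samba-client ssh
  ports: 
external (active)
  interfaces: eth0
  services: ssh
  ports: 8080/tcp
public
  interfaces: 
  services: dhcpv6-client http ssh
  ports: 
'
# Audit the live firewall when firewall-cmd exists, otherwise the sample.
if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --list-all-zones | audit_zones "$ALLOW" || echo "review the EXPOSED items"
else
    printf '%s' "$SAMPLE" | audit_zones "$ALLOW" || echo "review the EXPOSED items"
fi
```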
To add a new zone:
Create or copy a zone XML file with the desired name, edit it, then reload the firewall so it is read.
[root@host ~]# cp /usr/lib/firewalld/zones/dmz.xml /usr/lib/firewalld/zones/akm.xml
[root@host ~]# firewall-cmd --reload
success
[root@host ~]# firewall-cmd --set-default-zone=
akm       dmz       external  internal  trusted
block     drop      home      public    work
[root@host ~]# firewall-cmd --set-default-zone=akm
success
[root@host ~]# firewall-cmd --list-all
akm (default, active)
  interfaces: eth0
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@host ~]#
Or use the firewall-cmd command to add zones.
This only works with --permanent, so we must reload to list the changes.
* It will not create a zone file under /usr/lib/firewalld/zones/, which is fine.
[root@host ~]# firewall-cmd --permanent --new-zone=myZone
success
[root@host ~]# firewall-cmd --reload
success
[root@host ~]# firewall-cmd --get-zones
akm block dmz drop external home internal myZone public trusted work
[root@host ~]#
[root@host ~]# ls /usr/lib/firewalld/zones/
akm.xml  dmz.xml  external.xml  internal.xml  trusted.xml  block.xml  drop.xml  home.xml  public.xml  work.xml
[root@host ~]#
To delete a zone you created with an XML file, you must delete its file and reload.
To delete a zone you created with the firewall-cmd command, you also use firewall-cmd to delete it:
[root@host ~]# firewall-cmd --permanent --delete-zone=myZone
success
[root@host ~]# firewall-cmd --reload
success
[root@host ~]# firewall-cmd --get-zones
ahmed akm block dmz drop external home internal public trusted work
[root@host ~]#
Now that you know how to configure and use zones, you may need to configure port forwarding and NAT, or add rich rules.
That is it for zones and services; I hope it was simple.
Enjoy!