Firewall Management (firewalld)
Skill Level: Intermediate
1. Getting Started
For these exercises, you will be using the host node1 as user root.
From host bastion, ssh to node1.
ssh node1
Use sudo to elevate your privileges.
[[ "$UID" == 0 ]] || sudo -i
Verify that you are on the right host for these exercises.
workshop-firewalld-checkhost.sh
You are now ready to proceed with these exercises.
2. Managing Ad-hoc Ports
2.1. Add a Port
Since we have been working with http, and httpd is commonly configured to also listen on ports 8080 and 8443, let's simply create an ad-hoc rule to open those ports. The first command changes the runtime configuration only; the second copies the runtime state into the permanent configuration so it survives a reload.
firewall-cmd --add-port=8080/tcp --add-port=8443/tcp
firewall-cmd --runtime-to-permanent
firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit http https ssh
  ports: 8080/tcp 8443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
2.2. Remove a Port
Ad-hoc rules are quick and easy, but not ideal: nothing in the configuration records which application the open ports belong to, and a reviewer cannot tell 8080/tcp apart from a forgotten debugging hole. We really want a formal configuration, so let us undo the ad-hoc rules first.
firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp
firewall-cmd --runtime-to-permanent
firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit http https ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
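The following is an added example, not part of the workshop, showing how to confirm that an ad-hoc port change like the one above actually landed in both the runtime and the permanent configuration, rather than trusting the exit status of firewall-cmd. The listing parser is exercised against samples copied from the zone output shown above (marked as constructed in the code); the live section assumes firewall-cmd is installed and that you are root, as in Getting Started, and is skipped otherwise.

```shell
#!/bin/sh
# Added example (not from the workshop): verify an ad-hoc port change in both
# the runtime and the permanent configuration, instead of trusting the exit
# status of firewall-cmd. The parsing lives in small functions so it can be
# exercised against captured `--list-all` output when firewall-cmd is absent.

# zone_field LISTING FIELD
# Print the value of one "  field: value" line from `firewall-cmd --list-all`
# output, e.g. zone_field "$listing" ports -> "8080/tcp 8443/tcp".
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# has_port LISTING PORT/PROTO  ->  0 if the port is in the ports: field
has_port() {
    for _p in $(zone_field "$1" ports); do
        [ "$_p" = "$2" ] && return 0
    done
    return 1
}

# fields_match RUNTIME_LISTING PERMANENT_LISTING FIELD
# 0 when the field is identical in both listings. A mismatch after
# --runtime-to-permanent means the change will not survive a reload.
fields_match() {
    [ "$(zone_field "$1" "$3")" = "$(zone_field "$2" "$3")" ]
}

# Constructed samples, copied from the listings shown in the exercise:
# the public zone after the ports were added, and after they were removed.
SAMPLE_AFTER_ADD=$(cat <<'EOF'
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit http https ssh
  ports: 8080/tcp 8443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)
SAMPLE_AFTER_REMOVE=$(printf '%s\n' "$SAMPLE_AFTER_ADD" | sed 's/^  ports: .*/  ports:/')

# Live run: only when firewall-cmd exists and we are root (see Getting Started).
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    firewall-cmd --zone=public --add-port=8080/tcp --add-port=8443/tcp
    firewall-cmd --runtime-to-permanent
    runtime=$(firewall-cmd --zone=public --list-all)
    permanent=$(firewall-cmd --zone=public --list-all --permanent)
    for _p in 8080/tcp 8443/tcp; do
        has_port "$runtime" "$_p" || { echo "$_p missing from runtime" >&2; exit 1; }
        has_port "$permanent" "$_p" || { echo "$_p missing from permanent" >&2; exit 1; }
    done
    fields_match "$runtime" "$permanent" ports || { echo "runtime/permanent drift in ports" >&2; exit 1; }
    echo "8080/tcp and 8443/tcp are open in runtime and permanent config"
fi
```

For a single port, firewall-cmd --query-port=8080/tcp (and --permanent --query-port=8080/tcp) answers the same question directly. Parsing and comparing the whole listing is the approach to use when you want to catch drift across every field of a zone, for example in a post-change check or a configuration audit.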
3. Customizing a Default Service
3.1. Install Override Configuration
workshop-firewalld-customconfigs.sh
Two configuration files were just created in /etc/firewalld/services/.
They are identical to the system defaults shipped in /usr/lib/firewalld/services/ except that our additional ports (8080 and 8443) were added to the definition. A file in /etc/firewalld/services/ overrides the shipped definition of the same name, so after the reload below every zone that allows the http service will also allow 8080/tcp, and every zone that allows https will also allow 8443/tcp. Keep that reach in mind: redefining a stock service is convenient, but it changes what "http" means everywhere on the host.
cat /etc/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="8080"/>
</service>
cat /etc/firewalld/services/https.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Secure WWW (HTTPS)</short>
  <description>HTTPS is a modified HTTP used to serve Web pages when security is important. Examples are sites that require logins like stores or web mail. This option is not required for viewing pages locally or developing Web pages. You need the httpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="8443"/>
</service>
3.2. Activate Service
Since the http and https services are already enabled in the public zone, all we really need to do is reload firewalld so it reads the new service definitions. The running httpd is not touched; only the firewall's definition of the http and https services changes.
firewall-cmd --reload
3.3. Verification
firewall-cmd --info-service=http
http
  ports: 80/tcp 8080/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:
firewall-cmd --info-service=https
https
  ports: 443/tcp 8443/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:
firewall-cmd --zone=public --list-all --permanent
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
4. Custom Service From Scratch
In this exercise you will create a custom service with a unique name.
4.1. Configuration File
First, have a look at the configuration file which has already been prepared for you. It follows the same format as the service definitions in the previous section and should be fairly self explanatory.
cat /usr/local/etc/firewalld-customname.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>workshop</short>
  <description>Workshop Test Service</description>
  <port protocol="tcp" port="7890" />
  <port protocol="udp" port="7890" />
</service>
4.2. Configuration Import
Now it is time to import the config file. Service definitions are permanent configuration objects, so --permanent is required here, and a reload makes the new definition available to the runtime configuration.
firewall-cmd --new-service-from-file=/usr/local/etc/firewalld-customname.xml --name=workshop --permanent
firewall-cmd --reload
4.3. Activate Service
Finally, activate the service and verify.
firewall-cmd --add-service=workshop
firewall-cmd --zone=public --list-all
Note that --permanent was used only when creating the service definition, not when adding the service to the zone. The workshop service definition therefore survives a reload, but the --add-service=workshop assignment is runtime only: if the system reboots, or if firewalld is reloaded, the public zone will no longer allow the workshop service. You can preserve the zone change with a simple firewall-cmd --runtime-to-permanent
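The following is an added example, not part of the workshop, that generates a firewalld service definition from a name and a list of PORT/PROTO entries and refuses anything that is not a valid port spec before a file is written. The output matches the format of the service files shown in sections 3 and 4, so the same generator serves both cases: write the result to /etc/firewalld/services/http.xml to override a stock service, or import it with --new-service-from-file for a service with a unique name. The live section assumes firewall-cmd is installed, that you are root, and that mktemp is available; it is skipped otherwise.

```shell
#!/bin/sh
# Added example (not from the workshop): build a firewalld service definition
# from a name and PORT/PROTO entries, rejecting anything that is not a valid
# firewalld port spec, then import it permanently and open it in the zone.

# valid_port_spec PORT/PROTO
# Accept "N/proto" or "N-M/proto" with 1 <= N <= M <= 65535 and proto one of
# tcp udp sctp dccp, which is what firewalld accepts in <port protocol=.../>.
valid_port_spec() {
    case "$1" in */*) ;; *) return 1 ;; esac
    _port=${1%/*}
    _proto=${1#*/}
    case "$_proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$_port" in
        ""|-*|*-|*-*-*|*[!0-9-]*) return 1 ;;
    esac
    _lo=${_port%%-*}
    _hi=${_port##*-}
    [ "$_lo" -ge 1 ] && [ "$_hi" -le 65535 ] && [ "$_lo" -le "$_hi" ] || return 1
    return 0
}

# service_xml SHORT DESCRIPTION SPEC...
# Print the service definition on stdout. Fails before printing anything on
# the first bad spec, so a typo never yields a half-correct file for import.
service_xml() {
    _short=$1
    _desc=$2
    shift 2
    [ $# -gt 0 ] || { echo "service_xml: no ports given" >&2; return 1; }
    # The two text fields are emitted verbatim: reject XML metacharacters
    # rather than produce a malformed (or tampered) definition.
    case "$_short$_desc" in
        *[\<\>\&]*) echo "service_xml: '<', '>' and '&' not allowed in text" >&2; return 1 ;;
    esac
    for _spec in "$@"; do
        valid_port_spec "$_spec" || { echo "service_xml: bad port spec '$_spec'" >&2; return 1; }
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$_short" "$_desc"
    for _spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${_spec#*/}" "${_spec%/*}"
    done
    printf '</service>\n'
}

# Live run: only when firewall-cmd exists and we are root (see Getting Started).
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    _tmp=$(mktemp)
    service_xml workshop "Workshop Test Service" 7890/tcp 7890/udp > "$_tmp" || exit 1
    # Service definitions are permanent-only objects, hence --permanent here.
    firewall-cmd --permanent --new-service-from-file="$_tmp" --name=workshop
    rm -f "$_tmp"
    firewall-cmd --reload
    # Open it in the zone, then persist the zone change as well so it
    # survives the next reload or reboot.
    firewall-cmd --zone=public --add-service=workshop
    firewall-cmd --runtime-to-permanent
    firewall-cmd --zone=public --query-service=workshop
    firewall-cmd --info-service=workshop
fi
```

If a service named workshop already exists, --new-service-from-file will refuse to overwrite it; remove it first with firewall-cmd --permanent --delete-service=workshop, or pick another name. For the section 3 use case, redirect service_xml to /etc/firewalld/services/http.xml (using the stock short name and description) and run firewall-cmd --reload instead of importing.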
And you are done!
5. Panic Mode
Panic mode allows you to immediately drop all incoming and outgoing network traffic on a host; existing connections, including the ssh session you are working from, will die.
This is handy to know, but unless you are on the physical system console or a remote management console (i.e. iLO, DRAC, etc.) this will lock you out of the machine. So we'll provide the commands under the strict guidance that you DON'T RUN THESE COMMANDS during this workshop.
DO NOT RUN THESE COMMANDS
firewall-cmd --query-panic
firewall-cmd --panic-on
firewall-cmd --panic-off
6. Conclusion
That concludes this unit on firewalld.
Time to finish this unit and return the shell to its home position.
workshop-finish-exercise.sh