Firewall Management (firewalld)

Skill Level: Intermediate

1. Getting Started

For these exercises, you will be using the host node1 as user root.

From host bastion, ssh to node1.

ssh node1

Use sudo to elevate your privileges.

[[ "$UID" == 0 ]] || sudo -i

Verify that you are on the right host for these exercises.

workshop-firewalld-checkhost.sh

You are now ready to proceed with these exercises.

2. Managing Ad-hoc Ports

2.1. Add a Port

Since we have been toying with http, it’s common for httpd to also be configured on ports 8080 and 8443. So let’s simply create and ad-hoc rule to make those ports available.

firewall-cmd --add-port=8080/tcp --add-port=8443/tcp
firewall-cmd --runtime-to-permanent
firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit http https ssh
  ports: 8080/tcp 8443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

2.2. Remove a Port

As much fun as that was, ad-hoc was quick and easy but not ideal. We really desire a formal configuration, so let us undo the ad-hoc rules.

firewall-cmd --remove-port=8080/tcp --remove-port=8443/tcp
firewall-cmd --runtime-to-permanent
firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit http https ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

3. Customizing a Default Service

3.1. Install Override Configuration

workshop-firewalld-customconfigs.sh

Two configuration files were just created /etc/firewalld/services

They are identical to the system defaults except that our additional ports (8080 and 8443) were added the the definition.

cat /etc/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="8080"/>
</service>
cat /etc/firewalld/services/https.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Secure WWW (HTTPS)</short>
  <description>HTTPS is a modified HTTP used to serve Web pages when security is important. Examples are sites that require logins like stores or web mail. This option is not required for viewing pages locally or developing Web pages. You need the httpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="8443"/>
</service>

3.2. Activate Service

Since the httpd service is already active, all we really need to do is reload firewalld.

firewall-cmd --reload

3.3. Verification

firewall-cmd --info-service=http
http
  ports: 80/tcp 8080/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:
firewall-cmd --info-service=https
https
  ports: 443/tcp 8443/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:
firewall-cmd --zone=public --list-all --permanent
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

4. Custom Service From Scratch

In this exercise you will create a custom service with a unique name.

4.1. Configuration File

First, have a look at the configuration file which has already been prepared for you. It should be fairly self explanatory.

cat /usr/local/etc/firewalld-customname.xml
/usr/local/etc/firewalld-customname.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>workshop</short>
 <description>Workshop Test Service</description>
 <port protocol="tcp" port="7890" />
 <port protocol="udp" port="7890" />
</service>

4.2. Configuration Import

Now it is time to import the config file.

firewall-cmd --new-service-from-file=/usr/local/etc/firewalld-customname.xml --name=workshop --permanent
firewall-cmd --reload

4.3. Activate Service

Finally, activate the service and verify.

firewall-cmd --add-service=workshop
firewall-cmd --zone=public --list-all

Just make note of the fact we did not use the '--permanent' option with any of our commands. If the system reboots, or if firewalld is reloaded then the custom named serviced will be lost. You can preserve the customizations with a simple firewall-cmd --runtime-to-permanent

And you are done!

5. Panic Mode

Panic mode allows you to immediately turn off all network traffic on a host.

This is handy to know, but unless you are on the physical system console or remote managed console (ie: ILO, DRAC, etc…​) this can be very disruptive. So we’ll provide the commands under the strict guidance that you DON’T RUN THESE COMMANDS during this workshop.

DO NOT RUN THESE COMMANDS

firewall-cmd --query-panic

firewall-cmd --panic-on

firewall-cmd --panic-off

6. Conclusion

That concludes this unit on firewalld.

Time to finish this unit and return the shell to its home position.

workshop-finish-exercise.sh

7. Additional Resources

You can find more information:

End of Unit