34 changes: 32 additions & 2 deletions docs/guides/security/firewalld.md
@@ -3,6 +3,9 @@ title: firewalld from iptables
author: Steven Spencer
contributors: wsoyinka, Antoine Le Morvan, Ezequiel Bruni
update: 17-Feb-2022
tags:
- security
- firewalld
---

# `iptables` Guide To `firewalld` - Introduction
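Review bot: the front-matter `update: 17-Feb-2022` field is left as-is while this hunk adds a new `tags:` block and the last hunk adds a whole new `!!! hint` section; bump the date so the page's stated revision matches the new content.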
@@ -68,7 +71,7 @@ To list existing zones on your system, type:
$ systemctl status firewalld
```

To be honest, I mostly hate the names of these zones. Drop, block, public, and trusted are perfectly clear, but some aren't good enough for perfect granular security. Let's take this `iptables` rule section as an example:
To be honest, I mostly hate the names of these zones. drop, block, public, and trusted are perfectly clear, but some aren't good enough for perfect granular security. Let's take this `iptables` rule section as an example:

`iptables -A INPUT -p tcp -m tcp -s 192.168.1.122 --dport 22 -j ACCEPT`

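Review bot: lowercasing the zone names to match firewalld's real identifiers is right, but `drop`, `block`, `public` and `trusted` now appear as bare lowercase words at the start of a sentence; wrapping them in backticks would mark them as identifiers the same way `iptables` and `firewalld` are marked in the same paragraph and would avoid the lowercase sentence start.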
@@ -85,7 +88,7 @@ But what if on this server we also have an intranet that is accessible to only t

To add a zone, we need to use the `firewall-cmd` with the `--new-zone` parameter. We are going to add "admin" (for administrative) as a zone:

`firewall-cmd --new-zone admin --permanent`
`firewall-cmd --new-zone=admin --permanent`

!!! Note

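Review bot: `--new-zone=admin` now matches the `--option=value` form used by the new hint block (`--new-zone=bridge`, `--zone=bridge --set-target=ACCEPT`), so the page is consistent; what this paragraph still does not say is that a freshly created zone comes with target `default`, which is exactly what the hint further down has to change to `ACCEPT`, so one clause here ("the new zone has the `default` target until you change it") would tie the two sections together.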
@@ -95,6 +98,33 @@ Before this zone can actually be used, we need to reload the firewall:

`firewall-cmd --reload`

!!! hint

A note about custom zones: If you need to add a zone that will be a trusted zone, but will only contain a particular source IP or interface and no protocols or services, and the "trusted" zone doesn't work for you, probably because you've already used it for something else, etc. You can add a custom zone to do this, but you must change the target of the zone from "default" to "ACCEPT" (REJECT or DROP can also be used, depending on your goals). Here's an example using a bridge interface (lxdbr0 in this case) on an LXD machine.

First, we add the zone and reload so that we can use it:

```
firewall-cmd --new-zone=bridge --permanent
firewall-cmd --reload
```

Next, we change the target of the zone from "default" to "ACCEPT" (**note that the "--permanent" option is required for changing a target**) then assign the interface, and reload:

```
firewall-cmd --zone=bridge --set-target=ACCEPT --permanent
firewall-cmd --zone=bridge --add-interface=lxdbr0 --permanent
firewall-cmd --reload
```

This tells the firewall that you:

1. are changing the target of the zone to ACCEPT
2. are adding the bridge interface "lxdbr0" to the zone
3. reloading the firewall

All of which says that you are accepting all traffic from the bridge interface.

### Listing Zones

Before we go any further, we need to take a look at the process of listing zones. Rather than a tabular output provided by `iptables -L`, you get a single column of output with headers. Listing a zone is done with the command `firewall-cmd --zone=[zone_name] --list-all`. Here's what this looks like when we list out the newly created "admin" zone:
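Review bot: the opening sentence of the hint is a fragment: "If you need to add a zone ... etc." never reaches a main clause before "You can add a custom zone to do this" begins a new sentence; join them as "... etc., you can add a custom zone to do this, but ...". Two smaller points in the same block: item 3 of the numbered list ("reloading the firewall") does not follow "This tells the firewall that you:" the way items 1 and 2 do (make it "are reloading the firewall" or reword the lead sentence), and a `!!! hint` admonition body must be indented four spaces for MkDocs to render it inside the box, while the lines appear flush-left here, so confirm the indentation in the source. Finally, since `--set-target=ACCEPT` plus `--add-interface=lxdbr0` accepts everything arriving on that bridge, as the closing sentence says, it is worth one sentence pointing out that `--add-source` with a specific address or CIDR is the narrower option when only part of the bridge network should be trusted.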