FirewallD

From HackerNet
Revision as of 09:49, 15 May 2015 by Helikopter (talk | contribs)

FirewallD replaces iptables in RHEL 7 and Fedora 18. Its main advantage is that every change can be made without restarting the service. This article covers the basics of FirewallD.

Check status

firewall-cmd --state

Detailed status

systemctl status firewalld.service

On/Off

systemctl enable firewalld.service
systemctl disable firewalld.service

NOTE: If the machine has more than one interface, IPv4 forwarding must be enabled. The sed line below only rewrites an existing net.ipv4.ip_forward=0 entry in /etc/sysctl.conf; if there is no such entry, add net.ipv4.ip_forward=1 to the file instead.

sudo sed -i -r 's/net.ipv4.ip_forward=0/net.ipv4.ip_forward=1/g' /etc/sysctl.conf
sudo sysctl -p

FirewallD works with security zones, and the following zones exist by default:

  • Public – For use in public areas. Only selected incoming connections are accepted.
  • Drop – Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
  • Block – Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
  • External – For use on external networks with masquerading enabled especially for routers. Only selected incoming connections are accepted.
  • DMZ – For computers in a DMZ network, with limited access to the internal network. Only selected incoming connections are accepted.
  • Work – For use in work areas. Only selected incoming connections are accepted.
  • Home – For use in home areas. Only selected incoming connections are accepted.
  • Trusted – All network connections are accepted.
  • Internal – For use on internal networks. Only selected incoming connections are accepted.

All interfaces are in the public zone by default. Each zone is defined in an XML file under /usr/lib/firewalld/zones.

List the available zones

firewall-cmd --get-zones

List the active zones

firewall-cmd --get-active-zones

List all zones in detail

firewall-cmd --list-all-zones

Change the default zone

firewall-cmd --set-default-zone=home

Zones are bound either to interfaces or to source networks in CIDR notation.
Interface

firewall-cmd --get-zone-of-interface=eth0

Temporary (runtime only, lost on reload or reboot)

firewall-cmd --zone=home --change-interface=eth0

Permanent (takes effect after firewall-cmd --reload)

firewall-cmd --permanent --zone=home --change-interface=eth0

CIDR

firewall-cmd --permanent --zone=work --add-source=192.168.0.0/24
firewall-cmd --permanent --zone=work --list-sources

Services

firewall-cmd --permanent --zone=dmz --add-service=http
firewall-cmd --reload
firewall-cmd --list-services --zone=dmz

Port Forwarding

firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.0.50
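The commands above bind zones to interfaces or source networks, open services and forward ports, and each of them is either temporary (lost at the next firewall-cmd --reload or reboot, as the port-forwarding line above is) or --permanent (not active until a reload). The script below is an added example, not code from this page or from the firewalld project: fw_change applies one change to both the runtime and the permanent configuration, fw_zone_policy bundles the source-plus-services setup shown under CIDR and Services, and fw_zone_consistent checks that the runtime and permanent views of a zone agree, which is how you spot a change that was only made temporarily. The function names and the FWCMD override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the HackerNet page): apply a zone policy so that it
# is active now and also survives 'firewall-cmd --reload' and a reboot.
# FWCMD is an assumption of this script: it lets the real firewall-cmd be
# replaced by a stub when exercising the script on a host without firewalld.
FWCMD="${FWCMD:-firewall-cmd}"

# Run one firewall-cmd change twice: once against the runtime configuration
# and once with --permanent, so it applies immediately and persists.
fw_change() {
    "$FWCMD" "$@" >/dev/null || return 1
    "$FWCMD" --permanent "$@" >/dev/null || return 1
}

# Bind a source network to a zone and open the given services in it.
# Usage: fw_zone_policy work 192.168.0.0/24 ssh http
fw_zone_policy() {
    zone="$1"; src="$2"; shift 2
    fw_change --zone="$zone" --add-source="$src" || return 1
    for svc in "$@"; do
        fw_change --zone="$zone" --add-service="$svc" || return 1
    done
}

# Return 0 when the runtime and permanent service lists of a zone match.
# A mismatch means a change was made only temporarily (or only permanently
# without a reload) and the running firewall differs from what will be
# restored next time the service starts.
fw_zone_consistent() {
    zone="$1"
    runtime=$("$FWCMD" --zone="$zone" --list-services)
    permanent=$("$FWCMD" --permanent --zone="$zone" --list-services)
    [ "$runtime" = "$permanent" ]
}
```

fw_change works for any zone change, so the port forward above can be made persistent with fw_change --zone=external --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.0.50. Note that firewalld refuses to add a source that is already bound to another zone, so fw_zone_policy returns non-zero in that case rather than silently moving it.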

Iptables
You can switch back to iptables if you feel old-fashioned: http://www.certdepot.net/rhel7-disable-firewalld-use-iptables/