06-05-2020, 02:08 AM
How to manage network services with firewall-cmd
<div><p>In a previous article, you explored how to <a href="https://fedoramagazine.org/control-the-firewall-at-the-command-line/">control the firewall at the command line</a> in Fedora.</p>
<p>Now you are going to see how to see how <em>add</em>, <em>remove</em>, and <em>list</em> <em>services</em>, <em>protocols</em> and <em>ports</em> in order to <em>block</em> or <em>allow</em> them.</p>
<p> <span id="more-30922"></span> </p>
<h2>A short recap</h2>
<p>First, it’s a good idea to check the <em>status</em> of your firewall, see if it’s running or not. You do this, as we previously learned, by using the state option (<em>firewall-cmd </em>‐‐<em>state</em>).</p>
<p>The next step is to get the zone for the desired network interface. For example, I use a desktop that has two network interfaces: a <em>physical</em> interface (<em>enp0s3</em>), representing my actual <em>network card</em> and a <em>virtual</em> interface (<em>virbr0</em>) used by virtualization software like <em>KVM</em>. To see what zones are active, run <em>firewall-cmd ‐‐get-active-zones</em>.</p>
<p>Now that you know what zone you’re interested in, you can list the rules for the zone with <em>firewall-cmd ‐‐info-zone=FedoraWorkstation</em>.</p>
<h2>Reading zone information</h2>
<p>To display information for a particular <em>zone</em>, run <em>firewall-cmd ‐‐zone=ZoneName ‐‐list-all</em>, or simply display information for the default zone with:</p>
<pre class="wp-block-preformatted">[dan@localhost ~]$ firewall-cmd --list-all<br />FedoraWorkstation (active)<br />target: default<br />icmp-block-inversion: no<br />interfaces: enp0s3<br />sources:<br />services: dhcpv6-client mdns samba-client ssh<br />ports: 1025-65535/udp 1025-65535/tcp<br />protocols:<br />masquerade: no<br />forward-ports:<br />source-ports:<br />icmp-blocks:<br />rich rules:</pre>
<p>Now, let’s explore the output. The first line is showing which <em>zone</em> the following information applies to and if that zone is currently in use.</p>
<p>The <em>target</em> : <em>default</em> simply tells us this is the default zone. This can be set or retrieved via the <em>‐‐set-default-zone=ZoneName</em> and <em>‐‐get-default-zone</em>.</p>
<p><em>icmp-block-inversion</em>, indicates if <a href="https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol">ICMP</a> requests are blocked. For example if the machine responds to <em>ping</em> requests from other machines on the network. The <em>interfaces</em> field shows all interfaces that adopt this zone.</p>
<h2>Handling services, ports, and protocols</h2>
<p>Now focus on the <em>services</em>, <em>ports</em>, and <em>protocols</em> rows. By default, the firewall will block all ports, services and protocols. Only the listed ones will be allowed.</p>
<p>You can see the allowed services are very basic client services in this case. For example, accessing a shared folder on the network (<em>samba-client</em>), to talk to a <em>DNS</em> server or connect to a machine via SSH (the <em>ssh</em> service). You can think of a <em>service </em>as a protocol in combination to a port, for instance the ssh service is using the SSH protocol and, by convention, port 22. By allowing the ssh service, what you’re really doing is allowing incoming connections that use the ssh protocol at default port 22. </p>
<p>Notice, services that have the <em>client</em> word in their name, as a rule of thumb, refer to outgoing connections, i.e. <em>connections </em>that you make with your IP as source going to the outside, as opposed to the SSH<em> </em>service, for example, that will accept incoming connections (listening to connection coming from outside at you).</p>
<p>You can look up services in the file <em>/etc/services</em>. For example if you wish to know what port and protocol these service uses:</p>
<pre class="wp-block-preformatted">[dan@localhost ~]$ cat /etc/services | grep ssh<br />ssh 22/tcp # The Secure Shell (SSH) Protocol<br />ssh 22/udp # The Secure Shell (SSH) Protocol</pre>
<p>You can see SSH uses both TCP and UDP port 22. Also, if you wish to see all available services, just use <em>firewall-cmd ‐‐get-services</em>.</p>
<h3>Opening a port</h3>
<p>If you want to block a port, service, or protocol, all you have to do if make sure it’s not listed here. By extension, if you want to allow a service, you need add it to your list.</p>
<p>Let’s say you want to open the port <em>5000</em> for <em>TCP</em><strong> </strong>connection. To do this, run:</p>
<pre class="wp-block-preformatted">sudo firewall-cmd --zone=FedorwaWorkstation --permanent --add-port=5000/tcp</pre>
<p>Notice that you need to specify the zone for which the rule applies. When you add the rule, you also need to specify if it is a <em>TCP</em> or <em>UDP</em> port via as indicated above. The <em>permanent</em> parameter sets the rule to persist even after a system reboot. </p>
<p>Look at the information for your zone again: </p>
<pre class="wp-block-preformatted">[dan@localhost ~]$ firewall-cmd --list-all
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp 5000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:</pre>
<p>Similarly, if you wish to remove this port from the list, run:</p>
<pre class="wp-block-preformatted">sudo firewall-cmd --zone=FedorwaWorkstation --permanent --remove-port=5000/tcp</pre>
<p>The very same <em>remove</em> (<em>‐‐remove-protocol</em>,<em> ‐‐remove-service</em>) and <em>add</em> (<em>‐‐add-protocol</em>,<em> ‐‐add-service</em>) options are also available for <em>services</em> and <em>protocols</em>.</p>
<hr class="wp-block-separator" />
<p><em>Photo by <a href="https://unsplash.com/@tkaiser?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">T. Kaiser</a> on <a href="https://unsplash.com/s/photos/poke-hole?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></em>.</p>
</div>
https://www.sickgaming.net/blog/2020/05/...ewall-cmd/
<div><p>In a previous article, you explored how to <a href="https://fedoramagazine.org/control-the-firewall-at-the-command-line/">control the firewall at the command line</a> in Fedora.</p>
<p>Now you are going to see how to see how <em>add</em>, <em>remove</em>, and <em>list</em> <em>services</em>, <em>protocols</em> and <em>ports</em> in order to <em>block</em> or <em>allow</em> them.</p>
<p> <span id="more-30922"></span> </p>
<h2>A short recap</h2>
<p>First, it’s a good idea to check the <em>status</em> of your firewall, see if it’s running or not. You do this, as we previously learned, by using the state option (<em>firewall-cmd </em>‐‐<em>state</em>).</p>
<p>The next step is to get the zone for the desired network interface. For example, I use a desktop that has two network interfaces: a <em>physical</em> interface (<em>enp0s3</em>), representing my actual <em>network card</em> and a <em>virtual</em> interface (<em>virbr0</em>) used by virtualization software like <em>KVM</em>. To see what zones are active, run <em>firewall-cmd ‐‐get-active-zones</em>.</p>
<p>Now that you know what zone you’re interested in, you can list the rules for the zone with <em>firewall-cmd ‐‐info-zone=FedoraWorkstation</em>.</p>
<h2>Reading zone information</h2>
<p>To display information for a particular <em>zone</em>, run <em>firewall-cmd ‐‐zone=ZoneName ‐‐list-all</em>, or simply display information for the default zone with:</p>
<pre class="wp-block-preformatted">[dan@localhost ~]$ firewall-cmd --list-all<br />FedoraWorkstation (active)<br />target: default<br />icmp-block-inversion: no<br />interfaces: enp0s3<br />sources:<br />services: dhcpv6-client mdns samba-client ssh<br />ports: 1025-65535/udp 1025-65535/tcp<br />protocols:<br />masquerade: no<br />forward-ports:<br />source-ports:<br />icmp-blocks:<br />rich rules:</pre>
<p>Now, let’s explore the output. The first line is showing which <em>zone</em> the following information applies to and if that zone is currently in use.</p>
<p>The <em>target</em> : <em>default</em> simply tells us this is the default zone. This can be set or retrieved via the <em>‐‐set-default-zone=ZoneName</em> and <em>‐‐get-default-zone</em>.</p>
<p><em>icmp-block-inversion</em>, indicates if <a href="https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol">ICMP</a> requests are blocked. For example if the machine responds to <em>ping</em> requests from other machines on the network. The <em>interfaces</em> field shows all interfaces that adopt this zone.</p>
<h2>Handling services, ports, and protocols</h2>
<p>Now focus on the <em>services</em>, <em>ports</em>, and <em>protocols</em> rows. By default, the firewall will block all ports, services and protocols. Only the listed ones will be allowed.</p>
<p>You can see the allowed services are very basic client services in this case. For example, accessing a shared folder on the network (<em>samba-client</em>), to talk to a <em>DNS</em> server or connect to a machine via SSH (the <em>ssh</em> service). You can think of a <em>service </em>as a protocol in combination to a port, for instance the ssh service is using the SSH protocol and, by convention, port 22. By allowing the ssh service, what you’re really doing is allowing incoming connections that use the ssh protocol at default port 22. </p>
<p>Notice, services that have the <em>client</em> word in their name, as a rule of thumb, refer to outgoing connections, i.e. <em>connections </em>that you make with your IP as source going to the outside, as opposed to the SSH<em> </em>service, for example, that will accept incoming connections (listening to connection coming from outside at you).</p>
<p>You can look up services in the file <em>/etc/services</em>. For example if you wish to know what port and protocol these service uses:</p>
<pre class="wp-block-preformatted">[dan@localhost ~]$ cat /etc/services | grep ssh<br />ssh 22/tcp # The Secure Shell (SSH) Protocol<br />ssh 22/udp # The Secure Shell (SSH) Protocol</pre>
<p>You can see SSH uses both TCP and UDP port 22. Also, if you wish to see all available services, just use <em>firewall-cmd ‐‐get-services</em>.</p>
<h3>Opening a port</h3>
<p>If you want to block a port, service, or protocol, all you have to do if make sure it’s not listed here. By extension, if you want to allow a service, you need add it to your list.</p>
<p>Let’s say you want to open the port <em>5000</em> for <em>TCP</em><strong> </strong>connection. To do this, run:</p>
<pre class="wp-block-preformatted">sudo firewall-cmd --zone=FedorwaWorkstation --permanent --add-port=5000/tcp</pre>
<p>Notice that you need to specify the zone for which the rule applies. When you add the rule, you also need to specify if it is a <em>TCP</em> or <em>UDP</em> port via as indicated above. The <em>permanent</em> parameter sets the rule to persist even after a system reboot. </p>
<p>Look at the information for your zone again: </p>
<pre class="wp-block-preformatted">[dan@localhost ~]$ firewall-cmd --list-all
FedoraWorkstation (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcpv6-client mdns samba-client ssh
ports: 1025-65535/udp 1025-65535/tcp 5000/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:</pre>
<p>Similarly, if you wish to remove this port from the list, run:</p>
<pre class="wp-block-preformatted">sudo firewall-cmd --zone=FedorwaWorkstation --permanent --remove-port=5000/tcp</pre>
<p>The very same <em>remove</em> (<em>‐‐remove-protocol</em>,<em> ‐‐remove-service</em>) and <em>add</em> (<em>‐‐add-protocol</em>,<em> ‐‐add-service</em>) options are also available for <em>services</em> and <em>protocols</em>.</p>
<hr class="wp-block-separator" />
<p><em>Photo by <a href="https://unsplash.com/@tkaiser?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">T. Kaiser</a> on <a href="https://unsplash.com/s/photos/poke-hole?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></em>.</p>
</div>
https://www.sickgaming.net/blog/2020/05/...ewall-cmd/