Versions Compared

Old Version 7

changes.mady.by.user Jean-luc KRIKER

Saved on

compared with

New Version Current

changes.mady.by.user Jean-luc KRIKER

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Firewalldhttps://www.youtube.com/watch?v=T2g6nxRCnLQ&ab_channel=NetSecProf

firewall-cmd --list-all  (default zone= public )
Start and stop deamon

[root@sn9120210070 ~]# firewall-cmd --state
running

sudo systemctl status firewalld.service

sudo systemctl start firewalld.service

disable the firewalldsudo systemctl stop firewalld.service
Services
list all services availablefirewall-cmd --get-services
add service to a zone

firewall-cmd --add-service=https    ( will add to the default zone= public or "untrusted" or what ever default zone)

firewall-cmd --reload

list all ICMP type
firewall-cmd --get-icmptypes

https://superuser.com/questions/1114065/getting-firewalld-to-allow-ping-requests
allow ICMP

( by default block, inversion=allow ;-)
firewall-cmd

--permanent

--add-icmp-block-inversion
firewall-cmd --permanent --add-icmp-block=echo-reply
firewall-cmd --permanent --add-icmp-block=echo-request
firewall-cmd --reload

Code Block
titlebefore and after
collapsetrue
[root@conductor t128]# firewall-cmd --list-all
t128 (
by default block, inversion=allow ;-)
active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: https netconf salt-master ssh zookeeper
  ports: 443/tcp 930/tcp 4505-4506/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:  <<<<<<<<<<<<<<<< BEFORE
  rich rules:


[root@conductor t128]# firewall-cmd --permanent --add-icmp-block-inversion
success
[root@conductor t128]# firewall-cmd --permanent --add-icmp-block=echo-reply
success
[root@conductor t128]# firewall-cmd --permanent --add-icmp-block=echo-request
success
[root@conductor t128]# firewall-cmd --reload
success
[root@conductor t128]# firewall-cmd --list-all
t128 (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: eth0
  sources:
  services: https netconf salt-master ssh zookeeper
  ports: 443/tcp 930/tcp 4505-4506/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-reply echo-request   <<<<<<<<<<<< AFTER
  rich rules:

[root@conductor t128]#


traceroute
firewall-cmd --permanent --add-icmp-block=time-exceeded
firewall-cmd --permanent --add-icmp-block=port-unreachable
firewall-cmd --reload
add permanent servicefirewall-cmd --add-service-https  --permanent
create service


Ports
add portfirewall-cmd --get-ports
add permanent port
host or IP address or subnet

sudo firewall-cmd --permanent --add-source=192.168.2.50
sudo firewall-cmd --permanent --add-source=192.168.2.0/24
on the conductor


Zones
list zonesfirewall-cmd --get-zones
zones config infofirewall-cmd --zone=home --list-all
add zones
create zone


NAT or masquarade




...