| Firewalld | https://www.youtube.com/watch?v=T2g6nxRCnLQ&ab_channel=NetSecProf |
|---|---|
| show the default zone's config (default zone = public) | firewall-cmd --list-all |

| Start and stop daemon | |
|---|---|
| check state | firewall-cmd --state (prints running) |
| status | sudo systemctl status firewalld.service |
| start | sudo systemctl start firewalld.service |
| stop the firewalld | sudo systemctl stop firewalld.service |
| Services | |
|---|---|
| list all services available | firewall-cmd --get-services |
| add service to a zone | firewall-cmd --add-service=https (adds to the default zone: public, untrusted, or whatever the default zone is). This is a runtime-only change; firewall-cmd --reload reloads the permanent config and discards it, so add --permanent first if it has to survive a reload |
| add permanent service | firewall-cmd --add-service=https --permanent, then firewall-cmd --reload |
| create service | |
| list all ICMP types | firewall-cmd --get-icmptypes (see https://superuser.com/questions/1114065/getting-firewalld-to-allow-ping-requests) |
| allow ICMP | In a DROP-target zone ICMP is blocked by default; with icmp-block-inversion enabled, the icmp-blocks list becomes the allow list ;-) firewall-cmd --permanent --add-icmp-block-inversion; firewall-cmd --permanent --add-icmp-block=echo-reply; firewall-cmd --permanent --add-icmp-block=echo-request; firewall-cmd --reload (session below) |
| traceroute | with inversion on, also allow the replies traceroute needs: firewall-cmd --permanent --add-icmp-block=time-exceeded; firewall-cmd --permanent --add-icmp-block=port-unreachable; firewall-cmd --reload |

Session showing the zone before and after enabling ICMP block inversion:

```
[root@conductor t128]# firewall-cmd --list-all
t128 (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: https netconf salt-master ssh zookeeper
  ports: 443/tcp 930/tcp 4505-4506/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:                              <<<<<<<<<<<<<<<< BEFORE
  rich rules:
[root@conductor t128]# firewall-cmd --permanent --add-icmp-block-inversion
success
[root@conductor t128]# firewall-cmd --permanent --add-icmp-block=echo-reply
success
[root@conductor t128]# firewall-cmd --permanent --add-icmp-block=echo-request
success
[root@conductor t128]# firewall-cmd --reload
success
[root@conductor t128]# firewall-cmd --list-all
t128 (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: eth0
  sources:
  services: https netconf salt-master ssh zookeeper
  ports: 443/tcp 930/tcp 4505-4506/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-reply echo-request      <<<<<<<<<<<< AFTER
  rich rules:
[root@conductor t128]#
```
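An added check, not from the page or the video, that applies the inversion rule above to the text firewall-cmd --list-all prints, so a zone dump can be audited for "does this zone answer ping / traceroute" without probing the host. It assumes firewalld's documented semantics: with inversion on, the icmp-blocks list is the allow list; with inversion off, listed types are blocked and other ICMP passes only in ACCEPT or default-target zones (DROP/REJECT zones drop it, as the session shows).

```shell
#!/bin/sh
# Added example (not from the page): decide from `firewall-cmd --list-all`
# text whether a zone lets a given ICMP type through.
# Assumed firewalld semantics: icmp-block-inversion=yes makes icmp-blocks the
# allow list and drops all other ICMP; with =no, listed types are blocked and
# other ICMP passes only when the zone target is ACCEPT or default.

# Constructed zone dumps, trimmed from the BEFORE/AFTER session above.
ZONE_BEFORE='t128 (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  services: https ssh
  icmp-blocks:
  rich rules:'
ZONE_AFTER='t128 (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: eth0
  services: https ssh
  icmp-blocks: echo-reply echo-request
  rich rules:'

# zone_field KEY DUMP -> prints the value(s) after "KEY:" in the dump
zone_field() { printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { $1 = ""; print }'; }

# icmp_allowed TYPE DUMP -> prints "allowed" or "blocked"
icmp_allowed() {
    type="$1" dump="$2" listed=no
    target=$(zone_field target "$dump" | tr -d ' ')
    inversion=$(zone_field icmp-block-inversion "$dump" | tr -d ' ')
    for b in $(zone_field icmp-blocks "$dump"); do
        if [ "$b" = "$type" ]; then listed=yes; fi
    done
    if [ "$inversion" = yes ]; then
        if [ "$listed" = yes ]; then echo allowed; else echo blocked; fi
    elif [ "$listed" = yes ]; then
        echo blocked            # explicit block, inversion off
    elif [ "$target" = ACCEPT ] || [ "$target" = default ]; then
        echo allowed            # unlisted ICMP passes in permissive targets
    else
        echo blocked            # DROP / REJECT target swallows unlisted ICMP
    fi
}

icmp_allowed echo-request "$ZONE_BEFORE"   # blocked: DROP zone, no inversion
icmp_allowed echo-request "$ZONE_AFTER"    # allowed: inversion on, type listed
icmp_allowed time-exceeded "$ZONE_AFTER"   # blocked: traceroute reply not listed yet
```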
| Ports | |
|---|---|
| list ports | firewall-cmd --list-ports |
| add port | firewall-cmd --add-port=<port>/<protocol> |
| add permanent port | firewall-cmd --permanent --add-port=<port>/<protocol>, then firewall-cmd --reload |
| host or IP address or subnet | |
|---|---|
| add a host or a subnet as source | sudo firewall-cmd --permanent --add-source=192.168.2.50; sudo firewall-cmd --permanent --add-source=192.168.2.0/24 |
| on the conductor | |
| Zones | |
|---|---|
| list zones | firewall-cmd --get-zones |
| zone config info | firewall-cmd --zone=home --list-all |
| add zones | |
| create zone | |
| NAT or masquerade | |
|---|---|