
Linux firewall iptables and firewalld


Firewalld: https://www.youtube.com/watch?v=T2g6nxRCnLQ&ab_channel=NetSecProf

firewall-cmd --list-all  ( shows the default zone, normally public )
Start and stop the daemon

[root@sn9120210070 ~]# firewall-cmd --state
running

sudo systemctl status firewalld.service

sudo systemctl start firewalld.service

stop firewalld: sudo systemctl stop firewalld.service  ( stop only; to keep it off after a reboot also run sudo systemctl disable firewalld.service )
Services
list all services available: firewall-cmd --get-services
add service to a zone ( runtime only unless --permanent is given )

firewall-cmd --add-service=https    ( adds to the default zone, e.g. public, unless --zone= is given )

firewall-cmd --reload    ( reloads the permanent config; a runtime-only change such as the --add-service above without --permanent is discarded by the reload )

list all ICMP type
firewall-cmd --get-icmptypes

https://superuser.com/questions/1114065/getting-firewalld-to-allow-ping-requests
allow ICMP

( by default the listed ICMP types are blocked; with inversion on, the listed types are the only ICMP allowed and all other ICMP is dropped ;-)
firewall-cmd --permanent --add-icmp-block-inversion
firewall-cmd --permanent --add-icmp-block=echo-reply
firewall-cmd --permanent --add-icmp-block=echo-request
firewall-cmd --reload

before and after
[root@conductor t128]# firewall-cmd --list-all
t128 (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: https netconf salt-master ssh zookeeper
  ports: 443/tcp 930/tcp 4505-4506/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:  <<<<<<<<<<<<<<<< BEFORE
  rich rules:


[root@conductor t128]# firewall-cmd --permanent --add-icmp-block-inversion
success
[root@conductor t128]# firewall-cmd --permanent --add-icmp-block=echo-reply
success
[root@conductor t128]# firewall-cmd --permanent --add-icmp-block=echo-request
success
[root@conductor t128]# firewall-cmd --reload
success
[root@conductor t128]# firewall-cmd --list-all
t128 (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: eth0
  sources:
  services: https netconf salt-master ssh zookeeper
  ports: 443/tcp 930/tcp 4505-4506/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-reply echo-request   <<<<<<<<<<<< AFTER
  rich rules:

[root@conductor t128]#


traceroute ( with icmp-block-inversion on, these two additions allow time-exceeded and port-unreachable, which traceroute needs )
firewall-cmd --permanent --add-icmp-block=time-exceeded
firewall-cmd --permanent --add-icmp-block=port-unreachable
firewall-cmd --reload
add permanent service: firewall-cmd --add-service=https --permanent  ( then firewall-cmd --reload to apply )
create service


Ports
list ports: firewall-cmd --list-ports
add permanent port: firewall-cmd --permanent --add-port=<port>/<protocol>  ( e.g. 443/tcp, then firewall-cmd --reload )
host or IP address or subnet ( --add-source binds traffic from that address to the default zone unless --zone= is given; --reload to apply )

sudo firewall-cmd --permanent --add-source=192.168.2.50
sudo firewall-cmd --permanent --add-source=192.168.2.0/24
on the conductor


Zones
list zones: firewall-cmd --get-zones
zone config info: firewall-cmd --zone=home --list-all
add zones
create zone


NAT or masquerade



