03-20-2020, 12:09 PM
Control the firewall at the command line
<div><p>A network <em>firewall</em> is more or less what it sounds like: a protective barrier that prevents unwanted network transmissions. They are most frequently used to prevent outsiders from contacting or using network services on a system. For instance, if you’re running a laptop at school or in a coffee shop, you probably don’t want strangers poking around on it.</p>
<p>Every Fedora system has a firewall built in: the packet filtering itself is done by the Linux kernel, and the <em>firewalld</em> service manages the rules the kernel applies. This article shows you how to view and change those settings using <em>firewall-cmd</em>, the command line client for firewalld.</p>
<h2>Network basics</h2>
<p>This article can’t teach you <a href="https://en.wikipedia.org/wiki/Portal:Internet">everything</a> about computer networks. But a few basics suffice to get you started.</p>
<p>Any computer on a network has an <em>IP address</em>. Think of this just like a mailing address that allows correct routing of data. Each computer also has a set of <em>ports</em>, numbered 0-65535. These are not physical ports; instead, you can think of them as a set of connection points at the address. </p>
<p>In many cases, the port is a <a href="https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">standard number</a> or range depending on the application expected to answer. For instance, a web server typically listens on port 80 for plain HTTP and/or 443 for HTTPS. Port numbers below 1024 are the well-known ports reserved for system services (on Linux, binding to them requires privileges), ports 1024-49151 are registered ports, and ports 49152 and above are dynamic or ephemeral ports, typically used by the client side of a connection for a short time.</p>
<p>Each of the two most common protocols for Internet data transfer, <a href="https://en.wikipedia.org/wiki/Transmission_Control_Protocol">TCP</a> and <a href="https://en.wikipedia.org/wiki/User_Datagram_Protocol">UDP</a>, has its own set of these ports, so 80/tcp and 80/udp are different things. TCP is used when it’s important that all data be received and, if it arrives out of order, reassembled in the right order. UDP is used for more time-sensitive services that can withstand losing some data.</p>
<p>An application running on the system, such as a web server, listens on one or more ports (as seen above, 80 and 443 for example). During network communication, a host then establishes a connection between a source address and port and a destination address and port. </p>
<p>A network firewall can block or permit transmissions of network data based on rules like address, port, or other criteria. The <em>firewall-cmd</em> utility lets you interact with the rule set to view or change how the firewall works.</p>
<h2>Firewall zones</h2>
<p>To verify the firewall is running, use this command with <a href="https://fedoramagazine.org/howto-use-sudo/">sudo</a>. (In fairness, you can run <em>firewall-cmd</em> without the <em>sudo</em> command in environments where <a href="https://en.wikipedia.org/wiki/Polkit">PolicyKit</a> is running.)</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --state</strong><br />running</pre>
<p>The firewalld service supports any number of <em>zones</em>. Each zone can have its own settings and rules for protection. In addition, each network interface can be placed in any zone individually. The default zone for an external facing interface (like the wifi or wired network card) on a Fedora Workstation is the <em>FedoraWorkstation</em> zone.</p>
<p>To see what zones are active, use the <em>--get-active-zones</em> flag. On this system, there are two network interfaces, a wireless network card <em>wlp2s0</em> (the <em>wl</em> prefix marks a WLAN device in the kernel’s predictable interface names) and a virtualization (libvirt) bridge interface <em>virbr0</em>:</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --get-active-zones</strong>
FedoraWorkstation interfaces: wlp2s0
libvirt interfaces: virbr0</pre>
<p>To see the default zone, or all the defined zones:</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --get-default-zone</strong>
FedoraWorkstation
$ <strong>sudo firewall-cmd --get-zones</strong>
FedoraServer FedoraWorkstation block dmz drop external home internal libvirt public trusted work</pre>
<p>To see the services the firewall is allowing other systems to access in the default zone, use the <em>--list-services</em> flag. Here is an example from a customized system; you may see something different.</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --list-services</strong>
dhcpv6-client mdns samba-client ssh</pre>
<p>This system has four services exposed. Each of these has a well-known port number. The firewall recognizes them by name. For instance, the <em>ssh</em> service is associated with port 22.</p>
<p>To see other port settings for the firewall in the current zone, use the <em>--list-ports</em> flag. By the way, you can always declare the zone you want to check with <em>--zone</em>:</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --list-ports --zone=FedoraWorkstation</strong>
1025-65535/udp 1025-65535/tcp</pre>
<p>This shows that ports 1025 and above (both UDP and TCP), that is, everything outside the privileged well-known range, are open by default in this zone. Any program a user starts that listens on a high port is therefore reachable from the network without any further firewall change. </p>
<h2>Changing zones, ports, and services</h2>
<p>The above setting is a design decision.* It ensures novice users can use network facing applications they install. If you know what you’re doing and want a more protective default, you can move the interface to the <em>FedoraServer</em> zone, which prohibits any ports not explicitly allowed; by default it only admits the <em>ssh</em>, <em>cockpit</em> and <em>dhcpv6-client</em> services. <em>(<strong>Warning:</strong> if you’re using the host via the network through anything other than ssh, you may break your connection — meaning you’ll have to go to that box physically to make further changes!)</em> Note also that for an interface managed by NetworkManager, the zone assignment is stored in the connection profile (the <em>connection.zone</em> setting, visible with <em>nmcli</em>), so check there if the interface does not stay in the zone you expect.</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --change-interface=<em>&lt;ifname&gt;</em> --zone=FedoraServer</strong>
success</pre>
<p><small>* <em>This article is not the place to discuss that decision, which went through many rounds of review and debate in the Fedora community. You are welcome to change settings as needed.</em></small></p>
<p>If you want to open a well-known port that belongs to a service, you can add that service to the default zone (or use <em>--zone</em> to adjust a different zone). You can add more than one at once. This example opens up the well-known ports for your web server for both HTTP and HTTPS traffic, on ports 80 and 443:</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --add-service=http --add-service=https</strong>
success</pre>
<p>Not every service has a predefined definition, but many common ones do. To see the whole list, use the <em>--get-services</em> flag; each entry maps a name to one or more port/protocol pairs.</p>
<p>If you want to add specific ports, you can do that by number and protocol as well, in the form <em>port/protocol</em> or <em>first-last/protocol</em> for a range. (You can also combine <em>--add-service</em> and <em>--add-port</em> flags, as many as necessary.) This example opens up UDP port 67, the BOOTP/DHCP server port that a PXE network boot server answers on; being below 1025, it is not covered by the FedoraWorkstation zone’s open range:</p>
<pre class="wp-block-preformatted">$ <strong>sudo firewall-cmd --add-port=67/udp</strong>
success</pre>
<p><strong>Important:</strong> If you want your changes to be effective after you reboot your system or restart the firewalld service, you <strong>must</strong> also write them to the permanent configuration. The examples here only change the running (runtime) firewall until one of those events next happens. There are two ways to persist a change. Either repeat the command with the <em>--permanent</em> flag (a command with <em>--permanent</em> alone edits only the saved configuration and does nothing to the running firewall until <em>firewall-cmd --reload</em>), or make the runtime change first, verify that things still work, and then copy the live state into the saved configuration with <em>firewall-cmd --runtime-to-permanent</em>. The second approach is the safer one when working remotely: if a runtime change locks you out, <em>firewall-cmd --reload</em> (or a reboot) discards it and restores the last saved configuration.</p>
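<p>The runtime/permanent distinction and the port syntax are easy to get wrong in a hurry, so here is a small POSIX shell script that wraps the commands above. It is an added example, not code from the Fedora Magazine article or from the firewalld project. It assumes <em>firewall-cmd</em> is on the PATH and that you may run it; setting <em>FWCMD=echo</em> turns it into a dry run that only prints the commands. The function names (<em>valid_port_spec</em>, <em>port_covered</em>, <em>open_in_zone</em>) are my own.</p>

```shell
#!/bin/sh
# Added example, not code from the article or the firewalld project.
# Helpers for opening ports/services with firewall-cmd and persisting them.
# Assumptions: firewall-cmd is on PATH and you have the rights to run it;
# set FWCMD=echo to dry-run (prints the commands instead of executing them).
# The function names below are mine, not part of firewalld.
set -eu

FWCMD="${FWCMD:-firewall-cmd}"

# Check a "port/proto" or "lo-hi/proto" spec as accepted by --add-port:
# proto must be tcp, udp, sctp or dccp and ports must lie in 1..65535 with
# lo <= hi. Returns 1 on bad input, so a typo such as 80/tpc or 70000/tcp is
# rejected before it reaches the firewall.
valid_port_spec() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    ports="${spec%/*}"
    lo="${ports%-*}"
    hi="${ports#*-}"
    for p in "$lo" "$hi"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            return 1
        fi
    done
    [ "$lo" -le "$hi" ]
}

# Given the output of `firewall-cmd --list-ports` for a zone (entries such
# as "1025-65535/udp 1025-65535/tcp") and one port/proto, return 0 if the
# port is already inside a listed range. In the FedoraWorkstation zone,
# everything above 1024 is open, so adding e.g. 8080/tcp there is a no-op.
port_covered() {
    listed="$1"
    want="$2"
    wproto="${want#*/}"
    wport="${want%/*}"
    for entry in $listed; do
        [ "${entry#*/}" = "$wproto" ] || continue
        range="${entry%/*}"
        lo="${range%-*}"
        hi="${range#*-}"
        if [ "$wport" -ge "$lo" ] && [ "$wport" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Open the given items (port/proto specs or service names from --get-services)
# in ZONE (empty string = default zone). The change is made to the runtime
# configuration first, so it is live immediately, and then copied to the
# permanent configuration with --runtime-to-permanent. A bare --permanent
# would edit only the saved configuration, which does not take effect until
# `firewall-cmd --reload`; and --reload throws away runtime-only changes,
# which makes it a convenient undo if a test change goes wrong.
open_in_zone() {
    zone="$1"
    shift
    zoneopt=""
    if [ -n "$zone" ]; then
        zoneopt="--zone=$zone"
    fi
    args=""
    for item in "$@"; do
        if valid_port_spec "$item"; then
            args="$args --add-port=$item"
        else
            args="$args --add-service=$item"
        fi
    done
    # shellcheck disable=SC2086  # word splitting of $zoneopt/$args is intended
    $FWCMD $zoneopt $args
    $FWCMD --runtime-to-permanent
}

# Usage: sh open-ports.sh ZONE ITEM...   (ZONE may be "" for the default zone)
#   sudo sh open-ports.sh FedoraServer http https 67/udp
if [ $# -gt 1 ]; then
    open_in_zone "$@"
    # shellcheck disable=SC2086
    $FWCMD ${1:+--zone=$1} --list-all
fi
```

<p>Run it with <em>FWCMD=echo</em> first to see exactly which <em>firewall-cmd</em> invocations it would make; <em>port_covered</em> is handy with the output of <em>--list-ports</em> to find out whether a port you are about to add is already inside an open range, as most high ports are in the FedoraWorkstation zone.</p>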
<p>These are just some of the many functions of the <em>firewall-cmd</em> utility and the firewalld service. There is much more information on firewalld at the project’s <a href="https://firewalld.org/">home page</a> that’s worth reading and trying out.</p>
<hr class="wp-block-separator" />
<p><em>Photo by <a href="https://unsplash.com/@jakobustrop?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Jakob Braun</a> on <a href="https://unsplash.com/s/photos/brick-wall?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a>.</em></p>
</div>
https://www.sickgaming.net/blog/2020/03/...mand-line/