PROBLEM
How do I use firewalld?
ENVIRONMENT
- on-premises server + webmail installations: Version 7.8+
CAUSE
Configure firewalld for mail-server functionality.
RESOLUTION
This document is divided into the following sections:
- Mailserver Configuration: general configuration for mail functionality
- Getting familiar with firewalld: further understanding of firewalld
- Further Configuration: panic mode, ICMP blocks and rich rules
Mailserver Configuration
Check if firewalld is enabled and started
[root@a8 services]# systemctl is-enabled firewalld
disabled
[root@a8 services]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@a8 services]# systemctl start firewalld
[root@a8 services]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2017-06-27 16:53:32 AEST; 5s ago
List allowed services
[root@a8 ~]# firewall-cmd --list-service
dhcpv6-client ssh
Add the required services: HTTPS, SMTP, IMAP, POP3, DAV and DHCP (DHCP may only be required in a testing environment). The second command adds the remaining ports directly.
[root@a8 ~]# firewall-cmd --zone=public --add-service=smtp --add-service=smtps --add-service=imap --add-service=imaps --add-service=pop3 --add-service=pop3s --add-service=https --add-service=dhcp --permanent
success
[root@a8 ~]# firewall-cmd --zone=public --add-port=587/tcp --add-port=8443/tcp --permanent
success
Reload firewalld
[root@a8 ~]# firewall-cmd --reload
success
List the allowed services and ports and confirm that the additions made above are present.
[root@a8 ~]# firewall-cmd --list-all | grep 'services\|ports' | head -n 2
services: dhcpv6-client https imap imaps pop3 pop3s smtp smtps ssh
ports: 8443/tcp 587/tcp
A simple bash script containing the above default settings can be found here.
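The article's own script is not reproduced on this page; the following is an added example (not the article's or firewalld's code) that applies the same baseline to the public zone with --permanent, reloads, and then verifies the zone by parsing the text of firewall-cmd --list-all. The function names, the --apply argument and SAMPLE_LISTING are this example's own assumptions; the sample listing is constructed, not captured from a host, and is deliberately missing smtps and 587/tcp so the checker has something to report. DHCP is left out of the baseline because the article notes it is only likely to be needed in a testing environment.

```shell
#!/bin/bash
# Added example, not the article's script: apply the mail-server baseline to
# the public zone and verify it against `firewall-cmd --list-all` output.
# Function names, the --apply argument and SAMPLE_LISTING are this example's own.

ZONE="public"
# Services and ports the article adds (dhcp omitted: testing environments only).
REQUIRED_SERVICES="smtp smtps imap imaps pop3 pop3s https"
REQUIRED_PORTS="587/tcp 8443/tcp"

# missing_entries LISTING WANTED KEY
# Prints the space-separated WANTED tokens absent from the "KEY:" line
# (KEY is "services" or "ports") of a --list-all LISTING. Always returns 0.
missing_entries() {
    local listing="$1" wanted="$2" key="$3"
    local present item missing=""
    # Take only the "services:"/"ports:" line; "forward-ports:" and
    # "sourceports:" do not match because the key is anchored to line start.
    present=$(printf '%s\n' "$listing" | sed -n "s/^[[:space:]]*$key:[[:space:]]*//p")
    for item in $wanted; do
        case " $present " in
            *" $item "*) ;;
            *) missing="$missing $item" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# verify_listing LISTING
# Reports missing services and ports; returns 0 only when nothing is missing.
verify_listing() {
    local listing="$1" ms mp
    ms=$(missing_entries "$listing" "$REQUIRED_SERVICES" services)
    mp=$(missing_entries "$listing" "$REQUIRED_PORTS" ports)
    [ -n "$ms" ] && echo "missing services: $ms"
    [ -n "$mp" ] && echo "missing ports: $mp"
    [ -z "$ms" ] && [ -z "$mp" ]
}

# apply_baseline: add everything with --permanent, then reload so the
# permanent configuration also becomes the running one.
apply_baseline() {
    local svc port args=""
    for svc in $REQUIRED_SERVICES; do args="$args --add-service=$svc"; done
    for port in $REQUIRED_PORTS; do args="$args --add-port=$port"; done
    # $args is intentionally unquoted so each flag is a separate argument.
    firewall-cmd --zone="$ZONE" $args --permanent && firewall-cmd --reload
}

# Constructed sample of --list-all output (not captured from a real host),
# deliberately missing smtps and 587/tcp.
SAMPLE_LISTING='public (active)
  target: default
  services: dhcpv6-client https imap imaps pop3 pop3s smtp ssh
  ports: 8443/tcp
  forward-ports:
  sourceports:'

if [ "${1:-}" = "--apply" ]; then
    apply_baseline && verify_listing "$(firewall-cmd --zone="$ZONE" --list-all)"
elif verify_listing "$SAMPLE_LISTING"; then
    echo "sample listing already matches the baseline"
fi
```

Run it with --apply as root on the mail server to change the live firewall; without arguments it only checks the constructed sample, which is what makes it safe to run anywhere. The same verify_listing function can be pointed at the real firewall-cmd --list-all output after any later change to confirm that nothing required was dropped.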
Getting familiar with firewalld
Firewalld is built around the concept of zones. Each zone is assigned a level of trust, which allows the firewall to change dynamically as interfaces or sources move between zones. Although server installations commonly stay in the same network for their whole lifetime, understanding these core concepts makes configuring and administering firewalld easier.
Before configuring any additional rules, it is important to know:
- the default zone
- the active zones
- the summary of a zone
[root@a8 ~]# firewall-cmd --get-default-zone
public
[root@a8 ~]# firewall-cmd --get-active-zones
public
interfaces: enp0s3
[root@a8 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcp dhcpv6-client https imap imaps pop3 pop3s smtp smtps ssh
ports: 8443/tcp 587/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
Available services can be listed and added as shown below. Remember to pass the --permanent flag so the rule survives a reload or a restart of the service; a --permanent change does not affect the running configuration until firewall-cmd --reload is run. Ports can be added in the same way.
[root@a8 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula ...
[root@a8 ~]# firewall-cmd --add-service=telnet --permanent
success
[root@a8 ~]# firewall-cmd --add-port=53/udp --permanent
success
Services and ports can be removed from zones using the following:
[root@a8 ~]# firewall-cmd --zone=public --remove-service=telnet --permanent
success
[root@a8 ~]# firewall-cmd --zone=public --remove-port=53/udp --permanent
success
Further Configuration
Firewalld also comes with a built-in panic mode. When enabled, panic mode drops all incoming and outgoing packets and terminates all active connections. This may be useful if your service is under attack, but it also cuts any remote session you are administering the server from, so it should only be turned on with console access available.
To query panic mode:
[root@a8 services]# firewall-cmd --query-panic
no
To turn ON panic mode:
[root@a8 services]# firewall-cmd --panic-on
success
To turn OFF panic mode:
[root@a8 services]# firewall-cmd --panic-off
success
ICMP blocks can be added to zones. To see the available ICMP types:
[root@a8 services]# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem ...
To query whether an ICMP block is set, add the block, then confirm it:
[root@a8 services]# firewall-cmd --zone=public --query-icmp-block=echo-reply
no
[root@a8 services]# firewall-cmd --zone=public --add-icmp-block=echo-reply --permanent
success
[root@a8 services]# firewall-cmd --list-all | grep "icmp-blocks"
icmp-blocks: echo-reply
Access for individual IP addresses can be managed using rich rules. Below, we add an accept rule for the source address 192.168.0.254, check that it is present, then remove it. These commands are run without --permanent, so the rule applies to the running configuration only.
[root@a8 services]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
success
[root@a8 services]# firewall-cmd --zone=public --list-all | grep "rule"
rich rules:
rule family="ipv4" source address="192.168.0.254" accept
[root@a8 services]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
success
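As an added example (not the article's code), the following builds the article's rich rule for each entry of a small administrative allowlist, validating that the entry is a plain IPv4 address or an IPv4/prefix before it is interpolated into the rule, and applies the rules with --permanent followed by a reload. The allowlist values, the function names and the --apply argument are this example's own constructions.

```shell
#!/bin/bash
# Added example, not the article's code: apply the article's rich rule for a
# constructed administrative allowlist, validating every entry first.
# Function names, ADMIN_ALLOWLIST and the --apply argument are this example's own.

# valid_ipv4 ADDR
# Accepts only a dotted-quad IPv4 address with an optional /prefix, so a
# malformed or hostile allowlist entry can never be spliced into a rule.
valid_ipv4() {
    local addr="$1" ip prefix octet old_ifs
    ip="${addr%%/*}"
    prefix="${addr#*/}"
    [ "$prefix" = "$addr" ] && prefix=32      # no "/" present: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Digits and dots only, no leading/trailing/doubled dots.
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rich_rule ADDR: the rule string exactly as the article writes it.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" accept' "$1"
}

# allowlist_commands ADDR...
# Prints one firewall-cmd invocation per valid address; invalid entries are
# reported on stderr and skipped. --permanent is included because the
# article's runtime-only rule would be lost on reload.
allowlist_commands() {
    local addr
    for addr in "$@"; do
        if valid_ipv4 "$addr"; then
            printf "firewall-cmd --zone=public --permanent --add-rich-rule='%s'\n" \
                "$(rich_rule "$addr")"
        else
            echo "skipping invalid allowlist entry: $addr" >&2
        fi
    done
}

# Constructed allowlist: a host, a network, and one malformed entry.
ADMIN_ALLOWLIST="192.168.0.254 10.0.0.0/24 192.168.0.999"

if [ "${1:-}" = "--apply" ]; then
    for addr in $ADMIN_ALLOWLIST; do
        valid_ipv4 "$addr" || continue
        firewall-cmd --zone=public --permanent --add-rich-rule="$(rich_rule "$addr")"
    done
    firewall-cmd --reload
else
    # Dry run: show what would be executed.
    allowlist_commands $ADMIN_ALLOWLIST
fi
```

Without arguments the script is a dry run that prints the two commands it would execute and reports the malformed entry on stderr; with --apply as root it adds the rules permanently and reloads. Validating before interpolation matters because the rule text is a small language of its own, and an allowlist pulled from a file or an inventory system should never be trusted to contain only addresses.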
For troubleshooting, logs can be located in /var/log/firewalld.
For further information, the official documentation for firewalld can be found here.