5.6. Controlling Traffic
5.6.1. Predefined Services
Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd. Alternatively, you can edit the XML files in the /etc/firewalld/services/ directory. If a service is not added or changed by the user, then no corresponding XML file is found in /etc/firewalld/services/. The files in the /usr/lib/firewalld/services/ directory can be used as templates if you want to add or change a service.
5.6.2. Disabling All Traffic in Case of Emergency using CLI
In an emergency situation, such as a system attack, it is possible to disable all network traffic and cut off the attacker.
To immediately disable networking traffic, switch panic mode on:
~]# firewall-cmd --panic-on
Switching off panic mode reverts the firewall to its permanent settings. To switch panic mode off:
~]# firewall-cmd --panic-off
To see whether panic mode is switched on or off, use:
~]# firewall-cmd --query-panic
5.6.3. Controlling Traffic with Predefined Services using CLI
The most straightforward method to control traffic is to add a predefined service to firewalld. This opens all necessary ports and modifies other settings according to the service definition file.
- Check that the service is not already allowed:
~]# firewall-cmd --list-services
ssh dhcpv6-client
- List all predefined services:
~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry ... [output truncated]
- Add the service to the allowed services:
~]# firewall-cmd --add-service=<service-name>
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
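The three steps above can be wrapped in a small POSIX shell function that refuses names firewalld does not know, skips the add when the service is already allowed in the zone (firewall-cmd --query-service), and only then persists the runtime change. This is an added example, not from the Red Hat documentation or the firewalld project; the variable FWCMD and the function name allow_service are assumptions of this example so that a test can substitute a stub for firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the documentation): allow a predefined firewalld
# service in a zone only if it is not already allowed, then persist it.
# FWCMD is an assumption that lets a test substitute another command.
FWCMD="${FWCMD:-firewall-cmd}"

# allow_service ZONE SERVICE
# Returns 0 when the service is allowed afterwards (whether or not anything
# had to change) and 1 when the name is not a predefined service or a
# firewall-cmd call fails.
allow_service() {
    zone="$1"
    service="$2"

    # Refuse names that are not in the predefined service list; the list is
    # printed space-separated on one line, so split it before matching.
    if ! "$FWCMD" --get-services | tr ' ' '\n' | grep -qxF "$service"; then
        echo "no predefined service named '$service'" >&2
        return 1
    fi

    # Step 1: check whether the service is already allowed in the zone.
    if "$FWCMD" --zone="$zone" --query-service="$service" >/dev/null 2>&1; then
        echo "$service already allowed in zone $zone"
        return 0
    fi

    # Step 2: add it to the runtime configuration of the zone.
    "$FWCMD" --zone="$zone" --add-service="$service" >/dev/null || return 1

    # Step 3: copy the runtime configuration to the permanent one.
    "$FWCMD" --runtime-to-permanent >/dev/null || return 1
    echo "$service allowed in zone $zone (permanent)"
}

# Usage, as root:
#   allow_service public http
```

Checking with --query-service first keeps the function idempotent, so it can be run from configuration management without re-adding a service on every run.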
5.6.4. Controlling Traffic with Predefined Services using GUI
To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.
To edit a service, start the firewall-config tool and select from the menu labeled Configuration. Additional icons and menu buttons appear at the bottom of the window. Select the service you want to configure.
The Ports, Protocols, and Source Port tabs enable adding, changing, and removing of ports, protocols, and source ports for the selected service. The Modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).
Note
It is not possible to alter service settings in mode.
5.6.5. Adding New Services
Services can be added and removed using the graphical firewall-config tool, firewall-cmd, and firewall-offline-cmd. Alternatively, you can edit the XML files in /etc/firewalld/services/. If a service is not added or changed by the user, then no corresponding XML file is found in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service.
To add a new service in a terminal, use firewall-cmd, or firewall-offline-cmd if firewalld is not active. The --new-service option only exists in the permanent configuration, so it must be combined with --permanent. Enter the following command to add a new and empty service:
~]# firewall-cmd --permanent --new-service=service-name
To add a new service using a local file (also a permanent-only operation), use the following command:
~]# firewall-cmd --permanent --new-service-from-file=service-name.xml
You can change the service name with the additional --name=service-name option.
As soon as service settings are changed, an updated copy of the service is placed into /etc/firewalld/services/.
As root, you can enter the following command to copy a service manually:
~]# cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml
firewalld loads files from /usr/lib/firewalld/services first. If files are placed in /etc/firewalld/services and they are valid, then these override the matching files from /usr/lib/firewalld/services. The overridden files in /usr/lib/firewalld/services are used again as soon as the matching files in /etc/firewalld/services have been removed or firewalld has been asked to load the defaults of the services. This applies to the permanent environment only. A reload is needed to get these fallbacks also in the runtime environment.
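Whichever route is used, the file that ends up in /etc/firewalld/services/ has the same structure as the templates in /usr/lib/firewalld/services/: a service element with a short name, a description and one port element per port or port range (firewalld.service(5)). The following added shell example, which is not part of the Red Hat documentation or the firewalld project, writes such a file from the command line. It validates every port specification against the four port types firewalld accepts before writing anything, so an invalid argument leaves no partial file behind. The function names, the example-app service and its ports are constructed for this example; the target directory defaults to nothing in particular so that a test can use a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation or the firewalld project:
# writes a new service definition in the XML format used by the template files
# in /usr/lib/firewalld/services (see firewalld.service(5)). Function names are
# assumptions of this example.

# Escape the three characters that would break XML text content.
xml_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# valid_port_spec "PORT/PROTO" or "LOW-HIGH/PROTO": the protocol must be one
# of the four port types firewalld accepts and numbers must be 1..65535.
valid_port_spec() {
    spec="$1"
    port="${spec%/*}"
    proto="${spec#*/}"
    [ "$port" != "$spec" ] || return 1      # no "/" separator at all
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    low="${port%-*}"
    high="${port#*-}"
    for n in "$low" "$high"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -ge 1 ] && [ "$n" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

# write_service_xml DIR NAME SHORT DESCRIPTION PORT/PROTO...
# Validates every argument first so that a bad one leaves no partial file,
# then prints the path of the file written. Returns 1 on any invalid input.
write_service_xml() {
    dir="$1"; name="$2"; short="$3"; desc="$4"
    shift 4
    # The service name becomes the file name, so allow only a safe character set.
    case "$name" in ''|*[!A-Za-z0-9_-]*)
        echo "invalid service name: '$name'" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    done
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(printf '%s' "$short" | xml_escape)"
        printf '  <description>%s</description>\n' "$(printf '%s' "$desc" | xml_escape)"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}

# Usage as root (a reload is needed before the runtime environment sees the
# new file; the service name and ports here are constructed):
#   write_service_xml /etc/firewalld/services example-app "Example App" \
#       "Constructed example service" 8443/tcp 5000-5010/udp
#   firewall-cmd --reload
```

Because the file is written under /etc/firewalld/services/, it overrides any template of the same name in /usr/lib/firewalld/services/, exactly as described above; removing the file restores the template in the permanent configuration.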
5.6.6. Controlling Ports using CLI
Ports are logical devices that enable an operating system to receive and distinguish network traffic and forward it accordingly to system services. These are usually represented by a daemon that listens on the port, that is, it waits for any traffic coming to this port.
Normally, system services listen on standard ports that are reserved for them. The httpd daemon, for example, listens on port 80. However, system administrators often configure daemons to listen on different ports to enhance security or for other reasons.
Opening a Port
Through open ports, the system is accessible from the outside, which represents a security risk. Generally, keep ports closed and only open them if they are required for certain services.
To get a list of open ports in the current zone:
- List all allowed ports:
~]# firewall-cmd --list-ports
- Add a port to the allowed ports to open it for incoming traffic:
~]# firewall-cmd --add-port=port-number/port-type
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
The port types are either tcp, udp, sctp, or dccp. The type must match the type of network communication.
Closing a Port
When an open port is no longer needed, close that port in firewalld. It is highly recommended to close all unnecessary ports as soon as they are not used because leaving a port open represents a security risk.
To close a port, remove it from the list of allowed ports:
- List all allowed ports:
~]# firewall-cmd --list-ports
Warning
This command will only give you a list of ports that have been opened as ports. You will not be able to see any open ports that have been opened as a service. Therefore, you should consider using the --list-all option instead of --list-ports.
- Remove the port from the allowed ports to close it for the incoming traffic:
~]# firewall-cmd --remove-port=port-number/port-type
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
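The warning above has a practical consequence for both procedures in this section: a port opened through a service does not appear in --list-ports, and --remove-port cannot close it, so a port can look closed while a service keeps it open. The following added shell example, not from the Red Hat documentation or the firewalld project, audits a zone by combining the ports: and services: lines of --list-all with the ports: line that --info-service prints for each allowed service, and after --remove-port verifies that the port is really gone. FWCMD and the function names list_effective_ports, is_port_open and close_port are assumptions of this example; the zone contents in the test are constructed.

```shell
#!/bin/sh
# Added example, not taken from the documentation. Lists the ports a zone
# actually accepts: those opened with --add-port plus those opened through
# allowed services, which --list-ports alone omits. FWCMD is an assumption so
# that a test can substitute a stub for firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# list_effective_ports ZONE
# Prints one line per effective open port: "<port>/<proto> <origin>", where
# origin is "port" (opened with --add-port) or "service:<name>".
list_effective_ports() {
    zone="$1"
    listing=$("$FWCMD" --zone="$zone" --list-all) || return 1
    # The "ports:" line of --list-all holds the directly opened ports.
    for p in $(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p'); do
        echo "$p port"
    done
    # Each allowed service contributes the ports of its definition file,
    # which --info-service prints on its own "ports:" line.
    for s in $(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p'); do
        for p in $("$FWCMD" --info-service="$s" | sed -n 's/^ *ports: *//p'); do
            echo "$p service:$s"
        done
    done
}

# is_port_open ZONE PORT/PROTO: status 0 if the port is open by either route.
is_port_open() {
    list_effective_ports "$1" | awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# close_port ZONE PORT/PROTO
# Runs the two commands of the procedure above, then re-checks the zone.
# Returns 2 when a service still opens the port, so the caller knows that
# --remove-port was not enough and the service itself has to be removed.
close_port() {
    zone="$1"; port="$2"
    "$FWCMD" --zone="$zone" --remove-port="$port" >/dev/null || return 1
    "$FWCMD" --runtime-to-permanent >/dev/null || return 1
    via=$(list_effective_ports "$zone" | awk -v want="$port" '$1 == want { print $2 }')
    if [ -n "$via" ]; then
        echo "$port is still open in zone $zone through: $via" >&2
        return 2
    fi
    echo "$port closed in zone $zone"
}

# Usage, as root:
#   list_effective_ports public
#   close_port public 8080/tcp
```

Running list_effective_ports before and after a change is a cheap way to confirm that the firewall state matches the intent, which is what the warning about --list-ports versus --list-all is really about.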
5.6.7. Opening Ports using GUI
To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and click the button on the right-hand side. The Port and Protocol window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the list.
5.6.8. Controlling Traffic with Protocols using GUI
To permit traffic through the firewall using a certain protocol, start the firewall-config tool and select the network zone whose settings you want to change. Select the Protocols tab and click the Add button on the right-hand side. The Protocol window opens.
Either select a protocol from the list or select the Other Protocol check box and enter the protocol in the field.
5.6.9. Opening Source Ports using GUI
To permit traffic through the firewall from a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Source Port tab and click the Add button on the right-hand side. The Source Port window opens.
Enter the port number or range of ports to permit. Select tcp or udp from the list.