Firewall-CMD


Description:

In CentOS I created the following firewall zones:

To Resolve:

  1. First, I create a new zone, and then allow only hosts/ports that I specify:

```bash
firewall-cmd --new-zone=gerry --permanent
firewall-cmd --reload
firewall-cmd --set-default-zone=gerry   # NOTE: you have to reload first before you can select a custom zone as your default zone
firewall-cmd --zone=gerry --add-source=192.168.0.20/32 --permanent
firewall-cmd --zone=gerry --add-port=22/tcp --permanent
firewall-cmd --zone=gerry --add-service=ssh --permanent
firewall-cmd --reload
```
  2. Next, to stop other hosts even on the same network from being able to access ports:

```bash
# There is no --remove-active-zone option in firewall-cmd; a zone stops being
# active once no interface or source is bound to it, which the commands below do.
# Learned quickly that interfaces override source addresses, put that interface in DROP!
firewall-cmd --zone=public --remove-interface=enp0s3 --permanent
firewall-cmd --zone=drop --add-interface=enp0s3 --permanent
firewall-cmd --reload   # --permanent changes only take effect in the runtime config after a reload
firewall-cmd --get-active-zones
# Should see: gerry (bound via sources) and drop (bound via the interface); public should be gone
```

Steps 1/2 are my setup for initial CentOS VMs. With this setup all incoming ports are blocked except 192.168.0.20:22. You can then add hosts/ports as needed.

  3. To check firewall settings:

```bash
sudo firewall-cmd --zone=gerry --list-all
# Or
sudo firewall-cmd --zone=gerry --list-sources
sudo firewall-cmd --zone=gerry --list-services
sudo firewall-cmd --zone=gerry --list-ports
```
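The "should see" line in step 2 is easy to eyeball on one VM but easy to get wrong across many. The script below is an added example, not part of the original post: it parses the text of `firewall-cmd --get-active-zones` (fed on stdin, so it can also run over saved output) and returns 0 only when the NIC is bound to `drop`, the allow-list zone is active via sources only, and `public` is no longer active. The zone name, NIC name and the constructed sample output are assumptions matching the post.

```bash
#!/bin/sh
# Added example (not from the original post). Real --get-active-zones output is
# one block per active zone, e.g.:
#   drop
#     interfaces: enp0s3
#   gerry
#     sources: 192.168.0.20/32
# check_active_zones ZONE NIC reads that text on stdin; non-zero codes identify
# which check failed.
check_active_zones() {
  zone="$1"; nic="$2"
  # Flatten the blocks to one "zone kind value" line per binding.
  flat=$(awk '
    /^[^ \t]/ { z = $1; next }
    /^[ \t]+(interfaces|sources):/ {
      kind = $1; sub(/:$/, "", kind)
      for (i = 2; i <= NF; i++) print z, kind, $i
    }')
  # 1. NIC must sit in drop: that is where every host not in an
  #    allow-listed source ends up.
  printf '%s\n' "$flat" | grep -qx "drop interfaces $nic" || return 1
  # 2. NIC must not also be bound to some other zone.
  if printf '%s\n' "$flat" | grep -v '^drop ' | grep -q " interfaces $nic\$"; then
    return 2
  fi
  # 3. Allow-list zone must be active through sources only.
  printf '%s\n' "$flat" | grep -q "^$zone sources " || return 3
  if printf '%s\n' "$flat" | grep -q "^$zone interfaces "; then return 4; fi
  # 4. public must be gone; if it is still active its default services
  #    (ssh, dhcpv6-client) stay reachable from every host.
  if printf '%s\n' "$flat" | grep -q '^public '; then return 5; fi
  return 0
}

# Constructed sample of healthy output, matching what step 2 says you should see.
SAMPLE_OK='drop
  interfaces: enp0s3
gerry
  sources: 192.168.0.20/32'

printf '%s\n' "$SAMPLE_OK" | check_active_zones gerry enp0s3
echo "zone layout check exit code: $?   (0 = OK)"
```

On a live host run `firewall-cmd --get-active-zones | check_active_zones gerry enp0s3` after the reload in step 2.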
  4. To add sources, services, and ports:

```bash
# See services:
firewall-cmd --get-services

# Then to add (examples from above):
firewall-cmd --zone=gerry --add-source=192.168.0.20/32 --permanent
firewall-cmd --zone=gerry --add-port=22/tcp --permanent
firewall-cmd --zone=gerry --add-service=ssh --permanent
```
  5. To enable/disable panic mode (block all):

```bash
sudo firewall-cmd --panic-on
sudo firewall-cmd --panic-off
```
