Linux FirewallD Random notes

FirewallD is stupid and a total piece of crap, but this is how to make it work.
**** REMEMBER to reload the firewall (firewall-cmd --reload) for --permanent changes to actually take effect! ****

Set default zone:
firewall-cmd --set-default-zone=public

Reload firewall:
firewall-cmd --reload

Webmin:
firewall-cmd --permanent --new-service=webmin
firewall-cmd --permanent --service=webmin --add-port=10000/tcp
firewall-cmd --permanent --zone=public --add-service=webmin

Zabbix:
firewall-cmd --permanent --new-service=zabbix
firewall-cmd --permanent --service=zabbix --add-port=10050/tcp
firewall-cmd --permanent --service=zabbix --add-port=10051/tcp
firewall-cmd --permanent --zone=public --add-service=zabbix

Tomcat:
firewall-cmd --permanent --new-service=tomcat
firewall-cmd --permanent --service=tomcat --add-port=8009/tcp
firewall-cmd --permanent --service=tomcat --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-service=tomcat

WildFly:
firewall-cmd --permanent --new-service=wildfly
firewall-cmd --permanent --service=wildfly --add-port=8009/tcp
firewall-cmd --permanent --service=wildfly --add-port=8080/tcp
firewall-cmd --permanent --service=wildfly --add-port=8081/tcp
firewall-cmd --permanent --service=wildfly --add-port=8444/tcp
firewall-cmd --permanent --service=wildfly --add-port=9990/tcp
firewall-cmd --permanent --service=wildfly --add-port=9999/tcp
firewall-cmd --permanent --zone=public --add-service=wildfly

Mod_Cluster:
firewall-cmd --permanent --new-service=mod_cluster
firewall-cmd --permanent --service=mod_cluster --add-port=6666/tcp
firewall-cmd --permanent --service=mod_cluster --add-port=23364/udp
firewall-cmd --permanent --zone=public --add-service=mod_cluster

NFS_new?:
firewall-cmd --permanent --new-service=NFS_new
firewall-cmd --permanent --service=NFS_new --add-port=20048/tcp
firewall-cmd --permanent --service=NFS_new --add-port=20048/udp
firewall-cmd --permanent --zone=public --add-service=NFS_new

Pre-defined services:
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-service=mysql   # <-- or MariaDB
firewall-cmd --zone=public --permanent --add-service=dns
firewall-cmd --zone=public --permanent --add-service=smtp
firewall-cmd --zone=public --permanent --add-service=nfs
firewall-cmd --zone=public --permanent --add-service=nfs3

HAProxy:
firewall-cmd --permanent --new-service=haproxy
firewall-cmd --permanent --service=haproxy --add-port=1234/tcp
firewall-cmd --permanent --service=haproxy --add-port=12345/tcp
firewall-cmd --permanent --zone=public --add-service=haproxy

Splunk:
firewall-cmd --permanent --new-service=Splunk
firewall-cmd --permanent --service=Splunk --add-port=8000/tcp
firewall-cmd --permanent --service=Splunk --add-port=5012/udp
firewall-cmd --permanent --zone=public --add-service=Splunk

urBackup:
firewall-cmd --permanent --new-service=urBackup
firewall-cmd --permanent --service=urBackup --add-port=35623/tcp
firewall-cmd --permanent --service=urBackup --add-port=35621/tcp
firewall-cmd --permanent --service=urBackup --add-port=35622/udp
firewall-cmd --permanent --zone=public --add-service=urBackup
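Every custom-service recipe above is the same three-step procedure (create the service, add each port to it, then add the service to a zone) followed by a reload. The script below is an added example, not from the original post: it wraps that procedure in POSIX sh functions, validates every PORT/PROTO argument before running anything (so a typo does not leave a half-defined service behind), and prints the firewall-cmd invocations instead of executing them unless FIREWALL_CMD is set. The FIREWALL_CMD variable and all fw_* function names are this example's own conventions, not firewalld's.

```shell
#!/bin/sh
# Added example: drive firewalld's custom-service recipe from a script.
# Dry-run by default; set FIREWALL_CMD=firewall-cmd (or "sudo firewall-cmd") to apply.
FIREWALL_CMD="${FIREWALL_CMD:-echo}"

fw_run() {
    # Word splitting of FIREWALL_CMD is intentional ("sudo firewall-cmd").
    $FIREWALL_CMD "$@"
}

fw_valid_name() {
    # Service names: letters, digits, '_' and '-' only (e.g. mod_cluster, NFS_new).
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

fw_valid_port_spec() {
    # Accept only "<1-65535>/<tcp|udp|sctp|dccp>", the form --add-port expects.
    spec=$1
    port=${spec%%/*}
    proto=${spec#*/}
    if [ "$port" = "$spec" ]; then return 1; fi          # no "/" present
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then return 1; fi
    return 0
}

fw_define_service() {
    # Usage: fw_define_service NAME PORT/PROTO [PORT/PROTO ...]
    # Validates everything first, then runs --new-service and one --add-port per spec.
    if [ $# -lt 2 ]; then echo "usage: fw_define_service NAME PORT/PROTO..." >&2; return 2; fi
    name=$1
    shift
    fw_valid_name "$name" || { echo "bad service name: $name" >&2; return 2; }
    for spec in "$@"; do
        fw_valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
    done
    fw_run --permanent --new-service="$name"
    for spec in "$@"; do
        fw_run --permanent --service="$name" --add-port="$spec"
    done
}

fw_expose_service() {
    # Usage: fw_expose_service ZONE NAME  -- make the service reachable in that zone.
    fw_run --permanent --zone="$1" --add-service="$2"
}

fw_reload() {
    # --permanent changes do nothing until the runtime configuration is reloaded.
    fw_run --reload
}

# Demo: the Zabbix recipe from the notes above (constructed input, prints by default).
fw_define_service zabbix 10050/tcp 10051/tcp
fw_expose_service public zabbix
fw_reload
```

Run it as-is to review the exact commands it would issue; rerun with FIREWALL_CMD="sudo firewall-cmd" to apply them. Validating all port specs before the first firewall-cmd call is the point of the wrapper: firewall-cmd itself only rejects the one bad argument, leaving the service created with a subset of its ports.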

Block:
Specific host/net inbound:
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='193.201.224.0/24' reject"

Specific host/net outbound MUST be done with the '--direct' option (https://cogitantium.blogspot.com/2017/06/how-to-drop-outbound-connections-with.html):
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 8.8.8.8/32 -j DROP

To remove a direct rule (the arguments must match the rule exactly):
firewall-cmd --permanent --direct --remove-rule ipv4 filter OUTPUT 0 -d 8.8.8.8/32 -j DROP

If you want to block outbound but keep replies to inbound connections working, add this rule first, ahead of the DROP rules:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT

To view direct rules:
firewall-cmd --direct --get-all-rules

Assign an interface to a zone:
firewall-cmd --zone=public --add-interface=tun0 --permanent

Port forward example:
firewall-cmd --permanent --zone=public --add-forward-port=port=80:proto=tcp:toaddr=10.0.0.61:toport=8080
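The outbound-block recipe above has two traps: the RELATED,ESTABLISHED accept must end up ahead of every DROP in the OUTPUT chain, and a direct rule can only be removed by repeating its arguments exactly. The script below is an added example, not from the original post, that handles both: it gives the accept rule priority 0 and the DROP rules priority 1 (firewalld orders direct rules by priority, lowest first, so the ordering no longer depends on which command you ran first; the priority split is this example's design choice, the page uses 0 for both), builds add and remove from the same rule text, and checks that the target is a well-formed IPv4 CIDR before touching the firewall. FIREWALL_CMD and the fw_* names are the example's own conventions; it prints the commands unless FIREWALL_CMD is set.

```shell
#!/bin/sh
# Added example: outbound blocking with firewalld direct rules, with safe ordering and removal.
# Dry-run by default; set FIREWALL_CMD=firewall-cmd (or "sudo firewall-cmd") to apply.
FIREWALL_CMD="${FIREWALL_CMD:-echo}"
ESTABLISHED_PRIORITY=0   # accept reply traffic first ...
BLOCK_PRIORITY=1         # ... then drop new outbound connections to blocked targets

fw_run() {
    $FIREWALL_CMD "$@"
}

fw_valid_ipv4_cidr() {
    # Accept "a.b.c.d/len": four octets 0-255, prefix length 0-32 (e.g. 8.8.8.8/32, 0.0.0.0/0).
    addr=${1%/*}
    len=${1#*/}
    if [ "$addr" = "$1" ]; then return 1; fi              # no "/len"
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$len" -gt 32 ]; then return 1; fi
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac       # empty octet somewhere
    rest=$addr
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        if [ "$octet" -gt 255 ]; then return 1; fi
        n=$((n + 1))
        if [ "$rest" = "$octet" ]; then rest=""; else rest=${rest#*.}; fi
    done
    if [ "$n" -ne 4 ]; then return 1; fi
    return 0
}

fw_allow_established_outbound() {
    # Sits above every DROP so replies to inbound sessions are never cut off.
    fw_run --permanent --direct --add-rule ipv4 filter OUTPUT "$ESTABLISHED_PRIORITY" \
        -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED -j ACCEPT
}

fw_direct_outbound_rule() {
    # $1 = add|remove, $2 = destination CIDR. Add and remove share one rule text because
    # --direct --remove-rule only finds a rule whose arguments are identical.
    op=$1
    cidr=$2
    case "$op" in add|remove) ;; *) echo "op must be add or remove" >&2; return 2 ;; esac
    fw_valid_ipv4_cidr "$cidr" || { echo "bad IPv4 CIDR: $cidr" >&2; return 2; }
    fw_run --permanent --direct "--${op}-rule" ipv4 filter OUTPUT "$BLOCK_PRIORITY" -d "$cidr" -j DROP
}

fw_block_outbound()   { fw_direct_outbound_rule add "$1"; }
fw_unblock_outbound() { fw_direct_outbound_rule remove "$1"; }
fw_show_direct_rules() { fw_run --direct --get-all-rules; }

# Demo (constructed input, prints by default): block 8.8.8.8 outbound without breaking
# replies to inbound connections, reload, then list what the direct chain now holds.
fw_allow_established_outbound
fw_block_outbound 8.8.8.8/32
fw_run --reload
fw_show_direct_rules
```

Because the accept rule carries a lower priority number than the DROPs, it is placed at the top of the OUTPUT chain even if you add a block first and only later remember the accept; with the page's commands (both at priority 0) the order is the insertion order, which is why the note says to add the accept first.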
