Complete Guide to Allowing Services in firewalld

Master firewalld service management with zones, dynamic rules, and security best practices. Learn commands, troubleshooting, and advanced configuration.


## Table of Contents

1. [Introduction to firewalld](#introduction-to-firewalld)
2. [Understanding firewalld Services](#understanding-firewalld-services)
3. [Basic Commands and Operations](#basic-commands-and-operations)
4. [Service Management](#service-management)
5. [Zones and Service Configuration](#zones-and-service-configuration)
6. [Practical Examples](#practical-examples)
7. [Advanced Configuration](#advanced-configuration)
8. [Troubleshooting](#troubleshooting)
9. [Best Practices](#best-practices)
10. [Reference Tables](#reference-tables)

## Introduction to firewalld

firewalld is a dynamic firewall management tool that provides a flexible and feature-rich interface for managing Linux firewall rules. Unlike traditional iptables configurations, firewalld uses zones and services to organize firewall rules, making it easier to manage complex network security policies.

### Key Features

- Dynamic Management: Rules can be changed without restarting the firewall service
- Zone-based Configuration: Different security levels for different network interfaces
- Service Definitions: Predefined service configurations for common applications
- Runtime and Permanent Configuration: Separate handling of temporary and persistent rules
- D-Bus Interface: Integration with system management tools
- Rich Rules: Advanced rule syntax for complex scenarios

### Architecture Overview

firewalld operates with two main configuration layers:

1. Runtime Configuration: Active rules that are immediately applied but lost on restart
2. Permanent Configuration: Persistent rules that survive system reboots

## Understanding firewalld Services

Services in firewalld are predefined configurations that specify which ports and protocols should be opened for specific applications or services. Each service definition includes:

- Service name and description
- TCP and UDP ports
- Destination addresses (if applicable)
- Helper modules (for complex protocols)

### Service Definition Structure

Services are defined in XML files located in:

- System services: /usr/lib/firewalld/services/
- User-defined services: /etc/firewalld/services/

Example service definition structure:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Service Name</short>
  <description>Service description</description>
  <!-- one <port> element per port/protocol pair; replace PORT with the real port -->
  <port protocol="tcp" port="PORT"/>
</service>
```

## Basic Commands and Operations

### Installation and Setup

Most modern Linux distributions include firewalld by default. If not installed:

```bash
# Red Hat/CentOS/Fedora
sudo dnf install firewalld

# Debian/Ubuntu
sudo apt install firewalld

# Enable and start firewalld
sudo systemctl enable firewalld
sudo systemctl start firewalld
```

### Essential Commands

#### Checking firewalld Status

```bash
# Check if firewalld is running
sudo firewall-cmd --state

# Get detailed status information
sudo systemctl status firewalld

# Check firewalld version
sudo firewall-cmd --version
```

#### Basic Information Commands

```bash
# List all available zones
sudo firewall-cmd --get-zones

# Get default zone
sudo firewall-cmd --get-default-zone

# List active zones
sudo firewall-cmd --get-active-zones

# List all available services
sudo firewall-cmd --get-services
```

## Service Management

### Listing Services

#### Current Zone Services

```bash
# List services in default zone
sudo firewall-cmd --list-services

# List services in specific zone
sudo firewall-cmd --zone=public --list-services

# List all configuration for default zone
sudo firewall-cmd --list-all

# List all configuration for specific zone
sudo firewall-cmd --zone=public --list-all
```

### Adding Services

#### Runtime Configuration (Temporary)

```bash
# Add service to default zone (temporary)
sudo firewall-cmd --add-service=http

# Add service to specific zone (temporary)
sudo firewall-cmd --zone=public --add-service=https

# Add multiple services at once
sudo firewall-cmd --add-service=http --add-service=https --add-service=ssh
```

#### Permanent Configuration

```bash
# Add service permanently to default zone
sudo firewall-cmd --permanent --add-service=http

# Add service permanently to specific zone
sudo firewall-cmd --permanent --zone=public --add-service=https

# Add multiple services permanently
sudo firewall-cmd --permanent --add-service=http --add-service=https

# Reload to apply permanent changes
sudo firewall-cmd --reload
```

#### Combined Runtime and Permanent

```bash
# Add service both runtime and permanent
sudo firewall-cmd --add-service=http
sudo firewall-cmd --permanent --add-service=http

# Alternative single command approach
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --reload
```

### Removing Services

#### Runtime Removal

```bash
# Remove service from default zone (temporary)
sudo firewall-cmd --remove-service=http

# Remove service from specific zone (temporary)
sudo firewall-cmd --zone=public --remove-service=https
```

#### Permanent Removal

```bash
# Remove service permanently
sudo firewall-cmd --permanent --remove-service=http

# Remove from specific zone permanently
sudo firewall-cmd --permanent --zone=public --remove-service=https

# Reload to apply changes
sudo firewall-cmd --reload
```

### Verification Commands

```bash
# Check if service is enabled in zone (prints yes/no; exit status 0 when enabled)
sudo firewall-cmd --zone=public --query-service=http

# Show the ports, protocols and helpers a service definition opens
sudo firewall-cmd --info-service=http

# Show complete zone configuration
sudo firewall-cmd --zone=public --list-all
```

## Zones and Service Configuration

### Understanding Zones

Zones define different trust levels for network connections. Each zone has a predefined set of rules and can be assigned to network interfaces.

#### Default Zones

| Zone Name | Trust Level | Description | Default Services |
|-----------|-------------|-------------|------------------|
| drop | Lowest | All incoming connections dropped | None |
| block | Very Low | Incoming connections rejected | None |
| public | Low | Public networks, untrusted | ssh, dhcpv6-client |
| external | Low-Medium | External networks with masquerading | ssh |
| dmz | Medium | DMZ networks, limited access | ssh |
| work | Medium-High | Work networks, trusted | ssh, dhcpv6-client |
| home | High | Home networks, mostly trusted | ssh, mdns, dhcpv6-client |
| internal | High | Internal networks, trusted | ssh, mdns, dhcpv6-client |
| trusted | Highest | All connections accepted | All |

### Zone Management

#### Setting Default Zone

```bash
# Set default zone
sudo firewall-cmd --set-default-zone=public

# Verify default zone
sudo firewall-cmd --get-default-zone
```

#### Interface Assignment

```bash
# Assign interface to zone (runtime)
sudo firewall-cmd --zone=public --change-interface=eth0

# Assign interface to zone (permanent)
sudo firewall-cmd --permanent --zone=public --change-interface=eth0

# List interfaces in zone
sudo firewall-cmd --zone=public --list-interfaces
```

### Service Configuration in Different Zones

#### Web Server Configuration Example

```bash
# Configure web server in public zone
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https

# Configure SSH access in internal zone only
sudo firewall-cmd --zone=internal --permanent --add-service=ssh
sudo firewall-cmd --zone=public --permanent --remove-service=ssh

# Apply changes
sudo firewall-cmd --reload
```

#### Database Server Configuration Example

```bash
# Allow database access only from internal zone
sudo firewall-cmd --zone=internal --permanent --add-service=mysql
sudo firewall-cmd --zone=internal --permanent --add-service=postgresql

# Verify configuration
sudo firewall-cmd --zone=internal --list-services
```

## Practical Examples

### Example 1: Web Server Setup

Setting up a web server with HTTP and HTTPS access:

```bash
# Step 1: Check current configuration
sudo firewall-cmd --list-all

# Step 2: Add HTTP service (temporary for testing)
sudo firewall-cmd --add-service=http
echo "HTTP service added temporarily"

# Step 3: Test web server accessibility
# (Test your web server here)

# Step 4: Make changes permanent if working correctly
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

# Step 5: Reload to apply permanent configuration
sudo firewall-cmd --reload

# Step 6: Verify final configuration
sudo firewall-cmd --list-services
```

### Example 2: Mail Server Configuration

Setting up a complete mail server:

```bash
# Add mail services permanently
sudo firewall-cmd --permanent --add-service=smtp
sudo firewall-cmd --permanent --add-service=smtps
sudo firewall-cmd --permanent --add-service=submission
sudo firewall-cmd --permanent --add-service=imap
sudo firewall-cmd --permanent --add-service=imaps
sudo firewall-cmd --permanent --add-service=pop3
sudo firewall-cmd --permanent --add-service=pop3s

# Reload configuration
sudo firewall-cmd --reload

# Verify mail services
sudo firewall-cmd --list-services | grep -E "(smtp|imap|pop3)"
```

### Example 3: Database Server with Restricted Access

Setting up database access only from internal networks:

```bash
# Remove database service from public zone if present
sudo firewall-cmd --permanent --zone=public --remove-service=mysql

# Add database service to internal zone only
sudo firewall-cmd --permanent --zone=internal --add-service=mysql

# Add specific source networks to internal zone
sudo firewall-cmd --permanent --zone=internal --add-source=192.168.1.0/24
sudo firewall-cmd --permanent --zone=internal --add-source=10.0.0.0/8

# Reload configuration
sudo firewall-cmd --reload

# Verify configuration
sudo firewall-cmd --zone=internal --list-all
```

### Example 4: FTP Server Configuration

Setting up FTP server with both standard and secure FTP:

```bash
# Add FTP services
# Note: tftp is Trivial FTP (udp/69), a separate service; SFTP runs over the ssh service
sudo firewall-cmd --permanent --add-service=ftp
sudo firewall-cmd --permanent --add-service=tftp

# For passive FTP, you might need additional ports
# This is typically handled by the ftp service definition
# (it loads the ftp connection-tracking helper) but can be customized if needed

# Reload and verify
sudo firewall-cmd --reload
sudo firewall-cmd --list-services
```

## Advanced Configuration

### Creating Custom Services

#### Custom Service Definition

Create a custom service file at /etc/firewalld/services/myapp.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MyApp</short>
  <description>My Custom Application</description>
  <!-- replace PORT with the port your application listens on -->
  <port protocol="tcp" port="PORT"/>
</service>
```
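The service definition structure and the custom myapp.xml above can be produced and checked with a small script. The following functions are an added example, not part of the guide or of firewalld; OUTDIR is a parameter so they can be exercised in a scratch directory before writing to /etc/firewalld/services/ as root, and the 8080/tcp port used in the demonstration is an assumption.

```bash
# validate_port_spec PORT/PROTO -> 0 if PORT is a port or low-high range within
# 1-65535 and PROTO is a protocol firewalld accepts in a <port> element
validate_port_spec() {
    port=${1%/*}; proto=${1#*/}
    case $proto in tcp|udp|sctp|dccp) ;; *) echo "bad protocol in '$1'" >&2; return 1 ;; esac
    case $port in ''|*[!0-9-]*|-*|*-|*-*-*) echo "bad port in '$1'" >&2; return 1 ;; esac
    lo=${port%-*}; hi=${port#*-}
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "port out of range in '$1'" >&2; return 1
    fi
}

# make_service_xml NAME DESCRIPTION OUTDIR PORT/PROTO... -> prints the file written
make_service_xml() {
    name=$1; outdir=$3
    # the name becomes a file name and a --add-service= argument, so keep it plain
    case $name in ''|*[!A-Za-z0-9_-]*) echo "invalid service name '$name'" >&2; return 1 ;; esac
    # escape XML metacharacters in the free-text description
    desc=$(printf '%s' "$2" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    shift 3
    [ $# -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec in "$@"; do validate_port_spec "$spec" || return 1; done
    file="$outdir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}

# list_service_ports FILE -> one PORT/PROTO per line, the form --info-service prints
list_service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# Demonstration on a constructed service in a scratch directory
# (8080/tcp is an assumed port; the guide does not state one for myapp)
demo_dir=$(mktemp -d)
make_service_xml myapp "My Custom Application" "$demo_dir" 8080/tcp
cat "$demo_dir/myapp.xml"
rm -rf "$demo_dir"
```

On a real host pass /etc/firewalld/services as OUTDIR (as root) and then run `sudo firewall-cmd --reload` so the new definition is recognised, as the next section shows.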

#### Using Custom Services

```bash
# Reload firewalld to recognize new service
sudo firewall-cmd --reload

# Add custom service
sudo firewall-cmd --permanent --add-service=myapp

# Verify custom service is available
sudo firewall-cmd --get-services | grep myapp
```

### Rich Rules for Advanced Service Control

Rich rules provide more granular control over service access:

```bash
# Allow HTTP only from specific subnet
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'

# Allow SSH with rate limiting
sudo firewall-cmd --permanent --add-rich-rule='rule service name="ssh" accept limit value="3/m"'

# Allow HTTPS with logging
sudo firewall-cmd --permanent --add-rich-rule='rule service name="https" log prefix="HTTPS Access" level="info" accept'

# Reload to apply rich rules
sudo firewall-cmd --reload
```

### Port Forwarding with Services

```bash
# Forward external port to internal service
sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.100

# Enable masquerading for forwarding to work
sudo firewall-cmd --permanent --add-masquerade

# Reload configuration
sudo firewall-cmd --reload
```

### Time-based Service Access

Using rich rules for time-based access:

```bash
# Allow web access only during business hours (requires additional scripting)
# This is a conceptual example - actual implementation requires cron jobs or systemd timers

# Create scripts to enable/disable services at specific times (run as root;
# these are runtime changes, so a reload or reboot restores the permanent configuration)
cat > /usr/local/bin/enable-web.sh << 'EOF'
#!/bin/bash
firewall-cmd --add-service=http
firewall-cmd --add-service=https
EOF

cat > /usr/local/bin/disable-web.sh << 'EOF'
#!/bin/bash
firewall-cmd --remove-service=http
firewall-cmd --remove-service=https
EOF

chmod +x /usr/local/bin/enable-web.sh /usr/local/bin/disable-web.sh
```

## Troubleshooting

### Common Issues and Solutions

#### Service Not Working After Adding

Problem: Service added to firewalld but still not accessible

Diagnosis Steps:

```bash
# Check if service is actually enabled
sudo firewall-cmd --list-services

# Check if service is in correct zone
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=public --list-services

# Verify service definition
sudo firewall-cmd --info-service=http

# Check if permanent rules are loaded
sudo firewall-cmd --permanent --list-services
```

Solutions:

```bash
# Reload firewalld
sudo firewall-cmd --reload

# Make sure service is added to correct zone
sudo firewall-cmd --zone=public --add-service=http

# Restart firewalld if needed
sudo systemctl restart firewalld
```

#### Permanent Changes Not Applied

Problem: Permanent changes not taking effect

Diagnosis:

```bash
# Compare runtime vs permanent configuration
sudo firewall-cmd --list-services
sudo firewall-cmd --permanent --list-services
```

Solution:

```bash
# Reload to apply permanent changes
sudo firewall-cmd --reload

# Or restart firewalld service
sudo systemctl restart firewalld
```
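Comparing the two lists by eye is error-prone, so here is an added example (not from the guide) that reports every service present in only one of a zone's runtime and permanent service lists, covering both this problem and the runtime/permanent split described in the Architecture Overview. The lists are passed as strings so the comparison runs offline; `check_zone_drift` is the live-host wrapper and assumes sudo rights.

```bash
# service_drift "RUNTIME_LIST" "PERMANENT_LIST" -> prints each difference,
# returns 1 when the two space-separated lists differ and 0 when they match
service_drift() {
    runtime=" $1 "; permanent=" $2 "; drift=0
    for s in $1; do
        case $permanent in *" $s "*) ;; *)
            echo "runtime-only: $s (active now, lost on reload or reboot; add it with --permanent)"
            drift=1 ;;
        esac
    done
    for s in $2; do
        case $runtime in *" $s "*) ;; *)
            echo "permanent-only: $s (saved but not active; run firewall-cmd --reload)"
            drift=1 ;;
        esac
    done
    return $drift
}

# check_zone_drift ZONE -> runs service_drift on a live host (needs sudo; not run here)
check_zone_drift() {
    service_drift "$(sudo firewall-cmd --zone="$1" --list-services)" \
                  "$(sudo firewall-cmd --permanent --zone="$1" --list-services)"
}

# Demonstration on constructed lists: http was added at runtime only and
# https was added with --permanent but never reloaded
service_drift "ssh http dhcpv6-client" "ssh https dhcpv6-client" || echo "zone configuration drifted"
```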

#### Service Conflicts

Problem: Custom service conflicts with existing services

Diagnosis:

```bash
# Check all services using a specific port (here 80/tcp); --get-services prints
# the names on one line, so loop over them rather than piping into xargs -I
for svc in $(sudo firewall-cmd --get-services); do
    sudo firewall-cmd --info-service="$svc" | grep -qE '^ +ports:.* 80/tcp( |$)' && echo "$svc"
done

# List all active ports
sudo firewall-cmd --list-ports
```
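The loop above only matches a single exact port. The following added example (not from the guide or from firewalld) searches a dump in the format `firewall-cmd --info-service` prints and also matches port ranges; the dump is constructed and myapp's ports in it are assumed so the check runs offline.

```bash
# Constructed sample in --info-service format (only the lines the check uses are kept)
SAMPLE_INFO='http
  ports: 80/tcp
  protocols:
https
  ports: 443/tcp
  protocols:
myapp
  ports: 80/tcp 8080/tcp 5000-5010/udp
  protocols:
'

# services_using_port PORT PROTO < dump -> names of services whose "ports:" line
# covers PORT/PROTO, matching single ports and low-high ranges alike
services_using_port() {
    awk -v port="$1" -v proto="$2" '
        /^[^ ]/ { svc = $1; next }            # unindented line: the service name
        /^ +ports:/ {
            for (i = 2; i <= NF; i++) {
                split($i, pp, "/")
                if (pp[2] != proto) continue
                n = split(pp[1], r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) print svc
            }
        }'
}

# live_services_using_port PORT PROTO -> same check against every definition on a
# live host (needs firewalld; not run here)
live_services_using_port() {
    for s in $(firewall-cmd --get-services); do firewall-cmd --info-service="$s"; done |
        services_using_port "$1" "$2"
}

# Demonstration on the constructed dump: both http and myapp claim 80/tcp
printf '%s' "$SAMPLE_INFO" | services_using_port 80 tcp
```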

### Debugging Commands

#### Verbose Output

```bash
# Log denied packets (all, unicast, broadcast, multicast or off)
sudo firewall-cmd --set-log-denied=all

# Check logs: the daemon's own messages are in its unit log,
# while the denied-packet entries are written by the kernel
sudo journalctl -u firewalld -f
sudo journalctl -k -f

# View detailed zone information
sudo firewall-cmd --list-all-zones
```

#### Testing Connectivity

```bash
# Test from client machine
telnet server_ip service_port

# Check if port is listening on server
sudo ss -tlnp | grep :80
sudo netstat -tlnp | grep :80

# Use nmap to scan ports
nmap -p 80,443 server_ip
```

## Best Practices

### Security Best Practices

#### Principle of Least Privilege

```bash
# Only enable services that are actually needed
# Review enabled services regularly
sudo firewall-cmd --list-services

# Remove unused services
sudo firewall-cmd --permanent --remove-service=unused_service
```

#### Zone-based Security

```bash
# Use appropriate zones for different network segments

# Public zone for internet-facing services
sudo firewall-cmd --zone=public --add-service=http

# Internal zone for administrative access
sudo firewall-cmd --zone=internal --add-service=ssh

# Assign interfaces to appropriate zones
sudo firewall-cmd --permanent --zone=internal --change-interface=eth1
```

#### Regular Auditing

```bash
# Create audit script
cat > /usr/local/bin/firewall-audit.sh << 'EOF'
#!/bin/bash
echo "=== Firewall Audit Report ==="
echo "Date: $(date)"
echo "Default Zone: $(firewall-cmd --get-default-zone)"
echo "Active Zones:"
firewall-cmd --get-active-zones
echo "Services by Zone:"
for zone in $(firewall-cmd --get-zones); do
    echo "Zone: $zone"
    firewall-cmd --zone=$zone --list-services
    echo "---"
done
EOF

chmod +x /usr/local/bin/firewall-audit.sh
```

### Operational Best Practices

#### Change Management

```bash
# Always test changes in runtime before making permanent
sudo firewall-cmd --add-service=new_service

# Test functionality, then persist the change
sudo firewall-cmd --permanent --add-service=new_service
sudo firewall-cmd --reload
```

#### Backup and Recovery

```bash
# Backup firewalld configuration
sudo cp -r /etc/firewalld /etc/firewalld.backup.$(date +%Y%m%d)

# Export zone configuration
sudo firewall-cmd --permanent --zone=public --list-all > public-zone-backup.txt

# Create restoration script (replace YYYYMMDD with the backup date)
cat > restore-firewall.sh << 'EOF'
#!/bin/bash
# Restore firewalld configuration
sudo systemctl stop firewalld
sudo cp -r /etc/firewalld.backup.YYYYMMDD/* /etc/firewalld/
sudo systemctl start firewalld
EOF
```

#### Documentation

Maintain documentation of firewall changes:

```bash
# Create change log template (the delimiter is unquoted so $(date) is expanded)
cat > firewall-changes.log << EOF
Date: $(date)
Change: Added HTTP service to public zone
Command: firewall-cmd --permanent --zone=public --add-service=http
Reason: New web server deployment
Tested: Yes
Approved by: Administrator
EOF
```

## Reference Tables

### Common Services and Ports

| Service Name | Protocol | Port(s) | Description |
|--------------|----------|---------|-------------|
| http | TCP | 80 | HTTP Web Server |
| https | TCP | 443 | HTTPS Web Server |
| ssh | TCP | 22 | Secure Shell |
| ftp | TCP | 21 | File Transfer Protocol |
| smtp | TCP | 25 | Simple Mail Transfer Protocol |
| smtps | TCP | 465 | SMTP over SSL |
| submission | TCP | 587 | Mail Submission |
| imap | TCP | 143 | Internet Message Access Protocol |
| imaps | TCP | 993 | IMAP over SSL |
| pop3 | TCP | 110 | Post Office Protocol v3 |
| pop3s | TCP | 995 | POP3 over SSL |
| mysql | TCP | 3306 | MySQL Database |
| postgresql | TCP | 5432 | PostgreSQL Database |
| dns | TCP/UDP | 53 | Domain Name System |
| ntp | UDP | 123 | Network Time Protocol |
| snmp | UDP | 161 | Simple Network Management Protocol |
| ldap | TCP | 389 | Lightweight Directory Access Protocol |
| ldaps | TCP | 636 | LDAP over SSL |
| samba | TCP/UDP | 137-139, 445 | Samba File Sharing |
| nfs | TCP/UDP | 2049 | Network File System |

### firewall-cmd Command Reference

| Command Category | Command | Description |
|------------------|---------|-------------|
| Status | --state | Check firewalld state |
| | --get-default-zone | Get default zone |
| | --get-active-zones | List active zones |
| | --get-zones | List all zones |
| Services | --get-services | List all available services |
| | --list-services | List enabled services |
| | --add-service=SERVICE | Add service |
| | --remove-service=SERVICE | Remove service |
| | --query-service=SERVICE | Check if service is enabled |
| Information | --list-all | Show complete zone configuration |
| | --info-service=SERVICE | Show service details |
| | --list-all-zones | Show all zones configuration |
| Configuration | --reload | Reload permanent configuration |
| | --complete-reload | Complete reload (breaks connections) |
| | --permanent | Make changes permanent |
| Zones | --zone=ZONE | Specify zone for command |
| | --set-default-zone=ZONE | Set default zone |
| | --change-interface=INTERFACE | Assign interface to zone |

### Zone Trust Levels and Use Cases

| Zone | Trust Level | Network Type | Typical Use Cases |
|------|-------------|--------------|-------------------|
| trusted | Maximum | Fully trusted | Internal management networks |
| internal | High | Internal networks | Corporate LANs, private networks |
| home | High | Home networks | Home LANs, trusted devices |
| work | Medium-High | Work networks | Office networks, business LANs |
| dmz | Medium | DMZ networks | Public-facing servers, isolated services |
| external | Low-Medium | External networks | VPN connections, external access |
| public | Low | Public networks | Internet connections, WiFi hotspots |
| block | Very Low | Untrusted | Blocked networks, rejected connections |
| drop | Minimum | Hostile | Completely untrusted, dropped packets |

### Service Definition XML Elements

| Element | Description | Example |
|---------|-------------|---------|
| `<short>` | Short service name | `<short>HTTP</short>` |
| `<description>` | Service description | `<description>HTTP Server</description>` |
| `<port>` | Port specification | `<port protocol="tcp" port="80"/>` |
| `<protocol>` | Protocol specification | `<protocol value="gre"/>` |
| `<source-port>` | Source port | `<source-port protocol="udp" port="68"/>` |
| `<helper>` | Netfilter helper module | `<helper name="ftp"/>` |
| `<destination>` | Destination address | `<destination ipv4="224.0.0.251"/>` |

This comprehensive guide provides detailed information about managing services in firewalld, from basic operations to advanced configurations. The examples and reference tables serve as practical resources for implementing and maintaining firewall security policies effectively.
