Firewalld

Cheatsheet

1. Install Firewalld

  • Ensure Firewalld is installed and running on your system.

2. Manage Firewalld Service

  • Start, enable, stop, or disable the Firewalld service.

3. Configure Zones

  • Define and manage zones to control the trust level of network connections.

4. Manage Services

  • Allow, deny, or customize services in zones.

5. Manage Ports

  • Open or close specific ports in zones.

6. Manage Interfaces

  • Assign network interfaces to zones.

7. Manage Sources

  • Assign specific IP addresses or subnets to zones.

8. Manage ICMP Blocks

  • Allow or deny ICMP messages in zones.

9. Manage Masquerading and Port Forwarding

  • Configure NAT and port forwarding.

10. Manage Rich Rules

  • Use rich rules for more detailed control over traffic.

20 Real Examples for Hardening with Firewalld

1. Install Firewalld

sudo yum install firewalld

2. Start and Enable Firewalld

sudo systemctl start firewalld
sudo systemctl enable firewalld

3. Get Active Zone

sudo firewall-cmd --get-active-zones

4. Change Default Zone

sudo firewall-cmd --set-default-zone=home

5. Add Service to Zone

sudo firewall-cmd --zone=public --add-service=http --permanent

6. Remove Service from Zone

sudo firewall-cmd --zone=public --remove-service=http --permanent

7. Add Port to Zone

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

8. Remove Port from Zone

sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent

9. Reload Firewalld

sudo firewall-cmd --reload

10. Add Interface to Zone

sudo firewall-cmd --zone=public --add-interface=eth0 --permanent

11. Add Source to Zone

sudo firewall-cmd --zone=public --add-source=192.168.1.0/24 --permanent

12. Enable Masquerading

sudo firewall-cmd --zone=public --add-masquerade --permanent

13. Add Forward Port

sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

14. Add ICMP Block

sudo firewall-cmd --zone=public --add-icmp-block=echo-request --permanent

15. Create Custom Service

  • Define a custom service XML file and place it in /etc/firewalld/services/.

16. Add Custom Service to Zone

sudo firewall-cmd --zone=public --add-service=custom-service --permanent
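Steps 15 and 16 worked end to end, as an added shell example that is not part of the original cheatsheet: a function that writes a service definition in the XML layout firewalld reads from /etc/firewalld/services/ (with input validation and XML escaping), a helper that reads the port back as a sanity check, and the reload and --add-service commands. The service name custom-service, port 8443/tcp and the description are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the cheatsheet: build a custom firewalld service
# file (step 15) and register it in a zone (step 16). Name, port and
# description below are constructed sample values.
set -e

# make_firewalld_service NAME PORT PROTO DESCRIPTION OUTDIR
# Writes OUTDIR/NAME.xml in the layout firewalld expects under
# /etc/firewalld/services/. Returns 1 on invalid input.
make_firewalld_service() {
  name=$1 port=$2 proto=$3 outdir=$5
  # service name must be a simple token; port numeric and in range;
  # protocol one firewalld accepts
  case $name in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac
  case $port in ""|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  # escape XML metacharacters so free text cannot break the document
  desc=$(printf '%s' "$4" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
  mkdir -p "$outdir"
  cat > "$outdir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# service_port NAME OUTDIR: prints PORT/PROTO recorded in the XML file,
# a quick sanity check before asking firewalld to reload.
service_port() {
  sed -n 's|.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*|\2/\1|p' "$2/$1.xml"
}

main() {
  make_firewalld_service custom-service 8443 tcp \
    "Constructed sample: internal admin API" /etc/firewalld/services
  service_port custom-service /etc/firewalld/services
  sudo firewall-cmd --reload                 # let firewalld see the new file
  sudo firewall-cmd --info-service=custom-service
  sudo firewall-cmd --zone=public --add-service=custom-service --permanent
  sudo firewall-cmd --reload
}

# run the live steps only when explicitly asked: sh this_script.sh run
if [ "${1:-}" = run ]; then main; fi
```

The live firewall-cmd calls only run when the script is invoked with the argument run, so the file-writing functions can be exercised against a scratch directory first.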

17. Add Rich Rule

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept' --permanent

18. Remove Rich Rule

sudo firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.100" accept' --permanent

19. Query Service in Zone

sudo firewall-cmd --zone=public --query-service=http

20. List All Configurations

sudo firewall-cmd --list-all-zones
