4.5. USING FIREWALLS
The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network “zones” to assign a level of trust to a network and its associated connections and interfaces. It has support for IPv4 and IPv6 firewall settings. It supports Ethernet bridges and has a separation of runtime and permanent configuration options. It also has an interface for services or applications to add firewall rules directly.
NOTE
To expand your expertise, you might also be interested in the Red Hat Server Hardening (RH413) training course.
A graphical configuration tool, firewall-config, is used to configure firewalld, which in turn uses the iptables tool to communicate with Netfilter in the kernel, which implements packet filtering.
To use the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
The firewall-config tool has a drop-down selection menu labeled Configuration. This enables selecting between Runtime and Permanent mode. Notice that if you select Permanent, an additional row of icons will appear in the left hand corner. These icons only appear in permanent configuration mode because a service's parameters cannot be changed in runtime mode.
The firewall service provided by firewalld is dynamic rather than static because changes to the configuration can be made at any time and are immediately implemented; there is no need to save or apply the changes. No unintended disruption of existing network connections occurs as no part of the firewall has to be reloaded.
A command line client, firewall-cmd, is provided. It can be used to make permanent and non-permanent runtime changes as explained in the firewall-cmd(1) man page. Permanent changes need to be made as explained in the firewalld(1) man page. Note that the firewall-cmd command can be run by the root user and also by an administrative user, in other words, a member of the wheel group. In the latter case the command will be authorized via the polkit mechanism.
The configuration for firewalld is stored in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. This allows a great deal of flexibility as the files can be edited, written to, backed up, used as templates for other installations and so on.
Other applications can communicate with firewalld using D-Bus.
The essential differences between firewalld and the iptables service are:
- The iptables service stores configuration in /etc/sysconfig/iptables while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.
- With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no re-creating of all the rules; only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.
Both use the iptables tool to talk to the kernel packet filter.
Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool which can open the relevant NetworkManager window for you.
The zone settings, defined by the files in /usr/lib/firewalld/zones/ and overridden by any file of the same name in /etc/firewalld/zones/, are a range of preset settings which can be quickly applied to a network interface. They are listed here with a brief explanation:
- drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
- block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
- public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
- dmz: For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
- work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
- home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
- internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
- trusted: All network connections are accepted.
It is possible to designate one of these zones to be the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.
Choosing a Network Zone
The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. However, a review of the default configuration settings should be made and unnecessary services disabled according to your needs and risk assessments.
A service can be a list of local ports and destinations as well as a list of firewall helper modules automatically loaded if a service is enabled. The use of predefined services makes it easier for the user to enable and disable access to a service. Using the predefined services, or custom defined services, as opposed to opening ports or ranges of ports, may make administration easier. Service configuration options and generic file information are described in the firewalld.service(5) man page. The services are specified by means of individual XML configuration files which are named in the following format: service-name.xml.
To view the list of services using the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password. You can now view the list of services under the Services tab.
To list the default predefined services available using the command line, issue the following command as root:
~]# ls /usr/lib/firewalld/services/
Files in /usr/lib/firewalld/services/ must not be edited. Only the files in /etc/firewalld/services/ should be edited.
To list the system or user created services, issue the following command as root:
~]# ls /etc/firewalld/services/
Services can be added and removed using the graphical firewall-config tool and by editing the XML files in /etc/firewalld/services/. If a service has not been added or changed by the user, then no corresponding XML file will be found in /etc/firewalld/services/. The files in /usr/lib/firewalld/services/ can be used as templates if you want to add or change a service. As root, issue a command in the following format:
~]# cp /usr/lib/firewalld/services/[service].xml /etc/firewalld/services/[service].xml
You may then edit the newly created file. firewalld will prefer files in /etc/firewalld/services/ but will fall back to /usr/lib/firewalld/services/ should a file be deleted, but only after a reload.
firewalld has a so called “direct interface”, which enables directly passing rules to iptables, ip6tables and ebtables. It is intended for use by applications and not users. It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall. firewalld still tracks what has been added, so it is still possible to query firewalld and see the changes made by an application using the direct interface mode. The direct interface is used by adding the --direct option to the firewall-cmd command.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. If the rules are not made permanent then they need to be applied every time after receiving the start, restart, or reload message from firewalld using D-Bus.
In Red Hat Enterprise Linux 7 firewalld is installed by default. If required, to ensure that it is, enter the following command as root:
~]# yum install firewalld
The graphical user interface configuration tool firewall-config is installed by default in some versions of Red Hat Enterprise Linux 7. If required, to ensure that it is, enter the following command as root:
~]# yum install firewall-config
Stopping firewalld
To stop firewalld, enter the following command as root:
~]# systemctl stop firewalld
Note that stopping the daemon also removes the rules it installed, so the system has no packet filtering until firewalld is started again.
To prevent firewalld from starting automatically at system start, issue the following command as root:
~]# systemctl disable firewalld
Starting firewalld
To start firewalld, enter the following command as root:
~]# systemctl start firewalld
To ensure firewalld starts automatically at system start, enter the following command as root:
~]# systemctl enable firewalld
Checking if firewalld is Running
To check if firewalld is running, enter the following command:
~]$ systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2013-04-06 22:56:59 CEST; 2 days ago
 Main PID: 688 (firewalld)
   CGroup: name=systemd:/system/firewalld.service
In addition, check if firewall-cmd can connect to the daemon by entering the following command:
~]$ firewall-cmd --state
running
The firewall service, implemented by the daemon firewalld, can be configured using the graphical user interface tool firewall-config, using the command line interface tool firewall-cmd, and by editing XML configuration files. These methods will be described in order.
To start the graphical firewall-config tool, press the Super key to enter the Activities Overview, type firewall and then press Enter. The firewall-config tool appears. You will be prompted for an administrator password.
To start the graphical firewall configuration tool using the command line, enter the following command as root user:
~]# firewall-config
The Firewall Configuration window opens. Note, this command can be run as a normal user but you will then be prompted for an administrator password from time to time.
Look for the word “Connected” in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld. Note that the ICMP Types, Direct Configuration, and Lockdown Whitelist tabs are only visible after being selected from the View drop-down menu.
To immediately change the current firewall settings, ensure the current view is set to Runtime. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent from the drop-down list.
NOTE
When making changes to the firewall settings in Runtime mode, your selection takes immediate effect when you set or clear the check box associated with the service. You should keep this in mind when working on a system that may be in use by other users.
When making changes to the firewall settings in Permanent mode, your selection will only take effect when you reload the firewall or the system restarts. You can use the reload icon below the File menu, or select Reload Firewall from the menu bar.
You can select zones in the left hand side column. You will notice the zones have some services enabled, you may need to resize the window or scroll to see the full list. You can customize the settings by selecting and deselecting a service.
To add or reassign an interface of a connection to a zone, start firewall-config and select Change Zones of Connections from the menu bar's drop-down menu. The Connections list is displayed. Select the connection to be reassigned. The Select Zone for Connection window appears. Select the new firewall zone from the drop-down menu and click OK.
To set the default zone that new interfaces will be assigned to, start firewall-config and select Change Default Zone from the menu bar's drop-down menu. The Default Zone window appears. Select the zone from the list that you want to be used as the default zone and click OK.
To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.
To edit a service, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons and menu buttons appear at the bottom of the window. Select the service you want to configure.
The Ports and Protocols tab enables adding, changing, and removing of ports and protocols for the selected service. The Modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6).
To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and click the button on the right hand side. The Port and Protocol window opens. Enter the port number or range of ports to permit. Select tcp or udp from the drop-down list.
To translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address.
To forward inbound network traffic, or “packets”, for a specific port to an internal address or alternative port, first enable IP address masquerading, then select the Port Forwarding tab. Select the protocol of the incoming traffic and the port or range of ports on the upper section of the window. The lower section is for setting details about the destination.
To forward traffic to a local port (a port on the same system), select the Local forwarding check box. Enter the local port or range of ports for the traffic to be sent to.
To forward traffic to another IPv4 address, select the Forward to another port check box. Enter the destination IP address and port or port range. The default is to send to the same port if the port field is left empty. Click OK to apply the changes.
To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To edit an ICMP type, start the firewall-config tool and then select Permanent mode from the drop-down selection menu labeled Configuration. Additional icons appear at the bottom of the window.
The command line tool firewall-cmd is part of the firewalld application which is installed by default. You can verify that it is installed by checking the version or displaying the help output. Enter the following command to check the version:
~]$ firewall-cmd --version
Enter the following command to view the help output:
~]$ firewall-cmd --help
We list a selection of commands below; for a full list see the firewall-cmd(1) man page.
NOTE
In order to make a command permanent or persistent, add the --permanent option to the command (this also applies to the --direct commands, which accept --permanent as described in the direct interface section). Note that this not only means the change will be permanent but that the change will only take effect after a firewall reload, service restart, or system reboot. Settings made with firewall-cmd without the --permanent option take effect immediately, but are only valid until the next firewall reload, system boot, or firewalld service restart. Reloading the firewall does not in itself break connections, but be aware you are discarding temporary changes by doing so.
In order to make a command both persistent and take effect immediately, enter the command twice, once with the --permanent option and once without. This is preferable to adding the permanent setting and then reloading: a firewall reload takes more time than repeating a command because it has to reload all configuration files and recreate the whole firewall configuration, and while reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload.
IMPORTANT
The --permanent --add-interface option is supposed to be used only for interfaces that are not managed by the NetworkManager utility. This is because NetworkManager, or the legacy network service, adds interfaces into zones automatically according to the ZONE= directive in the ifcfg interface configuration file. See the Red Hat Enterprise Linux 7 Networking Guide for information on NetworkManager and working with ifcfg files.
To get a text display of the state of firewalld, enter the following command:
~]$ firewall-cmd --state
To view the list of active zones, with a list of the interfaces currently assigned to them, enter the following command:
~]$ firewall-cmd --get-active-zones
public
  interfaces: em1
To find out the zone that an interface, for example em1, is currently assigned to, enter the following command:
~]$ firewall-cmd --get-zone-of-interface=em1
public
To find out all the interfaces assigned to a zone, for example the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-interfaces
em1 wlan0
This information is obtained from NetworkManager and only shows interfaces, not connections.
To find out all the settings of a zone, for example the public zone, enter the following command as root:
~]# firewall-cmd --zone=public --list-all
public
  interfaces:
  services: mdns dhcpv6-client ssh
  ports:
  forward-ports:
  icmp-blocks: source-quench
To view the list of services currently loaded, enter the following command as root:
~]# firewall-cmd --get-services
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https ntp vnc-server telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
This will list the names of the predefined services loaded from /usr/lib/firewalld/services/ as well as any custom services that are currently loaded. Note that the configuration files themselves are named service-name.xml.
If custom services have been created but not loaded, they can be listed as follows:
~]# firewall-cmd --permanent --get-services
This will list all services, including custom services configured in /etc/firewalld/services/, even if they are not yet loaded.
To start dropping all incoming and outgoing packets, enter the following command as root:
~]# firewall-cmd --panic-on
All incoming and outgoing packets will be dropped. Active connections will be terminated after a period of inactivity; the time taken depends on the individual session time out values. Do not enable panic mode from a remote session such as SSH, as that session is cut off along with everything else.
To start passing incoming and outgoing packets again, enter the following command as root:
~]# firewall-cmd --panic-off
After disabling panic mode, established connections might work again if panic mode was enabled for a short period of time.
To find out if panic mode is enabled or disabled, enter the following command:
~]$ firewall-cmd --query-panic
Prints yes with exit status 0 if enabled and no with exit status 1 otherwise.
To reload the firewall without interrupting user connections (without losing state information), enter the following command as root:
~]# firewall-cmd --reload
A firewall reload involves reloading all configuration files and recreating the whole firewall configuration. While reloading, the policy for built-in chains is set to DROP for security reasons and is then reset to ACCEPT at the end. Service disruption is therefore possible during the reload.
To reload the firewall and interrupt user connections, discarding state information, enter the following command as root:
~]# firewall-cmd --complete-reload
This command should normally only be used in case of severe firewall problems. For example, if there are state information problems and no connection can be established but the firewall rules are correct.
To add an interface to a zone (for example, to add em1 to the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-interface=em1
To make this setting persistent, repeat the command adding the --permanent option.
To add an interface to a zone by editing the ifcfg-em1 configuration file (for example, to add em1 to the work zone), add the following line to ifcfg-em1 as root:
ZONE=work
Note that if you omit the ZONE option, or use ZONE=, or ZONE='', then the default zone will be used. NetworkManager will automatically reconnect and the zone will be set accordingly.
As root, open /etc/firewalld/firewalld.conf and edit the file as follows:
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Reload the firewall by entering the following command as root:
~]# firewall-cmd --reload
This will reload the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
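Both of the file edits above (ZONE= in an ifcfg file, DefaultZone= in firewalld.conf) are KEY=VALUE lines that must appear exactly once, so a configuration-management script needs an idempotent edit rather than a blind append. The following is an added example, not code from the RHEL guide: set_kv replaces an existing KEY= line or appends one, and rejects values that are not plain zone names so that a stray shell metacharacter can never land in a file that the network scripts source. The file paths are parameters so the functions can be exercised on copies; on the system they would be /etc/sysconfig/network-scripts/ifcfg-em1 (the standard RHEL 7 location, an assumption of this example since the guide only names the file ifcfg-em1) and /etc/firewalld/firewalld.conf.

```shell
# Added example; not part of the RHEL guide. POSIX sh + grep/sed.

# set_kv FILE KEY VALUE
# Replaces the first-column "KEY=" line (commented "# KEY=" lines are left
# alone) or appends "KEY=VALUE" if no such line exists. VALUE must be a
# plain zone name: letters, digits, '_' or '-'.
set_kv() {
    _file=$1; _key=$2; _val=$3
    case $_val in
        ''|*[!A-Za-z0-9_-]*) echo "set_kv: bad value '$_val'" >&2; return 2 ;;
    esac
    [ -f "$_file" ] || : >"$_file"
    if grep -q "^$_key=" "$_file"; then
        # sed -i differs between GNU and BSD sed; go through a temp file and
        # copy back so the original file's owner and mode are preserved.
        _tmp=$(mktemp) || return 1
        sed "s/^$_key=.*/$_key=$_val/" "$_file" >"$_tmp" && cat "$_tmp" >"$_file"
        rm -f "$_tmp"
    else
        printf '%s=%s\n' "$_key" "$_val" >>"$_file"
    fi
}

# get_kv FILE KEY -> current value (last uncommented occurrence)
get_kv() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# The two edits the guide describes:
set_ifcfg_zone()  { set_kv "$1" ZONE "$2"; }          # ifcfg-em1     -> ZONE=work
set_default_zone() { set_kv "$1" DefaultZone "$2"; }   # firewalld.conf -> DefaultZone=home

# Live use on a RHEL 7 host, as root:
#   set_ifcfg_zone /etc/sysconfig/network-scripts/ifcfg-em1 work   # NetworkManager reconnects
#   set_default_zone /etc/firewalld/firewalld.conf home && firewall-cmd --reload
```

For the default zone, firewall-cmd --set-default-zone (described next) is the simpler route on a live system because it takes effect without a reload; the file edit is what a build image or a configuration-management tool would ship.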
To set the default zone (to public, for example), enter the following command as root:
~]# firewall-cmd --set-default-zone=public
This change will take immediate effect and in this case it is not necessary to reload the firewall.
To list all open ports for a zone (dmz, for example), enter the following command as root:
~]# firewall-cmd --zone=dmz --list-ports
Note that this will not show ports opened as a result of the --add-service command.
To add a port to a zone (for example, to allow TCP traffic to port 8080 in the dmz zone), enter the following command as root:
~]# firewall-cmd --zone=dmz --add-port=8080/tcp
To make this setting persistent, repeat the command adding the --permanent option.
To add a range of ports to a zone (for example, to allow UDP traffic to the ports from 5060 to 5061 in the public zone), enter the following command as root:
~]# firewall-cmd --zone=public --add-port=5060-5061/udp
To make this setting persistent, repeat the command adding the --permanent option.
To add a service to a zone (for example, to allow SMTP in the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --add-service=smtp
To make this setting persistent, repeat the command adding the --permanent option.
To remove a service from a zone (for example, to remove SMTP from the work zone), enter the following command as root:
~]# firewall-cmd --zone=work --remove-service=smtp
To make this change persistent, repeat the command adding the --permanent option. This change will not break established connections. If that is your intention, you can use the --complete-reload option, but this will break all established connections, not just those for the service you have removed.
To view the default zone files, enter the following command as root:
~]# ls /usr/lib/firewalld/zones/
block.xml  drop.xml  home.xml  public.xml  work.xml
dmz.xml  external.xml  internal.xml  trusted.xml
These files must not be edited. They are used by default if no equivalent file exists in the /etc/firewalld/zones/ directory.
To view the zone files that have been changed from the default, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  public.xml.old
In the example shown above, the work zone file does not exist. To add the work zone file, enter the following command as root:
~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
You can now edit the file in the /etc/firewalld/zones/ directory. If you delete the file, firewalld will fall back to using the default file in /usr/lib/firewalld/zones/.
To add a service to a zone (for example, to allow SMTP in the work zone), add the following line to the /etc/firewalld/zones/work.xml file as root:
<service name="smtp"/>
An editor running with root privileges is required to edit the XML zone files. To view the files for previously configured zones, enter the following command as root:
~]# ls /etc/firewalld/zones/
external.xml  public.xml  work.xml
To remove a service from a zone (for example, to remove SMTP from the work zone), use an editor with root privileges to edit the /etc/firewalld/zones/work.xml file to remove the following line:
<service name="smtp"/>
If no other changes have been made to the work.xml file, it can be removed and firewalld will use the default /usr/lib/firewalld/zones/work.xml configuration file after the next reload or system boot.
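The service-file section earlier (copy a template into /etc/firewalld/services/ and edit it) and the zone-file edits just above are the two halves of one task: define what a custom service opens, then grant it in a zone. The following is an added example, not code from the RHEL guide: write_service emits a service file in the form firewalld.service(5) describes (short, description, one port element per PORT/PROTO), and zone_add_service / zone_remove_service insert or drop the <service name="..."/> line before the closing </zone> tag, exactly once, leaving the rest of the zone file untouched. The directory and file paths are parameters so the functions can be tried on a scratch copy; on the system they are /etc/firewalld/services/ and /etc/firewalld/zones/. The service name, description and ports in the usage comment are constructed for this example.

```shell
# Added example; not part of the RHEL guide. POSIX sh + grep/sed/awk.

# write_service DIR NAME DESCRIPTION PORT[/tcp|/udp]...  -> DIR/NAME.xml
# Validates every port spec before writing, so a bad argument leaves no
# half-written file for firewalld to choke on at the next reload.
write_service() {
    _dir=$1; _name=$2; _desc=$3; shift 3
    case $_name in ''|*[!A-Za-z0-9_-]*) echo "write_service: bad name '$_name'" >&2; return 2 ;; esac
    [ $# -gt 0 ] || { echo "write_service: at least one PORT/PROTO needed" >&2; return 2; }
    _lines=''
    for _p in "$@"; do
        _port=${_p%/*}; _proto=${_p#*/}
        case $_proto in tcp|udp) ;; *) echo "write_service: bad port spec '$_p'" >&2; return 2 ;; esac
        case $_port in ''|*[!0-9-]*|-*|*-) echo "write_service: bad port spec '$_p'" >&2; return 2 ;; esac
        _lines="$_lines  <port protocol=\"$_proto\" port=\"$_port\"/>
"
    done
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$_name" "$_desc"
        printf '%s' "$_lines"
        printf '</service>\n'
    } >"$_dir/$_name.xml"
}

# zone_services ZONEFILE -> names of the services the zone file grants
zone_services() { sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"; }

# zone_add_service ZONEFILE SERVICE: insert before </zone>; no-op if present
zone_add_service() {
    _file=$1; _svc=$2
    grep -q "<service name=\"$_svc\"/>" "$_file" && return 0
    _tmp=$(mktemp) || return 1
    awk -v svc="$_svc" '/^<\/zone>/ { print "  <service name=\"" svc "\"/>" } { print }' \
        "$_file" >"$_tmp" && cat "$_tmp" >"$_file"
    rm -f "$_tmp"
}

# zone_remove_service ZONEFILE SERVICE: drop the matching line if present
zone_remove_service() {
    _tmp=$(mktemp) || return 1
    grep -v "<service name=\"$2\"/>" "$1" >"$_tmp" || :
    cat "$_tmp" >"$1"; rm -f "$_tmp"
}

# Live use on a RHEL 7 host, as root (names and ports are constructed):
#   write_service /etc/firewalld/services myapp "Example application" 8080/tcp 5060-5061/udp
#   [ -f /etc/firewalld/zones/work.xml ] || cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
#   zone_add_service /etc/firewalld/zones/work.xml myapp
#   firewall-cmd --reload    # files under /etc/firewalld/ are read on reload
```

The grep in zone_add_service matches the exact self-closing form the guide shows; a zone file written by firewall-config uses the same form, so the no-op check is reliable for files produced either way.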
To check if IP masquerading is enabled (for the external zone, for example), enter the following command as root:
~]# firewall-cmd --zone=external --query-masquerade
The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If zone is omitted, the default zone will be used.
To enable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
To disable IP masquerading, enter the following command as root:
~]# firewall-cmd --zone=external --remove-masquerade
To make this setting persistent, repeat the command adding the --permanent option.
To forward inbound network packets from one port to an alternative port or address, first enable IP address masquerading for a zone (external, for example), by entering the following command as root:
~]# firewall-cmd --zone=external --add-masquerade
To forward packets to a local port (a port on the same system), enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753
In this example, the packets intended for port 22 are now forwarded to port 3753. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol must be one of either tcp or udp. The new local port (the port or range of ports to which the traffic is forwarded) is specified with the toport option. To make this setting persistent, repeat the commands adding the --permanent option.
To forward packets to another IPv4 address, usually an internal address, without changing the destination port, enter the following command as root:
~]# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to the same port at the address given with the toaddr option. The original destination port is specified with the port option, which can be a port or port range together with a protocol (tcp or udp). Because no toport is given, the destination port is left unchanged. To make this setting persistent, repeat the command adding the --permanent option.
To forward packets to another port at another IPv4 address, usually an internal address, enter the following command as root:
~]# firewall-cmd --zone=external \
    --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.0.2.55
In this example, the packets intended for port 22 are now forwarded to port 2055 at the address given with the toaddr option. The original destination port is specified with the port option. This option can be a port or port range, together with a protocol. The protocol must be one of either tcp or udp. The new destination port, the port or range of ports to which the traffic is forwarded, is specified with the toport option. To make this setting persistent, repeat the command adding the --permanent option.
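The three --add-forward-port variants above share one value syntax, port=PORT:proto=PROTO with optional toport= and toaddr= parts, and a typo in it is only reported once it reaches the daemon. The following is an added example, not code from the RHEL guide: forward_port_spec assembles that value from separate arguments and checks each part first (port and toport are numbers or ranges within 1 to 65535, proto is tcp or udp, at least one of toport/toaddr is present, toaddr is a dotted-quad IPv4 address). Restricting toaddr to IPv4 is an assumption of this example, chosen because the guide's forwarding examples and masquerading are IPv4.

```shell
# Added example; not part of the RHEL guide. POSIX sh only.

# is_port_spec N or N-M with 1 <= N <= M <= 65535
is_port_spec() {
    case $1 in ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;; esac
    _lo=${1%-*}; _hi=${1#*-}
    [ "$_lo" -ge 1 ] && [ "$_lo" -le 65535 ] && [ "$_hi" -ge "$_lo" ] && [ "$_hi" -le 65535 ]
}

# is_ipv4 A.B.C.D, each octet 0..255 (shape check; no DNS, no IPv6)
is_ipv4() {
    _ip=$1; _n=0
    case $_ip in ''|.*|*.|*..*) return 1 ;; esac
    _old_ifs=$IFS; IFS=.
    for _o in $_ip; do
        case $_o in ''|*[!0-9]*) IFS=$_old_ifs; return 1 ;; esac
        [ "$_o" -le 255 ] || { IFS=$_old_ifs; return 1; }
        _n=$((_n + 1))
    done
    IFS=$_old_ifs
    [ "$_n" -eq 4 ]
}

# forward_port_spec PORT PROTO [TOPORT] [TOADDR] -> prints the value for
# --add-forward-port, or prints a reason on stderr and returns 2.
forward_port_spec() {
    _port=$1; _proto=$2; _toport=$3; _toaddr=$4
    is_port_spec "$_port" || { echo "forward_port_spec: bad port '$_port'" >&2; return 2; }
    case $_proto in tcp|udp) ;; *) echo "forward_port_spec: proto must be tcp or udp" >&2; return 2 ;; esac
    [ -n "$_toport" ] || [ -n "$_toaddr" ] || { echo "forward_port_spec: need toport and/or toaddr" >&2; return 2; }
    _spec="port=$_port:proto=$_proto"
    if [ -n "$_toport" ]; then
        is_port_spec "$_toport" || { echo "forward_port_spec: bad toport '$_toport'" >&2; return 2; }
        _spec="$_spec:toport=$_toport"
    fi
    if [ -n "$_toaddr" ]; then
        is_ipv4 "$_toaddr" || { echo "forward_port_spec: bad toaddr '$_toaddr'" >&2; return 2; }
        _spec="$_spec:toaddr=$_toaddr"
    fi
    printf '%s\n' "$_spec"
}

# Live use on a RHEL 7 host, as root, after --add-masquerade on the zone
# (runtime first, then the same value with --permanent, as the guide says):
#   spec=$(forward_port_spec 22 tcp 2055 192.0.2.55) &&
#   firewall-cmd --zone=external --add-forward-port="$spec" &&
#   firewall-cmd --permanent --zone=external --add-forward-port="$spec"
```

Because the function returns non-zero on any bad part, the && chain in the usage comment never reaches firewall-cmd with a malformed value, and the runtime and permanent calls are guaranteed to receive the identical string.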
The configuration settings for firewalld are stored in XML files in the /etc/firewalld/ directory. Do not edit the files in the /usr/lib/firewalld/ directory (the files define the default settings). You will need root user permissions to view and edit the XML files. The XML files are explained in three man pages:
- firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
- firewalld.service(5) man page — Describes XML configuration files for firewalld service.
- firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
The XML files can be created and edited directly or created indirectly using the graphical and command line tools. Organizations can distribute them in RPM files which can make management and version control easier. Tools such as Puppet can distribute such configuration files.
It is possible to add and remove chains during runtime by using the --direct option with the firewall-cmd tool. A few examples are presented here; see the firewall-cmd(1) man page for more information.
It is dangerous to use the direct interface if you are not very familiar with iptables as you could inadvertently cause a breach in the firewall.
The direct interface mode is intended for services or applications to add specific firewall rules during runtime. The rules can be made permanent by adding the --permanent option using the firewall-cmd --permanent --direct command or by modifying /etc/firewalld/direct.xml. See the firewalld.direct(5) man page for information on the /etc/firewalld/direct.xml file.
To add a custom rule to the “IN_public_allow” chain, issue the following command as root:
~]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow \
    0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.
To remove a custom rule from the “IN_public_allow” chain, issue the following command as root:
~]# firewall-cmd --direct --remove-rule ipv4 filter IN_public_allow \
    0 -m tcp -p tcp --dport 666 -j ACCEPT
Add the --permanent option to make the setting persistent.
To list the rules in the “IN_public_allow” chain, issue the following command as root:
~]# firewall-cmd --direct --get-rules ipv4 filter IN_public_allow
Note that this command (the --get-rules option) only lists rules previously added using the --add-rule option. It does not list existing iptables rules added by other means.
With the “rich language” syntax, complex firewall rules can be created in a way that is easier to understand than the direct-interface method. In addition, the settings can be made permanent. The language uses keywords with values and is an abstract representation of iptables rules. Zones can be configured using this language; the current configuration method will still be supported.
All the commands in this section need to be run as root. The format of the command to add a rule is as follows:
firewall-cmd [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
This will add a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used. If a timeout is supplied, the rule or rules only stay active for the amount of time specified and will be removed automatically afterwards. The time value can be followed by s (seconds), m (minutes), or h (hours) to specify the unit of time. The default is seconds.
To remove a rule:
firewall-cmd [--zone=zone] --remove-rich-rule='rule'
This will remove a rich language rule rule for zone zone. This option can be specified multiple times. If the zone is omitted, the default zone is used.
To check if a rule is present:
firewall-cmd [--zone=zone] --query-rich-rule='rule'
This will return whether a rich language rule rule has been added for the zone zone. The command prints yes with exit status 0 if enabled. It prints no with exit status 1 otherwise. If the zone is omitted, the default zone is used.
For information about the rich language representation used in the zone configuration files, see the firewalld.zone(5) man page.
The format or structure of the rich rule commands is as follows:
rule [family="rule family"] [ source address="address" [invert="True"] ] [ destination address="address" [invert="True"] ] [ element ] [ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ] [ audit ] [ action ]
A rule is associated with a particular zone. A zone can have several rules. If some rules interact or contradict, the first rule that matches the packet applies.
family
- If the rule family is provided, either ipv4 or ipv6, it limits the rule to IPv4 or IPv6 respectively. If the rule family is not provided, the rule is added for both IPv4 and IPv6. If source or destination addresses are used in a rule, then the rule family needs to be provided. This is also the case for port forwarding.
Source and Destination Addresses
source
- By specifying the source address the origin of a connection attempt can be limited to the source address. A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4 or IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported. It is possible to invert the sense of the source address command by adding invert="true" or invert="yes"; all but the supplied address will match.
destination
- By specifying the destination address the target can be limited to the destination address. The destination address uses the same syntax as the source address. The use of source and destination addresses is optional and the use of a destination address is not possible with all elements. This depends on the use of destination addresses, for example in service entries.
Elements
The element can be only one of the following element types: service, port, protocol, masquerade, icmp-block and forward-port.
service
- The service element is one of the firewalld provided services. To get a list of the predefined services, issue the following command:
~]$ firewall-cmd --get-services
If a service provides a destination address, it will conflict with a destination address in the rule and will result in an error. The services using destination addresses internally are mostly services using multicast. The command takes the following form:
service name=service_name
port
- The port element can either be a single port number or a port range, for example, 5060-5062, followed by the protocol, either as tcp or udp. The command takes the following form:
port port=number_or_range protocol=protocol
protocol
- The protocol value can be either a protocol ID number or a protocol name. For allowed protocol entries, see /etc/protocols. The command takes the following form:
protocol value=protocol_name_or_ID
icmp-block
- Use this command to block one or more ICMP types. The ICMP type is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, issue the following command:
~]$ firewall-cmd --get-icmptypes
Specifying an action is not allowed here. icmp-block uses the action reject internally. The command takes the following form:
icmp-block name=icmptype_name
masquerade
- Turns on IP masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address. Specifying an action is not allowed here.
forward-port
- Forward packets from a local port with protocol specified as tcp or udp to either another port locally, to another machine, or to another port on another machine. The port and to-port can either be a single port number or a port range. The destination address is a simple IP address. Specifying an action is not allowed here. The forward-port command uses the action accept internally. The command takes the following form:
forward-port port=number_or_range protocol=protocol /
to-port=number_or_range to-addr=address
Logging
log
- Log new connection attempts to the rule with kernel logging, for example in syslog. You can define a prefix text that will be added to the log message as a prefix. Log level can be one of emerg, alert, crit, error, warning, notice, info or debug. The use of log is optional. It is possible to limit logging as follows:
log [prefix=prefix text] [level=log level] limit value=rate/duration
The rate is a natural positive number [1, ..], the duration one of s, m, h, d. s means seconds, m minutes, h hours and d days. The maximum limit value is 1/d which means at maximum one log entry per day.
audit
- Audit provides an alternative way for logging using audit records sent to the service auditd. The audit type can be one of ACCEPT, REJECT or DROP but it is not specified after the command audit as the audit type will be automatically gathered from the rule action. Audit does not have its own parameters, but limit can be added optionally. The use of audit is optional.
Action
accept|reject|drop
- An action can be one of accept, reject or drop. The rule can only contain an element or a source. If the rule contains an element, then new connections matching the element will be handled with the action. If the rule contains a source, then everything from the source address will be handled with the action specified.
accept | reject [type=reject type] | drop
With accept all new connection attempts will be granted. With reject they will be rejected and their source will get a reject message. The reject type can be set to use another value. With drop all packets will be dropped immediately and no information is sent to the source.
Logging can be done with the Netfilter log target and also with the audit target. A new chain is added to all zones with a name in the format “zone_log”, where zone is the zone name. This is processed before the deny chain in order to have proper ordering. The rules or parts of them are placed in separate chains, according to the action of the rule, as follows:
zone_log
zone_deny
zone_allow
All logging rules will be placed in the “zone_log” chain, which will be parsed first. All reject and drop rules will be placed in the “zone_deny” chain, which will be parsed after the log chain. All accept rules will be placed in the “zone_allow” chain, which will be parsed after the deny chain. If a rule contains log and also deny or allow actions, the parts of the rule that specify these actions are placed in the matching chains.
Enable new IPv4 and IPv6 connections for authentication header protocol AH:
rule protocol value="ah" accept
Allow new IPv4 and IPv6 connections for protocol FTP and log 1 per minute using audit:
rule service name="ftp" log limit value="1/m" audit accept
Allow new IPv4 connections from address 192.168.0.0/24 for protocol TFTP and log 1 per minute using syslog:
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
New IPv6 connections from 1:2:3:4:6:: for protocol RADIUS are all rejected and logged at a rate of 3 per minute. New IPv6 connections from other sources are accepted:
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
Forward IPv6 packets received from 1:2:3:4:6:: on port 4011 with protocol TCP to 1::2:3:4:7 on port 4012:
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
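The constraints listed above (a family whenever an address or port forwarding is used, one element per rule, no explicit action with masquerade, icmp-block or forward-port, a limit written as rate/duration) are easy to get wrong in a long rule string, and firewall-cmd only reports the problem when the rule is applied. The following POSIX shell function is an added example, not part of the Red Hat guide or of firewalld, that checks a rule string against those constraints before it is submitted; the regular expressions and the error texts are assumptions made for this example, and the function name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: a pre-flight check that applies
# the rich rule constraints described in this section before a rule is
# handed to firewall-cmd. It needs no running firewalld, so it can run in a
# deployment script or a CI job. POSIX sh with grep -E only.

# matches STRING ERE -> 0 if STRING matches the extended regex ERE.
matches() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# validate_rich_rule RULE -> 0 if RULE respects the documented constraints,
# otherwise 1 with the reason on stderr.
validate_rich_rule() {
    local rule elements has_action re
    rule=$1
    elements=0

    matches "$rule" '^rule([[:space:]]|$)' \
        || { echo "rule must start with the keyword 'rule'" >&2; return 1; }

    # Source/destination addresses and port forwarding require an explicit family.
    if matches "$rule" '(source|destination)[[:space:]]+address=|forward-port'; then
        matches "$rule" 'family="(ipv4|ipv6)"' \
            || { echo "address or forward-port needs family=\"ipv4\" or family=\"ipv6\"" >&2; return 1; }
    fi

    # Count element types; each is recognised by its keyword plus first attribute.
    for re in 'service[[:space:]]+name=' '(^|[[:space:]])port[[:space:]]+port=' \
              'protocol[[:space:]]+value=' '(^|[[:space:]])masquerade([[:space:]]|$)' \
              'icmp-block[[:space:]]+name=' 'forward-port[[:space:]]+'; do
        if matches "$rule" "$re"; then elements=$((elements + 1)); fi
    done
    [ "$elements" -le 1 ] || { echo "only one element type is allowed per rule" >&2; return 1; }

    # A rule must carry either an element or a source address.
    [ "$elements" -eq 1 ] || matches "$rule" 'source[[:space:]]+address=' \
        || { echo "rule needs an element or a source" >&2; return 1; }

    # masquerade, icmp-block and forward-port fix their own action; an explicit one is an error.
    has_action=0
    if matches "$rule" '(^|[[:space:]])(accept|reject([[:space:]]+type="[^"]*")?|drop)$'; then
        has_action=1
    fi
    if matches "$rule" '(^|[[:space:]])(masquerade|icmp-block|forward-port)([[:space:]]|$)'; then
        [ "$has_action" -eq 0 ] \
            || { echo "no action allowed with masquerade, icmp-block or forward-port" >&2; return 1; }
    else
        [ "$has_action" -eq 1 ] || { echo "rule must end with accept, reject or drop" >&2; return 1; }
    fi

    # A log/audit limit must be rate/duration with duration s, m, h or d and rate >= 1.
    if matches "$rule" 'limit[[:space:]]+value='; then
        matches "$rule" 'limit[[:space:]]+value="[1-9][0-9]*/[smhd]"' \
            || { echo "limit value must look like rate/duration, for example 1/m" >&2; return 1; }
    fi
    return 0
}
```

Called as `validate_rich_rule 'rule ...' && firewall-cmd --add-rich-rule='rule ...'`, the check rejects a rule with a source address but no family, a rule carrying two elements, or an explicit action after masquerade, before firewall-cmd is ever invoked. It is a syntactic guard only; firewalld remains the authority on whether the rule is accepted.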
Local applications or services are able to change the firewall configuration if they are running as root (for example, libvirt). With this feature, the administrator can lock the firewall configuration so that either no applications, or only applications that are added to the lockdown whitelist, are able to request firewall changes. The lockdown settings default to disabled. If enabled, the user can be sure that there are no unwanted configuration changes made to the firewall by local applications or services.
Using an editor running as root, add the following line to the /etc/firewalld/firewalld.conf file as follows:
Lockdown=yes
Reload the firewall using the following command as root:
~]# firewall-cmd --reload
Try to enable the imaps service in the default zone using the following command as an administrative user (a user in the wheel group; usually the first user on the system). You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
Error: ACCESS_DENIED: lockdown is enabled
To enable the use of firewall-cmd, issue the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*'
Add the --permanent option if you want to make it persistent.
Reload the firewall as root:
~]# firewall-cmd --reload
Try to enable the imaps service again in the default zone by entering the following command as an administrative user. You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
This time the command succeeds.
To query whether lockdown is enabled, enter the following command as root:
~]# firewall-cmd --query-lockdown
Prints yes with exit status 0, if lockdown is enabled, prints no with exit status 1 otherwise.
To enable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-on
To disable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-off
The lockdown whitelist can contain commands, security contexts, users and user IDs. If a command entry on the whitelist ends with an asterisk “*”, then all command lines starting with that command will match. If the “*” is not there then the absolute command including arguments must match.
The context is the security (SELinux) context of a running application or service. To get the context of a running application use the following command:
~]$ ps -e --context
That command returns all running applications. Pipe the output through the grep tool to get the application of interest. For example:
~]$ ps -e --context | grep example_program
To list all command lines that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-commands
To add a command command to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To remove a command command from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To query whether the command command is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all security contexts that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-contexts
To add a context context to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To remove a context context from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To query whether the context context is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-context=context
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user IDs that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-uids
To add a user ID uid to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To remove a user ID uid from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To query whether the user ID uid is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-uid=uid
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
To list all user names that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-users
To add a user name user to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To remove a user name user from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To query whether the user name user is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-user=user
Prints yes with exit status 0, if true, prints no with exit status 1 otherwise.
The default whitelist configuration file contains the NetworkManager context and the default context of libvirt. Also the user ID 0 is in the list.
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
  <user id="0"/>
</whitelist>
Here follows an example whitelist configuration file enabling all commands for the firewall-cmd utility, for a user called user whose user ID is 815:
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
In this example we have shown both user id and user name but only one is required. Python is the interpreter and therefore prepended to the command line. You can also use a very specific command, for example:
/usr/bin/python /bin/firewall-cmd --lockdown-on
In that example only the --lockdown-on command will be allowed.
NOTE
In Red Hat Enterprise Linux 7, all utilities are now placed in /usr/bin/ and the /bin/ directory is sym-linked to the /usr/bin/ directory. In other words, although the path for firewall-cmd when run as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location but be aware that if scripts that run as root have been written to use the /bin/firewall-cmd path then that command path must be whitelisted in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
The “*” at the end of the name attribute of a command means that all commands that start with this string will match. If the “*” is not there then the absolute command including arguments must match.
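To see which command lines a given whitelist entry admits, the following POSIX shell functions, an added example that is not part of the guide or of firewalld, apply the matching rule stated above (trailing “*” means prefix match, otherwise the whole command line including arguments must be identical) to a constructed whitelist assembled from the entries shown in this section. The whitelist content, the function names and the command lines in the usage note are assumptions for the example; firewalld performs the real check on the calling process, so this only models the matching rule.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: models how <command name="..."/>
# entries of the lockdown whitelist match a command line, so an administrator
# can see what an entry admits before editing the whitelist file.

# Constructed sample whitelist built from the entries shown in this section.
SAMPLE_WHITELIST='<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /usr/bin/firewall-cmd*"/>
  <command name="/usr/bin/python /bin/firewall-cmd --lockdown-on"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="0"/>
</whitelist>'

# whitelist_commands XML -> prints one command entry (the name attribute) per line.
whitelist_commands() {
    printf '%s\n' "$1" | sed -n 's/.*<command name="\([^"]*\)".*/\1/p'
}

# entry_matches ENTRY CMDLINE -> 0 if CMDLINE is admitted by ENTRY.
# A trailing "*" makes the entry a prefix match; otherwise the absolute
# command line, arguments included, must be identical.
entry_matches() {
    entry=$1
    cmdline=$2
    case "$entry" in
        *\*)
            prefix=${entry%\*}
            case "$cmdline" in
                "$prefix"*) return 0 ;;
            esac
            ;;
        *)
            [ "$cmdline" = "$entry" ] && return 0
            ;;
    esac
    return 1
}

# matching_entry XML CMDLINE -> prints the first command entry that admits CMDLINE.
matching_entry() {
    whitelist_commands "$1" | while IFS= read -r entry; do
        if entry_matches "$entry" "$2"; then printf '%s\n' "$entry"; break; fi
    done
}

# cmdline_whitelisted XML CMDLINE -> 0 if some command entry admits CMDLINE.
cmdline_whitelisted() {
    [ -n "$(matching_entry "$1" "$2")" ]
}
```

With this sample, `cmdline_whitelisted "$SAMPLE_WHITELIST" '/usr/bin/python -Es /usr/bin/firewall-cmd --add-service=imaps'` succeeds through the wildcard entry, while the same command through `/bin/firewall-cmd` does not, which is exactly the path distinction the note above warns about; the exact entry admits `--lockdown-on` and nothing else.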
To use the iptables and ip6tables services instead of firewalld, first disable firewalld by running the following commands as root:
~]# systemctl disable firewalld
~]# systemctl stop firewalld
Then install the iptables-services package by entering the following command as root:
~]# yum install iptables-services
The iptables-services package contains the iptables service and the ip6tables service.
Then, to start the iptables and ip6tables services, run the following commands as root:
~]# systemctl start iptables
~]# systemctl start ip6tables
To enable the services to start on every system start, enter the following commands:
~]# systemctl enable iptables
~]# systemctl enable ip6tables
The ipset utility is used to administer IP sets in the Linux kernel. An IP set is a framework for storing IP addresses, port numbers, IP and MAC address pairs, or IP address and port number pairs. The sets are indexed in such a way that very fast matching can be made against a set even when the sets are very large. IP sets enable simpler and more manageable configurations as well as providing performance advantages when using iptables. The iptables matches and targets referring to sets create references which protect the given sets in the kernel. A set cannot be destroyed while there is a single reference pointing to it.
The use of ipset enables iptables commands, such as those below, to be replaced by a set:
~]# iptables -A INPUT -s 10.0.0.0/8 -j DROP
~]# iptables -A INPUT -s 172.16.0.0/12 -j DROP
~]# iptables -A INPUT -s 192.168.0.0/16 -j DROP
The set is created as follows:
~]# ipset create my-block-set hash:net
~]# ipset add my-block-set 10.0.0.0/8
~]# ipset add my-block-set 172.16.0.0/12
~]# ipset add my-block-set 192.168.0.0/16
The set is then referenced in an iptables command as follows:
~]# iptables -A INPUT -m set --match-set my-block-set src -j DROP
If the set is used more than once a saving in configuration time is made. If the set contains many entries a saving in processing time is made.
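The following POSIX shell script is an added example, not code from the guide or from ipset, that models what the set match above decides for a source address: a hash:net set matches a packet whose address falls inside any stored network. It uses shell arithmetic only, so the set semantics can be checked without loading anything into the kernel. The set contents are the three networks above (constructed here as a shell variable) and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: a pure-shell model of the
# decision "-m set --match-set my-block-set src" makes for an IPv4 source
# address against a hash:net set. Nothing here touches the kernel.

# Constructed members of the sample set from this section, one CIDR per line.
MY_BLOCK_SET='10.0.0.0/8
172.16.0.0/12
192.168.0.0/16'

# ip4_to_int DOTTED -> prints the 32-bit integer value of an IPv4 address.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR CIDR -> 0 if ADDR lies inside the network CIDR.
in_net() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    # 4294967295 is 0xFFFFFFFF; the shift builds the network mask.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# set_matches SET ADDR -> 0 and prints the first member network containing
# ADDR; 1 with no output when no member contains it (the packet would not
# be dropped by the rule above).
set_matches() {
    printf '%s\n' "$1" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        if in_net "$2" "$cidr"; then printf '%s\n' "$cidr"; break; fi
    done | grep .
}
```

Run as `set_matches "$MY_BLOCK_SET" 172.20.1.1`, the function prints `172.16.0.0/12`, the member that would cause the DROP; for `8.8.8.8` it prints nothing and returns 1. The same `in_net` helper shows why the bitmap:ip examples later in this section store whole networks when a netmask is given.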
To use IP sets with firewalld, a permanent direct rule is required to reference the set, and a custom service must be created and started before firewalld starts for every ipset. You can add permanent direct rules with the /etc/firewalld/direct.xml file.
Procedure 4.1. Configuring a Custom Service for an IP Set
Configure a custom service to create and load the IP set structure before firewalld starts.
- Using an editor running as root, create a file as follows:
~]# vi /etc/systemd/system/ipset_name.service
[Unit]
Description=ipset_name
Before=firewalld.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ipset_name.sh start
ExecStop=/usr/local/bin/ipset_name.sh stop
[Install]
WantedBy=basic.target
- Use the IP set permanently in firewalld:
~]# vi /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set ipset_name src -j DROP</rule>
</direct>
- A firewalld reload is required to activate the changes:
~]# firewall-cmd --reload
This will reload the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
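The unit file in the procedure runs /usr/local/bin/ipset_name.sh with start and stop, but the procedure does not show that script. The following POSIX shell script is an added example of what it can contain; it is not part of the guide, and the set name (the guide's placeholder ipset_name), the set type and the constructed member list are assumptions to be replaced with the administrator's own values. The start action feeds a batch to ipset restore so the whole set is loaded in one pass before firewalld's direct rule references it.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: one possible body for the
# /usr/local/bin/ipset_name.sh script called by the unit in Procedure 4.1.
# Set name, type and members are placeholders (assumptions) for the example.

SET_NAME=ipset_name
SET_TYPE=hash:net
# Constructed sample members: the three private ranges used earlier in
# this section.
SET_MEMBERS='10.0.0.0/8
172.16.0.0/12
192.168.0.0/16'

# start_batch -> prints the batch that "ipset restore" reads on stdin:
# one create line followed by one add line per member.
start_batch() {
    printf 'create %s %s\n' "$SET_NAME" "$SET_TYPE"
    printf '%s\n' "$SET_MEMBERS" | while IFS= read -r net; do
        [ -n "$net" ] && printf 'add %s %s\n' "$SET_NAME" "$net"
    done
}

# do_start -> loads the set in one pass; -exist keeps a repeated start from
# failing when the set and its members already exist.
do_start() {
    start_batch | ipset -exist restore
}

# do_stop -> removes the set. destroy is refused while an iptables rule
# still references the set (see the reference counting described above),
# which is why the unit is ordered Before=firewalld.service and is
# therefore stopped after firewalld has released its rules.
do_stop() {
    ipset flush "$SET_NAME" && ipset destroy "$SET_NAME"
}

case "${1:-}" in
    start) do_start ;;
    stop)  do_stop ;;
    "")    ;;   # no argument (for example when sourced): only define the functions
    *)     echo "usage: $0 {start|stop}" >&2; exit 2 ;;
esac
```

The script keeps the member list in one place so that `start_batch` can be inspected (`sh ipset_name.sh` followed by a call to the function) without privileges; only `do_start` and `do_stop` need root and a loaded ip_set kernel module.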
To install the ipset utility, issue the following command as root:
~]# yum install ipset
To see the usage message:
~]$ ipset --help
ipset v6.11
Usage: ipset [options] COMMAND
output truncated
The format of the ipset command is as follows:
ipset [options] command [command-options]
Where command is one of:
create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | -
Allowed options are:
-exist | -output [ plain | save | xml ] | -quiet | -resolve | -sorted | -name | -terse
The create command is used to create a new data structure to store a set of IP data. The add command adds new data to the set; the data added is referred to as an element of the set.
The -exist option suppresses the error message if the element already exists, and it has a special role in updating a timeout value. To change a timeout, use the ipset add command and specify all the data for the element again, changing only the timeout value as required, and using the -exist option.
The test option is for testing if the element already exists within a set.
The format of the create command is as follows:
ipset create set-name type-name [create-options]
The set-name is a suitable name chosen by the user, the type-name is the name of the data structure used to store the data comprising the set. The format of the type-name is as follows:
method:datatype[,datatype[,datatype]]
The allowed methods for storing data are:
bitmap | hash | list
The allowed data types are:
ip | net | mac | port | iface
When adding, deleting, or testing entries in a set, the same comma separated data syntax must be used for the data that makes up one entry, or element, in the set. For example:
ipset add set-name ipaddr,portnum,ipaddr
NOTE
A set cannot contain IPv4 and IPv6 addresses at the same time. When a set is created it is bound to a family, inet for IPv4 or inet6 for IPv6, and the default is inet.
Example 4.2. Create an IP Set
To create an IP set consisting of a source IP address, a port, and destination IP address, issue a command as follows:
~]# ipset create my-set hash:ip,port,ip
Once the set is created, entries can be added as follows:
~]# ipset add my-set 192.168.1.2,80,192.168.2.2
~]# ipset add my-set 192.168.1.2,443,192.168.2.2
The set types have the following optional parameters in common. They must be specified when the set is created in order for them to be used:
- timeout — The value given with the create command will be the default value for the set created. If a value is given with the add command, it will be the initial non-default value for the element.
- counters — If the option is given with the create command then packet and byte counters are created for every element in the set. If no value is given with the add command then the counters start from zero.
- comment — If the option is given with the create command then a quoted string of text can be passed with the add command to document the purpose of the element being added. Note that quotation marks are not allowed within the string, and escape characters will have no effect within IP set.
Example 4.3. List an IP Set
To list the contents of a specific IP Set,
my-set
, issue a command as follows:
~]# ipset list my-set
Name: my-set
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8360
References: 0
Members:
192.168.1.2,tcp:80,192.168.2.2
192.168.1.2,tcp:443,192.168.2.2
Omit the set name to list all sets.
Example 4.4. Test the Elements of an IP Set
Listing the contents of large sets is time consuming. You can test for the existence of an element as follows:
~]# ipset test my-set 192.168.1.2,80,192.168.2.2
192.168.1.2,tcp:80,192.168.2.2 is in set my-set.
bitmap:ip
- Stores an IPv4 host address, a network range, or IPv4 network addresses with the prefix length in CIDR notation if the netmask option is used when the set is created. It can optionally store a timeout value, a counter value, and a comment. It can store up to 65536 entries. The command to create the bitmap:ip set has the following format:
ipset create set-name bitmap:ip range start_ipaddr-end_ipaddr | ipaddr/prefix-length [netmask prefix-length] [timeout value] [counters] [comment]
Example 4.5. Create an IP Set for a Range of Addresses Using a Prefix Length
To create an IP set for a range of addresses using a prefix length, make use of the
bitmap:ip
set type as follows:
~]# ipset create my-range bitmap:ip range 192.168.33.0/28
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.33.1
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
To add a range of addresses:
~]# ipset add my-range 192.168.33.2-192.168.33.4
Review the members of the list:
~]# ipset list my-range
Name: my-range
Type: bitmap:ip
Header: range 192.168.33.0-192.168.33.15
Size in memory: 84
References: 0
Members:
192.168.33.1
192.168.33.2
192.168.33.3
192.168.33.4
Example 4.6. Create an IP Set for a Range of Addresses Using a Netmask
To create an IP set for a range of addresses using a netmask, make use of the bitmap:ip set type as follows:
~]# ipset create my-big-range bitmap:ip range 192.168.124.0-192.168.126.0 netmask 24
Once the set is created, entries can be added as follows:
~]# ipset add my-big-range 192.168.124.0
If you attempt to add an address, the range containing that address will be added:
~]# ipset add my-big-range 192.168.125.150
~]# ipset list my-big-range
Name: my-big-range
Type: bitmap:ip
Header: range 192.168.124.0-192.168.126.255 netmask 24
Size in memory: 84
References: 0
Members:
192.168.124.0
192.168.125.0
bitmap:ip,mac
- Stores an IPv4 address and a MAC address as a pair. It can store up to 65536 entries.
ipset create my-range bitmap:ip,mac range start_ipaddr-end_ipaddr | ipaddr/prefix-length [timeout value ] [counters] [comment]
Example 4.7. Create an IP Set for a Range of IPv4 MAC Address Pairs
To create an IP set for a range of IPv4 MAC address pairs, make use of the
bitmap:ip,mac
set type as follows:
~]# ipset create my-range bitmap:ip,mac range 192.168.1.0/24
It is not necessary to specify a MAC address when creating the set.
Once the set is created, entries can be added as follows:
~]# ipset add my-range 192.168.1.1,12:34:56:78:9A:BC
bitmap:port
- Stores a range of ports. It can store up to 65536 entries.
ipset create my-port-range bitmap:port range start_port-end_port [timeout value ] [counters] [comment]
The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. The protocol can optionally be specified together with the port. The proto only needs to be specified if a service name is used, and that name does not exist as a TCP service.
Example 4.8. Create an IP Set for a Range of Ports
To create an IP set for a range of ports, make use of the
bitmap:port
set type as follows:
~]# ipset create my-permitted-port-range bitmap:port range 1024-49151
Once the set is created, entries can be added as follows:
~]# ipset add my-permitted-port-range 5060-5061
hash:ip
- Stores a host or network address in the form of a hash. By default, an address specified without a network prefix length is a host address. The all-zero IP address cannot be stored.
ipset create my-addresses hash:ip [family[ inet | inet6 ]] [hashsize value] [maxelem value ] [netmask prefix-length] [timeout value ]
The inet family is the default; if family is omitted addresses will be interpreted as IPv4 addresses. The hashsize value is the initial hash size to use and defaults to 1024. The maxelem value is the maximum number of elements which can be stored in the set; it defaults to 65536. The netfilter tool searches for the most specific network prefix; that is, it tries to find the smallest block of addresses that match.
Example 4.9. Create an IP Set for IP Addresses
To create an IP set for IP addresses, make use of the
hash:ip
set type as follows:
~]# ipset create my-addresses hash:ip
Once the set is created, entries can be added as follows:
~]# ipset add my-addresses 10.10.10.0
If additional options such as netmask and timeout are required, they must be specified when the set is created. For example:
~]# ipset create my-busy-addresses hash:ip maxelem 24 netmask 28 timeout 100
The maxelem option restricts the total number of elements in the set, thus conserving memory space.
The timeout option means that elements will only exist in the set for the number of seconds specified. For example:
~]# ipset add my-busy-addresses 192.168.60.0 timeout 100
The following output shows the time counting down:
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 90
~]# ipset list my-busy-addresses
Name: my-busy-addresses
Type: hash:ip
Header: family inet hashsize 1024 maxelem 24 netmask 28 timeout 100
Size in memory: 8300
References: 0
Members:
192.168.60.0 timeout 83
The element will be removed from the set when the timeout period ends.
See the ipset(8) manual page for more examples.
The following sources of information provide additional resources regarding firewalld.
- firewalld(1) man page — Describes command options for firewalld.
- firewalld.conf(5) man page — Contains information to configure firewalld.
- firewall-cmd(1) man page — Describes command options for the firewalld command line client.
- firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
- firewalld.service(5) man page — Describes XML configuration files for firewalld service.
- firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
- firewalld.direct(5) man page — Describes the firewalld direct interface configuration file.
- firewalld.lockdown-whitelist(5) man page — Describes the firewalld lockdown whitelist configuration file.
- firewalld.richlanguage(5) man page — Describes the firewalld rich language rule syntax.
- firewalld.zones(5) man page — General description of what zones are and how to configure them.