Difference between revisions of "Additional Firewall-Cmd Commands"

 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
''# Basic firewall-cmd setups''
+
''<span style="color:#009999"># Basic firewall-cmd setups</span>''<syntaxhighlight lang="shell">
 +
sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent
 +
sudo firewall-cmd --reload
 +
</syntaxhighlight>''<span style="color:#009999"># Zimbra firewall-cmd setups</span>''<syntaxhighlight lang="shell">
 +
sudo firewall-cmd --zone=public --add-port=25/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=110/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=143/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=465/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=587/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=993/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=995/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=7025/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=7071/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=7110/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=7143/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=7993/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=7995/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
 +
sudo firewall-cmd --zone=public --add-port=9071/tcp --permanent
 +
sudo firewall-cmd --reload
 +
</syntaxhighlight>''<span style="color:#009999"><nowiki>#</nowiki> Query Firewall Settings</span>''<syntaxhighlight lang="shell">
 +
firewall-cmd --list-all
 +
firewall-cmd --list-all-zones
 +
firewall-cmd --get-default-zone
 +
firewall-cmd --get-active-zones
 +
firewall-cmd --list-services
 +
firewall-cmd --list-ports
 +
firewall-cmd --zone=public --list-services
 +
firewall-cmd --zone=internal --list-services
 +
</syntaxhighlight>''<span style="color:#009999"><nowiki>#</nowiki> Add Permanently to Public Zone''
 +
 
 +
<code>sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https && sudo firewall-cmd --reload</code>
 +
''<span style="color:#009999"># Add Temporarily to Internal Zone</span>''<syntaxhighlight lang="shell">
 +
firewall-cmd --zone=internal --add-service=ssh
 +
firewall-cmd --zone=internal --add-source=53.52.51.50/16 --permanent
 +
firewall-cmd --zone=internal --add-source=100.99.98.97/16 --permanent
 +
firewall-cmd --zone=public --remove-service=ssh
 +
firewall-cmd --zone=public --remove-port=22/tcp
 +
</syntaxhighlight>''<span style="color:#009999"># Commit Temporary Changes Permanently</span>''
 +
<code>firewall-cmd --runtime-to-permanent</code>
 +
 
 +
''<span style="color:#009999"># Remove an IP from Allowed IPs</span>''
 +
 
 +
<code>firewall-cmd --zone=internal --remove-source=100.99.98.97/16</code>
 +
 
 +
''<span style="color:#009999"># DOCKER FIREWALLD</span>''
 +
 
 +
''<span style="color:#009999"># Masquerading allows for docker ingress and egress (this is the juicy bit)</span>''
 +
 
 +
<code>firewall-cmd --zone=public --add-masquerade --permanent</code>
  
<code>sudo firewall-cmd --zone=public --add-port=22/tcp --permanent</code>
+
''<span style="color:#009999"># Specifically allow incoming traffic on port 80/443 (nothing new here)</span>''
  
<code>sudo firewall-cmd --zone=public --add-port=80/tcp --permanent</code>
+
<code>firewall-cmd --zone=public --add-port=80/tcp</code>
  
<code>sudo firewall-cmd --zone=public --add-port=443/tcp --permanent</code>
+
<code>firewall-cmd --zone=public --add-port=443/tcp</code>
  
<code>sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent</code>
+
''<span style="color:#009999"># Reload firewall to apply permanent rules</span>''
  
<code>sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent</code>
+
<code>firewall-cmd --reload</code>
  
<code>sudo firewall-cmd --reload</code>
+
''<span style="color:#009999"># docker firewalld 2</span>''
 +
 
 +
''<span style="color:#009999"># Check what interface docker is using, e.g. 'docker0'</span>''
 +
 
 +
<code>ip link show</code>
 +
 
 +
''<span style="color:#009999"># Check available firewalld zones, e.g. 'public'</span>''
  
<nowiki>#</nowiki> Query Firewall Settings
+
<code>sudo firewall-cmd --get-active-zones</code>
  
<code>firewall-cmd --list-all</code>
+
''<span style="color:#009999"># Check what zone the docker interface it bound to, most likely 'no zone' yet</span>''
  
<code>firewall-cmd --list-all-zones</code>
+
<code>sudo firewall-cmd --get-zone-of-interface=docker0</code>
  
<code>firewall-cmd --get-default-zone</code>
+
''<span style="color:#009999"># So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload</span>''
  
<code>firewall-cmd --get-active-zones</code>
+
<code>sudo nmcli connection modify docker0 connection.zone public</code>
  
<code>firewall-cmd --list-services</code>
+
''<span style="color:#009999"># Masquerading allows for docker ingress and egress (this is the juicy bit)</span>''
  
<code>firewall-cmd --list-ports</code>
+
<code>sudo firewall-cmd --zone=public --add-masquerade --permanent</code>
  
<code>firewall-cmd --zone=public --list-services</code>
+
''<span style="color:#009999"># Optional open required incomming ports (wasn't required in my tests)</span>''
  
<code>firewall-cmd --zone=internal --list-services</code>
+
<code>sudo firewall-cmd --zone=public --add-port=443/tcp</code>
  
<nowiki>#</nowiki> Add Permanently to Public Zone
+
''<span style="color:#009999"># Reload firewalld</span>''
  
<code>sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https
+
<code>sudo firewall-cmd --reload</code>
sudo firewall-cmd --reload</code>
 
# Add Temporarily to Internal Zone
 
firewall-cmd --zone=internal --add-service=ssh
 
firewall-cmd --zone=internal --add-source=154.160.26.149/16
 
firewall-cmd --zone=internal --add-source=102.176.65.133/16
 
firewall-cmd --zone=public --remove-service=ssh
 
firewall-cmd --zone=public --remove-port=22/tcp
 
# Commit Temporary Changes Permanently
 
firewall-cmd --runtime-to-permanent
 
# Remove an IP from Allowed IPs
 
firewall-cmd --zone=internal --remove-source=102.176.65.133/16
 
#DOCKER FIREWALLD
 
# Masquerading allows for docker ingress and egress (this is the juicy bit)
 
firewall-cmd --zone=public --add-masquerade --permanent
 
# Specifically allow incoming traffic on port 80/443 (nothing new here)
 
firewall-cmd --zone=public --add-port=80/tcp
 
firewall-cmd --zone=public --add-port=443/tcp
 
  
 +
''<span style="color:#009999"># Reload dockerd</span>''
  
# Reload firewall to apply permanent rules
+
<code>sudo systemctl restart docker</code>
firewall-cmd --reload
 
# docker firewalld 2
 
# Check what interface docker is using, e.g. 'docker0'
 
ip link show
 
# Check available firewalld zones, e.g. 'public'
 
sudo firewall-cmd --get-active-zones
 
# Check what zone the docker interface it bound to, most likely 'no zone' yet
 
sudo firewall-cmd --get-zone-of-interface=docker0
 
# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload
 
sudo nmcli connection modify docker0 connection.zone public
 
# Masquerading allows for docker ingress and egress (this is the juicy bit)
 
sudo firewall-cmd --zone=public --add-masquerade --permanent
 
# Optional open required incomming ports (wasn't required in my tests)
 
# sudo firewall-cmd --zone=public --add-port=443/tcp
 
# Reload firewalld
 
sudo firewall-cmd --reload
 
# Reload dockerd
 
sudo systemctl restart docker
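Review bot: In the new "Add Temporarily to Internal Zone" block, `firewall-cmd --zone=internal --add-source=53.52.51.50/16 --permanent` (and the second `--add-source`) write only the saved configuration and do nothing at runtime until a reload, while `firewall-cmd --zone=public --remove-service=ssh` and `--remove-port=22/tcp` two lines later are runtime changes; between those steps ssh is closed on public and not yet reachable from the listed sources, which can lock out the session running the commands. Either drop `--permanent` from the two `--add-source` lines so the later `firewall-cmd --runtime-to-permanent` commits the whole set, or reload before touching the public zone, and verify a fresh ssh login from an allowed source before removing the service. The same runtime/permanent mix appears in the docker section: `firewall-cmd --zone=public --add-port=80/tcp` and `--add-port=443/tcp` are runtime-only and the `firewall-cmd --reload` that follows discards them, so they need `--permanent`; the later `sudo firewall-cmd --zone=public --add-port=443/tcp` before `sudo firewall-cmd --reload` has the same problem. Note also that the /16 on `--add-source=53.52.51.50/16` admits the whole 53.52.0.0/16 network, which is wider than the "Remove an IP from Allowed IPs" heading suggests; use /32 if a single host is intended.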
 

Latest revision as of 06:59, 1 September 2021

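# firewall-cmd cheat sheet.
# Each "# ..." section below is an independent recipe; do not run this file
# top to bottom (the "internal zone" recipe, for example, removes ssh from
# the public zone). Two rules that matter for every command here:
#   * --permanent edits the saved configuration only; it takes effect after
#     --reload.
#   * without --permanent a change is runtime-only and is discarded by the
#     next --reload unless --runtime-to-permanent is run first.
# firewall-cmd needs root, so sudo is used throughout.

# Basic firewall-cmd setups
# Opens the listed TCP ports in the public zone (saved config), then reloads
# so the saved config becomes the running one.
for port in 22 80 443 8080 10000; do
  sudo firewall-cmd --zone=public --add-port="${port}/tcp" --permanent
done
sudo firewall-cmd --reload

# Zimbra firewall-cmd setups
# NOTE(review): 7071 and 9071 are the Zimbra admin console ports -- confirm
# they really need to be reachable from the public zone rather than from a
# zone restricted to admin source addresses.
for port in 25 80 110 143 443 465 587 993 995 7025 7071 7110 7143 7993 7995 8080 8443 9071; do
  sudo firewall-cmd --zone=public --add-port="${port}/tcp" --permanent
done
sudo firewall-cmd --reload

# Query Firewall Settings
# Read-only. Without --permanent these report the runtime state, which can
# differ from the saved configuration until a reload.
sudo firewall-cmd --list-all
sudo firewall-cmd --list-all-zones
sudo firewall-cmd --get-default-zone
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-services
sudo firewall-cmd --list-ports
sudo firewall-cmd --zone=public --list-services
sudo firewall-cmd --zone=internal --list-services

# Add Permanently to Public Zone
# Saves http/https in the public zone and reloads so they are active.
sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https && sudo firewall-cmd --reload

# Add Temporarily to Internal Zone
# Restricts ssh to the listed source networks: allow ssh in the internal
# zone, bind the sources to that zone, and only then drop ssh from public.
# All five are runtime changes (no --permanent) so the source restriction is
# active immediately, ssh is never closed on public before it is open on
# internal, and the whole set can be committed with --runtime-to-permanent
# below. Keep the current session open and verify a new ssh login from an
# allowed source before committing.
# The /16 prefix admits the whole 53.52.0.0/16 and 100.99.0.0/16 networks;
# use /32 if a single host is intended.
sudo firewall-cmd --zone=internal --add-service=ssh
sudo firewall-cmd --zone=internal --add-source=53.52.51.50/16
sudo firewall-cmd --zone=internal --add-source=100.99.98.97/16
sudo firewall-cmd --zone=public --remove-service=ssh
sudo firewall-cmd --zone=public --remove-port=22/tcp

# Commit Temporary Changes Permanently
# Copies the current runtime state into the saved configuration.
sudo firewall-cmd --runtime-to-permanent

# Remove an IP from Allowed IPs
# Runtime removal; follow with --runtime-to-permanent (or repeat with
# --permanent and --reload) if it should survive a reload.
sudo firewall-cmd --zone=internal --remove-source=100.99.98.97/16

# DOCKER FIREWALLD

# Masquerading allows for docker ingress and egress (this is the juicy bit)
sudo firewall-cmd --zone=public --add-masquerade --permanent

# Specifically allow incoming traffic on port 80/443 (nothing new here)
# --permanent is required here: the reload below would otherwise discard a
# runtime-only --add-port.
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent

# Reload firewall to apply permanent rules
sudo firewall-cmd --reload

# docker firewalld 2

# Check what interface docker is using, e.g. 'docker0'
ip link show

# Check available firewalld zones, e.g. 'public'
sudo firewall-cmd --get-active-zones

# Check which zone the docker interface is bound to, most likely 'no zone' yet
sudo firewall-cmd --get-zone-of-interface=docker0

# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload
# NOTE(review): this assumes docker0 is a NetworkManager-managed connection;
# confirm with `nmcli connection show` before relying on it.
sudo nmcli connection modify docker0 connection.zone public

# Masquerading allows for docker ingress and egress (this is the juicy bit)
sudo firewall-cmd --zone=public --add-masquerade --permanent

# Optional: open required incoming ports (wasn't required in my tests)
# --permanent so the reload below keeps it.
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent

# Reload firewalld
sudo firewall-cmd --reload

# Reload dockerd
sudo systemctl restart docker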