Difference between revisions of "Additional Firewall-Cmd Commands"
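--- a/Additional Firewall-Cmd Commands
+++ b/Additional Firewall-Cmd Commands
@@ -1,3 +1,3 @@
-''<span style="color:#009999"># Basic firewall-cmd setups''<syntaxhighlight lang="shell"
+''<span style="color:#009999"># Basic firewall-cmd setups</span>''<syntaxhighlight lang="shell">
 sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
 sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
@@ -6,5 +6,25 @@
 sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent
 sudo firewall-cmd --reload
-</syntaxhighlight>''<nowiki>#</nowiki> Query Firewall Settings''<syntaxhighlight lang="shell">
+</syntaxhighlight>''<span style="color:#009999"># Zimbra firewall-cmd setups</span>''<syntaxhighlight lang="shell">
+sudo firewall-cmd --zone=public --add-port=25/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=110/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=143/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=465/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=587/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=993/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=995/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=7025/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=7071/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=7110/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=7143/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=7993/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=7995/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
+sudo firewall-cmd --zone=public --add-port=9071/tcp --permanent
+sudo firewall-cmd --reload
+</syntaxhighlight>''<span style="color:#009999"><nowiki>#</nowiki> Query Firewall Settings</span>''<syntaxhighlight lang="shell">
 firewall-cmd --list-all
 firewall-cmd --list-all-zones
@@ -15,20 +35,19 @@
 firewall-cmd --zone=public --list-services
 firewall-cmd --zone=internal --list-services
-</syntaxhighlight>''<nowiki>#</nowiki> Add Permanently to Public Zone''
-<code>sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https
-sudo firewall-cmd --reload</code>
-''# Add Temporarily to Internal Zone''<syntaxhighlight lang="shell">
+</syntaxhighlight>''<span style="color:#009999"><nowiki>#</nowiki> Add Permanently to Public Zone''
+<code>sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https && sudo firewall-cmd --reload</code>
+''<span style="color:#009999"># Add Temporarily to Internal Zone</span>''<syntaxhighlight lang="shell">
 firewall-cmd --zone=internal --add-service=ssh
-firewall-cmd --zone=internal --add-source=
-firewall-cmd --zone=internal --add-source=
+firewall-cmd --zone=internal --add-source=53.52.51.50/16 --permanent
+firewall-cmd --zone=internal --add-source=100.99.98.97/16 --permanent
 firewall-cmd --zone=public --remove-service=ssh
 firewall-cmd --zone=public --remove-port=22/tcp
-</syntaxhighlight>''# Commit Temporary Changes Permanently''
+</syntaxhighlight>''<span style="color:#009999"># Commit Temporary Changes Permanently</span>''
 <code>firewall-cmd --runtime-to-permanent</code>
-''# Remove an IP from Allowed IPs''
-<code>firewall-cmd --zone=internal --remove-source=
-''# DOCKER FIREWALLD''
-''# Masquerading allows for docker ingress and egress (this is the juicy bit)''
+''<span style="color:#009999"># Remove an IP from Allowed IPs</span>''
+<code>firewall-cmd --zone=internal --remove-source=100.99.98.97/16</code>
+''<span style="color:#009999"># DOCKER FIREWALLD</span>''
+''<span style="color:#009999"># Masquerading allows for docker ingress and egress (this is the juicy bit)</span>''
 <code>firewall-cmd --zone=public --add-masquerade --permanent</code>
-''# Specifically allow incoming traffic on port 80/443 (nothing new here)''
+''<span style="color:#009999"># Specifically allow incoming traffic on port 80/443 (nothing new here)</span>''
 <code>firewall-cmd --zone=public --add-port=80/tcp</code>
@@ -44,20 +63,20 @@
 <code>firewall-cmd --zone=public --add-port=443/tcp</code>
-''# Reload firewall to apply permanent rules''
+''<span style="color:#009999"># Reload firewall to apply permanent rules</span>''
 <code>firewall-cmd --reload</code>
-''# docker firewalld 2''
-''# Check what interface docker is using, e.g. 'docker0'''
+''<span style="color:#009999"># docker firewalld 2</span>''
+''<span style="color:#009999"># Check what interface docker is using, e.g. 'docker0'</span>''
 <code>ip link show</code>
-''# Check available firewalld zones, e.g. 'public'''
+''<span style="color:#009999"># Check available firewalld zones, e.g. 'public'</span>''
 <code>sudo firewall-cmd --get-active-zones</code>
-''# Check what zone the docker interface it bound to, most likely 'no zone' yet''
+''<span style="color:#009999"># Check what zone the docker interface it bound to, most likely 'no zone' yet</span>''
 <code>sudo firewall-cmd --get-zone-of-interface=docker0</code>
-''# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload''
+''<span style="color:#009999"># So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload</span>''
 <code>sudo nmcli connection modify docker0 connection.zone public</code>
-''# Masquerading allows for docker ingress and egress (this is the juicy bit)''
+''<span style="color:#009999"># Masquerading allows for docker ingress and egress (this is the juicy bit)</span>''
 <code>sudo firewall-cmd --zone=public --add-masquerade --permanent</code>
-''# Optional open required incomming ports (wasn't required in my tests)''
+''<span style="color:#009999"># Optional open required incomming ports (wasn't required in my tests)</span>''
 <code>sudo firewall-cmd --zone=public --add-port=443/tcp</code>
-''# Reload firewalld''
+''<span style="color:#009999"># Reload firewalld</span>''
 <code>sudo firewall-cmd --reload</code>
-''# Reload dockerd''
+''<span style="color:#009999"># Reload dockerd</span>''
 <code>sudo systemctl restart docker</code>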
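Review bot: The two `--add-source=…/16 --permanent` lines added in the internal-zone hunk admit an entire /16 (65,536 addresses, e.g. all of 53.52.0.0/16), not the single hosts the written addresses suggest; a one-host allow-list needs `/32`, and the addresses are presumably placeholders to be replaced with the real admin range. Because they carry `--permanent` they are also inactive at runtime until `firewall-cmd --reload`, which contradicts the "Add Temporarily" heading and matters because the next two lines remove ssh from the public zone immediately — that can lock the current session's successor connections out. A note above the block such as `# --permanent sources apply only after --reload; check "firewall-cmd --zone=internal --list-all" admits your address before removing ssh from public` would make the recipe safe to copy. The 7071 and 9071 additions in the Zimbra hunk appear to be admin-console ports and would be better confined to a source-restricted zone than to public, but confirm that against the Zimbra port list.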
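# firewall-cmd cheat sheet: open ports and services, inspect zones, and put
# the docker0 interface under firewalld. Each heading is a separate recipe;
# run the lines you need rather than the whole listing top to bottom.
#
# Two rules explain most of the surprises below:
#   - --permanent edits only the saved configuration; it takes effect after
#     "firewall-cmd --reload".
#   - Without --permanent a change is runtime-only, and "--reload" discards
#     it. "firewall-cmd --runtime-to-permanent" saves runtime changes instead.
# (The original listing had several "--reload# Heading" lines where a
# heading had been fused onto a command; "--reload#" is one word to the
# shell, not a comment, so those are split here.)

# Basic firewall-cmd setups
sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=10000/tcp --permanent
sudo firewall-cmd --reload

# Zimbra firewall-cmd setups
# NOTE(review): 7071 and 9071 look like the Zimbra admin-console ports and
# 7025 the internal LMTP port - confirm against the Zimbra port list. If so,
# they belong in a zone restricted to an admin / mail-server source range
# (see the internal-zone recipe below) rather than in "public".
sudo firewall-cmd --zone=public --add-port=25/tcp --permanent
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --zone=public --add-port=110/tcp --permanent
sudo firewall-cmd --zone=public --add-port=143/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=465/tcp --permanent
sudo firewall-cmd --zone=public --add-port=587/tcp --permanent
sudo firewall-cmd --zone=public --add-port=993/tcp --permanent
sudo firewall-cmd --zone=public --add-port=995/tcp --permanent
sudo firewall-cmd --zone=public --add-port=7025/tcp --permanent
sudo firewall-cmd --zone=public --add-port=7071/tcp --permanent
sudo firewall-cmd --zone=public --add-port=7110/tcp --permanent
sudo firewall-cmd --zone=public --add-port=7143/tcp --permanent
sudo firewall-cmd --zone=public --add-port=7993/tcp --permanent
sudo firewall-cmd --zone=public --add-port=7995/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=9071/tcp --permanent
sudo firewall-cmd --reload

# Query Firewall Settings
firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --list-services
firewall-cmd --list-ports
firewall-cmd --zone=public --list-services
firewall-cmd --zone=internal --list-services

# Add Permanently to Public Zone
sudo firewall-cmd --permanent --zone=public --add-service=http --add-service=https && sudo firewall-cmd --reload

# Add Temporarily to Internal Zone
# Only the --add-service line is runtime (temporary). The --add-source lines
# are --permanent, so they are inactive until --reload; drop --permanent if
# they should apply immediately. A /16 admits 65,536 addresses
# (53.52.0.0-53.52.255.255), not one host - use /32 for a single machine.
# The addresses are presumably placeholders; substitute the real admin range.
firewall-cmd --zone=internal --add-service=ssh
firewall-cmd --zone=internal --add-source=53.52.51.50/16 --permanent
firewall-cmd --zone=internal --add-source=100.99.98.97/16 --permanent
# Lock-out guard: the two removals below take effect immediately. Confirm
# first that the internal zone admits the address you are working from
# (firewall-cmd --zone=internal --list-all) so ssh stays reachable.
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-port=22/tcp

# Commit Temporary Changes Permanently
firewall-cmd --runtime-to-permanent

# Remove an IP from Allowed IPs
# Runtime-only as written; add --permanent (then --reload) or run
# --runtime-to-permanent afterwards to make the removal stick.
firewall-cmd --zone=internal --remove-source=100.99.98.97/16

# DOCKER FIREWALLD
# Masquerading allows for docker ingress and egress (this is the juicy bit)
firewall-cmd --zone=public --add-masquerade --permanent
# Specifically allow incoming traffic on port 80/443 (nothing new here)
# --permanent added: as runtime-only adds these were discarded by the
# --reload that follows, leaving only the masquerade rule in place.
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
# Reload firewall to apply permanent rules
firewall-cmd --reload

# docker firewalld 2
# Check what interface docker is using, e.g. 'docker0'
ip link show
# Check available firewalld zones, e.g. 'public'
sudo firewall-cmd --get-active-zones
# Check what zone the docker interface is bound to, most likely 'no zone' yet
sudo firewall-cmd --get-zone-of-interface=docker0
# So add the 'docker0' interface to the 'public' zone. Changes will be visible only after firewalld reload
sudo nmcli connection modify docker0 connection.zone public
# Masquerading allows for docker ingress and egress (this is the juicy bit)
sudo firewall-cmd --zone=public --add-masquerade --permanent
# Optional: open required incoming ports (wasn't required in my tests).
# --permanent so the --reload below does not discard it.
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
# Reload firewalld
sudo firewall-cmd --reload
# Reload dockerd (this also restarts running containers unless live-restore is enabled)
sudo systemctl restart docker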