User Tools

Site Tools

Trace:
firewalld-zones-centos7

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
firewalld-zones-centos7 [2015/03/04 10:45] – created herwarthfirewalld-zones-centos7 [2017/04/27 11:54] (current) herwarth
Line 1: Line 1:
-{{tag>centos}} +======Using firewalld to create zones with subnets on CentOS 7====== 
-====Using firewalld to create zones with subnets==== +=====Configuration===== 
-===Remove all default rules=== +====Remove all default rules==== 
-<code> +  firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client 
-firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client +  firewall-cmd --permanent --zone=home --remove-service=ipp-client 
-firewall-cmd --permanent --zone=home --remove-service=ipp-client +  firewall-cmd --permanent --zone=home --remove-service=mdns 
-firewall-cmd --permanent --zone=home --remove-service=mdns +  firewall-cmd --permanent --zone=home --remove-service=samba-client 
-firewall-cmd --permanent --zone=home --remove-service=samba-client +  firewall-cmd --permanent --zone=home --remove-service=ssh 
-firewall-cmd --permanent --zone=home --remove-service=ssh + 
-</code> +  firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client 
-<code> +  firewall-cmd --permanent --zone=internal --remove-service=ipp-client 
-firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client +  firewall-cmd --permanent --zone=internal --remove-service=mdns 
-firewall-cmd --permanent --zone=internal --remove-service=ipp-client +  firewall-cmd --permanent --zone=internal --remove-service=samba-client 
-firewall-cmd --permanent --zone=internal --remove-service=mdns +  firewall-cmd --permanent --zone=internal --remove-service=ssh 
-firewall-cmd --permanent --zone=internal --remove-service=samba-client + 
-firewall-cmd --permanent --zone=internal --remove-service=ssh +  firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client 
-</code> +  firewall-cmd --permanent --zone=work --remove-service=ipp-client 
-<code> +  firewall-cmd --permanent --zone=work --remove-service=ssh 
-firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client + 
-firewall-cmd --permanent --zone=work --remove-service=ipp-client +  firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client 
-firewall-cmd --permanent --zone=work --remove-service=ssh +  firewall-cmd --permanent --zone=public --remove-service=ssh 
-</code> + 
-<code> +  firewall-cmd --permanent --zone=external --remove-service=ssh 
-firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client +  firewall-cmd --permanent --zone=external --remove-masquerade 
-firewall-cmd --permanent --zone=public --remove-service=ssh + 
-</code> +  firewall-cmd --permanent --zone=dmz --remove-service=ssh
-<code> +
-firewall-cmd --permanent --zone=external --remove-service=ssh +
-firewall-cmd --permanent --zone=external --remove-masquerade +
-</code> +
-<code> +
-firewall-cmd --permanent --zone=dmz --remove-service=ssh +
-</code>+
  
-===Create new zones===+====Create new zones====
   firewall-cmd --permanent --new-zone=management   firewall-cmd --permanent --new-zone=management
   firewall-cmd --permanent --new-zone=local   firewall-cmd --permanent --new-zone=local
  
-===Add subnets to zones===+====Add subnets to zones====
  
   firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0   firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
   firewall-cmd --permanent --zone=public --add-source=::/0   firewall-cmd --permanent --zone=public --add-source=::/0
-<code> + 
-firewall-cmd --permanent --zone=dmz --add-source=5.200.9.240/28 +  firewall-cmd --permanent --zone=dmz --add-source=185.106.153.224/29 
-firewall-cmd --permanent --zone=dmz --add-source=2a00:1630:59::/64 +  firewall-cmd --permanent --zone=dmz --add-source=2a02:22a0:bbb7:400::/64 
-firewall-cmd --permanent --zone=dmz --add-source=46.44.183.176/28 +  firewall-cmd --permanent --zone=dmz --add-source=192.168.10.0/24 
-firewall-cmd --permanent --zone=dmz --add-source=2a02:22a0:bbb7:400::/64 +  firewall-cmd --permanent --zone=dmz --add-source=2a02:22a0:bbb7:401::/64 
-firewall-cmd --permanent --zone=dmz --add-source=94.142.242.32/28 + 
-firewall-cmd --permanent --zone=dmz --add-source=2a02:898:126::/64 + 
-</code> +  firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24 
-<code> +  firewall-cmd --permanent --zone=local --add-source=2a02:22a0:bbb7:403::/64 
-firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24 + 
-firewall-cmd --permanent --zone=local --add-source=2a02:22a0:bbb7:403::/64 +  firewall-cmd --permanent --zone=management --add-source=172.16.2.0/24 
-firewall-cmd --permanent --zone=local --add-source=172.16.5.0/24 +  firewall-cmd --permanent --zone=management --add-source=2a02:22a0:bbb7:402::/64 
-firewall-cmd --permanent --zone=local --add-source=2a00:1630:59:5::/64 + 
-firewall-cmd --permanent --zone=local --add-source=172.16.7.0/24 +====Create additional services==== 
-firewall-cmd --permanent --zone=local --add-source=2a02:898:126:7::/64 +<code /etc/firewalld/services/check-mk-agent.xml>
-</code> +
-<code> +
-firewall-cmd --permanent --zone=management --add-source=172.16.2.0/24 +
-firewall-cmd --permanent --zone=management --add-source=2a02:22a0:bbb7:402::/64 +
-firewall-cmd --permanent --zone=management --add-source=172.16.4.0/24 +
-firewall-cmd --permanent --zone=management --add-source=2a00:1630:59:4::/64 +
-firewall-cmd --permanent --zone=management --add-source=172.16.6.0/24 +
-firewall-cmd --permanent --zone=management --add-source=2a02:898:126:6::/64 +
-</code> +
-===Create additional services=== +
-<code+
-cat << EOF > /etc/firewalld/services/check-mk-agent.xml+
 <?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
 <service> <service>
Line 74: Line 55:
   <port protocol="tcp" port="6556"/>   <port protocol="tcp" port="6556"/>
 </service> </service>
-EOF 
 </code> </code>
  
-===Enable services on zones===+====Enable services on zones====
   firewall-cmd --permanent --zone=management --add-service=ssh   firewall-cmd --permanent --zone=management --add-service=ssh
   firewall-cmd --permanent --zone=local --add-service=ssh   firewall-cmd --permanent --zone=local --add-service=ssh
Line 85: Line 65:
   firewall-cmd --permanent --zone=management --add-rich-rule="rule family="ipv6" \   firewall-cmd --permanent --zone=management --add-rich-rule="rule family="ipv6" \
   source address="2a00:1630:59:4::14" service name="check-mk-agent" accept"   source address="2a00:1630:59:4::14" service name="check-mk-agent" accept"
-  
-  firewall-cmd --permanent --zone=management --add-service=check-mk-agent 
  
-===Set default zone=== 
-  firewall-cmd --set-default-zone=dmz 
  
-===Example: for example an web-server listening on http and https on zone public and local+====Set default zone==== 
 +  firewall-cmd --set-default-zone=public 
 + 
 +=====Examples===== 
 +====Web server==== 
 +web-server allowing connections on service http and https matching zones dmz and local. Remember sources in a zone other than dmz and local cannot connect to the http and https service. 
   firewall-cmd --permanent --zone=local --add-service=http   firewall-cmd --permanent --zone=local --add-service=http
   firewall-cmd --permanent --zone=local --add-service=https   firewall-cmd --permanent --zone=local --add-service=https
-  firewall-cmd --permanent --zone=public --add-service=http +  firewall-cmd --permanent --zone=dmz --add-service=http 
-  firewall-cmd --permanent --zone=public --add-service=https+  firewall-cmd --permanent --zone=dmz --add-service=https
  
 +
 +{{tag>centos}}
firewalld-zones-centos7.1425465928.txt.gz · Last modified: by herwarth

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki