[CentOS] firewalld

Sat Jan 28 12:11:02 UTC 2017
TE Dukes <tdukes at palmettoshopper.com>


> -----Original Message-----
> From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Pete Biggs
> Sent: Saturday, January 28, 2017 6:02 AM
> To: centos at centos.org
> Subject: Re: [CentOS] firewalld
> 
> 
> >
> > The zone apparently means something because an interface can only be on
> one.
> > Moving it to a different zone results in the same error (same
> > services/ports opened in each zone).
> 
> The "zones" are just labels and are used to create kernel iptables.
> Each zone has a default set of open and closed ports ranging from "trusted"
> which accepts all packets to "public" which has everything closed. You can
> modify the allowed ports and services on each zone at will.
> 
> Some of the zones have "special" features - "block" rejects all packets,
> "drop" drops all packets, "external" has masquerading turned on and so on.
> 
> If you have a single network, then that interface will, by default, be put in the
> "public" zone, so most ports will be closed. That's fine, just leave it in that
> zone, it's just a label/container.
> 
> You can list the services open in the default zone by doing
> 
>   firewall-cmd --list-services
> 
> or for ports not services
> 
>   firewall-cmd --list-ports
> 
> or for a different zone
> 
>   firewall-cmd --zone=public --list-services
> 
> You can also find out which zones your interface(s) is in with
> 
>   firewall-cmd --get-active-zones
> 
> One of the gotchas with firewalld is that the changes are made in either the
> current running iptables *or* the stored rules, not both. So if you make a
> change to the running rule set, those changes won't be kept the next time
> you restart firewalld. You can either use the '
> --permanent' flag to set the stored rules (but it won't affect the active rules)
> or the '--runtime-to-permanent' flag to copy the current active rules to the
> stored ones.
> 
> The bottom line is that firewalld is just another application that manipulates
> the kernel packet routing tables. Use something else if you prefer it - some
> of the system tools assume firewalld, but if you are aware of what's
> happening it shouldn't be an issue.
> 
> >
> > I may as well disable firewalld and let my router handle the firewall.
> >
> If you are happy that there is nothing behind your firewall that could cause a
> problem then that's an acceptable route.
> 
> P.
Thanks,

That's a better explanation of things than I have read so far.

Yes, initially I wasn't adding the --permanent to the rules but I wasn't doing really any reboots.

I did a few --reloads so that may have gotten me.

I have zoneminder, dns, and  urbackup  working. I can ssh and scp in from work but mail is being a pain.

Thanks