Really starting to like firewalld

moonmartin Member
edited February 2017 in General

A new trick I found.

firewall-cmd --set-log-denied=all

That automatically inserts the log lines for you just before the DROP/REJECT statements in the INPUT, FORWARD and OUTPUT chains, and in any custom chains with DROP/REJECT statements. You could always add logging rules manually to bare iptables, but with this command and firewalld it's automatic. The log lines are also given unique prefixes, so you can identify the chain each one comes from.

There are a lot of things this can be used for. One of the more powerful uses is to search out blocked ports/services that need to be added. This lets you work from the outside in, rather than having to search out all the ports/services you want to add and then figure out what they listen on, etc.

To have this written to log files, uncomment $ModLoad imklog in /etc/rsyslog.conf and run systemctl restart rsyslog.

To watch from the console (at least on CE7), just cat /proc/kmsg.

To turn it off: firewall-cmd --set-log-denied=off

This may seem like a little thing to some but I think it's a pretty nice feature.

Thanked by 1ehab

Comments

  • I have a question... how do I remove all services at once, without prior knowledge of the services? For example

    firewall-cmd --zone=public --permanent --remove-service={*}

    didn't do the job. Any tricks you've come across for a case like mine?

  • moonmartin Member
    edited February 2017

    @ehab said:
    I have a question... how do I remove all services at once, without prior knowledge of the services? For example

    firewall-cmd --zone=public --permanent --remove-service={*}

    didn't do the job. Any tricks you've come across for a case like mine?

    I'm not aware of a command, but that doesn't mean there isn't one. You can just edit the config file directly in /etc/firewalld to remove multiple lines.

  • mfs Banned, Member
    edited February 2017

    I have no grudge against firewalld per se, but one of the first things I always do is disable/remove it and use the plain old iptables & ipset I gave my blood to when I was learning the first bits.

    There's nothing more crystalline than performing some editing on /etc/sysconfig/iptables.

    @ehab how about

    # runtime change only; add --permanent to both firewall-cmd calls to change the saved config as well
    IFS=' ' ; mapfile -t k < <(firewall-cmd --zone=public --list-services) ; for i in ${k[@]} ; do firewall-cmd --zone=public --remove-service="$i" && echo "$i removed" ; done
    
    Thanked by 1ehab
  • moonmartin Member
    edited February 2017

    @mfs said:
    I have no grudge against firewalld per se, but one of the first things I always do is disable/remove it and use the plain old iptables & ipset I gave my blood to when I was learning the first bits.

    There's nothing more crystalline than performing some editing on /etc/sysconfig/iptables.

    @ehab how about

    # runtime change only; add --permanent to both firewall-cmd calls to change the saved config as well
    IFS=' ' ; mapfile -t k < <(firewall-cmd --zone=public --list-services) ; for i in ${k[@]} ; do firewall-cmd --zone=public --remove-service="$i" && echo "$i removed" ; done
    

    If you want to edit config files, you can do the same sort of thing in /etc/firewalld. Actually it's better suited to that, because it is designed to be edited directly; I don't think /etc/sysconfig/iptables is intended to be. You can edit the standard files and you can create your own custom config files.

    The only thing with firewalld config files is that they use XML.

    So a custom config file might look like

    cat /etc/firewalld/services/myspecialsnowflake.xml

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>My Special Snowflake</short>
      <description>This is an example service covering a few different protocols.</description>
      <port port="12000-13000" protocol="tcp"/>
      <port port="1382" protocol="udp"/>
    </service>
    

    Then just add that service as a firewalld rule. (--new-service only creates an empty service definition and fails if the XML file already exists, so reload to pick up the file and add the service instead.)

    firewall-cmd --reload   # load the new service file from /etc/firewalld/services
    firewall-cmd --add-service=myspecialsnowflake --permanent && firewall-cmd --reload

  • Thanks for the script, I'll check it out.
