1
00:00:00,000 --> 00:00:09,000
In this video you'll learn about firewalld.

2
00:00:09,000 --> 00:00:13,000
firewalld is the default firewall on Red Hat and family.

3
00:00:13,000 --> 00:00:17,000
firewalld uses a couple of ingredients.

4
00:00:17,000 --> 00:00:19,000
The first ingredient is the zone.

5
00:00:19,000 --> 00:00:22,000
A zone is a collection of one or more network cards

6
00:00:22,000 --> 00:00:24,000
that is facing a specific direction

7
00:00:24,000 --> 00:00:26,000
and to which rules can be assigned.

8
00:00:26,000 --> 00:00:29,000
So if you have multiple internal network cards

9
00:00:29,000 --> 00:00:31,000
or multiple outgoing network cards,

10
00:00:31,000 --> 00:00:33,000
you can put all of them in a zone

11
00:00:33,000 --> 00:00:36,000
and build your rules on top of that.

12
00:00:36,000 --> 00:00:40,000
Interfaces is what we call individual network cards.

13
00:00:40,000 --> 00:00:44,000
But interfaces in firewalld are always part of a zone.

14
00:00:44,000 --> 00:00:46,000
And then there are services.

15
00:00:46,000 --> 00:00:49,000
A service in firewalld is an XML-based configuration

16
00:00:49,000 --> 00:00:52,000
that specifies ports to be opened

17
00:00:52,000 --> 00:00:54,000
and modules that should be used.

18
00:00:54,000 --> 00:00:56,000
We have forward ports,

19
00:00:56,000 --> 00:00:59,000
which are used to send traffic coming in on a specific port

20
00:00:59,000 --> 00:01:02,000
to another port which may be on another machine.

21
00:01:02,000 --> 00:01:04,000
This is port forwarding.

22
00:01:04,000 --> 00:01:07,000
And you can use it to redirect traffic.

23
00:01:07,000 --> 00:01:10,000
And there is masquerading, IP masquerading,

24
00:01:10,000 --> 00:01:14,000
which provides network address translation on the router.

25
00:01:14,000 --> 00:01:17,000
So if your firewalld server is a router,

26
00:01:17,000 --> 00:01:19,000
enable IP masquerading

27
00:01:19,000 --> 00:01:21,000
and all the nodes on the private network

28
00:01:21,000 --> 00:01:23,000
that this router is connected to

29
00:01:23,000 --> 00:01:26,000
can use your firewall to go out onto the Internet

30
00:01:26,000 --> 00:01:29,000
without being visible themselves.

31
00:01:29,000 --> 00:01:33,000
firewalld rich rules are an extension to the firewalld syntax

32
00:01:33,000 --> 00:01:37,000
to make more complex configuration possible.

33
00:01:37,000 --> 00:01:39,000
In order to work with firewalld,

34
00:01:39,000 --> 00:01:42,000
firewall-cmd is your main command.

35
00:01:42,000 --> 00:01:44,000
It may appear overwhelming,

36
00:01:44,000 --> 00:01:48,000
but it is not, and it is very well structured.

37
00:01:48,000 --> 00:01:52,000
The elements previously listed can be managed easily

38
00:01:52,000 --> 00:01:55,000
by using firewall-cmd --help.

39
00:01:55,000 --> 00:01:57,000
You can get the syntax description.

40
00:01:57,000 --> 00:01:59,000
And I would advise you do that.

41
00:01:59,000 --> 00:02:04,000
Try, for instance, firewall-cmd --help | grep services,

42
00:02:04,000 --> 00:02:08,000
and you will see all the commands that relate to services.

43
00:02:08,000 --> 00:02:13,000
Now, many elements in firewalld have a get, set, and list option.

44
00:02:13,000 --> 00:02:17,000
So --list-services will list your current configuration.

45
00:02:17,000 --> 00:02:20,000
--get-services will show you what is available.

46
00:02:20,000 --> 00:02:22,000
--add-service will add something,

47
00:02:22,000 --> 00:02:25,000
and --remove-service is going to remove it.

48
00:02:25,000 --> 00:02:28,000
Now, there is one more thing to remember about firewalld,

49
00:02:28,000 --> 00:02:31,000
and that is the --permanent option.

50
00:02:31,000 --> 00:02:35,000
Whatever you do in firewalld, you need to do it twice.

51
00:02:35,000 --> 00:02:38,000
First, you add it to the runtime.

52
00:02:38,000 --> 00:02:40,000
Then you add it to permanent.

53
00:02:40,000 --> 00:02:45,000
So if you want to use firewall-cmd --add-service=ssh,

54
00:02:45,000 --> 00:02:47,000
you add the SSH service.

55
00:02:47,000 --> 00:02:49,000
You need to repeat your commands

56
00:02:49,000 --> 00:02:54,000
and do it again using firewall-cmd --add-service=ssh

57
00:02:54,000 --> 00:02:56,000
--permanent,

58
00:02:56,000 --> 00:02:59,000
because otherwise you will lose it after a reboot.

59
00:02:59,000 --> 00:03:01,000
Let me show you.

60
00:03:01,000 --> 00:03:06,000
So I'm starting with firewall-cmd --list-all,

61
00:03:06,000 --> 00:03:08,000
which is giving the current configuration.

62
00:03:08,000 --> 00:03:12,000
And there we can see that we are in the default zone.

63
00:03:12,000 --> 00:03:14,000
Default, that's the zone name.

64
00:03:14,000 --> 00:03:16,000
And firewalld is active.

65
00:03:16,000 --> 00:03:18,000
In this default zone,

66
00:03:18,000 --> 00:03:22,000
we have the one and only network interface, ens160,

67
00:03:22,000 --> 00:03:25,000
and we have some default services that are available,

68
00:03:25,000 --> 00:03:31,000
including cockpit, dhcpv6-client, and ssh.

69
00:03:31,000 --> 00:03:37,000
Now, if I use firewall-cmd --get-services,

70
00:03:37,000 --> 00:03:41,000
I get a list of all the services that are available.

71
00:03:41,000 --> 00:03:46,000
So if I want to see what is behind, let's say, nfs3,

72
00:03:46,000 --> 00:03:48,000
I can look up the service file,

73
00:03:48,000 --> 00:03:57,000
which is in /usr/lib/firewalld/services/nfs3.xml.

74
00:03:57,000 --> 00:04:02,000
And there you can see that nfs3.xml is opening TCP

75
00:04:02,000 --> 00:04:06,000
as well as UDP port 2049.

76
00:04:06,000 --> 00:04:08,000
And how about nfs.xml?

77
00:04:08,000 --> 00:04:11,000
It's also opening port 2049.

78
00:04:11,000 --> 00:04:13,000
Well, that's kind of disappointing.

79
00:04:13,000 --> 00:04:15,000
But if I want to add it,

80
00:04:15,000 --> 00:04:23,000
then I'm going to use firewall-cmd --add-service=nfs3.

81
00:04:23,000 --> 00:04:28,000
And now firewall-cmd --list-services

82
00:04:28,000 --> 00:04:32,000
is showing all the services that are currently available.

83
00:04:32,000 --> 00:04:35,000
You might be better off using --list-all, by the way.

84
00:04:35,000 --> 00:04:38,000
That will show all the information, including the services.

85
00:04:38,000 --> 00:04:42,000
And as you can see, nfs3 is available.

86
00:04:42,000 --> 00:04:47,000
But if I were to use firewall-cmd --reload,

87
00:04:47,000 --> 00:04:51,000
then it reloads, and look here, nfs3 is gone.

88
00:04:51,000 --> 00:04:53,000
So what are we going to do about it?

89
00:04:53,000 --> 00:04:56,000
Well, one option is to use it twice.

90
00:04:56,000 --> 00:05:02,000
Another option would be to use firewall-cmd

91
00:05:03,000 --> 00:05:08,000
--add-service=nfs3 --permanent.

92
00:05:08,000 --> 00:05:12,000
And now --list-all is not showing it.

93
00:05:12,000 --> 00:05:15,000
But if we do the firewall-cmd --reload again,

94
00:05:15,000 --> 00:05:19,000
it's going to reload, including the persistent configuration.

95
00:05:19,000 --> 00:05:23,000
And then you will see that nfs3 shows up as well.

96
00:05:23,000 --> 00:05:27,000
And that concludes our small introduction to firewall-cmd.

