I have multiple CentOS 7 machines in the same LAN. Each one is communicating with a few others and has one or more applications installed that each listen on various ports (database, webserver, load-balancing service etc.). Typical web-architecture stuff.

Now firewalld is disabled on all of them. And I want to enable it everywhere.

Normally it would go something like:

  1. systemctl enable firewalld
  2. systemctl start firewalld
  3. firewall-cmd <...> (add ports, sources, services etc.)

The problem is that, once I start the firewalld service, by default it blocks most of my stuff [1], until I get the chance to do the 3rd step. And, given the big number of configurations (ports, sources) I have to add, my services will basically become unusable/unreachable until I figure it out.

I'm most concerned about some of these features:

  • I use GlusterFS on some machines to create a network-file-system which I then mount on other machines
  • I use Corosync+Pacemaker to create a couple of clusters between some of the machines; these tools use various ports for heartbeat-like functionality

If I turn on firewalld on these machines, it would immediately block all these services, until I get the chance to execute my many firewall-cmd <...> statements. And I don't know the consequences of that.


My question is: Is there some way to execute the 3rd step BEFORE the 2nd step? So that everything is in place when I turn on the service.

My one single idea is to somehow manually edit the XML files in the /etc/firewalld/zones folder. But it seems extremely error-prone, especially since I'm not that familiar with firewalld to be comfortable making such edits.


[1] From what I know, only ports 80/443 (HTTP/HTTPS) and 22 (SSH) will be opened, all others are blocked until you explicitly open them.

3 Answers

Before you start the firewalld service you should specify parameters via config files. I recommend that you create a file of rules for every service (GlusterFS, Pacemaker ...) and put all the ports that you need in the file. For example (for Pacemaker, taken from Configuring the iptables Firewall to Allow Cluster Components), /etc/firewalld/services/pacemaker.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Pacemaker</short>
  <description>Pacemaker service</description>
  <port protocol="tcp" port="2224"/>
  <port protocol="tcp" port="3121"/>
  <port protocol="tcp" port="5403"/>
  <port protocol="udp" port="5404"/>
  <port protocol="udp" port="5405"/>
  <port protocol="tcp" port="21064"/>
</service>

You can get more info with examples from How To Set Up a Firewall Using FirewallD on CentOS 7.

Then you can start firewalld safely.

If you are afraid of breaking firewalld by editing zone files by hand, you can test in a virtual environment before applying it in the working system.

  • So you're saying you can manually add such files in /etc/firewalld/services and they will be read/loaded when you turn on firewalld? Interesting, that might work. I'll take a closer look, thanks. Commented Jun 24, 2019 at 12:57
  • @RaduMurzea Yes, it will be read/reloaded when you turn on the firewall via systemctl start firewalld or reload the config via firewall-cmd --reload. I took this info from "How To Set Up a Firewall Using FirewallD on CentOS 7". Commented Jun 24, 2019 at 13:01
  • Wouldn't firewall-offline-cmd <...> be a better fit here? I didn't know it existed, just found it in the man-pages a few minutes ago... Commented Jul 2, 2019 at 13:32
Easy. Just add the option --permanent to all your rules, e.g.

firewall-cmd --zone=trusted --add-port=1234/tcp --permanent

This will register the rules in the permanent configuration but won't apply them until you run the command

firewall-cmd --reload

By the way, this is the recommended way to operate firewalld; if you don't use the --permanent option, changes will be applied temporarily and will be erased at the next firewall reload or restart.

  • Maybe I'm getting it wrong, but I think the question was how to do this without actually having to start firewalld first. Commented Jun 24, 2019 at 12:56
  • Ah, you're right. My mistake. Commented Jun 24, 2019 at 12:59
In days like these most products do not document their network protocols any more, so you'll have to find out yourself what is going on before starting the firewall configuration.

For example to see all TCP sockets that are listening you can use ss -tln (TCP,listening,non-resolved):

# ss -tln
State    Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process
LISTEN   0        128              0.0.0.0:22            0.0.0.0:*
LISTEN   0        100            127.0.0.1:25            0.0.0.0:*
LISTEN   0        100                [::1]:25               [::]:*
LISTEN   0        128                 [::]:22               [::]:*

As the list may be much longer, you could also filter by the processes that use the sockets by adding option -p:

# ss -tlnp
State   Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process
LISTEN  0        128              0.0.0.0:22            0.0.0.0:*      users:(("sshd",pid=10392,fd=3))
LISTEN  0        100            127.0.0.1:25            0.0.0.0:*      users:(("master",pid=1876,fd=13))
LISTEN  0        100                [::1]:25               [::]:*      users:(("master",pid=1876,fd=14))
LISTEN  0        128                 [::]:22               [::]:*      users:(("sshd",pid=10392,fd=4))

You should cross-check existing connections by leaving out option -l.

(UDP is another animal (i.e.: protocol) to look for)

When done, arrange ports and protocols by application, and define services for each (unless already there).

You can also define "super services" that include other services. For example an application uses a web server and a database server, so you could define two services for database and web, and then include both in the app.

As other questions deal with defining firewall services, I won't repeat the answers here.
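Tying the two approaches together (the service-file format from the first answer and the ss inventory from this one), here is an added example, not code from any of the posters: it parses a constructed `ss -tlnp` socket table, drops loopback-only listeners (unreachable from the LAN, so no rule is needed), groups the remaining ports by process, and writes one service file per process in the /etc/firewalld/services/<name>.xml format, so the files exist before firewalld is ever started. The function names, the output directory argument and the sample socket table are assumptions of this example.

```shell
#!/bin/sh
# Added example: builds firewalld service files from an `ss -tlnp` inventory.
# The socket table below is CONSTRUCTED for this example, not captured from a real host.
SS_SAMPLE='State   Recv-Q   Send-Q     Local Address:Port     Peer Address:Port  Process
LISTEN  0        128              0.0.0.0:22            0.0.0.0:*      users:(("sshd",pid=10392,fd=3))
LISTEN  0        100            127.0.0.1:25            0.0.0.0:*      users:(("master",pid=1876,fd=13))
LISTEN  0        128              0.0.0.0:2224          0.0.0.0:*      users:(("ruby",pid=2210,fd=9))
LISTEN  0        128                 [::]:3121             [::]:*      users:(("pacemaker-remoted",pid=2300,fd=5))
LISTEN  0        128                 [::]:22               [::]:*      users:(("sshd",pid=10392,fd=4))'

# Turn `ss -tlnp` (or `ss -ulnp`, with "udp" as $1) lines into "process port/proto" pairs,
# deduplicated. Loopback-only listeners are skipped: nothing on the LAN can reach them,
# so they need no firewall rule.
listeners() {
  proto="${1:-tcp}"
  awk -v proto="$proto" '
    NR == 1 { next }                          # column header
    $4 ~ /^(127\.|\[::1\])/ { next }          # bound to loopback only
    {
      n = split($4, a, ":"); port = a[n]      # last ":"-field is the port, also for [::]:22
      if (match($6, /\("[^"]+"/)) {           # users:(("sshd",pid=...)) -> sshd
        key = substr($6, RSTART + 2, RLENGTH - 3) " " port "/" proto
        if (!seen[key]++) print key
      }
    }'
}

# Emit one service definition in the /etc/firewalld/services/<name>.xml format
# from "port/proto" lines on stdin.
service_xml() {
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>%s</short>\n' "$1"
  printf '  <description>%s (ports taken from ss inventory)</description>\n' "$1"
  sort -u | awk -F/ '{ printf "  <port protocol=\"%s\" port=\"%s\"/>\n", $2, $1 }'
  printf '</service>\n'
}

# Write one <process>.xml per listening process into $1 (point it at
# /etc/firewalld/services on the real host, before the first `systemctl start firewalld`).
build_services() {
  outdir="$1"; mkdir -p "$outdir"
  inv="$(printf '%s\n' "$SS_SAMPLE" | listeners tcp)"
  printf '%s\n' "$inv" | cut -d' ' -f1 | sort -u | while read -r proc; do
    printf '%s\n' "$inv" | awk -v p="$proc" '$1 == p { print $2 }' |
      service_xml "$proc" > "$outdir/$proc.xml"
  done
  ls "$outdir"
}
```

On a real host replace SS_SAMPLE with the live `ss -tlnp` output (and `ss -ulnp | listeners udp` for UDP), then review the generated files before use: a process name such as ruby says little about which application owns the port, so rename and merge the files per application as the answer above describes.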
