Firewalld (Demo): Zones and Run Time

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
00:00
>> Hey there Cybrarians.
00:00
>> Welcome back to the Linux+ course here at Cybrary.
00:00
>> I'm your instructor Rob Goelz.
00:00
>> In today's lesson,
00:00
>> we're going to be working with firewalld.
00:00
>> Upon completion of this lesson,
00:00
you're going to be able to understand how
00:00
firewalld builds upon iptables and Netfilter.
00:00
What we've been talking about thus far in this module
00:00
and we're going to explain how
00:00
firewalld groups get their network traffic.
00:00
Then finally, we're going to create and modify rules
00:00
with firewall cmd in our demo at the end of the lesson.
00:00
Firewalld is basically a kinder and gentler iptables.
00:00
Modern red-hat based distros use
00:00
firewalld to configure iptables rules.
00:00
If you thought we're through iptables
00:00
fast the in last lesson and we glossed over things,
00:00
there was a reason for that and that's because you're
00:00
not really going to have to use iptables anymore.
00:00
Modern Red-Hat based distributions use firewalld.
00:00
You can use firewalld on Debian
00:00
based systems like Ubuntu but they
00:00
actually generally use UFW.
00:00
We're probably going to end up using these.
00:00
We don't have to worry as much about iptables,
00:00
but we do have to go with that for
00:00
the purposes of the exam and also to
00:00
give you some background
00:00
on what's happening under the surface.
00:00
Firewalld has a GUI and command line interface,
00:00
and it interfaces with the D-bus, message bus daemon.
00:00
Now, that daemon communicates between
00:00
applications and services and
00:00
it can receive notification of events.
00:00
Well, why do we care about the daemon standard?
00:00
What does this mean? Why is that important?
00:00
Well, firewalld is referred to as
00:00
the dynamic firewall daemon.
00:00
This means that you can change an ACL rule without having
00:00
to restart the firewalld service and the way
00:00
that this works is that rules are loaded
00:00
instantaneously because firewalld sends a notification,
00:00
an event notification to the D-bus interface.
00:00
So it just picks up the change. No problem.
00:00
Now, firewalld groups network
00:00
traffic into predefined rule sets,
00:00
and these are known as zones.
00:00
Now, each zone has a configuration file
00:00
that defines the rules.
00:00
The default zones directory is at
00:00
user lib firewalld zones and then you can
00:00
also create custom zones at etc firewalld zones.
00:00
Now, traffic can be grouped based on
00:00
the network interface or a source address range.
00:00
But if you're using a network connection,
00:00
that network connection can only be
00:00
a member of one zone at a time.
00:00
Please keep that in mind. Now, there are
00:00
a couple of types of predefined firewalld zones.
00:00
We'll try and go through these real quickly.
00:00
We have drop, which is going to
00:00
drop all incoming packets and
00:00
only allows outbound traffic and it says no response.
00:00
There's the block zone which blocks
00:00
incoming packets and provides an error message.
00:00
It accepts only outgoing network connections.
00:00
Drop and block are equivalent to
00:00
drop and reject when we look
00:00
at ACLs and things like that.
00:00
There's the public zone.
00:00
The public zone is used in
00:00
public areas where other systems
00:00
on the network are not trusted.
00:00
If we're in a cafe or something like that,
00:00
we're on a wireless network,
00:00
we don't trust anything.
00:00
We only accept selected incoming network connections,
00:00
maybe our internet traffic.
00:00
External is going to be similar to public.
00:00
It's going to be used on external networks
00:00
with masquerading enabled.
00:00
We'll talk a little bit more about masquerading later.
00:00
There's also a DMZ zone which is similar to public.
00:00
It's used in DMZ networks and these
00:00
are the networks that sit out there.
00:00
They're not exactly external.
00:00
They're usually behind like an external firewall,
00:00
but they're not exactly public.
00:00
They're not exactly internal.
00:00
We have a work zone which is
00:00
basically allowed to select
00:00
incoming network connections,
00:00
a little bit more permissive than public.
00:00
We're on a work network but
00:00
maybe we're not in the internal network.
00:00
This is going to be similar to in DMZ.
00:00
We have the home zone which
00:00
is similar to work but more permissive.
00:00
Usually, if you're in your home network,
00:00
you pretty much trust everything on the network and then
00:00
internal is similar to work but
00:00
used on internal work networks.
00:00
Then the trusted zone accepts
00:00
just absolutely every network connection.
00:00
The firewall CMD command is what we
00:00
use to manage and create rules when
00:00
we're working with firewalld
00:00
and this firewall CMD command though,
00:00
it only modifies the runtime environment.
00:00
The thing that we got to think about is
00:00
the same as iptables.
00:00
If we want to set a permanent configuration,
00:00
we can do one of two things.
00:00
We can either say firewall CMD runtime to permanent,
00:00
and that will take any rules that we have in place
00:00
that are just created on the fly
00:00
and then make them permanent or when we're creating
00:00
the the rule with firewall CMD,
00:00
we can specify the permanent options.
00:00
Firewall CMD dash dash permanent,
00:00
and then the rest of the information
00:00
about the rule we want to set up.
00:00
But let's take a look at all of this with some demo time.
00:00
Here we are in our demo environment
00:00
and today we're going to be in CentOS.
00:00
Like I said, this is mostly firewall.
00:00
D is going to be found on modern Red Hat
00:00
based distributions so CentOS is a good place to do this.
00:00
What we're going to do first to get
00:00
started is we're going to check and enable firewalld.
00:00
Make sure that it's enabled, make sure that it started.
00:00
[NOISE]. You'd use one command, [inaudible] system CTL,
00:00
enable dash dash now,
00:00
which is not only going to enable it but
00:00
it's also going to start it and then we'll
00:00
say we want to do that for firewalld and we'll see.
00:00
I've typed in my password to
00:00
elevate privileges, of course,
00:00
and we see that it's started
00:00
and it's also created the same links that
00:00
need to be in place in order for it to work properly.
00:00
We can see the first [inaudible] create is
00:00
for the D-bus because as I said remember this
00:00
is working with the D-bus daemon so that
00:00
it can load rules without having to restart the service.
00:00
To see all zones,
00:00
we can do sudo firewall dash CMD dash,
00:00
dash, get dash zone.
00:00
This will display all the zones
00:00
on the system that we have and
00:00
we can see all the zones
00:00
across the board block, DMZ drop.
00:00
All the ones we talked about previously in this lesson.
00:00
Now, if we want to see the default zone,
00:00
we can do sudo firewalld, dash, dash,
00:00
get default zone and
00:00
we'll see that the fault zone and our system is public.
00:00
To list all the configurations that are in place,
00:00
we can do sudo firewall CMD,
00:00
and we'll do dash, dash list,
00:00
dash all, and these are
00:00
all the configurations that we have on the system.
00:00
We see in public, we have quite a few things in place.
00:00
We have some services we're allowing,
00:00
we have an interface to defined.
00:00
Remember, an interface can only be
00:00
in one zone at a time.
00:00
Our network that we're using,
00:00
our interface that we're on,
00:00
ENP0S3, is defined in the public zone.
00:00
If we want to change the firewall zone, we can do that.
00:00
We can do sudo firewall cmd [NOISE] and then we can do
00:00
set default equal to
00:00
internal and that is success.
00:00
Now, if we go and we do get the fault zone,
00:00
we'll see that it's been changed to internal.
00:00
Here we can also see all of the services allowed
00:00
on the internal zone by default,
00:00
we can do the same thing we did before.
00:00
We can do a sudo firewall CMD list
00:00
all and now we'll see that this is slightly different.
00:00
We have some additional things that are allowed through.
00:00
We have HTTPS, we see mDNS and Samba here.
00:00
Those weren't available in the public,
00:00
they are available on the internal network instead.
00:00
Also, let's go ahead and add
00:00
HTTPS to the internal network.
00:00
Actually, we already see HTTPS here.
00:00
Let's go ahead and add DNS instead.
00:00
What we can do is we can do sudo firewall, CMD,
00:00
[NOISE] add dash service and we'll say that equals
00:00
DNS and we see success.
00:00
Now if we run the list again,
00:00
[NOISE] we see DNS added there as well.
00:00
But keep in mind none of these changes are persistent.
00:00
Like we talked about, if we want to make them persistent,
00:00
we can either do that when we create the role by saying,
00:00
we could say dash, dash permanent.
00:00
But now since we've already created the rule,
00:00
what we can do instead is we can say sudo firewall,
00:00
[NOISE] CMD and we can say
00:00
runtime to permanent and
00:00
that commits those rules.
00:00
Now, if you want to,
00:00
we can reload the rules by doing
00:00
a sudo firewall CMD reload.
00:00
This is basically just going out and saying,
00:00
Hey D-bus, just go ahead and reload this for us.
00:00
We're not actually restarting firewall CMD,
00:00
we're just reloading the rules and it helps if you spell
00:00
reload right so let's do that and there we go.
00:00
Success. With that, we've reached the end of
00:00
this lesson and in this lesson we covered how
00:00
firewalld builds upon iptables and Netfilter.
00:00
We talked about how zones are used to
00:00
group traffic in firewalld and then finally,
00:00
we did some creating and modifying
00:00
firewalld with the firewall CMD command.
00:00
Thanks so much for being here and I look
00:00
forward to seeing you in the next lesson.
Up Next