firewalld is a firewall management tool for Linux operating systems. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables userspace utility (iptables before v0.6.0), serving as an alternative to the nft command line program. The name firewalld adheres to the Unix convention of naming system daemons by appending the letter "d".
firewalld supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Administrators can configure Network Manager to automatically switch zone profiles based on known Wi-Fi (wireless) and Ethernet (wired) networks, but firewalld cannot do this on its own.
Services and applications can use the D-Bus interface to query and configure the firewall. firewalld supports timed rules, meaning the number of connections (or "hits") to a service can be limited globally. There is no support for hit-counting and subsequent connection rejection per source IP, a common technique deployed to limit the impact of brute-force hacking and distributed denial-of-service attacks.
firewalld's command syntax is similar to but more verbose than other iptables front-ends like Ubuntu's Uncomplicated Firewall (ufw). The command-line interface allows managing firewall rulesets for protocol, ports, source and destination; or predefined services by name.
Services are defined as XML files containing port- and protocol-mappings, and optionally extra information like specifying subnets and listing required kernel helper modules.[8] The syntax resembles that of systemd's service files. A simple service file for a web server listening on TCP port 443 might look like this:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Web Server</short>
  <description>Public web host over HTTPS.</description>
  <port port="443" protocol="tcp" />
</service>
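Before enabling a service by name it is worth checking exactly which ports its definition opens. The script below is an added example, not part of the original page or of firewalld itself: it writes the sample service file from the text to a path of your choosing (the file name is an assumption) and extracts every port/protocol pair from the <port .../> elements, so the same function can be pointed at any file under /usr/lib/firewalld/services/ or /etc/firewalld/services/.

```shell
#!/bin/sh
# Added example (not from the original page): write a constructed firewalld
# service file and list the port/protocol pairs it opens.

set -eu

# Write the sample service definition from the text to the given path.
write_sample_service() {  # usage: write_sample_service FILE
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Web Server</short>
  <description>Public web host over HTTPS.</description>
  <port port="443" protocol="tcp" />
</service>
EOF
}

# Print every <port .../> element of a service file as PORT/PROTO, one per
# line. The two attributes are matched separately so their order does not matter.
service_ports() {  # usage: service_ports FILE
    grep -o '<port[^>]*/>' "$1" | while IFS= read -r el; do
        p=$(printf '%s' "$el" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s' "$el" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$p" "$proto"
    done
}

# Return 0 if the service file opens PORT over PROTO, 1 otherwise.
service_opens() {  # usage: service_opens FILE PORT PROTO
    service_ports "$1" | grep -qx "$2/$3"
}

# Stand-alone use: sh this_script.sh /usr/lib/firewalld/services/https.xml
if [ "$#" -ge 1 ]; then
    service_ports "$1"
fi
```

Run it against the shipped definitions to see what a name such as --add-service=https really opens before you allow it in a zone.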
firewalld should be enabled by default. You can check it with:

# systemctl status firewalld

If it is not enabled, enter on the command line:

# systemctl start firewalld
# systemctl enable firewalld
Never disable firewalld.
To permanently allow a predefined service in the public zone and reload the rules:

# firewall-cmd --permanent --zone=public --add-service=xxxx
# firewall-cmd --reload

To permanently open a single port instead:

# firewall-cmd --permanent --zone=public --add-port=xxxx/<protocol>
# firewall-cmd --reload

For a range use --add-port=10080-10100/tcp.

To close a port again (add --permanent and reload, as above, if the change must survive a reload):

# firewall-cmd --remove-port=port-number/port-type
We can see which zone is currently selected as the default by typing:
# firewall-cmd --get-default-zone
Since we haven't given firewalld any commands to deviate from the default zone, and none of our interfaces are configured to bind to another zone, that zone will also be the only "active" zone (the zone that is controlling the traffic for our interfaces). We can verify that by typing:
# firewall-cmd --get-active-zones
How do we know what rules are associated with the public zone though? We can print out the default zone's configuration by typing:
# firewall-cmd --list-all
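Once rules have been added it pays to audit the active zone against the short list of services and ports you intend to expose, rather than reading --list-all by eye. The script below is an added example, not part of the original page or of firewalld: it parses the text that firewall-cmd --list-all prints (fed on stdin, so it also works on saved output) and reports every open service or port that is not on an allowlist. The allowlists and the sample listing are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the services and ports a
# zone opens against an allowlist, using the output of "firewall-cmd --list-all".

set -eu

# Constructed sample of what "firewall-cmd --list-all" prints for the
# public zone; used here so the script can be tried without root.
sample_listing() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Print the zone name (first word of the first line) of a listing on stdin.
zone_name() {
    awk 'NR == 1 { print $1; exit }'
}

# Print the value of one "  key: value ..." line of a listing on stdin.
zone_field() {  # usage: zone_field KEY < listing
    awk -v key="$1" '$1 == (key ":") { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Report every open service or port not in the allowlists; return 1 if any.
audit_zone() {  # usage: audit_zone "ALLOWED_SERVICES" "ALLOWED_PORTS" < listing
    listing=$(cat)
    rc=0
    for s in $(printf '%s\n' "$listing" | zone_field services); do
        case " $1 " in
            *" $s "*) ;;
            *) echo "unexpected service: $s"; rc=1 ;;
        esac
    done
    for p in $(printf '%s\n' "$listing" | zone_field ports); do
        case " $2 " in
            *" $p "*) ;;
            *) echo "unexpected port: $p"; rc=1 ;;
        esac
    done
    return $rc
}

# Live use (as root): firewall-cmd --list-all | audit_zone "dhcpv6-client https ssh" ""
# Demonstration on the constructed sample:
sample_listing | audit_zone "dhcpv6-client https ssh" "" || echo "audit found unexpected openings"
```

A non-zero exit status makes the check usable from a cron job or a configuration-management run, so drift from the intended rule set is noticed instead of silently exposed through the router later.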
You can do a port scan from another device that has scanning software. For Android and iPhone/iPad there is "Net Analyzer". For Windows you can use Wireshark.
SELinux defines port types to represent TCP and UDP ports.
If you need to know which ports are already assigned to a port type, enter:

# semanage port -l
SELinux Port Type              Proto    Port Number
afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
.....
zookeeper_election_port_t      tcp      3888
zookeeper_leader_port_t        tcp      2888
zope_port_t                    tcp      8021

Ports not listed can be used.
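The real listing is long, and many types claim comma-separated lists or ranges of ports rather than a single number, so "not listed" is easy to misjudge by eye. The script below is an added example, not part of the original page or of the SELinux tools: it reads semanage port -l output on stdin and prints the port type, if any, that already claims a given port and protocol, handling both list entries and ranges. The sample listing is constructed and abridged.

```shell
#!/bin/sh
# Added example (not from the original page): find which SELinux port type,
# if any, already claims PORT/PROTO in "semanage port -l" output.

set -eu

# Constructed, abridged sample of "semanage port -l" output.
sample_semanage() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
mongod_port_t                  tcp      27017-27019
ssh_port_t                     tcp      22
zookeeper_election_port_t      tcp      3888
zope_port_t                    tcp      8021
EOF
}

# Print every port type whose entry covers PORT over PROTO; exit 1 if none.
# Fields from the third onward are list items ("443," or "9000") or ranges
# ("27017-27019"); the header line and blank lines are skipped.
selinux_port_owner() {  # usage: selinux_port_owner PORT PROTO < listing
    awk -v port="$1" -v proto="$2" '
        NR > 1 && NF >= 3 && $2 == proto {
            for (i = 3; i <= NF; i++) {
                spec = $i
                sub(/,$/, "", spec)                 # strip list separator
                n = split(spec, r, "-")             # single port or lo-hi range
                lo = r[1]
                hi = (n == 2) ? r[2] : r[1]
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    print $1
                    found = 1
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Live use (as root): semanage port -l | selinux_port_owner 8080 tcp
# Demonstration on the constructed sample:
sample_semanage | selinux_port_owner 443 tcp || echo "443/tcp is not claimed"
```

Run it with the port you plan to pass to --add-port before adding the rule; a hit means the port already belongs to a type and a confined service on it will need a matching SELinux context rather than just a firewall opening.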
Fail2ban is arguably the best software to secure a Linux server and protect it against automated attacks. When enabled, it offers many customizable rules to ban source addresses that try to gain access to your machine. Fail2ban works hand in hand with a firewall, so we recommend installing and enabling both as separate security layers.

After you have added the firewall rules and tested them on your LAN, you can configure port forwarding on your ISP router to your server, per service.

The safest setting for the router is when all inbound ports are stealthed. You can check this at ShieldsUP.

Only forward ports that use TLS and that are actually needed.

If possible, do not forward SSH. Use the router's built-in VPN if it has one. Never forward Telnet.

Do not use the router's DMZ function for your server.

For mail, forward only the IMAPS and POP3S ports. The SMTP ports (25, 465, 587) are all needed.