Skip to content

Firewalld is a secure way to manage simple firewall rules on a managed virtual machine without needing to interact with NFtables directly. The Hosting Engineering and Automation Team (HEAT) has helpful documentation for firewall management on their documentation site.

Depending on your VM's security level you may not have all of these zones, but if they do exist and the source IPs are included when you run sudo firewall-cmd --list-all-zones on the server, you will need to account for this in your firewall adjustments.

Zones of Interest#

The following zones of interest are included by default on Hosting-provisioned VMs. You may need to open a service or port in multiple zones if the network is referenced as a source in multiple networks.

Admin-Net: Hosting management and UMN VPN#

Port 22/tcp is open by default.

  • Sources from UMN - Split Tunnel - General Access or AnyConnect-UofMvpnFull

Bastions: Bastion and Ale jump servers#

Port 22/tcp is open by default.

  • Sources from the Ale jump servers

Campus: All campus networks#

Port 22/tcp is open by default.

  • Sources with IP addresses included in any of the summary campus networks listed

Public: Default zone#

This is the zone of the main network interface. Any firewall adjustments made without declaring a zone explicitly will be made to this zone.

The following other zones have been established at provision time but are for infrastructure use and should not be adjusted in order to ensure normal functioning of monitoring and Ansible Tower: Admin-Zabbix, Ansible-Tower

Ansible#

Here is an example of opening port 80 on a private low security VM that contains the Campus network:

Text Only
    - name: permit traffic in Campus zone on port 80/tcp
      ansible.posix.firewalld:
        port: 80/tcp
        permanent: true
        state: enabled
        zone: Campus
        immediate: true
      notify: 
        - restart firewalld
If you are using standard ports for a typical service, you can instead specify the service. In this case, allowing the http/https services in three different zones.

Text Only
- name: "Allow https and http services in firewalld"
    firewalld:
      service: "{{ item[0] }}"
      permanent: yes
      state: enabled
      immediate: yes
      zone: "{{ item[1] }}"
    loop: "{{ ['http', 'https'] | product(['public', 'Campus', 'Bastions']) | list}}"

NOTE: IF you are experimenting with opening the firewall in different zones to troubleshoot connectivity, do not use the permanent: true or permanent: yes until you are sure of the configuration you want to set.

Useful Command Examples#

In general if you are opening or closing access to your server by standard ports for a service, you can

  • View list of zones with no details: firewall-cmd --get-zones
  • View list of zones with details: sudo firewall-cmd --list-all-zones
  • Remove Ports to default zone: sudo firewall-cmd --remove-port={80/tcp,443/tcp}
  • Make ad-hoc changes permanent: sudo firewall-cmd --runtime-to-permanent
  • Reload firewalld: sudo firewall-cmd --reload

Creating New Zones#

If the network you need to adjust is not already included in a zone that is listed and the changes you need to make are specific enough that you do not want to just adjust the public zone, you can create a new one.

Firewalld does acknowledge priority but it will factor the priority inside the zone and process each zone in alphabetical order. If the packets match a source in a prior zone, it will perform the action indicated by the zone that comes first in alphabetical order. In order to ensure your new zone is processed first, you can append something like "AAA" to the name.

Additionally, you cannot add the same source to two different zones; this is a feature of firewalld. In general you should be able to configure the zones in such a way that the sources are limited to one zone.

Rich Rules#

Rich rules can be used if the desired firewall rules aren't able to be established through conventional syntax. It is recommended to use these only sparingly as they ignore other port and service settings in the zone they're added to.

Troubleshooting#

When you're troubleshooting the firewall, pay attention to any messages you receive, this may help you determine which zone is processing the packets.

Any zone with a DROP target will refuse the connection. Any zone with %%REJECT%% will simply time out. If you experience an unexpected action, a zone "higher up" may have processed the packet.

Additional Resources#

RedHat: Beginner's Guide to FirewallD

Linux Journal: Understanding Firewalld Multizone configurations