
Firewalld is a secure way to manage simple firewall rules on a managed virtual machine without needing to interact with nftables directly. The Hosting Engineering and Automation Team (HEAT) has helpful documentation for firewall management on their documentation site.

Depending on your VM's security level, you may not have all of these zones. Where a zone does exist and lists source IPs (check with sudo firewall-cmd --list-all-zones on the server), traffic from those sources is handled by that zone rather than by the default zone, and you will need to account for it in your firewall adjustments.

Getting started#

Zones of interest#

The following zones of interest are included by default on Hosting-provisioned VMs. A connection is handled by the zone whose source list matches the client's address, so you may need to open a service or port in more than one zone if the client network falls within the source networks of more than one zone.

Admin-Net: Hosting management and UMN VPN#

Port 22/tcp is open by default.

  • Sources from UMN - Split Tunnel - General Access or AnyConnect-UofMvpnFull

Bastions: Bastion and Ale jump servers#

Port 22/tcp is open by default. The jump servers' addresses are also covered by the Campus zone networks, so if your machine has a Campus zone you can disable the Bastions zone entirely to avoid unnecessary firewall rules.

  • Sources from the Ale jump servers

Campus: All campus networks#

Port 22/tcp is open by default. This zone is excluded from high security servers.

  • Sources with IP addresses included in any of the summary campus networks listed

Public: Default zone#

This is the zone of the main network interface, so it handles every connection whose source does not match one of the other zones. Any firewall adjustment made without explicitly declaring a zone is applied to this zone.

The following zones are also established at provision time but are for infrastructure use and should not be adjusted, so that monitoring and Ansible Tower keep working normally: Admin-Zabbix, Ansible-Tower.

Ansible#

Example of opening port 80 on a private low security VM that contains the Campus network:

```yaml
    - name: permit traffic in Campus zone on port 80/tcp
      ansible.posix.firewalld:
        port: 80/tcp
        permanent: true   # write to the saved configuration so it survives a reload
        state: enabled
        zone: Campus      # zone names are case sensitive
        immediate: true   # also apply to the running firewall right away
      notify:
        - restart firewalld   # handler defined elsewhere in the playbook (not shown here)
```
If you are using the standard ports for a typical service, you can specify the service instead of the port. In this case, allowing the http and https services in three different zones:

```yaml
    - name: "Allow https and http services in firewalld"
      ansible.posix.firewalld:
        service: "{{ item[0] }}"
        permanent: true
        state: enabled
        immediate: true
        zone: "{{ item[1] }}"
      # product() yields every (service, zone) pair: 2 services x 3 zones = 6 iterations
      loop: "{{ ['http', 'https'] | product(['public', 'Campus', 'Bastions']) | list }}"
```
If you omit the zone parameter, the changes you define are applied to the default zone (public):

```yaml
    - name: Modify Public zone to add ports
      ansible.posix.firewalld:
        state: enabled
        port: "{{ item }}"
        permanent: true
        immediate: true   # without this the permanent change waits for the next reload
      loop:
        - 443/tcp
        - 22/tcp          # note: in the default zone this exposes SSH to every source
```

NOTE: If you are experimenting with opening the firewall in different zones to troubleshoot connectivity, do not set permanent: true until you are sure of the configuration you want. A task without permanent: true changes only the running configuration, which is discarded on the next reload or restart of firewalld, so a mistake is easy to undo with sudo firewall-cmd --reload.

Useful Command Examples#

In general, if you are opening or closing access to your server on the standard ports of a service, you can use the following commands. Without --permanent, firewall-cmd changes only the running configuration:

  • View list of zones with no details: firewall-cmd --get-zones
  • View list of zones with details: sudo firewall-cmd --list-all-zones
  • Remove ports from the default zone (runtime only; the shell expands the braces into one --remove-port per port): sudo firewall-cmd --remove-port={80/tcp,443/tcp}
  • Make ad-hoc (runtime) changes permanent: sudo firewall-cmd --runtime-to-permanent
  • Reload firewalld, discarding runtime-only changes and activating permanent ones: sudo firewall-cmd --reload

Creating New Zones#

If the network you need to adjust is not already a source in one of the listed zones, and the change you need is specific enough that you do not want to make it in the public zone, you can create a new zone.

Firewalld honours priority only within a zone (for example the priority of its rich rules). Between zones, it checks each zone's sources in alphabetical order of zone name, and a packet is handled by the first zone whose source matches, even if a zone later in the order also lists a matching network. To ensure your new zone is processed first, prefix its name with something like "AAA".

Additionally, you cannot add the same source to two different zones; firewalld refuses it with a ZONE_CONFLICT error. In general you should be able to configure the zones so that each source is listed in exactly one zone.

Rich Rules#

Rich rules can be used when the desired firewall behaviour cannot be expressed with the ordinary port, service and source settings. Use them sparingly: a rich rule that drops or rejects traffic is evaluated before the port and service allowances of the zone it is added to, so it overrides them, and rich rules are easy to overlook when reading a zone's configuration.

Troubleshooting#

When you are troubleshooting the firewall, pay attention to the error the client receives; it helps you determine which zone processed the packet.

A zone whose target is DROP silently discards the packet, so the client's connection attempt times out. A zone whose target is %%REJECT%% (or the default target, which rejects traffic not matching an allowed port or service) sends a rejection back, so the client sees "connection refused" immediately. If the result is not what the zone you edited should produce, a zone "higher up" in the processing order may have handled the packet instead; check its sources with sudo firewall-cmd --list-all-zones.
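The zone-dispatch rules from the Creating New Zones section (alphabetical order, one zone per source, a leading "AAA" to win precedence) and the troubleshooting question of which zone handled a packet and whether the client sees a timeout or a refusal can be worked through offline. The following is an added example written for this page, not Hosting or HEAT code: it parses the text output of sudo firewall-cmd --list-all-zones (a constructed sample using RFC 5737 test addresses and made-up zone names is embedded, so nothing talks to firewalld), reports which zone would handle a given client and port and what the client would observe, and plans the firewall-cmd commands for a new zone, refusing a source that is already bound elsewhere and flagging earlier-sorting zones that would capture the traffic first. The alphabetical dispatch order, the small service-to-port table and the zone names are assumptions for the example.

```python
"""Which firewalld zone handles a client, and adding a zone without conflicts.
Added example for this page, not Hosting/HEAT code. It parses the text of
`sudo firewall-cmd --list-all-zones` (constructed sample below) instead of
calling firewalld, so it runs anywhere. Assumed, as this page states: zones
are tried alphabetically, first source match wins, else the default zone.
"""
import ipaddress

# Constructed --list-all-zones output (RFC 5737 test addresses, made-up zones).
SAMPLE = """\
AAA-Blocklist
  target: DROP
  sources: 192.0.2.66/32
  services: 
  ports: 

Campus
  target: default
  sources: 192.0.2.0/24 203.0.113.0/24
  services: ssh
  ports: 80/tcp

public (active)
  target: default
  sources: 
  services: dhcpv6-client ssh
  ports: 443/tcp
"""
# Subset of /usr/lib/firewalld/services/*.xml, hard-coded so no firewalld is needed.
SERVICE_PORTS = {"ssh": {"22/tcp"}, "http": {"80/tcp"}, "https": {"443/tcp"},
                 "dhcpv6-client": {"546/udp"}}


def parse_zones(text):
    """Parse --list-all-zones text into {zone: {attribute: [values]}}."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # zone name, maybe with " (active)"
            current = line.split(" (")[0].strip()
            zones[current] = {}
        else:                                  # "  key: v1 v2" (value may be empty)
            key, _, value = line.strip().partition(":")
            zones[current][key.strip()] = value.split()
    return zones


def zone_for(zones, client_ip, default_zone="public"):
    """First zone in alphabetical order whose sources contain client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for name in sorted(zones):                 # assumed dispatch order (see page)
        if any(ip in ipaddress.ip_network(s, strict=False)
               for s in zones[name].get("sources", [])):
            return name
    return default_zone                        # no source matched: interface zone


def verdict(zones, client_ip, port, default_zone="public"):
    """(zone, outcome) for a connection from client_ip to a port such as '80/tcp'."""
    name = zone_for(zones, client_ip, default_zone)
    z = zones[name]
    allowed = set(z.get("ports", []))
    for svc in z.get("services", []):
        allowed |= SERVICE_PORTS.get(svc, set())
    target = z.get("target", ["default"])[0]
    if target == "ACCEPT" or port in allowed:
        return name, "accept"
    if target == "DROP":                       # silently discarded: client times out
        return name, "drop (client times out)"
    return name, "reject (client sees connection refused)"  # default / %%REJECT%%


def plan_new_zone(zones, name, sources, ports, target="default"):
    """firewall-cmd argv lists to create `name`, plus the earlier-sorting zones
    whose sources overlap it (they would capture the traffic first). Raises if
    a source is already bound elsewhere: firewalld refuses that (ZONE_CONFLICT)."""
    for z, attrs in zones.items():
        if dup := set(sources) & set(attrs.get("sources", [])):
            raise ValueError(f"source(s) {sorted(dup)} already bound to zone {z}")
    nets = [ipaddress.ip_network(s, strict=False) for s in sources]
    shadowed_by = sorted(z for z, attrs in zones.items() if z < name and any(
        ipaddress.ip_network(a, strict=False).overlaps(n)
        for a in attrs.get("sources", []) for n in nets))
    zone = f"--zone={name}"
    cmds = [["firewall-cmd", "--permanent", f"--new-zone={name}"],
            ["firewall-cmd", "--permanent", zone, f"--set-target={target}"]]
    cmds += [["firewall-cmd", "--permanent", zone, f"--add-source={s}"] for s in sources]
    cmds += [["firewall-cmd", "--permanent", zone, f"--add-port={p}"] for p in ports]
    cmds.append(["firewall-cmd", "--reload"])  # permanent changes take effect on reload
    return cmds, shadowed_by


if __name__ == "__main__":
    zones = parse_zones(SAMPLE)
    for ip, port in [("192.0.2.5", "80/tcp"), ("192.0.2.66", "80/tcp"), ("8.8.8.8", "80/tcp")]:
        print(ip, port, "->", verdict(zones, ip, port))
    for new in ("Partner", "AAA-Partner"):      # the AAA prefix sorts ahead of Campus
        cmds, shadowed = plan_new_zone(zones, new, ["203.0.113.128/25"], ["8443/tcp"])
        print(new, "shadowed by:", shadowed, "\n " + "\n ".join(map(" ".join, cmds)))
```

Run against real output by piping sudo firewall-cmd --list-all-zones into parse_zones. In the sample, 192.0.2.66 is inside the Campus network but is handled by AAA-Blocklist because that name sorts first, so its web request times out rather than being refused; a client outside every source lands in public and is refused on 80/tcp. Planning a zone called Partner for 203.0.113.128/25 reports that Campus (which sorts earlier and lists 203.0.113.0/24) would capture that traffic first, while AAA-Partner does not have that problem. The plan only builds the commands; review them before running, and remember that --new-zone and --set-target exist only in the permanent configuration, which is why the plan ends with --reload.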