Firewalld is a zone-based firewall solution available for many Linux distributions. It provides dynamically managed firewall rules organized into zones. Each zone can be configured to accept or deny requests or services. It supports IPv4 and IPv6. Zones can be associated with different network interfaces.
By default, firewalld comes with a set of predefined zones. The "firewall-cmd" tool is used to monitor and manage firewall zones. The following command returns the zones that are already defined and ready to use. Zone names should indicate their purpose.
# firewall-cmd --get-zones
Consul block dmz drop external home internal public trusted work
The predefined zones can be used to manage traffic, but it is a good idea to define a dedicated zone. When adding a new zone, you must use the "--permanent" option so that it is written to the firewall configuration. After completing the configuration you must reload the firewall daemon.
In this post, we will walk through a test scenario that isolates the Consul service. We create a whitelist and a blacklist so that only the Consul clients are given access.
Create a new Zone
# This command creates a new zone named Consul.
firewall-cmd --new-zone=Consul --permanent
Assign a Network Interface to the Zone
firewall-cmd --permanent --zone=Consul --change-interface=ens192
Accept all requests
--set-target accepts these values: default, ACCEPT, DROP, REJECT
firewall-cmd --permanent --zone=Consul --set-target=ACCEPT
Define the source IP address
Add the source IP address that should always have access to the service or to any of its ports.
firewall-cmd --permanent --zone=Consul --add-source=192.168.1.87/32
Drop all requests to a specific port
We define a rich rule that drops all requests arriving at port 8500. Only the IP address that we added as a source will have access to port 8500.
firewall-cmd --permanent --zone=Consul --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port protocol="tcp" port="8500" drop'
Reload Firewall Service
# Review the permanent configuration, apply it, then confirm the zone again.
firewall-cmd --permanent --zone=Consul --list-all
firewall-cmd --reload
firewall-cmd --permanent --zone=Consul --list-all
If you need to remove a rule
# Removing the rich rule added above (the rule text must match exactly, including port 8500).
firewall-cmd --permanent --zone=Consul --remove-rich-rule='rule family="ipv4" source address="0.0.0.0/0" port protocol="tcp" port="8500" drop'
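As an added example (not part of the original post), the following POSIX shell script applies the steps above in order and then checks the zone listing against the intended policy, so a typo in any step is caught instead of silently leaving port 8500 open. It assumes the interface, source and port used in this post and the "target:", "interfaces:", "sources:" and "rich rules:" lines printed by firewall-cmd --list-all; the listing used in its test is constructed.

```shell
#!/bin/sh
# Apply the Consul zone from the post and verify the result.
# Expected values are taken from the post; override via the environment.
CONSUL_IFACE="${CONSUL_IFACE:-ens192}"
CONSUL_ALLOWED_SRC="${CONSUL_ALLOWED_SRC:-192.168.1.87/32}"
CONSUL_PORT="${CONSUL_PORT:-8500}"

# _check DESCRIPTION REGEX: records a missing item if REGEX does not match
# any line of the zone listing held in $listing.
_check() {
    if ! printf '%s\n' "$listing" | grep -Eq "$2"; then
        echo "MISSING: $1" >&2
        missing=1
    fi
}

# verify_consul_zone: reads `firewall-cmd --zone=Consul --list-all` output on
# stdin; returns 0 when the policy holds, 1 otherwise. Rich-rule attributes
# are matched individually because firewalld reorders them when printing.
verify_consul_zone() {
    listing=$(cat)
    missing=0
    src_re=$(printf '%s' "$CONSUL_ALLOWED_SRC" | sed 's/\./\\./g')
    _check "zone target ACCEPT" '^[[:space:]]*target:[[:space:]]*ACCEPT$'
    _check "interface $CONSUL_IFACE bound" \
        "^[[:space:]]*interfaces:.*[[:space:]]$CONSUL_IFACE([[:space:]]|$)"
    _check "allowed source $CONSUL_ALLOWED_SRC" \
        "^[[:space:]]*sources:.*[[:space:]]$src_re([[:space:]]|$)"
    if ! printf '%s\n' "$listing" | grep -E '^[[:space:]]*rule family="ipv4"' \
            | grep -E "port=\"$CONSUL_PORT\"" | grep -E 'protocol="tcp"' \
            | grep -q 'drop$'; then
        echo "MISSING: drop rule for tcp/$CONSUL_PORT" >&2
        missing=1
    fi
    return $missing
}

# apply_consul_zone: the post's commands, then reload and verify the runtime
# zone. Run as root on the host; FIREWALL_CMD may point at a wrapper.
apply_consul_zone() {
    fc="${FIREWALL_CMD:-firewall-cmd}"
    "$fc" --permanent --new-zone=Consul 2>/dev/null || true   # exists already
    "$fc" --permanent --zone=Consul --change-interface="$CONSUL_IFACE"
    "$fc" --permanent --zone=Consul --set-target=ACCEPT
    "$fc" --permanent --zone=Consul --add-source="$CONSUL_ALLOWED_SRC"
    "$fc" --permanent --zone=Consul --add-rich-rule="rule family=\"ipv4\" source address=\"0.0.0.0/0\" port protocol=\"tcp\" port=\"$CONSUL_PORT\" drop"
    "$fc" --reload
    "$fc" --zone=Consul --list-all | verify_consul_zone
}
```

Source the file and call apply_consul_zone, or pipe a saved listing into verify_consul_zone to audit a host without changing it.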