===== firewalld =====
==== references ====
* http://www.tecmint.com/configure-firewalld-in-centos-7/
* http://www.tecmint.com/firewalld-rules-for-centos-7/
* https://www.certdepot.net/rhel7-get-started-firewalld/
* https://www.certdepot.net/rhel7-get-started-nmcli/
* https://access.redhat.com/discussions/1455033
* https://bugzilla.redhat.com/show_bug.cgi?id=1112742
* https://www.it-connect.fr/centos-7-utilisation-et-configuration-de-firewalld/
==== install ====
# yum install firewalld firewall-config
# systemctl start firewalld.service
# systemctl status firewalld.service
# firewall-cmd --get-active-zones
# firewall-cmd --get-services
# firewall-cmd --zone=public --list-all
# firewall-cmd --get-zones
# firewall-cmd --get-default-zone
# firewall-cmd --list-all-zones
==== files ====
# cat /etc/firewalld/firewalld.conf
# ls /etc/firewalld/zones
# cat /etc/firewalld/zones/public.xml
==== bind an interface to a zone ====
# firewall-cmd --get-zone-of-interface=eth0
# firewall-cmd --zone=public --change-interface=eth0
# firewall-cmd --permanent --zone=public --change-interface=eth0
# grep eth0 /etc/firewalld/zones/public.xml
==== managing simple services ====
adding http (httpd) and removing ssh for everyone
# firewall-cmd --add-service=http --permanent
# firewall-cmd --zone=public --remove-service=ssh --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
==== managing complex rules ====
to include the source address, for example, plus logging; example of adding and removing a rule:
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.1.11/32" service name="http" log prefix="http_192.168.1.11" accept'
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.1/32" service name="ssh" log prefix="ssh_192.168.0.1" accept'
# firewall-cmd --permanent --remove-rich-rule 'rule family="ipv4" source address="192.168.0.1/32" service name="ssh" log prefix="ssh_192.168.0.1" accept'
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" port port=8080 protocol=tcp log prefix="http8080" accept'
# firewall-cmd --reload
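A permanent rich rule is only removed when the remove command repeats the rule string exactly (including the log prefix), so it is safer to build the string once and reuse it for add, query and remove. Added example, not part of the original page: the rich_rule and apply_rule functions are hypothetical helpers, and apply_rule assumes firewall-cmd is installed on the host.

```shell
#!/bin/sh
# Added example (not from the original page): build a firewalld rich rule from
# parameters so that add and remove always use the identical string.
# Usage: rich_rule <source-cidr> <service|port/proto> <log-prefix>
rich_rule() {
    src=$1; target=$2; prefix=$3
    case $target in
        */*)  # "8080/tcp" -> port rule
            port=${target%/*}; proto=${target#*/}
            match="port port=\"$port\" protocol=\"$proto\""
            ;;
        *)    # service name, e.g. "http" or "ssh"
            match="service name=\"$target\""
            ;;
    esac
    printf 'rule family="ipv4" source address="%s" %s log prefix="%s" accept' \
        "$src" "$match" "$prefix"
}

# Usage: apply_rule add|remove <source-cidr> <service|port/proto> <log-prefix>
# Adds the permanent rule only if it is absent, removes it only if it is
# present (so the script is idempotent), then reloads the runtime config.
apply_rule() {
    action=$1; shift
    rule=$(rich_rule "$@")
    if firewall-cmd --permanent --query-rich-rule "$rule" >/dev/null 2>&1; then
        present=yes
    else
        present=no
    fi
    case "$action:$present" in
        add:no)     firewall-cmd --permanent --add-rich-rule "$rule" ;;
        remove:yes) firewall-cmd --permanent --remove-rich-rule "$rule" ;;
        *)          echo "nothing to do for $action (rule present: $present)" >&2
                    return 0 ;;
    esac
    firewall-cmd --reload
}

# Example calls (constructed addresses matching the page's rules):
#   apply_rule add    192.168.0.1/32 ssh      ssh_192.168.0.1
#   apply_rule add    192.168.0.0/24 8080/tcp http8080
#   apply_rule remove 192.168.0.1/32 ssh      ssh_192.168.0.1
```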