
Setup firewalld for PHP server on CentOS 7 minimal

4번독수리 2016. 7. 25. 10:27

1. [root]# yum install firewalld


2. [root]# service firewalld start


3. Block SSH except specific IP address

[root]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s 111.111.111.111 -p tcp -m tcp --dport 22 -j ACCEPT

[root]# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable


* Find out all active direct rules

[root]# firewall-cmd --direct --get-all-rules

ipv4 filter INPUT 1 -m tcp --source 111.111.111.111 -p tcp --dport 22 -j ACCEPT

ipv4 filter INPUT 1 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable


4. [root]# service firewalld restart
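
As an added check that is not part of the original post: a POSIX shell script that reads the listing from `firewall-cmd --direct --get-all-rules` and confirms that the source-restricted SSH ACCEPT rule carries a strictly lower priority number than the catch-all SSH REJECT rule. firewalld applies direct rules in ascending priority and rules sharing a priority have no fixed order, so a listing like the one above, where both rules sit at priority 1, is reported as unsafe. The function names and the sample listings are my own; the listings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added lockout check for the SSH direct rules above (not from the original post).
# firewalld applies direct rules in ascending priority; rules that share a priority
# have no fixed order, so the ACCEPT for the admin address must carry a strictly
# lower priority number than the catch-all REJECT or you risk locking yourself out.

# Print the priority of the first "ipv4 filter INPUT" rule for tcp/22 whose target
# is $2 (ACCEPT or REJECT). An ACCEPT only counts if it is source-restricted
# (-s / --source); an unrestricted ACCEPT would open SSH to everyone.
ssh_rule_priority() {
    printf '%s\n' "$1" | awk -v target="$2" '
        $1 == "ipv4" && $2 == "filter" && $3 == "INPUT" &&
        index($0, " --dport 22 ") > 0 && index($0, " -j " target) > 0 &&
        (target != "ACCEPT" || $0 ~ / -s | --source /) { print $4; exit }'
}

# Return 0 only when both rules exist and the ACCEPT strictly precedes the REJECT.
ssh_order_ok() {
    accept=$(ssh_rule_priority "$1" ACCEPT)
    reject=$(ssh_rule_priority "$1" REJECT)
    [ -n "$accept" ] && [ -n "$reject" ] || return 1
    [ "$accept" -lt "$reject" ]
}

# Run the check against the live firewalld (needs root and firewall-cmd).
check_live_ssh_rules() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    ssh_order_ok "$(firewall-cmd --direct --get-all-rules)"
}

# Constructed listings (not captured from a real host), modelled on the post.
# Rules as added in step 3: ACCEPT at priority 0, REJECT at priority 1.
GOOD_RULES='ipv4 filter INPUT 0 -s 111.111.111.111 -p tcp -m tcp --dport 22 -j ACCEPT
ipv4 filter INPUT 1 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'
# Listing as printed in the post: both rules at priority 1, order not guaranteed.
SAME_PRIO_RULES='ipv4 filter INPUT 1 -m tcp --source 111.111.111.111 -p tcp --dport 22 -j ACCEPT
ipv4 filter INPUT 1 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'

if ssh_order_ok "$GOOD_RULES"; then echo "GOOD_RULES: ACCEPT precedes REJECT"; fi
if ! ssh_order_ok "$SAME_PRIO_RULES"; then echo "SAME_PRIO_RULES: unsafe, priorities tie"; fi
```

Run `check_live_ssh_rules` as root on the server after step 4 and only then close your current session.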

References


https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

For a server, these zones are not as immediately important because the network environment rarely, if ever, changes.

=> So it looks best to build the configuration with direct rules only.

=> But then there is no real difference from simply using iptables..


https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

* List of firewalld zones

Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network. NetworkManager informs firewalld to which zone an interface belongs. An interface's assigned zone can be changed by NetworkManager or via the firewall-config tool, which can open the relevant NetworkManager window for you.


- drop : Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

- block : Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.

- public : For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

- external : For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

- dmz : For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.

- work : For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

- home : For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

- internal : For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

- trusted : All network connections are accepted.


https://liquidat.wordpress.com/2013/04/09/howto-firewalld-basics/


http://serverfault.com/questions/680780/block-all-but-a-few-ips-with-firewalld


https://ask.fedoraproject.org/en/question/40916/configure-source-ip-in-firewalld-services/
