In the previous part of FirewallD on Ubuntu we saw how to manage it with the most common commands (remember that you can use the man page to find the other options). Today we will look at another way of managing firewalld: the files.
Editing the files directly is almost the same as giving --permanent to the command; I say almost because the changes do not take effect until you reload. All the files live in two locations on the file system: the defaults are in /usr/lib/firewalld, while everything we add (rules, services and so on) goes in /etc/firewalld. This distinction is very important because it lets you keep an always-working firewall with the default settings even when a rule is written wrongly: if the file being edited contains errors, firewalld simply ignores its contents from the point where the error is.
Let's look at the contents of /etc/firewalld:

$ cd /etc/firewalld
$ ls -la
-rw------- 1 root root  710 nov 21 15:09 firewalld.conf
drwxr-xr-x 2 root root 4096 ott 22  2013 icmptypes/
-rw-r--r-- 1 root root  267 ott 22  2013 lockdown-whitelist.xml
drwxr-xr-x 2 root root 4096 nov 15 21:03 services/
drwxr-xr-x 2 root root 4096 nov 25 14:19 zones/
The firewalld.conf file holds the default zone in use and other global parameters. The part that interests us is inside the services and zones directories.
We have already seen how the service files are written; let's look at the file related to the zone we modified.
The zone files exist here ONLY if we modified them using the utility; otherwise they are found in the default directory.
$ sudo cat zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="Skype"/>
  <rule>
    <protocol value="icmp"/>
    <log prefix="Drop-Icmp" level="info">
      <limit value="2/h"/>
    </log>
    <drop/>
  </rule>
</zone>
It needs no further explanation, even for those who have never seen an XML file. It is clear where a service is declared open and where a rich rule is added. Each rule must be placed inside a <rule> element, which contains the other elements and options. Very important is the <drop/> element, which defines the action of the rule; in our case we wanted to block pings from anyone. Obviously, any change made to these files requires a reload of the service.
$ sudo firewall-cmd --reload
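Since firewalld silently ignores a zone file from the point where an editing error occurs, it is worth checking the file before reloading. The following script is an added example (not from the original post); it parses a zone file of the kind shown above, summarises the open services and rich rules, and reports whether the XML is well formed. The embedded public.xml is a constructed copy of the one above, so nothing under /etc/firewalld is touched.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the public.xml zone file shown above (not read from /etc/firewalld).
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="Skype"/>
  <rule>
    <protocol value="icmp"/>
    <log prefix="Drop-Icmp" level="info">
      <limit value="2/h"/>
    </log>
    <drop/>
  </rule>
</zone>
"""

ACTIONS = ("accept", "reject", "drop", "mark")  # rich-rule action elements


def parse_zone(xml_text):
    """Summarise a zone file; raises ET.ParseError if the XML is malformed."""
    root = ET.fromstring(xml_text)
    services = [s.get("name") for s in root.findall("service")]
    rules = []
    for rule in root.findall("rule"):
        proto, log = rule.find("protocol"), rule.find("log")
        limit = log.find("limit") if log is not None else None
        rules.append({
            "protocol": proto.get("value") if proto is not None else None,
            # the action element (<drop/>, <accept/>, ...) decides what the rule does
            "action": next((c.tag for c in rule if c.tag in ACTIONS), None),
            "log_prefix": log.get("prefix") if log is not None else None,
            "log_limit": limit.get("value") if limit is not None else None,
        })
    return {"short": root.findtext("short"), "services": services, "rules": rules}


def is_well_formed(xml_text):
    """True if the whole file parses; check this before firewall-cmd --reload."""
    try:
        parse_zone(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    print(parse_zone(PUBLIC_XML))
    # An editing slip such as an unclosed <drop> makes firewalld ignore the file.
    print(is_well_formed(PUBLIC_XML.replace("<drop/>", "<drop>")))
```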
In the next part we will see how to write rules using the firewall-config graphical utility.
Go to part three of FirewallD on Ubuntu