Thursday, 04 May 2017

A Little About the Firewall on Linux CentOS 7


On Linux CentOS 7 the firewall is by default no longer managed directly through the iptables service, but through firewalld. firewalld still programs iptables rules underneath; what changes is the management layer, and its zone concept resembles that of the commercial firewall appliances on the market.

firewalld ships with the following predefined zones:

- drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.

- block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.

- public: Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis.

- external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.

- internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.

- dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.

- work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.

- home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.

- trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.

To start firewalld:

# systemctl start firewalld.service

To check whether it is running:

# firewall-cmd --state

output
running

To see the default zone (the zone an interface lands in when no other zone claims it):

# firewall-cmd --get-default-zone

output
public

To see the active zones, that is, the zones that currently have interfaces or sources bound to them:

# firewall-cmd --get-active-zones

output
public
  interfaces: eth0 eth1

To list the full configuration of the default zone, including the services it allows (add --zone=NAME to inspect another zone):

# firewall-cmd --list-all

output
public (default, active)
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

For example, to open the http and https services (ports 80 and 443) in the public zone:

# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --zone=public --permanent --add-service=https

--permanent writes the change to /etc/firewalld but does not touch the running rules; it only takes effect after a reload. To change the running configuration immediately as well, run the same commands again without --permanent.

The ssh service that the firewall allows is defined in the file below. Do not edit it in place: /usr/lib/firewalld holds the package defaults and is overwritten when firewalld is updated. To run SSH on a different port, copy the file to /etc/firewalld/services/ssh.xml (definitions there take precedence over /usr/lib/firewalld) and change the port attribute in the copy, or leave the service alone and open the new port with --add-port=PORT/tcp. Remember that sshd itself (the Port setting in /etc/ssh/sshd_config) and, with SELinux enforcing, the ssh_port_t port label must be changed as well; a firewall rule alone opens a port that nothing listens on.

# more /usr/lib/firewalld/services/ssh.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
After editing the firewall configuration, reload it so that the permanent configuration becomes the running one:

# firewall-cmd --reload

To restart the firewall service:

# systemctl restart firewalld.service

To stop the firewall service:

# systemctl stop firewalld.service

To have firewalld start at boot:

# systemctl enable firewalld
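The whole procedure above put together, as an added example that is not part of the original post: a script that overrides the ssh service definition under /etc/firewalld, opens http and https permanently, reloads, and then checks the zone's --list-all output instead of trusting that the commands succeeded. The zone name, the new SSH port (2222) and the use of an ssh.xml override are assumptions for the example; the two parsing helpers work on the --list-all format shown earlier and can be exercised on a machine without firewalld.

```shell
#!/bin/sh
# Added example for the post above, not firewalld's own tooling.
# Assumes CentOS 7 with firewalld, run as root. ZONE and NEW_SSH_PORT are
# assumed values; /etc/firewalld/services/ssh.xml overrides the package copy.
set -e

ZONE=public
NEW_SSH_PORT=2222

# Print an ssh service definition for the given port, in the same format as
# /usr/lib/firewalld/services/ssh.xml. Written to /etc/firewalld/services it
# takes precedence over the package default and survives package updates.
ssh_service_xml() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell on TCP port $1 (local override).</description>
  <port protocol="tcp" port="$1"/>
</service>
EOF
}

# Read 'firewall-cmd --list-all' output on stdin and print the value of one
# field, e.g. "services" -> "dhcpv6-client ssh". Anchored at line start so
# that "ports" does not also match "forward-ports".
list_all_field() {
  sed -n "s/^ *$1: *//p"
}

# Succeed if TOKEN appears as a whole word in FIELD of the --list-all output
# given on stdin. Usage: field_has FIELD TOKEN < output
field_has() {
  field=$1
  token=$2
  for w in $(list_all_field "$field"); do
    [ "$w" = "$token" ] && return 0
  done
  return 1
}

# Check the --list-all output passed as $1: ssh must still be allowed (so we
# did not lock ourselves out) and http/https must now be present. Reports
# anything missing on stderr and returns non-zero.
verify_rules() {
  out=$1
  rc=0
  for svc in ssh http https; do
    printf '%s\n' "$out" | field_has services "$svc" \
      || { echo "service not allowed in zone: $svc" >&2; rc=1; }
  done
  return $rc
}

# Apply the permanent configuration, reload so it takes effect, and print the
# resulting zone configuration for verification.
apply_rules() {
  ssh_service_xml "$NEW_SSH_PORT" > /etc/firewalld/services/ssh.xml
  firewall-cmd --permanent --zone="$ZONE" --add-service=http
  firewall-cmd --permanent --zone="$ZONE" --add-service=https
  firewall-cmd --reload
  firewall-cmd --zone="$ZONE" --list-all
}

# Only touch the system when explicitly asked: ./firewall-setup.sh apply
if [ "${1:-}" = "apply" ]; then
  verify_rules "$(apply_rules)"
fi
```

Run it as root with apply as the first argument; without that argument it only defines the functions, which is what makes the parsing helpers testable on any machine. Changing the port in the service file only changes what the firewall accepts: sshd's own Port setting and, with SELinux enforcing, the ssh_port_t port label must be changed too before the old port is closed.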


I hope this is useful to all readers.

Dony Ramansyah
site: http://donyramansyah.net
blog: dony-ramansyah.blogspot.com
email: dony.ramansyah[at]gmail.com
Registered Linux user: ID 40017
