Hi,

I'd like to try Fedora, so I'm interested in how I can configure firewalld killswitch rules like those in ufw:

ufw default deny incoming
ufw default deny outgoing
ufw allow out to 178.162.198.40 port 443 proto udp
ufw allow out on tun0
ufw allow in on tun0 from any to any port 60002

Somewhat comparable to ufw, firewalld is just an interface to iptables. It allows for convenient higher-level rule constructs ("rich rules" and zones) but also allows direct iptables manipulation (so called "direct rules"). The actual rule syntax for direct rules is virtually identical to iptables.

There are two ways to manage firewalld - graphically (firewall-config) or on the commandline (firewall-cmd).
I compiled some notes and screenshots on firewalld usage in this post. Written last year, so some parts of my post concerning Air's config generator are no longer accurate or useful. Anything concerning firewalld and Fedora is still valid.

More importantly though, read the man page for firewall-cmd and also understand the difference between the runtime and permanent ruleset.

This is how I would "translate" your UFW rules:

(All systemctl and firewall-cmd commands need root privileges! Drop to a root shell or use sudo.)

1. First, make sure that the firewalld service is enabled and started:

systemctl enable firewalld
systemctl start firewalld

2. Now configure your permanent rules:

firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT

firewall-cmd --direct --permanent --add-rule ipv6 filter INPUT 0 -j DROP
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 60002 -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 60002 -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 999 -j DROP

firewall-cmd --direct --permanent --add-rule ipv6 filter OUTPUT 0 -j DROP
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -d 178.162.198.40 -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 999 -j DROP

3. Runtime rules (omitting the --permanent switch) take effect immediately (but don't survive reboots etc.). Permanent rules, however, only take effect after restarting or reloading firewalld:

firewall-cmd --reload

4. To review your current runtime ruleset:

firewall-cmd --direct --get-all-rules

And your permanent ruleset:

firewall-cmd --direct --permanent --get-all-rules

5. One final task: Thoroughly test your ruleset to make sure it actually accomplishes what you had in mind.


all of my content is released under CC-BY-SA 2.0
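To make the mapping in the answer above reproducible, here is an added Python example (not sheivoko's commands, and not anything shipped with ufw or firewalld) that parses the ufw rules from the question and emits the equivalent firewall-cmd direct rules, including the loopback ACCEPT, IPv6 DROP and priority-999 DROP lines. The `translate` and `_iface` helpers are hypothetical names; the sample rule list is copied from the question.

```python
import re
import shlex
# Sample input: the ufw rules from the question above (copied from the thread).
UFW_RULES = [
    "ufw default deny incoming",
    "ufw default deny outgoing",
    "ufw allow out to 178.162.198.40 port 443 proto udp",
    "ufw allow out on tun0",
    "ufw allow in on tun0 from any to any port 60002",
]
PREFIX = "firewall-cmd --direct --permanent --add-rule ipv4 filter"

def _iface(name):
    # tun0 -> tun+ so the rule matches whichever tunnel interface comes up
    return re.sub(r"^([a-z]+)\d+$", r"\1+", name)

def translate(ufw_lines):
    """Map ufw lines to direct rules as in the answer above: interface accepts
    at priority 0, port accepts at 1 (tcp+udp when no proto is given), and each
    'default deny' adds a lo ACCEPT, an IPv6 DROP and a priority-999 IPv4 DROP."""
    accepts, deny = [], set()
    for line in ufw_lines:
        t = shlex.split(line)
        if len(t) == 4 and t[:3] == ["ufw", "default", "deny"]:
            deny.add("INPUT" if t[3] == "incoming" else "OUTPUT")
            continue
        if len(t) < 4 or t[:2] != ["ufw", "allow"] or t[2] not in ("in", "out"):
            raise ValueError(f"cannot translate: {line!r}")
        chain, flag = ("INPUT", "-i") if t[2] == "in" else ("OUTPUT", "-o")
        kv = dict(zip(t[3::2], t[4::2]))  # e.g. {'on': 'tun0', 'port': '60002'}
        match = [flag, _iface(kv["on"])] if "on" in kv else []
        if kv.get("from", "any") != "any":
            match += ["-s", kv["from"]]
        if kv.get("to", "any") != "any":
            match += ["-d", kv["to"]]
        if not match:  # refuse a rule that would accept everything on the chain
            raise ValueError(f"rule matches everything: {line!r}")
        if "port" not in kv:
            accepts.append(f"{PREFIX} {chain} 0 {' '.join(match)} -j ACCEPT")
            continue
        for proto in [kv["proto"]] if "proto" in kv else ["tcp", "udp"]:
            args = match + ["-p", proto, "--dport", kv["port"]]
            accepts.append(f"{PREFIX} {chain} 1 {' '.join(args)} -j ACCEPT")
    # Loopback stays open; IPv6 is dropped outright so nothing leaks over it.
    lo, drops = [], []
    for chain in sorted(deny):
        lo.append(f"{PREFIX} {chain} 0 {'-i' if chain == 'INPUT' else '-o'} lo -j ACCEPT")
        drops.append(f"firewall-cmd --direct --permanent --add-rule ipv6 filter {chain} 0 -j DROP")
        drops.append(f"{PREFIX} {chain} 999 -j DROP")
    return lo + accepts + drops
```

Review the generated lines before running them as root, then compare the result of `firewall-cmd --direct --permanent --get-all-rules` against what you expected.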


Thanks. I read a few firewalld tutorials but wasn't sure how to "translate" those rules. Fedora here I come.


I'm trying Fedora 24 and the sheivoko commands to set up a killswitch for firewalld worked great. Unfortunately I can't figure out how to turn off the killswitch using the firewalld GUI when I disconnect from the VPN, whereas with gufw it was easy to turn off the killswitch. Can someone point me in the right direction as to how the killswitch can be turned off using the firewalld GUI?

Thanks

edit: I found a way to take care of this without using the GUI. It's not very clean but it works.
