grampa Posted ... Hi, I'd like to try Fedora so I'm interested in how I can configure firewalld killswitch rules like those in ufw:

ufw default deny incoming
ufw default deny outgoing
ufw allow out to 178.162.198.40 port 443 proto udp
ufw allow out on tun0
ufw allow in on tun0 from any to any port 60002
InactiveUser Posted ... Somewhat comparable to ufw, firewalld is just an interface to iptables. It allows for convenient higher-level rule constructs ("rich rules" and zones) but also allows direct iptables manipulation (so called "direct rules"). The actual rule syntax for direct rules is virtually identical to iptables.

There are two ways to manage firewalld - graphically (firewall-config) or on the command line (firewall-cmd).

I compiled some notes and screenshots on firewalld usage in this post. Written last year, so some parts of my post concerning Air's config generator are no longer accurate or useful. Anything concerning firewalld and Fedora is still valid.

More importantly though, read the man page for firewall-cmd and also understand the difference between the runtime and permanent ruleset.

This is how I would "translate" your UFW rules:

(All systemctl and firewall-cmd commands need root privileges! Drop to a root shell or use sudo.)

1. First, make sure that the firewalld service is enabled and started:

systemctl enable firewalld
systemctl start firewalld

2. Now configure your permanent rules:

firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv6 filter INPUT 0 -j DROP
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -i lo -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -i tun+ -p tcp --dport 60002 -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 1 -i tun+ -p udp --dport 60002 -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 999 -j DROP
firewall-cmd --direct --permanent --add-rule ipv6 filter OUTPUT 0 -j DROP
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -d 178.162.198.40 -j ACCEPT
firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 999 -j DROP

3. Runtime rules (omitting the --permanent switch) take effect immediately (but don't survive reboots etc.). Permanent rules, however, only take effect after restarting or reloading firewalld:

firewall-cmd --reload

4. To review your current runtime ruleset:

firewall-cmd --direct --get-all-rules

And your permanent ruleset:

firewall-cmd --direct --permanent --get-all-rules

5. One final task: Thoroughly test your ruleset to make sure it actually accomplishes what you had in mind.

all of my content is released under CC-BY-SA 2.0
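A small check script for step 5, added here as an example and not part of InactiveUser's post: it reads a ruleset in the format printed by `firewall-cmd --direct --get-all-rules` and verifies the killswitch shape of the rules above (every relevant chain ends in an unconditional DROP, and each IPv4 OUTPUT ACCEPT is bound to lo, tun+ or the VPN server address). The embedded sample ruleset is constructed to mirror the rules in the post; `check_killswitch` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a firewalld direct ruleset
# (as printed by `firewall-cmd --direct --get-all-rules`) for the killswitch
# invariants of the rules above. Constructed sample mirroring those rules:
SAMPLE_RULES='ipv4 filter FORWARD 0 -o tun+ -j ACCEPT
ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
ipv6 filter INPUT 0 -j DROP
ipv4 filter INPUT 0 -i lo -j ACCEPT
ipv4 filter INPUT 1 -i tun+ -p tcp --dport 60002 -j ACCEPT
ipv4 filter INPUT 1 -i tun+ -p udp --dport 60002 -j ACCEPT
ipv4 filter INPUT 999 -j DROP
ipv6 filter OUTPUT 0 -j DROP
ipv4 filter OUTPUT 0 -o lo -j ACCEPT
ipv4 filter OUTPUT 0 -o tun+ -j ACCEPT
ipv4 filter OUTPUT 1 -p udp -m udp --dport 443 -d 178.162.198.40 -j ACCEPT
ipv4 filter OUTPUT 999 -j DROP'

# check_killswitch RULES VPN_IP -> status 0 if the ruleset has the killswitch
# shape, 1 (with the reason on stdout) otherwise.
check_killswitch() {
  rules=$1
  vpn_ip=$2
  # Direct rules run in priority order, so the catch-all DROP must be present
  # at the end of each chain (priority 999 for ipv4; ipv6 is dropped outright).
  for want in 'ipv4 filter INPUT 999 -j DROP' 'ipv4 filter OUTPUT 999 -j DROP' \
              'ipv6 filter INPUT 0 -j DROP' 'ipv6 filter OUTPUT 0 -j DROP'; do
    printf '%s\n' "$rules" | grep -qx "$want" || { echo "missing: $want"; return 1; }
  done
  # Every ipv4 OUTPUT ACCEPT must be bound to lo, the tunnel, or the VPN
  # server itself; anything else would leak traffic while the tunnel is down.
  while IFS= read -r r; do
    case "$r" in
      'ipv4 filter OUTPUT '*' -j ACCEPT')
        case "$r" in
          *' -o lo '*|*' -o tun+ '*|*" -d $vpn_ip "*) ;;
          *) echo "unscoped ACCEPT: $r"; return 1 ;;
        esac ;;
    esac
  done <<EOF
$rules
EOF
  return 0
}

# To check the live runtime ruleset instead of the sample (as root):
#   check_killswitch "$(firewall-cmd --direct --get-all-rules)" 178.162.198.40
```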
grampa Posted ... Thanks. I read a few firewalld tutorials but wasn't sure how to "translate" those rules. Fedora here I come.
7mTuBZi4BYku Posted ... I'm trying Fedora 24 and the sheivoko commands to set up a killswitch for firewalld worked great. Unfortunately I can't figure out how to turn off the killswitch using the firewalld GUI when I disconnect from the VPN, whereas with gufw it was easy to turn off the killswitch. Can someone point me in the right direction as to how the killswitch can be turned off using the firewalld GUI? Thanks

edit: I found a way to take care of this without using the GUI. It's not very clean but it works.