firewalld is the newer generation of firewall management tool on Linux. Compared with the older iptables tooling it adds management features such as zone-based access control and dynamic rule changes that do not require reloading the whole ruleset. Most of its advanced features are rarely needed day to day, so this article does not go into firewalld internals. In practice the recurring task is allowing or blocking traffic by port, by service and by source address, and the sections below collect common firewall-cmd invocations for that. One convention matters for every command here: --permanent writes only the saved configuration, which becomes active after firewall-cmd --reload, while a command run without --permanent takes effect immediately but is lost on the next reload or restart.
Conventional configuration method
Allowing and blocking ports
1) Open UDP ports 161 and 162 (SNMP)
firewall-cmd --permanent --zone=public --add-port=161/udp
firewall-cmd --permanent --zone=public --add-port=162/udp
firewall-cmd --reload    # activate the saved rules
2) Close UDP ports 161 and 162 again
firewall-cmd --permanent --zone=public --remove-port=161/udp
firewall-cmd --permanent --zone=public --remove-port=162/udp
firewall-cmd --reload
3) Open a contiguous port range (1000-2000/tcp)
firewall-cmd --permanent --zone=public --add-port=1000-2000/tcp
firewall-cmd --reload
4) Open several non-contiguous ports (9000 and 9001) in one command
firewall-cmd --permanent --zone=public --add-port=9000/tcp --add-port=9001/tcp
firewall-cmd --reload
Allowing and blocking services
1) Allow the ssh service (the predefined service definition, 22/tcp by default)
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --reload
2) Block the ssh service
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --reload
After the reload, new SSH connections into this zone are refused, so run this from a console or with an alternative access path (for example a rich rule for your own address, see below) already in place.
Allowing a port only from specific source addresses
Rich rules carry the source match. Quote the whole rule in single quotes so the inner double quotes reach firewalld intact, pass the zone explicitly, and use the identical rule text when removing a rule.
1) Allow a port from one IP address
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.110/32" port port="12345" protocol="tcp" accept'
firewall-cmd --reload
2) Remove that rule again
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.110/32" port port="12345" protocol="tcp" accept'
firewall-cmd --reload
3) Allow a contiguous port range from one IP address
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.110/32" port port="8080-8081" protocol="tcp" accept'
firewall-cmd --reload
4) Remove that rule again
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.110/32" port port="8080-8081" protocol="tcp" accept'
firewall-cmd --reload
A rich rule that accepts one source does not by itself block the others: if the same port is also opened zone-wide with --add-port, every address can still reach it. Restricting a port to a source means opening it only through the rich rule.
Viewing open ports and services
Without --permanent, firewall-cmd reports the running configuration; with --permanent it reports the saved configuration, and the two can differ until the next reload.
1) List the services allowed in the saved configuration
firewall-cmd --permanent --zone=public --list-services
2) List the ports opened in the saved configuration
firewall-cmd --permanent --zone=public --list-ports
3) Check whether a port is open in the running configuration (e.g. 8080/tcp); prints yes or no and exits 0 or 1 accordingly, which makes it usable in scripts
firewall-cmd --zone=public --query-port=8080/tcp
4) List all rich rules of the default zone
firewall-cmd --list-rich-rules
5) Show everything configured in the default zone
firewall-cmd --list-all
6) Reload the saved configuration into the running firewall (this also discards any change made without --permanent)
firewall-cmd --reload
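The gap between the running and the saved configuration is the usual source of surprises: a rule added without --permanent vanishes on reload, and one added with --permanent does nothing until a reload. The script below is an added example, not part of the original article or of firewalld itself, that reports the ports and services of a zone present on only one side. It assumes the zone "public" (override with ZONE=...) and calls firewall-cmd only inside check_drift; only_in and report_drift are pure string helpers.

```shell
#!/bin/sh
# Added example, not from the original article: report where the running
# firewalld configuration and the saved (--permanent) one disagree for a
# zone. Assumes zone "public" (override with ZONE=...). firewall-cmd is
# only invoked in check_drift; only_in and report_drift are pure string
# helpers so the comparison logic can be exercised without a firewall.
set -eu

ZONE="${ZONE:-public}"

# only_in "a b c" "b c": print the whitespace-separated items of the first
# list that do not occur in the second, one per line.
only_in() {
    for item in $1; do
        found=0
        for other in $2; do
            [ "$item" = "$other" ] && found=1 && break
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$item"
    done
}

# report_drift RUNTIME SAVED LABEL: print one line per item that exists on
# one side only; returns 1 when any drift was found, 0 when the lists match.
report_drift() {
    drift_rc=0
    for x in $(only_in "$1" "$2"); do
        printf '%s %s is active but not saved (lost on reload)\n' "$3" "$x"
        drift_rc=1
    done
    for x in $(only_in "$2" "$1"); do
        printf '%s %s is saved but not active (needs --reload)\n' "$3" "$x"
        drift_rc=1
    done
    return "$drift_rc"
}

# check_drift: compare the zone's ports and services between the runtime
# and the permanent configuration. Rich rules contain spaces and are not
# covered by only_in; compare --list-rich-rules with and without
# --permanent line by line for those.
check_drift() {
    any_drift=0
    for kind in ports services; do
        running="$(firewall-cmd --zone="$ZONE" "--list-$kind")"
        saved="$(firewall-cmd --permanent --zone="$ZONE" "--list-$kind")"
        report_drift "$running" "$saved" "$kind" || any_drift=1
    done
    return "$any_drift"
}

# Run the live comparison only when asked, so the file can also be sourced.
if [ "${1:-}" = run ]; then check_drift; fi
```

Run it as sh drift.sh run (the file name is arbitrary) on a host with firewalld; a non-zero exit status means the two views differ, which is the check to put at the end of any provisioning script that uses --permanent.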
Configuration with ipsets
ipset is a Linux tool for managing sets of addresses that firewall rules can match against, and it is the natural choice when many IP addresses need the same access-control treatment. Instead of one firewall rule per address, the whole set is matched by a single rule, and because the set is a hash table the filtering cost does not grow noticeably with the number of entries.
The ipset package must be installed when firewalld runs with the iptables backend; with the nftables backend (the default on newer distributions such as RHEL/CentOS 8) firewalld uses native nftables sets and the package is not needed.
yum -y install ipset
Show the existing ipsets and the details of one
firewall-cmd --get-ipsets
firewall-cmd --info-ipset=[ipset_name]
Create an ipset
firewall-cmd --permanent --new-ipset=[ipset_name] --type=[type] [--option=key=value]
The type determines what the set holds (hash:ip for single addresses, hash:net for addresses and CIDR networks); --option passes ipset options such as maxelem=65536. For example:
firewall-cmd --permanent --new-ipset=ssh_22 --type=hash:net
firewall-cmd --reload
Binding the ipset to a zone rule
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source ipset="ssh_22" port port="22" protocol="tcp" accept'
firewall-cmd --reload
Adding and removing addresses in the ipset
With --permanent the change is saved and applied on the next reload; without it the running set is changed immediately but not saved.
Add:
firewall-cmd --permanent --ipset=ssh_22 --add-entry="192.168.1.110"
firewall-cmd --reload
Remove:
firewall-cmd --permanent --ipset=ssh_22 --remove-entry="192.168.1.110"
firewall-cmd --reload
List the addresses in the ipset
firewall-cmd --permanent --ipset=ssh_22 --get-entries
Deleting the ipset
First remove the zone rule that references the set:
firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source ipset="ssh_22" port port="22" protocol="tcp" accept'
firewall-cmd --reload
Then delete the ipset itself:
firewall-cmd --permanent --delete-ipset=ssh_22
firewall-cmd --reload