Electrical-Forensics Home ray@RayFranco.com                       601.529.7473
   © Dr. Ray Franco, PhD, PE  -  208 Fairways Dr., Vicksburg, MS 39183

Firewalld

Linux has two main firewall management tools: firewalld and iptables. ufw (Uncomplicated Firewall) is a frontend for iptables, and there is also nftables. Firewalld and iptables are incompatible, and only one of them should be used. Neither is installed by default on Raspberry Pi OS.

Firewalld (firewall daemon) has replaced iptables on most distros. As you might have guessed from its name, firewalld is part of the systemd family. Firewalld is incompatible with iptables and should never be used alongside it. To stop the iptables services:

# mask the unit files so the iptables services cannot be started by anything
sudo systemctl mask iptables
sudo systemctl mask ip6tables
sudo systemctl mask ebtables

Well, that's what the Internet says. However, when I installed firewalld on my Raspberry Pi 4, it installed iptables. So maybe firewalld is just another frontend for iptables.

To install firewalld:

sudo apt update
sudo apt install firewalld

To get a list of all available firewall zones:

sudo firewall-cmd --get-zones

An interface can only be added to a single zone.

sudo firewall-cmd --zone=public --permanent --add-interface=eth0
sudo firewall-cmd --zone=public --permanent --add-interface=wlan0
sudo firewall-cmd --zone=public --permanent --remove-interface=wlan0
# adding an interface to a zone makes it an active zone.

sudo firewall-cmd --zone=internal --add-source=192.168.0.1/24 --permanent
# white list local computers
# Adding a source to a zone makes it an active zone.

In addition to IP addresses, MAC addresses can be used for LAN sources. However, MAC addresses are only visible on the local network segment; they do not go past the router.

Firewalld Services

sudo firewall-cmd --get-services # list available services
sudo firewall-cmd --zone=internal --add-service=ssh --permanent
sudo firewall-cmd --zone=internal --remove-service=ssh --permanent

sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --list-all-zones
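The zone, source and service commands above are the whole procedure for trusting the LAN. The script below is an added example and is not part of the original notes: it wraps that procedure in one function, checks that the source is written as a network address before using it (192.168.0.1/24 and 192.168.0.0/24 name the same /24, but the second is the form the rule actually means), and reloads afterwards, because --permanent changes are saved to disk and do not reach the running firewall until a reload. The function names and the FW_DRY_RUN variable are this example's own; with FW_DRY_RUN=1 it only prints the firewall-cmd calls it would make.

```shell
#!/bin/sh
# Added example (not part of the original notes): apply the zone layout the
# notes describe with firewall-cmd, and check the LAN source first.
# Assumptions: firewall-cmd and sudo are available when FW_DRY_RUN is not 1;
# the function names and the FW_DRY_RUN variable are this example's own.
set -eu

# ip4_to_int A.B.C.D -> the address as a 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_network A.B.C.D/P -> the same prefix with its host bits cleared,
# e.g. 192.168.0.1/24 -> 192.168.0.0/24 (the network a source rule means)
cidr_network() {
    ip=${1%/*}
    prefix=${1#*/}
    n=$(ip4_to_int "$ip")
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# fwcmd ARGS... : run firewall-cmd, or only print the command when FW_DRY_RUN=1
fwcmd() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        sudo firewall-cmd "$@"
    fi
}

# apply_lan_zone ZONE CIDR SERVICE... : trust one LAN network in ZONE, open
# only the listed services to it, make it permanent, then reload so the
# runtime firewall matches the saved configuration, and show the result.
apply_lan_zone() {
    zone=$1
    cidr=$2
    shift 2
    canon=$(cidr_network "$cidr")
    if [ "$canon" != "$cidr" ]; then
        echo "note: $cidr has host bits set; using network $canon" >&2
    fi
    fwcmd --permanent --zone="$zone" --add-source="$canon"
    for svc in "$@"; do
        fwcmd --permanent --zone="$zone" --add-service="$svc"
    done
    fwcmd --reload
    fwcmd --zone="$zone" --list-all
}

# Usage: FW_DRY_RUN=1 sh fw-lan-zone.sh internal 192.168.0.1/24 ssh ipp
if [ $# -ge 2 ]; then
    apply_lan_zone "$@"
fi
```

Run it once with FW_DRY_RUN=1 to read the exact commands it will issue, then without it to apply them; the final --list-all is the check that the zone now holds only the source and services you intended.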

Firewalld - Raspberry Pi Printers

By default, firewalld will prevent the Raspberry Pi OS from discovering any printers. To enable the Raspberry Pi to discover printers, you have to whitelist the local network and add the Internet Printing Protocol (ipp) service. More precisely:

sudo firewall-cmd --zone=internal --add-source=192.168.0.1/24 --permanent

sudo firewall-cmd --zone=internal --add-service=ipp --permanent

To be able to access the printer from Microsoft Windows, I had to enable the samba service:

sudo firewall-cmd --zone=internal --add-service=samba --permanent

In addition, I had to remove the printer and re-install it after enabling samba.

To disable firewalld:

sudo systemctl stop firewalld
sudo systemctl mask --now firewalld

Firewalld - VNC

In order to get VNC to work from local computers, you have to enable the vnc-server service:

sudo firewall-cmd --zone=internal --add-service=vnc-server --permanent

Reference: Wikipedia - Internet Printing Protocol

fail2ban

fail2ban is supported by firewalld: https://firewalld.org

Fail2ban monitors the log files for malicious activity and bans the offending source. It adds a firewall rule that blocks that address for a certain period of time. It will stop brute force attacks. You need to have either "firewalld" or "iptables" set up before fail2ban is installed.

To install fail2ban:

sudo apt update
sudo apt install fail2ban

When fail2ban is installed it creates a directory /etc/fail2ban. Inside this directory is "jail.conf". This shows you how to set up jails, but do NOT modify it, because it might get overwritten when fail2ban is updated. Instead, create a new file "jail.local". Anything in "jail.local" will override what is in "jail.conf".

To create a jail for ssh, put the following in /etc/fail2ban/jail.local:

[DEFAULT]
# ban for 600 seconds; use the default action (firewall rule only, no e-mail)
bantime = 600
action = %(action_)s

[sshd]
enabled = true
maxretry = 3

My "jail.local"

If you right-click and choose "Save link as", it will download this file. After downloading you might need to change the extension back to "local".

To see a list of jails:

sudo fail2ban-client status