A firewall is a network security system that controls incoming and outgoing network traffic. Keeping the firewall enabled and properly configured reduces the risk of security threats from the Internet.

The firewall is operated automatically through the Plinth web interface of FreedomBox. When you enable a service, it is automatically permitted in the firewall; when you disable a service, it is automatically blocked in the firewall again. For services which are enabled by default on FreedomBox, the firewall ports are also opened by default during the first-run process.

Firewall management in FreedomBox is done using FirewallD.

Ports/Services

The following table documents the ports, services and their default statuses in FreedomBox. If you find this page outdated, see the Plinth source file lib/freedombox/first-run.d/90_firewall and the Firewall status page in the Plinth UI.

Service      | Port         | External | Enabled by default | Status shown in Plinth | Managed by Plinth
-------------|--------------|----------|--------------------|------------------------|------------------
SSH          | 22/tcp       | Yes      | Yes                | Yes                    | No
JWChat       | 80/tcp       | Yes      | Yes                | Yes                    | No
JWChat       | 443/tcp      | Yes      | Yes                | Yes                    | No
OwnCloud     | 80/tcp       | Yes      | Yes                | Yes                    | Yes
OwnCloud     | 443/tcp      | Yes      | Yes                | Yes                    | Yes
Plinth       | 443/tcp      | Yes      | Yes                | Yes                    | No
Tor (Socks)  | 9050/tcp     | No       | Yes                | No                     | No
NTP          | 123/udp      | No       | Yes                | No                     | No
DNS          | 53/tcp       | No       | Yes                | No                     | No
DNS          | 53/udp       | No       | Yes                | No                     | No
mDNS         | 5353/udp     | No       | Yes                | No                     | No
DHCP         | 67/udp       | No       | Yes                | No                     | No
Bootp        | 67/tcp       | No       | No                 | No                     | No
Bootp        | 67/udp       | No       | No                 | No                     | No
Bootp        | 68/tcp       | No       | No                 | No                     | No
Bootp        | 68/udp       | No       | No                 | No                     | No
LDAP         | 389/tcp      | No       | No                 | No                     | No
LDAPS        | 636/tcp      | No       | No                 | No                     | No
OpenVPN      | 1194/udp     | Yes      | No                 | No                     | No
Privoxy      | 8118/tcp     | No       | Yes                | No                     | No
XMPP Server  | 5269/tcp     | Yes      | Yes                | Yes                    | No
XMPP Client  | 5222/tcp     | Yes      | Yes                | Yes                    | No
XMPP Bosh    | 5280/tcp     | Yes      | Yes                | Yes                    | No
Obfsproxy    | <random>/tcp | Yes      | No                 | No                     | No

Interfaces

Each interface needs to be assigned to one (and only one) zone. Whatever rules are in effect for a zone apply to every interface assigned to that zone. For example, if HTTP traffic is allowed in a particular zone, then web requests will be accepted on all the addresses configured on all the interfaces assigned to that zone.

If the hardware has only one network interface, then that interface is configured into the internal zone. This means that all services, external and internal alike, will be available on that interface. Consequently, if the interface is configured with an external address, the internal services will be exposed externally, increasing the potential for an attack on the system. One way to avoid this is to create an alias interface such as eth0:1 and configure it into the internal zone with a local address, while eth0 is configured into the external zone with the external address.

If the hardware has two or more network interfaces, then the interface named eth0 is configured into the external zone while all other interfaces are configured into the internal zone.

No. of Interfaces | Interface | Zone     | Masquerading
------------------|-----------|----------|-------------
1                 | eth0      | Internal | No
2 or more         | eth0      | External | Yes
2 or more         | others    | Internal | No

Internet Connection Sharing

Masquerading is a process by which all computers in an internal network can share the Internet connection available to one computer. Since FreedomBox is meant to play the role of a router, it allows all the internal networks to share the Internet connection configured on the box. Masquerading is enabled by default on all the interfaces in external zone.

To configure your computer to share the Internet connection on FreedomBox, set the default gateway to the internal address of the FreedomBox machine. If your computer obtains the address from FreedomBox itself, this will be automatically done via the DHCP protocol and no manual setup is needed.

Manual operation

See the FirewallD documentation for the basic concepts and for a comprehensive reference.

Enable/disable firewall

To disable the firewall:

service firewalld stop

or with systemd

systemctl stop firewalld

To re-enable the firewall:

service firewalld start

or with systemd

systemctl start firewalld

Modifying services/ports

You can manually add a service or port to a zone, or remove one from it. Each change below is run twice: once without --permanent, which takes effect immediately but is lost on the next firewalld restart, and once with --permanent, which is saved but only takes effect after a restart or reload.

To see the list of services enabled in a zone:

firewall-cmd --zone=<zone> --list-services

Example:

firewall-cmd --zone=internal --list-services

To see the list of ports enabled in a zone:

firewall-cmd --zone=<zone> --list-ports

Example:

firewall-cmd --zone=internal --list-ports

To remove a service from a zone:

firewall-cmd --zone=<zone> --remove-service=<service>
firewall-cmd --permanent --zone=<zone> --remove-service=<service>

Example:

firewall-cmd --zone=internal --remove-service=xmpp-bosh
firewall-cmd --permanent --zone=internal --remove-service=xmpp-bosh

To remove a port from a zone:

firewall-cmd --zone=<zone> --remove-port=<port>/<protocol>
firewall-cmd --permanent --zone=<zone> --remove-port=<port>/<protocol>

Example:

firewall-cmd --zone=internal --remove-port=5353/udp
firewall-cmd --permanent --zone=internal --remove-port=5353/udp

To add a service to a zone:

firewall-cmd --zone=<zone> --add-service=<service>
firewall-cmd --permanent --zone=<zone> --add-service=<service>

Example:

firewall-cmd --zone=internal --add-service=xmpp-bosh
firewall-cmd --permanent --zone=internal --add-service=xmpp-bosh

To add a port to a zone:

firewall-cmd --zone=<zone> --add-port=<port>/<protocol>
firewall-cmd --permanent --zone=<zone> --add-port=<port>/<protocol>

Example:

firewall-cmd --zone=internal --add-port=5353/udp
firewall-cmd --permanent --zone=internal --add-port=5353/udp

Modifying the zone of interfaces

You can manually change the zone assignment of each interface after the interfaces have been automatically assigned by the first-boot process.

To see the current assignment of interfaces to zones (each zone is listed with its interfaces):

firewall-cmd --list-all-zones

To remove an interface from a zone:

firewall-cmd --zone=<zone> --remove-interface=<interface>
firewall-cmd --permanent --zone=<zone> --remove-interface=<interface>

Example:

firewall-cmd --zone=external --remove-interface=eth0
firewall-cmd --permanent --zone=external --remove-interface=eth0

To add an interface to a zone:

firewall-cmd --zone=<zone> --add-interface=<interface>
firewall-cmd --permanent --zone=<zone> --add-interface=<interface>

Example:

firewall-cmd --zone=internal --add-interface=eth0
firewall-cmd --permanent --zone=internal --add-interface=eth0
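The following is an added example, not part of this page or of the FreedomBox project, tying together the interface-zone discussion and the paired runtime/permanent commands above. It parses the text printed by firewall-cmd --list-all-zones (constructed sample output, once as run normally and once as run with --permanent) and reports internal-only entries from the services table that have ended up in the external zone, and every field where the runtime and permanent configuration disagree, which is what remains after only one command of a pair was run. The FirewallD service names in INTERNAL_ONLY are assumptions.

```python
"""Added example, not FreedomBox code: audit FirewallD zones for leaks and drift."""
# Entries the page's table marks internal-only ({o}); service names are assumed.
INTERNAL_ONLY = {"ntp", "dns", "mdns", "dhcp", "tor-socks", "privoxy", "53/tcp",
                 "53/udp", "123/udp", "5353/udp", "67/udp", "9050/tcp", "8118/tcp"}
# Constructed `firewall-cmd --list-all-zones` output, not taken from a real box.
RUNTIME = """\
external (active)
  interfaces: eth0
  services: ssh https xmpp-client xmpp-server mdns
  ports: 9050/tcp
  masquerade: yes

internal (active)
  interfaces: eth1
  services: ssh https dns dhcp mdns ntp
  ports:
  masquerade: no
"""
# The same box with --permanent: mdns and 9050/tcp were only changed at runtime.
PERMANENT = RUNTIME.replace("xmpp-server mdns", "xmpp-server") \
                   .replace("ports: 9050/tcp", "ports:")

def parse_zones(text):
    """Return {zone: {field: [tokens]}} parsed from --list-all-zones output."""
    zones, current = {}, None
    for line in filter(str.strip, text.splitlines()):   # skip blank lines
        if line.startswith(" "):           # field line, e.g. "  services: ssh https"
            key, _, value = line.strip().partition(":")
            zones.setdefault(current, {})[key] = value.split()
        else:                              # zone header, e.g. "external (active)"
            current = line.split()[0]
    return zones

def exposed_internal(zones):
    """Internal-only entries found in the external zone or any masquerading zone."""
    hits = []
    for name, z in zones.items():
        if name == "external" or z.get("masquerade") == ["yes"]:
            hits += [(name, e) for e in z.get("services", []) + z.get("ports", [])
                     if e in INTERNAL_ONLY]
    return sorted(hits)

def drift(runtime, permanent):
    """(zone, field, runtime_set, permanent_set) for every field that differs."""
    fields = ("interfaces", "services", "ports", "masquerade")
    rows = [(z, f, set(runtime.get(z, {}).get(f, [])),
             set(permanent.get(z, {}).get(f, [])))
            for z in sorted(set(runtime) | set(permanent)) for f in fields]
    return [r for r in rows if r[2] != r[3]]
```

On a real box, feed it the captured output of firewall-cmd --list-all-zones and firewall-cmd --permanent --list-all-zones instead of the constructed strings; an empty result from both checks means the zones match the table and no command pair was left half-applied.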
