Firewall
A firewall is a network security system that controls incoming and outgoing network traffic. Keeping the firewall enabled and properly configured reduces the risk of attacks from the Internet.
Firewall operation through the FreedomBox web interface is automatic. When you enable a service, its ports are automatically permitted in the firewall; when you disable a service, they are automatically closed again. For services that are enabled by default on FreedomBox, the firewall ports are also opened by default during the first-run process.
Firewall management in FreedomBox is done using FirewallD.
Interfaces
Each interface needs to be assigned to one (and only one) zone. If an interface is not assigned to any zone, it is automatically assigned to the external zone. Whatever rules are in effect for a zone apply to every interface in that zone. For example, if HTTP traffic is allowed in a particular zone, then web requests will be accepted on all the addresses configured for all the interfaces assigned to that zone.
There are primarily two firewall zones in use. The internal zone is meant for services that are provided to all machines on the local network, such as streaming media and simple file sharing. The external zone is meant for services that are provided publicly on the Internet, such as a blog, a website or an email web client.
For details on how network interfaces are configured by default, see the Networks section.
Opening Custom Ports
The Cockpit app provides advanced management of the firewall. Both FreedomBox and Cockpit operate on top of firewalld and are therefore compatible with each other. In particular, Cockpit can be used to open custom services or ports on FreedomBox. This is useful if you are manually running your own services on the same machine in addition to the services provided by FreedomBox.
FreedomBox Ports/Services
The following table attempts to document the ports, services and their default statuses in FreedomBox. If you find this page outdated, see the Firewall status page in the FreedomBox interface.
Service | Port | External | Enabled by default | Status shown in FreedomBox | Managed by FreedomBox
Minetest | 30000/udp | | | |
XMPP Client | 5222/tcp | | | |
XMPP Server | 5269/tcp | | | |
XMPP Bosh | 5280/tcp | | | |
NTP | 123/udp | | | |
FreedomBox Web Interface (Plinth) | 443/tcp | | | |
Quassel | 4242/tcp | | | |
SIP | 5060/tcp | | | |
SIP | 5060/udp | | | |
SIP-TLS | 5061/tcp | | | |
SIP-TLS | 5061/udp | | | |
RTP | 1024-65535/udp | | | |
SSH | 22/tcp | | | |
mDNS | 5353/udp | | | |
Tor (Socks) | 9050/tcp | | | |
Obfsproxy | <random>/tcp | | | |
OpenVPN | 1194/udp | | | |
Mumble | 64378/tcp | | | |
Mumble | 64378/udp | | | |
Privoxy | 8118/tcp | | | |
JSXC | 80/tcp | | | |
JSXC | 443/tcp | | | |
DNS | 53/tcp | | | |
DNS | 53/udp | | | |
DHCP | 67/udp | | | |
Bootp | 67/tcp | | | |
Bootp | 67/udp | | | |
Bootp | 68/tcp | | | |
Bootp | 68/udp | | | |
LDAP | 389/tcp | | | |
LDAPS | 636/tcp | | | |
Manual operation
See the FirewallD documentation for the basic concepts and a comprehensive reference.
Enable/disable firewall
To disable firewall
service firewalld stop
or with systemd
systemctl stop firewalld
To re-enable firewall
service firewalld start
or with systemd
systemctl start firewalld
Modifying services/ports
You can manually add or remove a service or port in a zone. Each change below is given as two commands: the first changes the running configuration immediately, and the second, with --permanent, records the same change so that it survives a restart of firewalld.
To see the list of services enabled in a zone:
firewall-cmd --zone=<zone> --list-services
Example:
firewall-cmd --zone=internal --list-services
To see the list of ports enabled in a zone:
firewall-cmd --zone=<zone> --list-ports
Example:
firewall-cmd --zone=internal --list-ports
To remove a service from a zone:
firewall-cmd --zone=<zone> --remove-service=<service>
firewall-cmd --permanent --zone=<zone> --remove-service=<service>
Example:
firewall-cmd --zone=internal --remove-service=xmpp-bosh
firewall-cmd --permanent --zone=internal --remove-service=xmpp-bosh
To remove a port from a zone:
firewall-cmd --zone=<zone> --remove-port=<port>/<protocol>
firewall-cmd --permanent --zone=<zone> --remove-port=<port>/<protocol>
Example:
firewall-cmd --zone=internal --remove-port=5353/udp
firewall-cmd --permanent --zone=internal --remove-port=5353/udp
To add a service to a zone:
firewall-cmd --zone=<zone> --add-service=<service>
firewall-cmd --permanent --zone=<zone> --add-service=<service>
Example:
firewall-cmd --zone=internal --add-service=xmpp-bosh
firewall-cmd --permanent --zone=internal --add-service=xmpp-bosh
To add a port to a zone:
firewall-cmd --zone=<zone> --add-port=<port>/<protocol>
firewall-cmd --permanent --zone=<zone> --add-port=<port>/<protocol>
Example:
firewall-cmd --zone=internal --add-port=5353/udp
firewall-cmd --permanent --zone=internal --add-port=5353/udp
Modifying the zone of interfaces
You can manually change the zone assignment of each interface after the interfaces have been automatically assigned by the first boot process.
To see current assignment of interfaces to zones:
firewall-cmd --list-all-zones
To remove an interface from a zone:
firewall-cmd --zone=<zone> --remove-interface=<interface>
firewall-cmd --permanent --zone=<zone> --remove-interface=<interface>
Example:
firewall-cmd --zone=external --remove-interface=eth0
firewall-cmd --permanent --zone=external --remove-interface=eth0
To add an interface to a zone:
firewall-cmd --zone=<zone> --add-interface=<interface>
firewall-cmd --permanent --zone=<zone> --add-interface=<interface>
Example:
firewall-cmd --zone=internal --add-interface=eth0
firewall-cmd --permanent --zone=internal --add-interface=eth0
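As an added example (not part of the FreedomBox manual or its code), the following POSIX shell script applies the rules from the Interfaces section to the output of firewall-cmd --list-all-zones: it lists which zone each interface belongs to, flags any interface that appears in more than one zone, and lists the services and ports open in the external zone, i.e. what is reachable from the Internet. The zone listing embedded in the script is a constructed sample written in the format firewall-cmd prints; the interface names in it (eth0, eth1, wlan0) and the service mix are assumptions, and on a real FreedomBox you would feed the script the live output instead.

```shell
#!/bin/sh
# Added example, not FreedomBox code: audit firewalld zone assignments.
# Reads text in the format of `firewall-cmd --list-all-zones`, where each
# zone starts at column 0 ("internal (active)") and its properties are
# indented ("  interfaces: eth1 wlan0", "  services: mdns ssh").

# Constructed sample output. On a real system replace this with:
#   SAMPLE_ZONES="$(firewall-cmd --list-all-zones)"
SAMPLE_ZONES='external (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client http https ssh
  ports: 443/tcp
internal (active)
  target: default
  interfaces: eth1 wlan0
  services: mdns ssh xmpp-bosh
  ports: 5353/udp
trusted
  target: ACCEPT
  interfaces: eth1
  services:
  ports:'

# interface_zones: read zone output on stdin, print "interface zone" pairs,
# one per line, sorted by interface name.
interface_zones() {
    awk '
        /^[^ \t]/ { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i, zone }
    ' | sort
}

# duplicate_interfaces: print interfaces that appear in more than one zone.
# The Interfaces section requires exactly one zone per interface, so any
# output here means the configuration needs fixing.
duplicate_interfaces() {
    interface_zones | awk '{ print $1 }' | uniq -d
}

# zone_exposure: print the services and ports open in the named zone
# (default: external), one item per line.
zone_exposure() {
    want="${1:-external}"
    awk -v want="$want" '
        /^[^ \t]/ { zone = $1; next }
        zone == want && ($1 == "services:" || $1 == "ports:") {
            for (i = 2; i <= NF; i++) print $i
        }
    '
}

# Report for the sample above.
echo "Interface -> zone:"
printf '%s\n' "$SAMPLE_ZONES" | interface_zones
echo "Interfaces assigned to more than one zone (should be none):"
printf '%s\n' "$SAMPLE_ZONES" | duplicate_interfaces
echo "Open to the Internet (external zone):"
printf '%s\n' "$SAMPLE_ZONES" | zone_exposure external
```

In the constructed sample, eth1 is listed under both internal and trusted, which the audit reports; after hand-editing zone assignments with the commands above, this is the kind of inconsistency worth checking for, along with a LAN-only service such as mdns turning up in the external zone.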
This page is copyright its contributors and is licensed under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.