Lab 21: Configure Firewall

Objective Focus
Manage basic networking
Restrict network access using firewall-cmd/firewall

Official RHCSA EX200 Exam Objectives

Intro to the firewalld service

Firewalld is the host-based firewall service on RHEL: it controls, monitors and filters the network traffic arriving at (and leaving) this one machine. This is how I think about it.

The "host-based" part matters: the rules apply only to the host firewalld runs on, unlike a network firewall that sits between network segments and protects many machines at once.

$ systemctl status firewalld.service 
  • Check firewalld is running on your machine
$ firewall-cmd --help
  • Remember how to reach the help output; trying to memorise every option is not the best approach
$ man firewall-cmd 
  • the man page for firewall-cmd is very detailed with great explanations

Please note that changes must survive a reboot. A plain firewall-cmd command only changes the running ruleset, so we have to add --permanent to the commands below where appropriate (and then --reload, so the saved change is also applied now).

What are zones?

A zone is a named, predefined set of rules (allowed services and ports, masquerading, what to do with everything else) that expresses how much you trust the network behind it. Interfaces and source addresses are assigned to zones, and incoming traffic is checked against the rules of the zone its interface or source belongs to.

$ firewall-cmd --get-zones
  • short list with no descriptions
$ firewall-cmd --list-all-zones
  • long list with better details
The predefined zones, from least to most trusting:

Zone      Short description
drop      All incoming network packets are dropped without any reply. Only outgoing connections are possible.
block     All incoming network packets are rejected with an icmp-host-prohibited message. Only outgoing connections are possible.
public    For public, untrusted networks. Only selected incoming connections are accepted. This is the default zone on a fresh install.
external  For external networks with NAT enabled. Masquerading is enabled.
internal  For internal networks when your system acts as a gateway. Only selected incoming connections are accepted.
dmz       For computers in a demilitarized zone. Publicly accessible with limited internal network access.
work      For workgroup computers. Mostly trusts other computers on the network.
home      For home computers. Mostly trusts other computers on the network.
trusted   All network connections are accepted. Use only for fully trusted networks.

How do I change zones?

Before we change the zone, let us check which zone is currently in use.

$ firewall-cmd --get-default-zone 

  • Shows the default zone, i.e. the zone applied to every interface or source address that has not been assigned to a zone explicitly. On a single-NIC lab VM the default zone is normally also the only active zone; --get-active-zones lists the zones that actually have interfaces or sources bound to them, which is the one to check if the two ever differ.

Now that we know the current default zone, we can verify the result after we change it.

$ firewall-cmd --set-default-zone=<zone>

  • Changes the default zone for the running firewall and on disk at the same time; this is one of the few firewall-cmd operations that does not need --permanent.

Let us change it to "home" in this example.

$ firewall-cmd --set-default-zone=home 
  • Sets the default zone to "home", now and at boot. Re-run --get-default-zone to confirm.
How do I allow a service or port?
Services

A firewalld service is a named bundle of ports and protocols defined in an XML file, so you do not have to remember port numbers. For example, allowing the "ssh" service is the same as allowing port 22/tcp; the service name is just easier to read and to audit.

Also, if no zone is specified, the command applies to the default zone.

$ firewall-cmd --list-services 
  • list the services allowed in the default zone
  • append --zone=public to query a specific zone instead
$ firewall-cmd --add-service=<service>
  • allow a service in the default zone (runtime only unless --permanent is added)
$ firewall-cmd --remove-service=<service>
  • remove a service from the default zone
Ports

Ports, in this context, are the logical transport ports used in networking, such as tcp port 443 for HTTPS (Hypertext Transfer Protocol Secure). Use a port rule when no predefined service matches what you need to allow.

Also, if no zone is specified, the command applies to the default zone.

$ firewall-cmd --list-ports 
  • list the ports opened directly in the default zone (ports opened through a service are not shown here; use --list-services for those)
$ firewall-cmd --add-port=443/tcp  
  • open 443/tcp in the default zone (example from the man page); the format is <port>/<protocol>
$ firewall-cmd --remove-port=443/tcp  
  • close it again
  • As with services, add --permanent so that the change survives a reboot, and --reload to make a --permanent change live.
Other firewalld notes

Things to note

  • firewall-cmd keeps two configurations: the runtime (what is enforced right now) and the permanent (the XML on disk, loaded at boot). A command without --permanent changes only the runtime; a command with --permanent changes only the on-disk copy.
  • To make a change that is both live and persistent, either run the command twice (with and without --permanent), or run it once with --permanent and then --reload, or run it without --permanent and then --runtime-to-permanent to save the running configuration.
  • --reload replaces the runtime configuration with the permanent one, so it also discards any runtime-only changes you have not saved.
How do we test our firewall rules?

For this section we use both VMs, Server1 and Server2. Server1 is the machine whose firewall we change; Server2 is the client we test from.

On Server1
$ firewall-cmd --remove-service=ssh  
  • Remove the ssh service from the default zone "home" on Server1. This is a runtime-only change (no --permanent), so a reboot would undo it. Run it from the VM console: an already-open SSH session normally survives because established connections are accepted before the zone rules are consulted, but new connections will be refused.
On Server2
$ ssh root@192.168.50.10   
  • Attempt to ssh from Server2 to Server1. Change the IP address to match your local environment.

The connection should fail because the firewall no longer allows the "ssh" service. Because the home zone rejects unwanted packets (it does not silently drop them), the client typically reports the failure at once as "No route to host" instead of hanging until it times out.

On Server1
$ firewall-cmd --add-service=ssh  
  • Add the ssh service back to the default zone "home" on Server1.

Now re-attempt the ssh from Server2 to Server1; it should succeed.
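The two-VM test above checks a rule from the outside. The script below, added here as an example and not part of the lab, shows the host-side half that the notes on --permanent and --reload describe: making a change that is both live and persistent, and verifying the runtime and permanent copies separately instead of assuming one implies the other. The zone "home" and the services in the usage lines are assumptions chosen to match the lab; the script needs root and a running firewalld to do anything, and does nothing when invoked without arguments.

```shell
#!/bin/sh
# Added example, not part of the lab: make a firewalld change that is both live
# now and persistent across reboots, then prove it from the host itself.
# `firewall-cmd --permanent ...` only edits the XML under /etc/firewalld; the
# running ruleset does not change until `firewall-cmd --reload`. A plain
# `firewall-cmd --add-service=...` is the opposite: live now, gone at reboot.
# Zone "home" and service "https" in the usage lines below are just examples.
set -u

# list_has_item LIST ITEM
# Return 0 if LIST (the space-separated output of --list-services or
# --list-ports) contains ITEM as a whole word, 1 otherwise. A loop is used
# rather than grep so that "ssh" does not match e.g. "ssh-agent" or "sshd".
list_has_item() {
    item=$2
    for w in $1; do
        [ "$w" = "$item" ] && return 0
    done
    return 1
}

# fw_allow_service ZONE SERVICE   (needs root and a running firewalld)
# Permanent change first, then reload, then verify both copies independently.
fw_allow_service() {
    zone=$1; service=$2
    firewall-cmd --permanent --zone="$zone" --add-service="$service" || return 1
    firewall-cmd --reload || return 1
    runtime=$(firewall-cmd --zone="$zone" --list-services)
    permanent=$(firewall-cmd --permanent --zone="$zone" --list-services)
    list_has_item "$runtime" "$service" ||
        { echo "$service is NOT live in zone $zone" >&2; return 1; }
    list_has_item "$permanent" "$service" ||
        { echo "$service is NOT saved for zone $zone" >&2; return 1; }
    echo "$service allowed in zone $zone: live now and after reboot"
}

# fw_deny_service ZONE SERVICE
# The other idiom: change the running ruleset first (takes effect at once),
# then copy the whole runtime configuration to disk with --runtime-to-permanent.
fw_deny_service() {
    zone=$1; service=$2
    firewall-cmd --zone="$zone" --remove-service="$service" || return 1
    firewall-cmd --runtime-to-permanent || return 1
    echo "$service removed from zone $zone: live now and after reboot"
}

# Nothing runs unless invoked with arguments, for example:
#   sh fw-service.sh allow home https
#   sh fw-service.sh deny  home ssh     # run this one from the VM console
case "${1:-}" in
    allow) fw_allow_service "$2" "$3" ;;
    deny)  fw_deny_service  "$2" "$3" ;;
esac
```

Checking both copies matters in practice: a box that passes the remote ssh test right now can still come back with the old ruleset after a reboot if only the runtime was changed, and the reverse mistake (only --permanent, never --reload) leaves a change on disk that is not enforced until the next reload or reboot.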

Important Files

Every firewalld zone and service has a corresponding XML file where its configuration is defined. The files live in two trees: the system-defined ones shipped by the package, and the user-defined ones, which is also where firewall-cmd --permanent writes its changes.

Type            Zones location (RHEL 9)     Services location (RHEL 9)
System-defined  /usr/lib/firewalld/zones/   /usr/lib/firewalld/services/
User-defined    /etc/firewalld/zones/       /etc/firewalld/services/

A file in /etc/firewalld overrides the file of the same name in /usr/lib/firewalld, so customise by creating or copying files under /etc/firewalld; do not edit /usr/lib/firewalld, because a package update will overwrite it. Changes made by editing files take effect after firewall-cmd --reload.

Before making changes to the XML files, first ask yourself "can the task be completed via firewall-cmd?" Usually it can, and the XML is mainly worth knowing so you can read what firewall-cmd wrote.
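As an added example (not from the lab), the following writes a user-defined service file of the kind that belongs in /etc/firewalld/services/, so the service can then be allowed by name exactly like the stock ones. The service name "myapp" and port 8443 are made up for the example; the function writes wherever it is told to, so it can be tried in a scratch directory before touching /etc/firewalld.

```shell
#!/bin/sh
# Added example, not part of the lab: write a user-defined firewalld service
# file, the same kind of XML firewall-cmd itself keeps under /etc/firewalld.
# The name "myapp" and port 8443 used in the comments below are made up.
set -u

# fw_define_service DIR NAME PORT PROTO
# Writes DIR/NAME.xml describing one port. Input is validated first so that a
# typo cannot produce a file firewalld will refuse to load at the next reload.
fw_define_service() {
    dir=$1; name=$2; port=$3; proto=$4
    case $name in
        *[!A-Za-z0-9_-]*|"") echo "bad service name: $name" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    case $port in
        *[!0-9]*|"") echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>User-defined service for $name on $port/$proto</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# fw_service_ports FILE
# Print the port/protocol pairs declared in a service file written by the
# function above, one per line, e.g. "8443/tcp", so the result can be checked.
fw_service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# Real use (as root), then make firewalld read the new file and allow it:
#   fw_define_service /etc/firewalld/services myapp 8443 tcp
#   firewall-cmd --reload
#   firewall-cmd --permanent --zone=home --add-service=myapp && firewall-cmd --reload
# Nothing runs unless all four arguments are given on the command line.
if [ $# -eq 4 ]; then
    fw_define_service "$@"
fi
```

The firewall-cmd route to the same result, which is what the question above is pointing at, is firewall-cmd --permanent --new-service=myapp, then firewall-cmd --permanent --service=myapp --add-port=8443/tcp, then firewall-cmd --reload; it writes a file of the same shape under /etc/firewalld/services/.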

That is all for this lab, thank you!