Linux red hat firewall

22.14.2. Configure the Firewall Using the Command Line

To enable NTP to pass through the firewall using the command line, issue the following command as root:

Note that this will restart the firewall as long as it has not been disabled with the --disabled option. Active connections will be terminated and time out on the initiating machine.

When preparing a configuration file for multiple installations using administration tools, it is useful to edit the firewall configuration file directly. Note that any mistakes in the configuration file could have unexpected consequences, cause an error, and prevent the firewall setting from being applied. Therefore, check the /etc/sysconfig/system-config-firewall file thoroughly after editing.

To enable NTP to pass through the firewall by editing the configuration file, become the root user and add the following line to /etc/sysconfig/system-config-firewall:

22.14.2.1. Checking Network Access for Incoming NTP Using the Command Line

To check if the firewall is configured to allow incoming NTP traffic for clients using the command line, issue the following command as root:

~]# less /etc/sysconfig/system-config-firewall
# Configuration file for system-config-firewall
--enabled
--service=ssh

In this example taken from a default installation, the firewall is enabled but NTP has not been allowed to pass through. Once it is enabled, the following line appears as output in addition to the lines shown above:

To check if the firewall is currently allowing incoming NTP traffic for clients, issue the following command as root:

~]# iptables -L -n | grep 'udp.*123'
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:123
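The two checks above can be folded into one script. The following is an added example, not part of the Red Hat documentation: it classifies a system-config-firewall configuration file with respect to incoming NTP and treats a --disabled line as the finding that matters, since with the firewall disabled nothing is filtered at all. It assumes the lokkit syntax --port=123:udp or --service=ntp for an NTP allow line.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation above): classify a
# system-config-firewall configuration file with respect to incoming NTP.
# Assumed from lokkit's "--port=<port>:<protocol>" / "--service=<name>"
# syntax: an NTP allow line reads "--port=123:udp" or "--service=ntp".
# Reads the file on stdin; prints one of: disabled | allowed | blocked.
ntp_firewall_state() {
    awk '
        # A "--disabled" line means nothing is filtered at all, which is the
        # finding that matters; an NTP line in such a file says nothing.
        /^--disabled[ \t]*$/                     { disabled = 1 }
        /^--(port=123:udp|service=ntp)[ \t]*$/   { ntp = 1 }
        END {
            if (disabled)  print "disabled"
            else if (ntp)  print "allowed"
            else           print "blocked"
        }'
}

# Constructed sample files standing in for /etc/sysconfig/system-config-firewall.
SAMPLE_DEFAULT='# Configuration file for system-config-firewall
--enabled
--service=ssh'
SAMPLE_NTP="$SAMPLE_DEFAULT
--port=123:udp"
SAMPLE_OFF='# Configuration file for system-config-firewall
--disabled
--service=ssh'

printf 'default install : %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | ntp_firewall_state)"
printf 'with NTP line   : %s\n' "$(printf '%s\n' "$SAMPLE_NTP" | ntp_firewall_state)"
printf 'firewall off    : %s\n' "$(printf '%s\n' "$SAMPLE_OFF" | ntp_firewall_state)"

# On a real RHEL 6 host, check the live file (readable by root):
if [ -r /etc/sysconfig/system-config-firewall ]; then
    ntp_firewall_state < /etc/sysconfig/system-config-firewall
fi
```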


A beginner’s guide to firewalld in Linux

The firewall is essential for controlling the flow of network traffic in and out of the Linux server. In this article, you’ll display, add, and remove firewalld rules.


Our world has never been more connected than it is right now. Every person, business, government, etc. uses the web to communicate, exchange currency and data, and generally go through the motions of daily life and operations. However, these connections are not inherently safe, and because of this, we have to put defensive measures in place to keep our location, information, and money protected. In times past, when someone wanted to secure their possessions, they erected gates and fences to keep intruders at a distance. Today, we accomplish these same goals with the use of firewalls. Most Linux systems made use of the iptables utility; however, a new technology was on the horizon.


With the introduction of Red Hat Enterprise Linux 7.0 (RHEL) in 2011, iptables was superseded as firewalld was born. At its core, firewalld is a zone-based firewall. Zone-based firewalls are network security systems that monitor traffic and take actions based on a set of defined rules applied against incoming/outgoing packets.

All about zones

Firewalld provides different levels of security for different connection zones. A zone is associated with at least one network interface (eth0, for example). We see the preconfigured zones by using the following command:

[tcarrigan@server ~]$ firewall-cmd --get-zones
block dmz drop external home internal libvirt public trusted work

As you see, the zones listed by default are:

NOTE: I am using a RHEL 8.2 virtual machine for this demo.

Generally, the default rule of a firewall is to deny everything and only allow specific exceptions to pass through for needed services.

Many times, it is helpful to see what services are associated with a given zone. To display this information, use the following command:

Note that if you do not specify a zone, the default zone is queried. Here, the default zone is the public zone.

[tcarrigan@server ~]$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8
  sources: 
  services: cockpit dhcpv6-client mountd nfs rpc-bind ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

If you wish to specify a zone, you simply add --zone=zonename.

For example, to see the external zone, use the following:

[tcarrigan@server ~]$ firewall-cmd --zone=external --list-all
external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

If, for some reason, you wanted to change the default zone, you can easily do so by using the following command:

Allow and deny by service

Now, the good thing about firewalls is that they keep our networks safe. The bad thing is that there is no "one-size-fits-all" firewall that fits every situation. Because of this, firewalls are customized to fit the exact needs of the situation they are employed in. For example, if I need to allow FTP (File Transfer Protocol) transfers in the external zone so that I can move a file over port 21, I might use something like this:

firewall-cmd --zone=external --add-service=ftp

Here is the actual example from my VM:

[tcarrigan@server ~]$ sudo firewall-cmd --zone=external --add-service=ftp
[sudo] password for tcarrigan:
success

We see that the daemon returned success, so we should have the FTP service allowed in the external zone. To verify this, we need to check the external zone services list:

[tcarrigan@server ~]$ firewall-cmd --zone=external --list-services
ftp ssh

But, what happens when we reload the firewall configuration?

[tcarrigan@server ~]$ sudo firewall-cmd --reload
success
[tcarrigan@server ~]$ firewall-cmd --zone=external --list-all
external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

The new allow rule doesn’t survive the reinitialization of the firewalld configuration. To ensure that our new rule persists, we need to add the --permanent option. The new command is:


# firewall-cmd --permanent --zone=external --add-service=ftp

Once you use the permanent command, you need to reload the configuration for the changes to take hold.

To remove a service, we make one small change to the syntax. Here, I am going to remove the FTP service from the external zone permanently:

[tcarrigan@server ~]$ sudo firewall-cmd --permanent --zone=external --remove-service=ftp
Warning: NOT_ENABLED: ftp
success

We see that the system warns me that FTP has been disabled and that the operation was a success.

Allow and deny by port

Now, what happens when you need to allow traffic over a non-standard port? Imagine you have a backup service that needs to run over a dedicated UDP port. How would you add this exception to your zone? The syntax is very user-friendly and is only slightly different from what we used for services. To add a port to your zone configuration, use the following:

[tcarrigan@server ~]$ sudo firewall-cmd --permanent --zone=external --add-port=60001/udp
success

We check the allowed ports with the following command:

[tcarrigan@server ~]$ sudo firewall-cmd --zone=external --list-ports
60001/udp

And to remove the port rule, you guessed it: simply switch --add-port=x to --remove-port=x.

[tcarrigan@server ~]$ sudo firewall-cmd --permanent --zone=external --remove-port=60001/udp
success

What’s next?

If, after reading this article, you’re wondering what to do with the information, I highly recommend firing up your favorite VM (RHEL, Fedora, CentOS, etc.) and starting to experiment with the commands above. The best way to learn is to get hands-on experience. If you found this content interesting, keep an eye on Enable Sysadmin for part two, where you’ll dive into creating custom zones and more advanced rule creation.


How to configure firewalld quickly

Learn the basic commands to check your firewall’s configuration, add or remove rules, and reload settings.


This article covers the fundamental tasks necessary to configure the firewalld service quickly. I’ll assume you already appreciate the importance of a firewall and have a general understanding of how firewalls protect servers and workstations.


These are the steps for configuring this firewall:

  1. Check its current status
  2. Check its configuration
  3. Open a port
  4. Close a port
  5. Make the settings persistent
  6. Reload the firewall configuration

To help you find the information you need, I’ve organized the article in a "How do you...?" format that addresses these steps. Simply scroll down to your question and find the commands. If you need more detail on managing firewalld, read Shashank Nandishwar Hegde’s article An introduction to firewalld rules and scenarios.

How do you check the firewalld status?

First, ensure the firewalld service is installed, started, and enabled:

$ sudo systemctl status firewalld
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld

Starting a service activates it for the current runtime, whereas enabling a service causes it to start when the system boots.


How do you check the current configuration?

To display the services or ports currently open on the firewall for the public zone, type:

$ sudo firewall-cmd --list-all --zone=public

Notice the zone and the services or ports. The zone is a configuration related to a specific location or server role.

If desired, you can display the open ports by service or port number:

$ sudo firewall-cmd --list-services
$ sudo firewall-cmd --list-ports


How do you open a port?

If the existing firewall configuration blocks a service you need, open the appropriate port. You can specify it by service name if it’s a common service. However, if the service is uncommon, developed in-house, or uses a custom port number, you can open the firewall port by port number. Here are two examples for web services:

$ sudo firewall-cmd --zone=public --add-service=http
$ sudo firewall-cmd --zone=public --add-port=80/tcp

Note the use of /tcp (or /udp, depending on the protocol).

This configuration is non-persistent. As noted below, you’ll need the --permanent flag to persist the settings.

Use the --list-services or --list-ports option to verify the settings.


How do you close a port?

It’s also possible that an open port represents a no-longer-installed service on the system or that it should be closed for some other reason. Close ports by service name or port number by using these commands:

$ sudo firewall-cmd --zone=public --remove-service=http
$ sudo firewall-cmd --zone=public --remove-port=80/tcp

Again, with the above commands, this configuration is non-persistent.

How do you make the firewall settings persistent?

The --permanent option makes the firewall changes persist through reboots. You can integrate the flag into the configuration commands:

$ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp

How do you reload the configuration?

Finally, reload the firewall to integrate your changes into the current runtime. Do this as a separate step following the configuration changes:


One note regarding restart versus reload: Linux reads configuration files during the boot process, so what do you need to do when changing a configuration file? The obvious answer is to reboot the server, causing the system to reread the configuration file and implement the new changes. A reboot is often a bad idea (causing downtime), so you may choose to restart a service (systemctl restart sshd).

However, the problem with restarting a service is that it drops existing connections. In many cases, a better alternative is to reload the service, which rereads the config file but does not drop existing connections, and therefore there is no interruption in service.
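Both the FTP walkthrough in the beginner's guide (a rule added without --permanent that vanishes on reload) and the persist-then-reload steps in this article come down to one question: do the runtime and permanent configurations of a zone agree? The following script is an added example, not code from either article; it parses firewall-cmd --list-all output and reports entries that exist only on one side. The sample output embedded in it is constructed and abridged; the firewall-cmd calls at the end run only where the tool is present.

```shell
#!/bin/sh
# Added example (not from either article): compare a firewalld zone's runtime
# configuration with its permanent one. Entries present only at runtime will
# vanish on the next reload; entries present only in the permanent config are
# not in force until a reload happens.

# Print the values of one field (e.g. "services", "ports") from
# `firewall-cmd --list-all` output read on stdin.
zone_field() {
    sed -n "s/^ *$1: *//p"
}

# Succeed if value $3 is listed in field $2 of the zone description $1.
zone_has() {
    printf '%s\n' "$1" | zone_field "$2" | tr ' ' '\n' | grep -qxF -- "$3"
}

# Print one line per drifted entry between runtime ($1) and permanent ($2).
zone_drift() {
    for field in services ports; do
        for item in $(printf '%s\n' "$1" | zone_field "$field"); do
            zone_has "$2" "$field" "$item" || echo "RUNTIME-ONLY $field $item"
        done
        for item in $(printf '%s\n' "$2" | zone_field "$field"); do
            zone_has "$1" "$field" "$item" || echo "PERMANENT-ONLY $field $item"
        done
    done
}

# Constructed sample output (abridged --list-all): ftp was added at runtime
# only, 60001/udp was added with --permanent but the daemon not yet reloaded.
SAMPLE_RUNTIME='external
  services: ftp ssh
  ports: 
  masquerade: yes'
SAMPLE_PERMANENT='external
  services: ssh
  ports: 60001/udp
  masquerade: yes'

zone_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"

# On a real host (run as root; --permanent needs it), check a live zone:
if command -v firewall-cmd >/dev/null 2>&1; then
    zone=${1:-public}
    zone_drift "$(firewall-cmd --zone="$zone" --list-all)" \
               "$(firewall-cmd --permanent --zone="$zone" --list-all)"
fi
```

An empty report means the zone is consistent; a RUNTIME-ONLY line is a rule that will be lost on the next reload, and a PERMANENT-ONLY line is a rule that still needs a reload to take effect.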

Learn more

The importance of a firewall is an established fact. This article provides the basic commands necessary to quickly check the configuration, add or remove rules, and reload the settings. You can check the Red Hat documentation for details on additional configurations, using various zones, port forwarding, and more.
