RHCSA - Manage Basic Networking: Restrict Network Access Using firewall-cmd/firewall
This lesson also covers exam objective:
- Manage Security: Configure Firewall Settings Using firewall-cmd/firewalld.
A firewall is a security system that acts as a barrier between a trusted network and an untrusted network, such as the internet. Its purpose is to control and filter incoming and outgoing network traffic based on a set of predefined rules. This helps prevent unauthorized access, cyber attacks, and the spread of malicious software.
In Red Hat-based Linux systems, firewalld and firewall-cmd are tools used to manage the firewall settings.
firewalld Service Daemon
Firewalld is a dynamic firewall management tool that supports network zones, each defining a trust level for the connections assigned to it. It handles IPv4 and IPv6 firewall settings, Ethernet bridges, and IP sets. Runtime and permanent configuration are kept separate, so firewalld can apply runtime changes immediately without restarting the service. Its D-Bus interface lets services, applications, and users adjust settings, and it is the interface that tools such as the `firewall-cmd` command use.
Runtime changes take effect immediately, lasting until the next reload, restart, or system reboot. Permanent settings are reloaded after system reboots. The runtime environment is suitable for temporary configurations, allowing testing and evaluation. If the runtime setup is successful, it can be saved as the permanent configuration.
firewall-cmd
`firewall-cmd` is the command-line interface for managing the firewall using firewalld. It allows administrators to interact with the firewall configuration through the terminal. You can use it to create, modify, and delete firewall rules, manage zones, services, ports, and more.
The table below lists some commonly used options with example usage and a description:

| Option | Example Usage | Description |
|---|---|---|
| `--get-zones` | `firewall-cmd --get-zones` | Retrieve a list of available firewall zones. |
| `--get-default-zone` | `firewall-cmd --get-default-zone` | Display the currently set default firewall zone. |
| `--set-default-zone=<zone>` | `firewall-cmd --set-default-zone=public` | Set the default firewall zone for new interfaces. |
| `--get-services` | `firewall-cmd --get-services` | List predefined services available for use. |
| `--list-services` | `firewall-cmd --list-services` | List services currently enabled in the zone. |
| `--add-service=<service>` | `firewall-cmd --add-service=http` | Allow traffic for a predefined service in the zone. |
| `--remove-service=<service>` | `firewall-cmd --remove-service=http` | Stop allowing traffic for a service in the zone. |
| `--list-all-zones` | `firewall-cmd --list-all-zones` | List all available zones and their settings. |
| `--add-port=<port/protocol>` | `firewall-cmd --add-port=80/tcp` | Open a specific port for incoming traffic. |
| `--remove-port=<port/protocol>` | `firewall-cmd --remove-port=80/tcp` | Close a specific port for incoming traffic. |
| `--add-interface=<interface>` | `firewall-cmd --add-interface=eth0` | Associate an interface with the selected zone. |
| `--remove-interface=<interface>` | `firewall-cmd --remove-interface=eth0` | Disassociate an interface from the zone. |
| `--add-source=<source>` | `firewall-cmd --add-source=192.168.1.0/24` | Route traffic from a specific source IP range into the zone. |
| `--remove-source=<source>` | `firewall-cmd --remove-source=192.168.1.0/24` | Stop routing traffic from a specific source into the zone. |
| `--permanent` | `firewall-cmd --add-port=8080/tcp --permanent` | Apply the change to the permanent configuration only; it becomes active at the next reload. |
| `--runtime-to-permanent` | `firewall-cmd --runtime-to-permanent` | Save the current runtime configuration as the permanent configuration. |
| `--reload` | `firewall-cmd --reload` | Reload the permanent configuration, discarding unsaved runtime changes. |
| `--list-all` | `firewall-cmd --list-all` | List everything configured for the zone (the default zone unless `--zone` is given), including runtime settings. |
| `--zone=<zone>` | `firewall-cmd --zone=public --list-all` | Perform the command in the specified zone. |
The exercises below will get you using the `firewall-cmd` command.

Determine the default firewall zone and configuration:
```
firewall-cmd --get-default-zone
```
The default zone on my system displays as `public`.

Display all the rules assigned to the default zone:
```
sudo firewall-cmd --list-all
```

Working with Ports:

Determine if any ports are allowed through the default firewall zone. If you intend to make changes to, or view information on, the default zone, then you can omit the `--zone=<zone>` argument in most cases.
```
sudo firewall-cmd --list-ports --zone=public
```
In my case the output returns blank as no ports are open.

Allow http port `80` through the firewall for the runtime configuration:
```
sudo firewall-cmd --add-port=80/tcp --zone=public
```
Make the runtime configuration permanent:
```
sudo firewall-cmd --runtime-to-permanent
```
Reload the firewall to ensure the firewall configuration is now permanent:
```
sudo firewall-cmd --reload
```
Confirm that the port is now assigned:
```
sudo firewall-cmd --list-ports --zone=public
```
The output should return: `80/tcp`

Now remove port `80` from the permanent configuration, as we want to allow this port through a firewall service instead.
```
sudo firewall-cmd --remove-port=80/tcp --zone=public --permanent
```
Reload the firewall so the permanent configuration becomes the active one:
```
sudo firewall-cmd --reload
```
Confirm that port `80` is no longer allowed:
```
sudo firewall-cmd --list-ports --zone=public
```
The output should return nothing.

Working with Services:

Services are predefined rules, and there happens to be one called `http`.

Determine if any services are allowed through the default firewall zone:
```
sudo firewall-cmd --list-services --zone=public
```
The output should be similar to:
```
cockpit dhcpv6-client ssh
```
Add the `http` service to the runtime configuration:
```
sudo firewall-cmd --add-service=http --zone=public
```
Confirm that the change is as expected:
```
sudo firewall-cmd --list-services --zone=public
```
`http` will now be present in the output:
```
cockpit dhcpv6-client http ssh
```
Make the runtime configuration permanent:
```
sudo firewall-cmd --runtime-to-permanent
```
Reload the firewall to ensure the firewall configuration is now permanent:
```
sudo firewall-cmd --reload
```
Confirm that the service is assigned:
```
sudo firewall-cmd --list-services --zone=public
```
`http` will be present in the output:
```
cockpit dhcpv6-client http ssh
```
Now remove the `http` service permanently:
```
sudo firewall-cmd --remove-service=http --zone=public --permanent
```
Reload the firewall so the permanent configuration becomes the active one:
```
sudo firewall-cmd --reload
```
Confirm that the service is no longer assigned:
```
sudo firewall-cmd --list-services --zone=public
```
`http` will now be absent from the output:
```
cockpit dhcpv6-client ssh
```
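The recurring point in these exercises is that a runtime `--add-service` or `--add-port` disappears at the next `--reload` unless it is saved with `--runtime-to-permanent`. The script below is an added example (not part of the lesson or of the firewalld project): it compares a zone's runtime and permanent service/port lists and reports any drift between them. `only_in_first`, `report_drift` and `check_zone` are names chosen here; the sample lists fed to the demo are constructed to mirror the lesson's output.

```shell
#!/bin/sh
# Added example: detect firewalld runtime changes that were never saved to the
# permanent configuration (or permanent changes not yet activated by --reload).
set -f   # disable globbing so unquoted list expansion only word-splits

# Print the items that appear in list $1 but not in list $2, one per line.
# Lists are space-separated, as printed by `firewall-cmd --list-services`.
only_in_first() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                 # present in both: no drift
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# Compare runtime ($2) and permanent ($3) lists for zone $1.
# Returns 0 when they match, 1 when any drift was reported.
report_drift() {
    zone=$1; runtime=$2; permanent=$3; status=0
    for item in $(only_in_first "$runtime" "$permanent"); do
        echo "zone $zone: '$item' is open at runtime but NOT permanent (lost on --reload)"
        status=1
    done
    for item in $(only_in_first "$permanent" "$runtime"); do
        echo "zone $zone: '$item' is permanent but NOT active at runtime (run --reload)"
        status=1
    done
    return $status
}

# On a real RHEL host: gather both lists for a zone (default zone if none given)
# with firewall-cmd and check them.  Requires firewalld, so not run in the demo.
check_zone() {
    zone=${1:-$(sudo firewall-cmd --get-default-zone)}
    rt="$(sudo firewall-cmd --zone="$zone" --list-services) $(sudo firewall-cmd --zone="$zone" --list-ports)"
    pm="$(sudo firewall-cmd --permanent --zone="$zone" --list-services) $(sudo firewall-cmd --permanent --zone="$zone" --list-ports)"
    report_drift "$zone" "$rt" "$pm"
}

# Demo with constructed lists: http and 80/tcp were added at runtime only,
# exactly the state the lesson is in before --runtime-to-permanent.
if [ "${1:-}" = "--demo" ]; then
    report_drift public "cockpit dhcpv6-client http ssh 80/tcp" "cockpit dhcpv6-client ssh"
fi
```

Run it as `sh drift.sh --demo` to see the constructed case, or source it and call `check_zone public` on a host with firewalld to audit the live zone.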