RHCSA - Manage Basic Networking: Restrict Network Access Using firewall-cmd/firewall

This lesson also covers exam objective:

  • Manage Security: Configure Firewall Settings Using firewall-cmd/firewalld.

A firewall is a security system that acts as a barrier between a trusted network and an untrusted network, such as the internet. Its purpose is to control and filter incoming and outgoing network traffic based on a set of predefined rules. This helps prevent unauthorized access, cyber attacks, and the spread of malicious software.

In Red Hat-based Linux systems, firewalld and firewall-cmd are tools used to manage the firewall settings.

firewalld Service Daemon

Firewalld is a dynamic firewall management tool that supports network zones defining connection trust levels. It handles IPv4 and IPv6 firewall settings, Ethernet bridges, and IP sets. The runtime and permanent configuration options are separate. Firewalld allows immediate runtime changes without requiring service restarts. Its D-Bus interface enables easy adjustment of settings for services, applications, and users, serving tools such as the firewall-cmd command.

Runtime changes take effect immediately, lasting until the next reload, restart, or system reboot. Permanent settings are reloaded after system reboots. The runtime environment is suitable for temporary configurations, allowing testing and evaluation. If the runtime setup is successful, it can be saved as the permanent configuration.

firewall-cmd

firewall-cmd is the command-line interface for managing the firewall using firewalld. It allows administrators to interact with the firewall configuration through the terminal. You can use it to create, modify, and delete firewall rules, manage zones, services, ports, and more.

The table below lists some commonly used options, with an example and a description for each:

Option                           Example                                        Description
--get-zones                      firewall-cmd --get-zones                       List the available firewall zones.
--get-default-zone               firewall-cmd --get-default-zone                Display the currently set default zone.
--set-default-zone=<zone>        firewall-cmd --set-default-zone=public         Set the default zone, used for interfaces not assigned to another zone.
--get-services                   firewall-cmd --get-services                    List the predefined services available for use.
--list-services                  firewall-cmd --list-services                   List the services currently allowed in the zone.
--add-service=<service>          firewall-cmd --add-service=http                Allow traffic for a predefined service in the zone.
--remove-service=<service>       firewall-cmd --remove-service=http             Stop allowing traffic for a service in the zone.
--list-all-zones                 firewall-cmd --list-all-zones                  List all zones and their settings.
--add-port=<port/protocol>       firewall-cmd --add-port=80/tcp                 Open a specific port for incoming traffic.
--remove-port=<port/protocol>    firewall-cmd --remove-port=80/tcp              Close a specific port for incoming traffic.
--add-interface=<interface>      firewall-cmd --add-interface=eth0              Associate an interface with the zone.
--remove-interface=<interface>   firewall-cmd --remove-interface=eth0           Disassociate an interface from the zone.
--add-source=<source>            firewall-cmd --add-source=192.168.1.0/24       Assign traffic from a specific source IP range to the zone.
--remove-source=<source>         firewall-cmd --remove-source=192.168.1.0/24    Stop assigning traffic from that source to the zone.
--permanent                      firewall-cmd --add-port=8080/tcp --permanent   Apply the change to the permanent configuration rather than the runtime one; it takes effect after a reload.
--runtime-to-permanent           firewall-cmd --runtime-to-permanent            Save the current runtime configuration as the permanent configuration.
--reload                         firewall-cmd --reload                          Reload the permanent configuration into the runtime, discarding unsaved runtime changes.
--list-all                       firewall-cmd --list-all                        List everything configured in the default zone (or the zone given with --zone), including runtime changes.
--zone=<zone>                    firewall-cmd --zone=public --list-all          Run the command against the specified zone instead of the default.

The exercises below walk through using the firewall-cmd command:

Determine the default firewall zone and configuration:

firewall-cmd --get-default-zone

The default zone on my system displays as public.

Display all the rules assigned to the default zone:

sudo firewall-cmd --list-all

Working with Ports:

Determine if any ports are allowed through the default firewall zone:

If you intend to view or change the default zone, you can omit the --zone=<zone> argument in most cases.

sudo firewall-cmd --list-ports --zone=public

In my case the output returns blank as no ports are open.

Allow http port 80 through the firewall for the runtime configuration:

sudo firewall-cmd --add-port=80/tcp --zone=public

Make the runtime configuration permanent:

sudo firewall-cmd --runtime-to-permanent

Reload the firewall, which rebuilds the runtime configuration from the permanent one, so the port stays open only if it was saved permanently:

sudo firewall-cmd --reload

Confirm that the port is still allowed after the reload:

sudo firewall-cmd --list-ports --zone=public

The output should return: 80/tcp

Now remove port 80 from the permanent configuration as we want to allow this port through a firewall service instead.

sudo firewall-cmd --remove-port=80/tcp --zone=public --permanent

Reload the firewall so that the permanent change is applied to the runtime configuration:

sudo firewall-cmd --reload

Confirm port 80 is no longer allowed:

sudo firewall-cmd --list-ports --zone=public

The output should return nothing.

Working with Services:

Services are predefined rule sets (the ports and protocols an application needs), and one of them is called http.

Determine if any services are allowed through the default firewall zone:

sudo firewall-cmd --list-services --zone=public

The output should be similar to:

cockpit dhcpv6-client ssh

Add the http service to the runtime configuration:

sudo firewall-cmd --add-service=http --zone=public

Confirm if the change is as expected:

sudo firewall-cmd --list-services --zone=public

http will now be present in the output:

cockpit dhcpv6-client http ssh

Make the runtime configuration permanent:

sudo firewall-cmd --runtime-to-permanent

Reload the firewall, which rebuilds the runtime configuration from the permanent one, so the service stays allowed only if it was saved permanently:

sudo firewall-cmd --reload

Confirm that the service is still allowed after the reload:

sudo firewall-cmd --list-services --zone=public

http will be present in the output:

cockpit dhcpv6-client http ssh

Now remove the http service permanently:

sudo firewall-cmd --remove-service=http --zone=public --permanent

Reload the firewall so that the permanent change is applied to the runtime configuration:

sudo firewall-cmd --reload

Confirm that the service has been removed:

sudo firewall-cmd --list-services --zone=public

http will now be absent from the output:

cockpit dhcpv6-client ssh