Chapter 23. Configuring a Firewall


The following topics are covered in this chapter:

  • Understanding Linux Firewalling

  • Working with Firewalld

The following RHCSA exam objective is covered in this chapter:

  • Restrict network access using firewall-cmd/firewall

If a server is connected to the Internet, it needs to be protected against unauthorized access. SELinux is one part of this protection (as discussed in Chapter 22, “Managing SELinux”), and a firewall is the second part. The Linux kernel implements firewalling via the netfilter framework. To configure which packets are allowed and which are not, Firewalld is the default solution in RHEL 8. In this chapter, you learn how a basic Firewalld configuration is created in an RHEL 8 environment.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 23-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and ‘Review Questions.’”

Table 23-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section          Questions
Understanding Linux Firewalling    1–3, 7
Working with Firewalld             4–6, 8–10

1. Which of the following is not a standard Firewalld zone?

a. untrusted

b. trusted

c. external

d. internal

2. Which of the following is the name of the firewalling service as implemented in the Linux kernel?

a. iptables

b. firewalld

c. netfilter

d. firewall-mod

3. Which of the following is not an advantage of Firewalld?

a. Rules can be modified through dbus.

b. It has an easy-to-use command-line interface.

c. It has an easy-to-use graphical interface.

d. It can be used to manage the iptables service.

4. Which command enables you to list all available Firewalld services?

a. firewall-cmd --list-services

b. firewall-cmd --list-all

c. firewall-cmd --get-services

d. firewall-cmd --show-services

5. What is the name of the GUI tool that enables you to easily manage Firewalld configurations?

a. system-config-firewall

b. firewall-gtk

c. firewall-config

d. firewall-gui

6. Which of the following shows the correct syntax for adding a port persistently to the current Firewalld configuration?

a. firewall-cmd --addport=2022/tcp --permanent

b. firewall-cmd --add-port=2022/tcp --permanent

c. firewall-cmd --addport=2022/tcp --persistent

d. firewall-cmd --add port=2022/tcp --persistent

7. Which zone should you use for an interface that is on a network where you need minimal firewall protection because every other computer on that same network is trusted?

a. Trusted

b. Home

c. Work

d. Private

8. Which of the following statements is true about the --permanent command-line option when used with firewall-cmd?

a. Configuration that is added using --permanent is activated immediately and will be activated automatically after (re)starting Firewalld.

b. Configuration that is added using --permanent is activated immediately.

c. Configuration that is added using --permanent is not activated immediately and can be activated only by using systemctl restart firewalld.

d. To activate configuration that has been added with the --permanent option, you need to reload the firewall configuration by using firewall-cmd --reload.

9. Which command enables you to get an overview of all the current firewall configurations for all zones?

a. firewall-cmd --show-current

b. firewall-cmd --list-all

c. firewall-cmd --list-current

d. firewall-cmd --show-all

10. Which of the following statements is not true about the firewall-config GUI tool?

a. All configuration that is created in firewall-config is automatically activated and stored permanently.

b. The firewall-config tool provides an easy-to-use interface to add ports to zones.

c. In its default screen, firewall-config shows all zones.

d. firewall-config connects to the Firewalld service. If this service is not running, you may have problems working with firewall-config.

Foundation Topics

Understanding Linux Firewalling

Key topic

You can use a firewall to limit traffic coming in to a server or going out of the server. Firewalling is implemented in the Linux kernel by means of the netfilter subsystem. Netfilter allows kernel modules to inspect every incoming, outgoing, or forwarded packet and act upon such a packet by either allowing it or blocking it. So, the kernel firewall allows for inspection of incoming packets, outgoing packets, and packets that are traversing from one interface to another if the RHEL server is providing routing functionality.

Understanding Previous Solutions

To interact with netfilter, different solutions can be used. On earlier versions of Red Hat Enterprise Linux, iptables was the default solution to configure netfilter packet filtering. This solution worked with the command-line utility iptables, which provided a sophisticated and detailed way of defining firewall rules, but that was also challenging to use for the occasional administrator because of the complicated syntax of iptables commands and because the ordering of rules could become relatively complex.

The iptables service is no longer offered in Red Hat Enterprise Linux 8. It has been replaced with nftables, a newer solution with more advanced options than the ones offered by iptables. The nft command-line tool offers an advanced interface to write rules directly to nftables. Mixing hand-written nft rules with Firewalld on the same host is best avoided, because Firewalld manages only the rules it created itself.

Understanding Firewalld

Key topic

In Red Hat Enterprise Linux 7 a new firewall solution was introduced: Firewalld is a system service that can configure firewall rules by using different interfaces. Administrators can manage rules in a Firewalld environment, but even more important is that applications can request ports to be opened using the DBus messaging system. This means that rules can be added or removed without any direct action by the system administrator, and it allows applications to address the firewall from user space. Access to that DBus interface is controlled by polkit, so an unprivileged process cannot open ports without being authorized to do so.

Firewalld was developed as a completely new solution for managing Linux firewalls. The Firewalld service translates zones and services into netfilter rules; on RHEL 8 it does so through the nftables backend by default (the FirewallBackend setting in /etc/firewalld/firewalld.conf).

Understanding Firewalld Zones

Firewalld makes firewall management easier by working with zones. A zone is a collection of rules that are applied to incoming packets matching a specific source address or network interface. Firewalld applies to incoming packets only by default, and no filtering happens on outgoing packets.

Key topic

The use of zones is particularly important on servers that have multiple interfaces. On such servers, zones allow administrators to easily assign a specific set of rules to each interface. On servers that have just one network interface, a single zone, the default zone, is often all you need. Every packet that comes into a system is analyzed for its source address, and based on that source address, Firewalld determines whether the packet belongs to a specific zone. If not, the zone to which the incoming network interface is bound is used. If the interface is not bound to a zone either, the packet is handled by the settings in the default zone.
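The lookup order described above, as an added example in Python (this is not firewalld's own code, only a model of its documented behavior). The zone layout, addresses and interface names are constructed; the longest-prefix choice for overlapping source networks is this model's own assumption, because firewalld expects each source to belong to only one zone.

```python
"""Model of the zone lookup order Firewalld applies to an incoming packet.

Added example written for this chapter, not firewalld's own code.  It
implements the three-step lookup described in the text: a zone that lists
the packet's source address wins, otherwise the zone the incoming interface
is bound to, otherwise the default zone.  Zone contents and addresses are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    target: str = "default"                        # "default", "ACCEPT", "DROP", "%%REJECT%%"
    interfaces: set = field(default_factory=set)   # interface names bound to the zone
    sources: list = field(default_factory=list)    # ipaddress network objects
    services: set = field(default_factory=set)     # Firewalld service names allowed


def select_zone(src_ip, ifname, zones, default_zone):
    """Return the Zone that handles a packet from src_ip arriving on ifname."""
    addr = ipaddress.ip_address(src_ip)

    # 1. Source match.  firewalld expects each source in one zone only; this
    #    model's assumption is that the longest matching prefix wins if
    #    overlapping networks were configured in different zones.
    best, best_len = None, -1
    for zone in zones:
        for net in zone.sources:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = zone, net.prefixlen
    if best is not None:
        return best

    # 2. Interface binding.
    for zone in zones:
        if ifname in zone.interfaces:
            return zone

    # 3. Default zone.
    return next(zone for zone in zones if zone.name == default_zone)


def is_allowed(src_ip, ifname, service, zones, default_zone):
    """True if the selected zone admits `service`.

    Explicitly allowed services are matched first; the zone target decides
    the fate of everything else (only an ACCEPT target lets it through).
    """
    zone = select_zone(src_ip, ifname, zones, default_zone)
    if service in zone.services:
        return True
    return zone.target == "ACCEPT"


def build_sample_zones():
    """Constructed layout: one NIC in public, a LAN in internal, one trusted host."""
    zones = [
        Zone("public", interfaces={"ens160"},
             services={"ssh", "cockpit", "dhcpv6-client"}),
        Zone("internal", sources=[ipaddress.ip_network("192.168.0.0/24")],
             services={"ssh", "samba", "http"}),
        Zone("trusted", target="ACCEPT",
             sources=[ipaddress.ip_network("192.168.0.5/32")]),
        Zone("drop", target="DROP"),
    ]
    return zones, "public"
```

Note that a packet from the LAN host 192.168.0.5 lands in the trusted zone even though ens160 is bound to public: source matches are evaluated before interface bindings, which is why a stray --add-source on a permissive zone deserves the same review as opening a port.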

Firewalld works with some default zones. Table 23-2 describes these default zones.

Key topic

Table 23-2 Firewalld Default Zones

Zone Name   Default Settings
block       Incoming network connections are rejected with an “icmp-host-prohibited” message. Only network connections that were initiated on this system are allowed.
dmz         For use on computers in the demilitarized zone. Only selected incoming connections are accepted, and limited access to the internal network is allowed.
drop        Any incoming packets are dropped and there is no reply.
external    For use on external networks with masquerading (Network Address Translation [NAT]) enabled, used especially on routers. Only selected incoming connections are accepted.
home        For use with home networks. Most computers on the same network are trusted, and only selected incoming connections are accepted.
internal    For use in internal networks. Most computers on the same network are trusted, and only selected incoming connections are accepted.
public      For use in public areas. Other computers in the same network are not trusted, and limited connections are accepted. This is the default zone for all newly created network interfaces.
trusted     All network connections are accepted.
work        For use in work areas. Most computers on the same network are trusted, and only selected incoming connections are accepted.

Key topic

Understanding Firewalld Services

The second key element while working with Firewalld is the service. Note that a service in Firewalld is not the same as a service in systemd; a Firewalld service specifies exactly which incoming traffic the firewall should accept. It typically includes the ports to be opened, as well as supporting kernel modules (connection-tracking helpers) that should be loaded. Firewalld ships with a set of predefined services, which allows administrators to easily allow or deny access to specific ports on a server.

Behind each service is a configuration file that explains which UDP or TCP ports are involved and, if so required, which kernel modules must be loaded. To get a list of all services available on your computer, you can use the command firewall-cmd --get-services (see Example 23-1).

Example 23-1 Use firewall-cmd --get-services for a List of All Available Services

[root@server1 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd
  audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet
  bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit condor-collector
  ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry
  docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server
  finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust
  ftp ganglia-client ganglia-master git gre high-availability http https
  imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins
  kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps
  libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns
  minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur
  mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio
  ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi
  pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio
  puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master
  samba samba-client samba-dc sane sip sips slp smtp smtp-submission
  smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp
  svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp
  tftp-client tinc tor-socks transmission-client upnp-client vdsm
  vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh
  xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

In essence, what it comes down to when working with Firewalld is that the right services need to be added to the right zones. In special cases, the configuration may be enhanced with more specific settings. In the next section, you learn which tools you can use for that purpose.

Behind each service is an XML configuration file. Changes are easily made to these XML files. Default (RPM installed) XML files are stored in /usr/lib/firewalld/services. Custom XML files can be added to the /etc/firewalld/services directory and will automatically be picked up after reloading (firewall-cmd --reload) or restarting the Firewalld service. A file in /etc/firewalld/services takes precedence over a file with the same name in /usr/lib/firewalld/services, so do not edit the packaged files directly: copy the file to /etc/firewalld/services and edit the copy, so that package updates cannot overwrite your changes.

Example 23-2 shows what the contents of a service file looks like.

Example 23-2 Contents of the ftp.xml Service File

[root@server1 services]# cat ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>
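An added example (not part of firewalld or of this book's exercises) that reads service files like the one above and resolves which copy is used when both /etc/firewalld/services and /usr/lib/firewalld/services contain a definition. FTP_XML is the ftp.xml shown above; the site override in demo_override(), a copy of ftp.xml that also opens a passive-mode port range, is constructed for illustration and the range is an assumption, not a firewalld default.

```python
"""Reader for Firewalld service definitions and their lookup order.

Added example for this chapter; it is not firewalld's own code.  FTP_XML is
the ftp.xml shown on the page.  The override written by demo_override() is
constructed: a site copy of ftp.xml with an additional passive port range.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# firewalld consults /etc before /usr/lib, so a same-named file in
# /etc/firewalld/services overrides the packaged definition.
DEFAULT_SERVICE_DIRS = ("/etc/firewalld/services", "/usr/lib/firewalld/services")

FTP_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>
"""


def parse_service(xml_text):
    """Return the parts of a service file that turn into firewall rules."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service file (root element <%s>)" % root.tag)
    return {
        "short": (root.findtext("short") or "").strip(),
        # <port> entries become accept rules; port is a number or a range "a-b"
        "ports": [(p.get("protocol"), p.get("port")) for p in root.findall("port")],
        # <protocol value="..."/> accepts a whole IP protocol (e.g. gre), not a port
        "protocols": [p.get("value") for p in root.findall("protocol")],
        # <module> names a conntrack helper to load; nf_conntrack_ftp tracks the
        # data connection that FTP negotiates over the control channel
        "modules": [m.get("name") for m in root.findall("module")],
    }


def find_service_file(name, dirs=DEFAULT_SERVICE_DIRS):
    """First matching <name>.xml in lookup order, or None."""
    for directory in dirs:
        path = os.path.join(directory, name + ".xml")
        if os.path.isfile(path):
            return path
    return None


def load_service(name, dirs=DEFAULT_SERVICE_DIRS):
    """Parse the service definition that firewalld would use for `name`."""
    path = find_service_file(name, dirs)
    if path is None:
        raise FileNotFoundError("no service definition for %r in %s" % (name, dirs))
    with open(path, encoding="utf-8") as handle:
        return parse_service(handle.read())


def demo_override():
    """Build a temporary etc/ and lib/ layout and show which ftp.xml wins.

    Returns (definition seen with both dirs, definition seen with lib only).
    """
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc", "firewalld", "services")
        lib = os.path.join(tmp, "usr", "lib", "firewalld", "services")
        os.makedirs(etc)
        os.makedirs(lib)
        with open(os.path.join(lib, "ftp.xml"), "w", encoding="utf-8") as handle:
            handle.write(FTP_XML)
        # Constructed site override: same service name, plus a passive port range.
        site_copy = FTP_XML.replace(
            '<port protocol="tcp" port="21"/>',
            '<port protocol="tcp" port="21"/>\n  <port protocol="tcp" port="30000-30100"/>')
        with open(os.path.join(etc, "ftp.xml"), "w", encoding="utf-8") as handle:
            handle.write(site_copy)
        return load_service("ftp", (etc, lib)), load_service("ftp", (lib,))
```

Because the override is resolved by file name, an attacker (or a careless admin) who can write to /etc/firewalld/services can silently widen any packaged service; that directory deserves the same file-permission and change-monitoring attention as the rest of /etc.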

Working with Firewalld

In this section, you learn how to configure a firewall with the Firewalld command-line interface tool, firewall-cmd. The Firewalld service also offers a GUI version of this tool, firewall-config, but the RHCSA exam objectives list only firewall-cmd, so this section focuses on working from the command line. This easily accessible tool enables uncomplicated configuration.

When working with either of these tools, be aware of where exactly modifications are made. Both tools work with an in-memory (runtime) state of the configuration in addition to an on-disk (permanent) state. While using either of these tools, make sure to commit changes to disk before proceeding: either repeat the change with --permanent and run firewall-cmd --reload, or test the change at runtime first and then save the runtime state with firewall-cmd --runtime-to-permanent.

The firewall-cmd tool is an easily accessible tool that enables administrators to change the runtime configuration of the firewall and to write this configuration to disk. Before learning all the options available with this versatile command, in Exercise 23-1 you work with some of the most important options firewall-cmd offers.

Exercise 23-1 Managing the Firewall with firewall-cmd

  1. Open a root shell. Type firewall-cmd --get-default-zone. This shows the current default zone, which is by default set to public.

  2. To see which zones are available, type firewall-cmd --get-zones.

  3. Show the services that are available on your server by typing firewall-cmd --get-services. Notice that the firewall-cmd --get options show what is available on your server, so basically you can use firewall-cmd --get-<item> to request information about a specific item.

  4. To see which services are allowed in the current zone, type firewall-cmd --list-services. You’ll see a short list containing the DHCPv6 client (dhcpv6-client), Secure Shell (ssh), and the Cockpit web-based management interface (cockpit).

  5. Type firewall-cmd --list-all. Look at the output and compare the output to the result of firewall-cmd --list-all --zone=public. Both commands show a complete overview of the current firewall configuration, as shown in Example 23-3. Notice that you see much more than just the zone and the services that are configured in that zone; you also see information about the interfaces and more advanced items.

    Example 23-3 Showing Current Firewall Configuration

    [root@server1 ~]# firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens160
      sources:
      services: cockpit dhcpv6-client ssh
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
  6. Type firewall-cmd --add-service=vnc-server to add the VNC server to the configuration of the firewall. Verify using firewall-cmd --list-all.

  7. Type systemctl restart firewalld and repeat firewall-cmd --list-all. Notice that the vnc-server service is no longer listed; this is because the previous command has added the service to the runtime configuration but not to the persistent configuration.

  8. Add the vnc-server service again, but make it permanent this time, using firewall-cmd --add-service=vnc-server --permanent.

  9. Type firewall-cmd --list-all again to verify. You’ll see that the vnc-server service is still not listed. Services that have been added to the on-disk configuration are not added automatically to the runtime configuration. Type firewall-cmd --reload to reload the on-disk configuration into the runtime configuration, and verify with firewall-cmd --list-all that vnc-server is now active.

  10. Type firewall-cmd --add-port=2022/tcp --permanent, followed by firewall-cmd --reload. Verify using firewall-cmd --list-all. You’ll see that a port has now been added to the Firewalld configuration.
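The runtime/permanent split that steps 6 through 10 demonstrate is a common source of drift on real servers: a port opened "for a quick test" at runtime survives until the next reload, and a --permanent change that was never reloaded looks saved but is not enforced. The following added example (not part of the exercise or of firewalld) parses the output of firewall-cmd --list-all in the layout of Example 23-3, compares the runtime view with the --permanent view, and names the firewall-cmd call that reconciles them. The two embedded listings are constructed to show the state after step 8; on a host with firewalld, running the script as root queries the live daemon instead.

```python
"""Detect drift between Firewalld's runtime and permanent configuration.

Added example for this chapter; it is neither part of the exercise nor of
firewalld.  parse_list_all() reads the text that `firewall-cmd --list-all`
prints (the layout of Example 23-3), diff_zone() compares the runtime view
with the `--permanent --list-all` view, and suggest() names the command
that reconciles them.  Both samples are constructed: the state after step 8
of the exercise, where vnc-server is permanent but not yet live.
"""
import shutil
import subprocess

RUNTIME_SAMPLE = """public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
"""

PERMANENT_SAMPLE = """public
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client ssh vnc-server
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
"""


def parse_list_all(text):
    """Return (zone_name, {field: set_of_values}) for one zone's listing."""
    lines = text.strip("\n").splitlines()
    zone = lines[0].split()[0]          # "public (active)" -> "public"
    fields, current = {}, None
    for raw in lines[1:]:
        # firewall-cmd indents keys by two spaces and each rich rule by a tab.
        if raw.startswith("\t") or raw.startswith("   "):
            fields[current].add(raw.strip())
            continue
        key, _, value = raw.strip().partition(":")
        current = key.strip()
        fields[current] = set(value.split())
    return zone, fields


def diff_zone(runtime, permanent):
    """{field: (runtime_only, permanent_only)} for every field that differs."""
    (rzone, rfields), (pzone, pfields) = runtime, permanent
    if rzone != pzone:
        raise ValueError("comparing different zones: %s vs %s" % (rzone, pzone))
    drift = {}
    for key in sorted(set(rfields) | set(pfields)):
        r, p = rfields.get(key, set()), pfields.get(key, set())
        if r != p:
            drift[key] = (sorted(r - p), sorted(p - r))
    return drift


def suggest(drift):
    """firewall-cmd invocation that would reconcile the two views.

    --reload discards runtime-only changes and --runtime-to-permanent
    overwrites permanent-only ones, so when both kinds of drift exist
    neither is safe on its own and the administrator must merge by hand.
    """
    runtime_only = any(r for r, _ in drift.values())
    permanent_only = any(p for _, p in drift.values())
    if permanent_only and not runtime_only:
        return ["firewall-cmd --reload"]
    if runtime_only and not permanent_only:
        return ["firewall-cmd --runtime-to-permanent"]
    if runtime_only and permanent_only:
        return ["# manual merge needed: both views contain unique settings"]
    return []


def live_drift(zone=None):
    """Query a running firewalld (needs root); returns diff_zone() of both views."""
    base = ["firewall-cmd"] + (["--zone=" + zone] if zone else [])
    runtime = subprocess.run(base + ["--list-all"], check=True,
                             capture_output=True, text=True).stdout
    permanent = subprocess.run(base + ["--permanent", "--list-all"], check=True,
                               capture_output=True, text=True).stdout
    return diff_zone(parse_list_all(runtime), parse_list_all(permanent))


if __name__ == "__main__":
    if shutil.which("firewall-cmd"):
        found = live_drift()
    else:
        found = diff_zone(parse_list_all(RUNTIME_SAMPLE), parse_list_all(PERMANENT_SAMPLE))
    print(found)
    print("\n".join(suggest(found)))
```

A check like this run from cron or a configuration-management agent catches the "it worked yesterday" class of firewall surprises before a reboot does.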

Tip

On the exam, work with services as much as possible. Only use specific ports if no services contain the ports that you want to open.

In the preceding exercise, you worked with zones and services and you learned how to add services and ports to the default zone. You should work with services as much as possible; adding individual ports is not recommended practice. The firewall-cmd interface offers many more options. Table 23-3 describes some of the most important command-line options.

Key topic

Table 23-3 Common firewall-cmd Options

firewall-cmd Option                                     Explanation
--get-zones                                             Lists all available zones
--get-default-zone                                      Shows the zone currently set as the default zone
--set-default-zone=<ZONE>                               Changes the default zone
--get-services                                          Shows all available services
--list-services [--zone=<ZONE>]                         Shows the services currently allowed in the default zone or the zone specified
--add-service=<service-name> [--zone=<ZONE>]            Adds a service to the default zone or the zone specified
--remove-service=<service-name> [--zone=<ZONE>]         Removes a service from the configuration
--list-all [--zone=<ZONE>]                              Lists the complete configuration of a zone
--list-all-zones                                        Lists the complete configuration of all zones
--add-port=<port/protocol> [--zone=<ZONE>]              Adds a port and protocol
--remove-port=<port/protocol> [--zone=<ZONE>]           Removes a port from the configuration
--add-interface=<INTERFACE> [--zone=<ZONE>]             Binds an interface to the default zone or the zone specified
--remove-interface=<INTERFACE> [--zone=<ZONE>]          Removes an interface from a zone
--add-source=<ipaddress/netmask> [--zone=<ZONE>]        Adds a source address or network to the default zone or the zone specified
--remove-source=<ipaddress/netmask> [--zone=<ZONE>]     Removes a source address or network from the configuration
--permanent                                             Writes the change to the on-disk configuration only; it is not active until the next --reload
--reload                                                Reloads the on-disk configuration into the runtime configuration (runtime-only changes are lost)
--runtime-to-permanent                                  Saves the current runtime configuration as the permanent (on-disk) configuration

Summary

In this chapter, you learned how to set up a basic firewall environment, where Firewalld services are added to Firewalld zones to allow access to specific services on your computer. You also learned how to set up a base firewall by using the firewall-cmd command-line tool.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the end-of-chapter labs; the memory tables in Appendix B; Chapter 26, “Final Preparation”; and the practice exams.

Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 23-4 lists a reference of these key topics.

Key topic

Table 23-4 Key Topics for Chapter 23

Key Topic Element   Description
Paragraph           Introduces firewalling in the Linux kernel
Paragraph           Introduces netfilter as opposed to other firewalling tools
Paragraph           Introduces how Firewalld zones are used
Table 23-2          Firewalld default zones
Section             Introduces the concept of a Firewalld service
Table 23-3          Common firewall-cmd options

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

firewall

netfilter

iptables

nftables

Firewalld

zones

services

Complete Tables and Lists from Memory

Print a copy of Appendix B, “Memory Tables” (found on the companion website), or at least the section for this chapter, and complete the tables and lists from memory. Appendix C, “Memory Tables Answer Key,” includes completed tables and lists to check your work.

Review Questions

The questions that follow are meant to help you test your knowledge of concepts and terminology and the breadth of your knowledge. You can find the answers to these questions in Appendix A.

1. Which service should be running before you try to create a firewall configuration with firewall-config?

2. Which command adds UDP port 2345 to the firewall configuration in the default zone?

3. Which command enables you to list all firewall configuration in all zones?

4. Which command enables you to remove the vnc-server service from the current firewall configuration?

5. Which firewall-cmd command enables you to activate a new configuration that has been added with the --permanent option?

6. Which firewall-cmd option enables you to verify that a new configuration has been added to the current zone and is now active?

7. Which command enables you to add the interface eno1 to the public zone?

8. If you add a new interface to the firewall configuration while no zone is specified, which zone will it be added to?

9. Which command enables you to add the source IP address 192.168.0.0/24 to the default zone?

10. Which command enables you to list all services that are currently available in Firewalld?

End-of-Chapter Lab

You have now learned how to work with Firewalld on a Red Hat Enterprise Linux 8 server. Make sure to master these skills by working through this end-of-chapter lab.

Lab 23.1

1. Create a firewall configuration that allows access to the following services that may be running on your server:

  • web

  • ftp

  • ssh

2. Make sure the configuration is persistent and will be activated after a restart of your server.
