RHEL 9 Firewall
- Ingress now
- Jul 5, 2022
Updated: May 11
Firewall

A firewall is a way to protect machines from unwanted traffic from outside.
Firewalld is a firewall service daemon that provides a dynamic, customizable, host-based firewall.
It enables creating, changing, and deleting rules without the need to restart the firewall daemon each time the rules are changed.
firewalld uses the concepts of zones and services, which simplify traffic management.
Zones are predefined sets of rules.
Network interfaces and sources can be assigned to a zone.
Firewalls filter communication based on ports.
To allow network traffic for a service, its ports must be open.
firewalld blocks all traffic on ports that are not explicitly set as open.
When to use firewalld, nftables, or iptables
--------------------------------------------
firewalld: Use the firewalld utility for simple firewall use cases.
nftables: Use the nftables utility to set up complex and performance-critical firewalls, such as for a whole network.
iptables: The iptables utility on Red Hat Enterprise Linux uses the nf_tables kernel API instead of the legacy back end.
Zones:
------
Firewalld can be used to separate networks into different zones according to the level of trust that the user has decided to place on the interfaces and traffic within that network.
If you change the zone of an interface using the web console, firewall-cmd or firewall-config, the request is forwarded to NetworkManager and is not handled by firewalld.
Alternatively, you can edit the appropriate NetworkManager configuration files.
The predefined zones are stored in the /usr/lib/firewalld/zones/ directory.
These files are copied to the /etc/firewalld/zones/ directory only after they are modified.
Default Settings:
-----------------
block:
------
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6.
dmz:
----
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
drop:
-----
Any incoming network packets are dropped without any notification. Only outgoing network connections are possible.
external:
--------
For use on external networks with masquerading enabled, especially for routers.
Only selected incoming connections are accepted.
home:
-----
Only selected incoming connections are accepted.
internal:
---------
For use on internal networks when you mostly trust the other computers on the network.
Only selected incoming connections are accepted.
public:
-------
For use in public areas where you do not trust other computers on the network.
Only selected incoming connections are accepted.
trusted:
-------
All network connections are accepted.
work:
-----
For use at work where you mostly trust the other computers on the network.
Only selected incoming connections are accepted.
Note:
The default zone in firewalld is set to be the public zone.
Predefined services:
--------------------
A service can be a list of local ports, protocols, source ports, and destinations, as well as a list of firewall helper modules that are automatically loaded if the service is enabled.
Using services saves users time because they can achieve several tasks, such as opening ports, defining protocols, enabling packet forwarding and more, in a single step.
Service configuration options and generic file information are described in the firewalld.service(5) man page.
Alternatively, you can edit the XML files in the /etc/firewalld/services/ directory.
If a service has not been added or changed by the user, then no corresponding XML file is found in /etc/firewalld/services/.
The files in the /usr/lib/firewalld/services/ directory can be used as templates if you want to add or change a service.
Commands:
---------
To start firewalld
# systemctl unmask firewalld
# systemctl start firewalld
To ensure firewalld starts automatically at system start:
# systemctl enable firewalld
To stop firewalld
# systemctl stop firewalld
To prevent firewalld from starting automatically at system start:
# systemctl disable firewalld
To make sure firewalld cannot be started by accessing the firewalld D-Bus interface, or by other services that require firewalld:
# systemctl mask firewalld
Verifying the permanent firewalld configuration:
------------------------------------------------
For example, after manually editing firewalld configuration files, administrators want to verify that the changes are correct.
# firewall-cmd --check-config
Viewing the current status of firewalld:
# firewall-cmd --state
# systemctl status firewalld
Viewing firewalld settings using CLI:
# firewall-cmd --list-all
# firewall-cmd --list-all --zone=home
To see which services are allowed in the current zone:
# firewall-cmd --list-services
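The listing commands above are most useful when their output is compared against an approved baseline, so that a service or port opened by mistake in the public zone is noticed. The following shell script is an added example (not from the original page): it parses text in the format that firewall-cmd --zone=public --list-all prints and reports anything beyond the baseline. The listing, the baseline and the "telnet" and "161/udp" findings are constructed for illustration; on a real host, capture the command's output into SAMPLE_LIST_ALL instead.

```shell
# Constructed sample in the format that "firewall-cmd --zone=public --list-all"
# prints; on a real host capture that command's output instead.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh telnet
  ports: 8080/tcp 161/udp
  masquerade: no
  source-ports:
  rich rules:'

# field_values <field> <listing>: print the values of one field line, so
# field_values services "$SAMPLE_LIST_ALL" gives "cockpit dhcpv6-client ssh telnet".
field_values() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# unexpected <allowed> <actual>: print each item of <actual> missing from <allowed>.
unexpected() {
    for item in $2; do
        case " $1 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# audit_zone <listing> <allowed-services> <allowed-ports>: report every service
# or port the zone exposes beyond the baseline; returns 1 if anything was found.
audit_zone() {
    found=0
    for svc in $(unexpected "$2" "$(field_values services "$1")"); do
        echo "unexpected service: $svc"; found=1
    done
    for port in $(unexpected "$3" "$(field_values ports "$1")"); do
        echo "unexpected port: $port"; found=1
    done
    return $found
}

# Baseline for the public zone: only cockpit, dhcpv6-client, ssh and 8080/tcp.
if audit_zone "$SAMPLE_LIST_ALL" "cockpit dhcpv6-client ssh" "8080/tcp"; then
    echo "public zone matches the baseline"
else
    echo "public zone has drifted from the baseline"
fi
```

The same check can be run for every zone returned by firewall-cmd --get-active-zones, with one baseline per zone.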
Controlling network traffic using firewalld:
Disabling all traffic in case of emergency using CLI:-
# firewall-cmd --panic-on
Note:- Enabling panic mode stops all networking traffic.
Switching off panic mode reverts the firewall to its permanent settings.
# firewall-cmd --panic-off
To see whether panic mode is switched on or off:
# firewall-cmd --query-panic
Controlling traffic with predefined services using CLI
Procedure:
----------
Check that the service is not already allowed:
# firewall-cmd --list-services
List all predefined services:
# firewall-cmd --get-services
Add the service to the allowed services:
# firewall-cmd --add-service=<service-name>
Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
Adding new services:-
Procedure:
Enter the following command to add a new and empty service:
$ firewall-cmd --new-service=service-name --permanent
To add a new service using a local file, use the following command:
$ firewall-cmd --new-service-from-file=service-name.xml --permanent
As soon as service settings are changed, an updated copy of the service is placed into /etc/firewalld/services/.
To copy a service manually:
# cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml
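A service file written from scratch must follow the XML layout that the templates in /usr/lib/firewalld/services/ use: a short name, a description and one port element per port/protocol pair. The following shell function is an added example (not from the original page) that generates such a definition and rejects unknown protocols; the service name "Example App" and its ports are constructed for illustration.

```shell
# service_xml <short-name> <description> <port/proto>...
# Prints a firewalld service definition in the layout of the shipped
# templates (values are inserted as-is, so keep them free of XML markup).
service_xml() {
    short=$1; desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        # firewalld accepts only these protocols in a port element.
        case $proto in
            tcp|udp|sctp|dccp) ;;
            *) echo "bad protocol in $spec" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# Constructed example: an application listening on 8443/tcp and 5000/udp.
service_xml "Example App" "Constructed example service for an internal app" 8443/tcp 5000/udp
```

Save the output as example-app.xml, load it with firewall-cmd --new-service-from-file=example-app.xml --permanent, and run firewall-cmd --check-config before allowing the service in a zone.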
Controlling ports using CLI:-
Opening a port:-
Procedure:
List all allowed ports:
# firewall-cmd --list-ports
Add a port to the allowed ports to open it for incoming traffic:
# firewall-cmd --add-port=port-number/port-type
Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
Closing a port:-
--------------
Procedure:
----------
List all allowed ports:
# firewall-cmd --list-ports
Remove the port from the allowed ports to close it for the incoming traffic:
# firewall-cmd --remove-port=port-number/port-type
Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
Configuring ports using System Roles:
-------------------------------------
Run this procedure on the Ansible control node.
Prerequisites:
--------------
Access and permissions to one or more managed nodes, which are systems you want to configure with the firewalld System Role.
Access and permissions to a control node, which is a system from which Red Hat Ansible Engine configures other systems.
The ansible and rhel-system-roles packages are installed on the control node.
If you use a different remote user than root when you run the playbook, this user has appropriate sudo permissions on the managed node.
Create the ~/adding-and-removing-ports.yml playbook with the following content:
---
- name: Allow incoming HTTPS traffic to the local host
  hosts: node.example.com
  become: true
  tasks:
    - include_role:
        name: linux-system-roles.firewall
      vars:
        firewall:
          - port: 443/tcp
            service: http
            state: enabled
            runtime: true
            permanent: true
Verification
............
Connect to the managed node:
$ ssh user_name@node.example.com
Verify that the 443/tcp port associated with the HTTPS service is open:
$ sudo firewall-cmd --list-ports
Working with firewalld zones:
-----------------------------
Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses.
Listing zones:
To see which zones are available on your system:
# firewall-cmd --get-zones
To see detailed information for all zones:
# firewall-cmd --list-all-zones
To see detailed information for a specific zone:
# firewall-cmd --zone=zone-name --list-all
Modifying firewalld settings for a certain zone:
# firewall-cmd --add-service=ssh --zone=public
Changing the default zone:
--------------------------
Display the current default zone:
# firewall-cmd --get-default-zone
Set the new default zone:
# firewall-cmd --set-default-zone zone-name
Assigning a network interface to a zone:
----------------------------------------
List the active zones and the interfaces assigned to them:
# firewall-cmd --get-active-zones
Assign the interface to a different zone:
# firewall-cmd --zone=zone_name --change-interface=interface_name --permanent
Assigning a zone to a connection using nmcli:
---------------------------------------------
# nmcli connection modify profile connection.zone zone_name
# nmcli connection up profile
Creating a new zone:
--------------------
Create a new zone:
# firewall-cmd --permanent --new-zone=zone-name
Check if the new zone is added to your permanent settings (a zone created with --permanent is not visible in the runtime listing until the configuration is reloaded):
# firewall-cmd --get-zones --permanent
Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
Zone configuration files:
-------------------------
A firewalld zone configuration file contains the information for a zone.
The zone configuration files are located in the /usr/lib/firewalld/zones/ and /etc/firewalld/zones/ directories.
Using zone targets to set default behavior for incoming traffic:
----------------------------------------------------------------
Procedure:
---------
List the information for the specific zone to see the default target:
# firewall-cmd --zone=zone-name --list-all
Set a new target in the zone:
# firewall-cmd --permanent --zone=zone-name --set-target=<default|ACCEPT|REJECT|DROP>
Using zones to manage incoming traffic depending on a source:
-------------------------------------------------------------
Adding a source:
----------------
To set the source in the current zone:
# firewall-cmd --add-source=<source>
To set the source IP address for a specific zone:
# firewall-cmd --zone=zone-name --add-source=<source>
Procedure:
----------
List all available zones:
# firewall-cmd --get-zones
Add the source IP to the trusted zone in the permanent mode:
# firewall-cmd --zone=trusted --add-source=192.168.2.15
Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
Removing a source:
-----------------
List allowed sources for the required zone:
# firewall-cmd --zone=zone-name --list-sources
Remove the source from the zone permanently:
# firewall-cmd --zone=zone-name --remove-source=<source>
Make the new settings persistent:
# firewall-cmd --runtime-to-permanent
Adding a source port:
---------------------
Procedure:
---------
To add a source port:
# firewall-cmd --zone=zone-name --add-source-port=<port-name>/<tcp|udp|sctp|dccp>
Removing a source port:
-----------------------
To remove a source port:
# firewall-cmd --zone=zone-name --remove-source-port=<port-name>/<tcp|udp|sctp|dccp>
Managing ICMP requests:
-----------------------
Listing and blocking ICMP requests:
The available ICMP types are defined in /usr/lib/firewalld/icmptypes/.
To list all available ICMP types:
# firewall-cmd --get-icmptypes
An ICMP type can be used by IPv4, IPv6, or by both protocols. To see which protocol an ICMP type uses:
# firewall-cmd --info-icmptype=<icmptype>
The status of an ICMP request shows yes if the request is currently blocked or no if it is not. To see if an ICMP request is currently blocked:
# firewall-cmd --query-icmp-block=<icmptype>
Blocking or unblocking ICMP requests:
------------------------------------
To see if an ICMP request is currently blocked:
# firewall-cmd --query-icmp-block=<icmptype>
To block an ICMP request:
# firewall-cmd --add-icmp-block=<icmptype>
To remove the block for an ICMP request:
# firewall-cmd --remove-icmp-block=<icmptype>
Registering the system:
# subscription-manager list
# subscription-manager register --auto-attach
Note:
It asks for the username and password.