Changes

Basic RHEL Firewall Configuration with firewalld

120 bytes removed, 17:26, 10 June 2019
no edit summary
While the subject of firewall configuration can be complex, fortunately RHEL 8 provides command-line, web-based and graphical tools that ease the firewall configuration process. This chapter will introduce the basic concepts of firewalld and cover the steps necessary to configure a firewall using the tools provided with the operating system.
 
== An Introduction to firewalld ==
The firewalld service uses a set of rules to control incoming network traffic, defining which traffic is to be blocked and which is to be allowed to pass through to the system. It is built on top of a more complex firewall tool named ''iptables''.
The firewalld system provides a flexible way to manage incoming traffic. The firewall could, for example, be configured to block traffic arriving from a specific external IP address, or to prevent all traffic arriving on a particular TCP/IP port. Rules may also be defined to forward incoming traffic to different systems or to act as an internet gateway to protect other computers on a network.
In keeping with common security practices, a default firewalld installation is configured to block all access with the exception of SSH remote login and the DHCP service used by the system to obtain a dynamic IP address (both of which are essential if the system administrator is to be able to gain access to the system after completing the installation).
The key elements of firewall configuration on RHEL 8 are ''zones'', ''interfaces'', ''services'' and ''ports''.
=== Zones ===
By default, firewalld is installed with a range of pre-configured ''zones''. A zone is a preconfigured set of rules which can be applied to the system at any time to quickly implement firewall configurations for specific scenarios. The ''block'' zone, for example, blocks all incoming traffic, while the ''home'' zone imposes less strict rules on the assumption that the system is running in a safer environment where a greater level of trust is expected. New zones may be added to the system, and existing zones modified to add or remove rules. Zones may also be deleted entirely from the system. Table 13-1 lists the set of zones available by default on a RHEL 8 system:
=== Interfaces ===
=== Services ===
 
TCP/IP defines a set of services that communicate on standard ports. Secure HTTPS web connections, for example, use port 443, while the SMTP email service uses port 25. To selectively enable incoming traffic for specific services, firewalld rules can be added to zones. The ''home'' zone, for example, does not permit incoming HTTPS connections by default. This traffic can be enabled by adding rules to a zone to allow incoming HTTPS connections without having to reference the specific port number.
=== Ports ===
Although common TCP/IP services can be referenced when adding firewalld rules, situations will arise where incoming connections need to be allowed on a specific port that is not allocated to a service. This can be achieved by adding rules that reference specific ports instead of services. This technique was used in the chapter entitled [[An Overview of the RHEL Cockpit Web Interface|An Overview of the RHEL 8 Cockpit Web Interface]] when port 9090 was opened to allow access to the Cockpit web interface.
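Added example (not part of the original chapter): a POSIX shell audit that parses the output of <code>firewall-cmd --zone=public --list-all</code> and reports any services or explicit ports a zone allows beyond the SSH and DHCPv6-client defaults described above. The sample output is constructed, and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output on RHEL 8
# after port 9090 (Cockpit) was opened; not captured from a real host.
SAMPLE_ZONE_OUTPUT='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 9090/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Services permitted by a default RHEL 8 firewalld installation (see the text above).
BASELINE_SERVICES="ssh dhcpv6-client"

# zone_field OUTPUT FIELD -> prints the values of one field line, e.g. "services"
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# extra_services OUTPUT -> services allowed beyond the baseline, space separated
extra_services() {
    extra=""
    for svc in $(zone_field "$1" services); do
        case " $BASELINE_SERVICES " in
            *" $svc "*) ;;                  # part of the default baseline
            *) extra="$extra $svc" ;;       # deviation worth reviewing
        esac
    done
    printf '%s\n' "${extra# }"
}

# open_ports OUTPUT -> ports opened by number rather than through a named service
open_ports() { zone_field "$1" ports; }

# audit_zone OUTPUT -> returns 0 if the zone matches the baseline, 1 otherwise
audit_zone() {
    rc=0
    e=$(extra_services "$1"); p=$(open_ports "$1")
    [ -n "$e" ] && { echo "extra services: $e"; rc=1; }
    [ -n "$p" ] && { echo "explicit ports: $p"; rc=1; }
    return $rc
}

# Offline demonstration; on a live host use: audit_zone "$(firewall-cmd --zone=public --list-all)"
audit_zone "$SAMPLE_ZONE_OUTPUT" || echo "zone deviates from the default baseline"
```

A zone that only lists the default services and no explicit ports passes the audit silently, so the script can run from cron to catch firewall drift.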
