Tech Tutorial: Manage Security with firewalld on RHEL #
Introduction #
In this tutorial, we will cover how to manage firewall settings using firewall-cmd, the command-line interface for firewalld, the default firewall management tool on Red Hat Enterprise Linux (RHEL) since RHEL 7. firewalld is a front end: it programs the kernel packet filter (iptables on RHEL 7, nftables on RHEL 8 and later) from a higher-level description of zones and services. Understanding and configuring firewall settings is a critical skill for system administrators to ensure the security and proper networking of Linux systems.
firewalld provides a dynamically managed firewall: rules can be added and removed while it runs, without reloading the whole rule set or dropping established connections. It supports network/firewall zones that define the trust level of network connections or interfaces, and it expresses rules in terms of zones and services rather than raw packet-filter rules, which simplifies management.
Step-by-Step Guide #
Prerequisites #
- A RHEL system (version 7 or later)
- Sudo or root access on the system
Step 1: Checking the Status of firewalld #
Before making any changes, check whether the firewalld service is running:
sudo firewall-cmd --state
This prints running or not running. If firewalld is not running, start it with:
sudo systemctl start firewalld
To enable firewalld to start at boot:
sudo systemctl enable firewalld
Step 2: Understanding Zones #
Firewalld uses zones to manage different levels of trust for network connections. A zone becomes active when a network interface or a source address range is assigned to it. Incoming traffic is evaluated against the zone of its source address if one matches, otherwise the zone of the interface it arrived on, otherwise the default zone. To see the active zones and what is bound to them, use:
sudo firewall-cmd --get-active-zones
This lists only the active zones and their interfaces and sources, not every zone that exists. --get-zones lists every defined zone, and --get-default-zone shows the default zone, which on RHEL is public; --list-all --zone=public prints a zone's complete configuration.
Step 3: Adding and Removing Services #
To allow a service through the firewall, first check which services the zone already allows. The following lists the runtime configuration of the public zone (add --permanent to see the saved configuration instead):
sudo firewall-cmd --list-services --zone=public
To add a service to the zone, use:
sudo firewall-cmd --zone=public --add-service=http --permanent
This command allows the http service (TCP port 80, as defined in /usr/lib/firewalld/services/http.xml) in the public zone. Note exactly what --permanent does: it writes the change to the saved configuration under /etc/firewalld only, so the running firewall is not affected until the configuration is reloaded (Step 5). Without --permanent the change takes effect immediately in the runtime configuration but is lost at the next reload or reboot. To get both, run the command twice, once with and once without --permanent, or make the runtime change and then save it with firewall-cmd --runtime-to-permanent.
To remove a service:
sudo firewall-cmd --zone=public --remove-service=http --permanent
Step 4: Managing Ports #
If a specific application uses custom ports, you can open these ports in the firewall:
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
This command opens TCP port 8080. To close the port again:
sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent
Step 5: Applying Changes #
After making changes with the --permanent flag, you must reload firewalld for them to take effect in the running firewall:
sudo firewall-cmd --reload
A reload replaces the runtime configuration with the permanent one, so any runtime-only changes that were not saved are discarded. Established connections are kept. --complete-reload also reloads the netfilter kernel modules and will most likely terminate active connections, so it is rarely what you want.
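Steps 1 to 5 as one script, added here as an example (it is not from the original tutorial): every privileged command goes through a run helper that only prints the command unless the script is started with --apply, so the plan can be reviewed, and tested, on a host without firewalld before it runs as root. The scenario it configures (http, https and TCP 8080 in the public zone) and the script name fw-web.sh are made up for the example.

```bash
#!/bin/bash
# Added example (not part of the original tutorial): Steps 1 to 5 as one
# script. Every privileged command goes through run(), which only prints the
# command unless the script is started with --apply, so the plan can be
# reviewed, and tested, on a host without firewalld before it runs as root.
set -eu

ZONE="${ZONE:-public}"   # zone to change; public is the RHEL default zone
APPLY=0                  # set to 1 by --apply; otherwise run() only prints

# run CMD...: execute the command when applying, otherwise print it.
run() {
    if [ "$APPLY" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# ensure_firewalld_running: Step 1. Start and enable firewalld unless
# firewall-cmd --state already reports it running. (Two systemctl calls
# rather than "enable --now", which RHEL 7's systemd does not have.)
ensure_firewalld_running() {
    if [ "$APPLY" = 1 ] && firewall-cmd --state >/dev/null 2>&1; then
        return 0
    fi
    run systemctl start firewalld
    run systemctl enable firewalld
}

# allow_permanent KIND VALUE: Steps 3 and 4. Add a service (KIND=service,
# VALUE=http) or a port (KIND=port, VALUE=8080/tcp) to the permanent
# configuration of $ZONE. Malformed input returns 2 and changes nothing,
# instead of failing halfway through the procedure inside firewall-cmd.
allow_permanent() {
    local kind="$1" value="$2"
    case "$kind" in
        service) printf '%s' "$value" | grep -Eq '^[A-Za-z0-9_-]+$' || return 2 ;;
        port)    printf '%s' "$value" | grep -Eq '^[0-9]+(-[0-9]+)?/(tcp|udp|sctp|dccp)$' || return 2 ;;
        *)       return 2 ;;
    esac
    run firewall-cmd --permanent --zone="$ZONE" "--add-$kind=$value"
}

# apply_changes: Step 5. Make the permanent configuration the runtime one.
# Runtime-only changes that were never made permanent are discarded here.
apply_changes() {
    run firewall-cmd --reload
}

# configure_web_host: the whole procedure for a constructed scenario, a host
# that runs a web server plus an application listening on TCP 8080.
configure_web_host() {
    ensure_firewalld_running
    allow_permanent service http
    allow_permanent service https
    allow_permanent port 8080/tcp
    apply_changes
}

# Usage: ./fw-web.sh               (print the plan)
#        sudo ./fw-web.sh --apply  (apply it)
main() {
    if [ "${1:-}" = "--apply" ]; then APPLY=1; fi
    configure_web_host
}
main "$@"
```

Run ./fw-web.sh to print the plan and sudo ./fw-web.sh --apply to execute it. run passes its arguments as separate words, so nothing is re-parsed by a shell; the checks in allow_permanent exist to catch malformed values up front, which would otherwise fail only when firewall-cmd rejects them after earlier steps have already been written to the permanent configuration.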
Step 6: Rich Rules #
For more complex rules, firewalld supports "rich rules", which allow more detailed control. For example, to allow connections from a specific IP address to a particular service:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.101" service name="http" accept' --permanent
This accepts http only from 192.168.0.101. Be aware that a rich rule only adds an accept: if the http service is also enabled zone-wide (Step 3), that already admits it from everywhere and the rich rule changes nothing. Traffic that matches no rule falls through to the zone's target, which for public means it is rejected. So to restrict a service to one source, the service must not also be enabled for the whole zone.
Detailed Code Examples #
Let's consider a scenario where you need to configure a web server that serves HTTP and HTTPS only to clients on the 192.168.0.0/24 network.
Do not start by adding the http and https services to the public zone as in Step 3: that allows both services from every source, and a rich rule for one network cannot take that back, because zone-wide service rules and rich rules are both accept rules. Instead, allow each service only for that source:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent
Keep the service clause: a rule with only a source and accept would admit all traffic from that network, not just web traffic. If http or https were enabled zone-wide earlier, remove them with the --remove-service commands from Step 3.
Reload to apply the changes:
sudo firewall-cmd --reload
Afterwards, http and https should appear under rich rules and not under services in the output of sudo firewall-cmd --list-all --zone=public; connections from any other network fall through to the zone's target and are rejected.
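The same requirement, web only for 192.168.0.0/24, can also be met with a dedicated zone instead of rich rules, which leaves the public zone's rules plain and makes the result easier to audit. The script below is an added example and not from the original tutorial: the zone name webclients and the file name fw-restrict.sh are arbitrary choices, and the two --list-all listings embedded in it are constructed samples of what a host prints after the change, not captured output. It also shows how to verify the outcome by parsing firewall-cmd --list-all rather than trusting that each command succeeded.

```bash
#!/bin/bash
# Added example (not part of the original tutorial): restrict http/https to
# one subnet with a dedicated zone, then verify by parsing --list-all output.
# The zone name "webclients" is an arbitrary choice for the example.
set -eu

APPLY=0   # set to 1 by --apply; otherwise run() only prints the commands
run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# restrict_web_to_subnet SUBNET: create a zone whose only members are the
# addresses in SUBNET, allow http/https there, and remove both from public so
# every other source falls through to public's target (reject). Source-bound
# zones are matched before interface-bound ones, so SUBNET clients land here.
restrict_web_to_subnet() {
    local subnet="$1"
    printf '%s' "$subnet" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 2
    # --new-zone fails if the zone already exists, so check first when applying
    if [ "$APPLY" != 1 ] || ! firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx webclients; then
        run firewall-cmd --permanent --new-zone=webclients
    fi
    run firewall-cmd --permanent --zone=webclients --add-source="$subnet"
    run firewall-cmd --permanent --zone=webclients --add-service=http
    run firewall-cmd --permanent --zone=webclients --add-service=https
    run firewall-cmd --permanent --zone=public --remove-service=http
    run firewall-cmd --permanent --zone=public --remove-service=https
    run firewall-cmd --reload
}

# zone_field LISTING FIELD: value of the "  FIELD: ..." line of --list-all output.
zone_field() { printf '%s\n' "$1" | sed -n "s/^  $2: *//p"; }

# has_word LIST WORD: true if WORD is one of the space-separated items in LIST.
has_word() { printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -- "$2"; }

# verify_restriction SUBNET PUBLIC_LISTING WEB_LISTING: 0 only if http and
# https are allowed in the zone bound to SUBNET and not zone-wide in public.
verify_restriction() {
    local subnet="$1" pub="$2" web="$3" svc
    has_word "$(zone_field "$web" sources)" "$subnet" || return 1
    for svc in http https; do
        has_word "$(zone_field "$web" services)" "$svc" || return 1
        if has_word "$(zone_field "$pub" services)" "$svc"; then return 1; fi
    done
    return 0
}

# Constructed sample listings (not captured from a real host) of what
# firewall-cmd --list-all --zone=public / --zone=webclients print afterwards.
SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'
SAMPLE_WEB='webclients (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.0.0/24
  services: http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Usage: ./fw-restrict.sh              (print the plan, check the samples)
#        sudo ./fw-restrict.sh --apply (apply, then check the live host)
main() {
    if [ "${1:-}" = "--apply" ]; then APPLY=1; fi
    restrict_web_to_subnet 192.168.0.0/24
    if [ "$APPLY" = 1 ]; then
        pub="$(firewall-cmd --list-all --zone=public)"
        web="$(firewall-cmd --list-all --zone=webclients)"
    else
        pub="$SAMPLE_PUBLIC"; web="$SAMPLE_WEB"
    fi
    if verify_restriction 192.168.0.0/24 "$pub" "$web"; then
        echo "OK: http/https reachable only from 192.168.0.0/24"
    else
        echo "FAIL: public still allows http/https or webclients is incomplete" >&2
        return 1
    fi
}
main "$@"
```

The verification is the part worth keeping around: run it after any later change to the public zone, because re-adding http there (for example by a colleague following Step 3) silently widens access to every source while the webclients zone still looks correct on its own.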
Conclusion #
In this tutorial, we have explored how to manage firewall settings using firewall-cmd in RHEL. We've covered checking the status of firewalld, managing zones, services, ports, and using rich rules for more complex scenarios. Proper management of firewall settings is crucial for securing your systems and ensuring that only authorized traffic is allowed. By mastering these commands, you will enhance your system's security and meet critical administrative requirements.