Scribd
Upload
174 views

Chapter14 Limiting Network Communication With Firewalld

Netfilter allows kernel modules to inspect network packets. Tools like iptables and firewalld manage netfilter by setting firewall rules. Firewalld classifies networks into zones like public and private, and assigns interfaces to zones. By default, the public zone and lo interface are used if no changes are made. Firewalld can be configured from the command line to add or remove services and ports based on network zones.

Uploaded by

Brent Michel Farmer
Copyright
© © All Rights Reserved
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
174 views

Chapter14 Limiting Network Communication With Firewalld

Netfilter allows kernel modules to inspect network packets. Tools like iptables and firewalld manage netfilter by setting firewall rules. Firewalld classifies networks into zones like public and private, and assigns interfaces to zones. By default, the public zone and lo interface are used if no changes are made. Firewalld can be configured from the command line to add or remove services and ports based on network zones.

Uploaded by

Brent Michel Farmer
Copyright
© © All Rights Reserved
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 2

Netfilter and firewalld concepts:

- The Linux kernel includes netfilter, which allows kernel modules to inspect every
packet traversing the system.
- Tools like iptables, ip6tables, ebtables and firewalld are used to manage
netfilter.
- Firewalld both covers IPv4 and IPv6 settings (new in RHEL7).
- Firewalld classfies the network into zones (private, public, DMZ) and each zone
includes interfaces.
- The default zone is set to public and interfaces are assigned to public if no
changes are made. The lo interface is treated as if it were in the trusted zone.
==============================================
firewalld config:
[root@master ~]# yum install firewall-config
Or)
Applications> sundry> firewall
[root@master ~]# systemctl status firewalld
[root@master ~]# firewall-config (GUI tool to manage firewalld)
[root@master ~]# firewall-cmd --get-zones (list all zones)
[root@master ~]# firewall-cmd --get-services (list all services)
[root@master ~]# firewall-cmd --get-default-zone
[root@master ~]# firewall-cmd --set-default-zone=home
[root@master ~]# ls /usr/lib/firewalld/services/ (default system services)
[root@master ~]# firewall-cmd --zone=public --add-service=high-availability
(volatile)
[root@master ~]# firewall-cmd --permanent --zone=public --add-service=high-
availability (permanent)
[root@master ~]# firewall-cmd --list-all (to verify)

- If not configured, the default zone will be used.


==============================================
Examples:
- zone:DMZ , allow SSH, NTP, FTP, VNC, apache and DNS

[root@master ~]# firewall-cmd --get-default-zone


[root@master ~]# firewall-cmd --set-default-zone=dmz
[root@master ~]# firewall-cmd --get-services
[root@master ~]# firewall-cmd --permanent --add-service=ssh
[root@master ~]# firewall-cmd --permanent --add-service=ntp
[root@master ~]# firewall-cmd --permanent --add-service=ftp
[root@master ~]# firewall-cmd --permanent --add-service=vnc-server
[root@master ~]# firewall-cmd --permanent --add-service=http
[root@master ~]# firewall-cmd --permanent --add-service=dns

Or:
[root@master ~]# firewall-cmd --permanent --add-port=ssh/tcp
[root@master ~]# firewall-cmd --list-all
- Any changes made in the Permanent configuration will not become active until the
next time that the firewalld service unit is restarted or rloaded. Likewise, any
changes made in the Runtime configuration will not survive a reload or restart of
the firewalld service.
[root@master ~]# systemctl restart firewalld
Or)
[root@master ~]# firewall-cmd --reload
==============================================
Remove a service or a port:
[root@master ~]# firewall-cmd --remove-service=dns
[root@master ~]# firewall-cmd --permanent --remove-service=dns
[root@master ~]# firewall-cmd --remove-port=22/tcp
[root@master ~]# firewall-cmd --permanent --remove-port=22/tcp
==============================================

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy