Firewalld is the firewall service used on modern Linux distributions such as Rocky Linux or Red Hat Enterprise Linux. Instead of long, hand-written iptables rule sets, firewalld offers management via zones and service definitions: it translates this abstract configuration into the necessary netfilter rules (nftables on current releases, iptables on older ones) and applies them to the running kernel. The focus is on simple administration and rapid adaptability.
Basic concepts of firewalld
- Zones: Zones define the trust level of the network connections and interfaces attached to the server. Each interface (or source network) is assigned to exactly one zone, and that zone decides which incoming connections are accepted. Note that firewalld zones filter incoming traffic; outgoing traffic is not restricted by default. The public zone is intended for untrusted networks and accepts only explicitly permitted services (out of the box typically just ssh and dhcpv6-client, plus cockpit on RHEL-family systems); the block and drop zones are stricter still.
- Services: Services in firewalld are predefined rule sets that control access to a particular network service or set of ports in a standardised way, so that you can write --add-service=http instead of remembering port numbers. Definitions ship for common protocols and application ports such as HTTP, HTTPS, SSH and many more.
Using the public zone by default for increased security
As mentioned, the public zone is intended for use in insecure or public networks and is among the most restrictive of the predefined zones: only explicitly permitted connections are accepted. This minimises the risk of unwanted access and is particularly important for interfaces that are directly connected to the Internet. Assigning an interface to the public zone and then carefully configuring only the permitted services and ports is generally recommended, even in apparently secure internal server networks (zero trust approach): the host firewall is the last line of defence once the network perimeter or a neighbouring system has been compromised.
Zone management
- List zones:
# firewall-cmd --list-all-zones
shows all configured zones and their settings; # firewall-cmd --get-active-zones shows only the zones that currently have interfaces or sources assigned.
- Change the zone of an interface: With
# firewall-cmd --zone=public --change-interface=eth0
the network interface eth0 is assigned to the public zone. As with the other commands in this article, the change is runtime-only unless --permanent is added (see the notes on persistent rules below).
Managing services
- Add a service:
# firewall-cmd --zone=public --add-service=http
allows HTTP traffic (port 80/TCP) into the public zone. For a persistent change, additionally run the command with --permanent.
- Remove a service:
# firewall-cmd --zone=public --remove-service=http
withdraws the permission again. Persistent removal likewise requires the --permanent flag.
- Display all currently allowed services of the default zone:
# firewall-cmd --list-services
Opening and closing individual ports
- Open a custom port:
# firewall-cmd --zone=public --add-port=5000/tcp
opens TCP port 5000 in the public zone. Here too, do not forget --permanent for a permanent change.
- Close a custom port:
# firewall-cmd --zone=public --remove-port=5000/tcp
closes the port again.
- Display all opened ports:
# firewall-cmd --list-ports
Pro tip: the easiest way to see everything that is currently allowed in a zone (services, ports, interfaces, rich rules) is # firewall-cmd --list-all, optionally with --zone=<name>. Review this output regularly: a public zone with dozens of individually opened ports, as in the example below, is hard to audit, which is exactly what the custom service definitions described further down are for.
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: bridge0_to_LAN bridge1_to_RP enp1s0f0 enp1s0f1 enp1s0f2 enp1s0f3 storage-bond0
  sources:
  services: cockpit dhcpv6-client http https plex ssh
  ports: 6060/tcp 6062/tcp 6063/tcp 6064/tcp 6065/tcp 8080/tcp 6061/tcp 7020/tcp 7015/tcp 7030/tcp 7040/tcp 6066/tcp 5601/tcp 9200/tcp 19999/tcp 32401/tcp 5044/tcp 7041/tcp 3000/tcp 6067/tcp 81/tcp 6070/tcp 8443/tcp 9300/tcp 6071/tcp 6622/tcp 2342/tcp 6072/tcp 7031/tcp 7042/tcp 3005/tcp 7043/tcp 7029/tcp 9003/tcp 8000/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Creating custom services
If, for example, you deploy your own software that needs several ports over different protocols (TCP and UDP), it makes sense to define and maintain all ports belonging to that service as one unit on the Linux system. The procedure is simple:
- Define the new service: create a new XML file for the service under /etc/firewalld/services/ (the file name without .xml becomes the service name, e.g. plex.xml for a service called plex). Files in this directory take precedence over the distribution's own definitions in /usr/lib/firewalld/services/, which should not be edited. A definition looks like this:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>plex</short>
  <description>Needed Ports for Plex Server</description>
  <!-- one <port protocol="tcp|udp" port="..."/> element per port or port range -->
</service>
After the new service definition ("plex" in our case) has been created under that path, firewalld must be reloaded before the new service can be added to a zone.
- Re-read the service files: With
# firewall-cmd --reload
firewalld reads all configuration files again, and the new service can then be activated in the zone with
# firewall-cmd --zone=public --add-service=plex
(again with and without --permanent, or followed by another --reload, so that the change is both active and persistent).
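As an added example (not part of the original article), the following script generates such a service definition from a list of port/protocol entries and refuses malformed ones before anything is written to /etc/firewalld/services/; with --install it also performs the reload and zone assignment described above. The port numbers in the demo invocation (32400/tcp and 32410-32414/udp) are an assumption for illustration, not the article's own plex definition.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: build a firewalld service
# definition from "port/proto" or "low-high/proto" entries, validating each
# one, so that /etc/firewalld/services/<name>.xml is well-formed before
# firewall-cmd --reload picks it up.
set -eu

# Escape the characters that are special in XML text.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Accept "port/proto" or "low-high/proto" with a protocol firewalld knows
# and ports in 1..65535 (low <= high); return 1 for anything else.
valid_port() {
    local spec low high p
    case "$1" in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    spec=${1%/*}
    low=${spec%-*}
    high=${spec#*-}
    for p in "$low" "$high"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

# Print the service XML for name $1 and description $2 with ports $3...;
# validate every entry first so that nothing is printed if one is invalid.
service_xml() {
    local name=$1 desc=$2 entry
    shift 2
    for entry in "$@"; do
        valid_port "$entry" || { echo "invalid port spec: $entry" >&2; return 1; }
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$name")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for entry in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${entry##*/}" "${entry%/*}"
    done
    printf '</service>\n'
}

# Write the definition, make firewalld re-read its service files, and allow
# the service in the public zone both at runtime and persistently (needs root).
install_service() {
    local name=$1
    service_xml "$@" >"/etc/firewalld/services/$name.xml"
    firewall-cmd --reload
    firewall-cmd --zone=public --add-service="$name"
    firewall-cmd --permanent --zone=public --add-service="$name"
}

case "${1:-}" in
    --demo)
        # Assumed ports for illustration only (not the article's definition).
        service_xml plex "Needed Ports for Plex Server" 32400/tcp 32410-32414/udp ;;
    --install)
        shift; install_service "$@" ;;
esac
```

Run it as `bash make-service.sh --demo` to print the XML, or as root with `bash make-service.sh --install plex "Needed Ports for Plex Server" 32400/tcp 32410-32414/udp` to write /etc/firewalld/services/plex.xml, reload, and allow the service in the public zone. Port ranges use the low-high/proto form that firewalld itself accepts in the port attribute.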
Important details about persistent rules
Rules set with --permanent are written exclusively to the configuration files, for the public zone to /etc/firewalld/zones/public.xml. From there they are loaded automatically when firewalld starts, which is what makes them survive a reboot. Important: this also means that newly defined persistent rules are NOT applied immediately. Either repeat the command without --permanent so that it also reaches the runtime configuration, or, more simply, reload the firewall configuration with
# firewall-cmd --reload
The reverse also holds: changes made without --permanent are active immediately but disappear at the next reload or reboot. If you have made changes at runtime and want to keep them, # firewall-cmd --runtime-to-permanent writes the current runtime configuration to the permanent one.
A reload replaces the runtime configuration with the persistent one and therefore doubles as a test of whether all connections will still work as they should after a reboot.
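The check below is an added example and not part of the original article; it serves both the zone and service management sections and the notes on persistence above. It extracts the services and ports fields from two `firewall-cmd --list-all` outputs, the runtime and the permanent configuration of a zone, and prints every entry that exists only on one side, i.e. exactly the rules that a --reload or a reboot would silently add or remove. The two sample outputs embedded in the script are constructed to look like real output and are not from any actual system; with --live it queries firewall-cmd instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: report drift between the
# runtime and the permanent configuration of a firewalld zone, so that a
# --reload (or a reboot) does not silently add or remove rules.
set -eu

# Print the entries of one --list-all field (services, ports, interfaces,
# ...) read from stdin, one per line, sorted. Anchoring at line start keeps
# "ports:" from also matching "forward-ports:" or "source-ports:".
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | tr ' ' '\n' | sed '/^$/d' | sort
}

# Print the entries of field $3 that appear in --list-all text $1 but not in $2.
only_in() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' "$2" | field "$3" >"$tmp"
    printf '%s\n' "$1" | field "$3" | grep -vxF -f "$tmp" || true
    rm -f "$tmp"
}

# Compare runtime ($1) and permanent ($2) --list-all output for the fields
# that matter most; return 0 when they agree, 1 when anything drifts.
drift_report() {
    local status=0 f e
    for f in services ports; do
        for e in $(only_in "$1" "$2" "$f"); do
            echo "runtime-only $f: $e (lost on --reload or reboot)"
            status=1
        done
        for e in $(only_in "$2" "$1" "$f"); do
            echo "permanent-only $f: $e (not active until --reload)"
            status=1
        done
    done
    return "$status"
}

# Constructed sample of the runtime configuration: http was allowed without
# --permanent and 5000/tcp was opened at runtime only.
RUNTIME_SAMPLE='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client http https ssh
  ports: 5000/tcp 8080/tcp
  forward-ports:
  source-ports:'

# Constructed sample of the permanent configuration: plex was added with
# --permanent but firewalld has not been reloaded since.
PERMANENT_SAMPLE='public
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client https plex ssh
  ports: 8080/tcp
  forward-ports:
  source-ports:'

case "${1:-}" in
    --demo)
        drift_report "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" || true ;;
    --live)
        # Needs root; compares the live zone (default: public) with its saved form.
        zone=${2:-public}
        drift_report "$(firewall-cmd --zone="$zone" --list-all)" \
                     "$(firewall-cmd --permanent --zone="$zone" --list-all)" ;;
esac
```

`bash firewalld-drift.sh --demo` prints three lines for the samples (http and 5000/tcp exist only at runtime, plex only in the permanent configuration); `bash firewalld-drift.sh --live [zone]` does the same against the running system and exits non-zero on drift, which makes it usable as a pre-reboot check in a maintenance runbook.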
Summary
Firewalld provides a flexible and scalable solution for firewall management on Rocky Linux and other Red Hat based systems. By using zones and services, administrators can plan and control network traffic effectively and generally increase transparency and security. Observing best practices, such as using the public zone not only for insecure networks, grouping related ports into custom service definitions, and testing persistent changes with a reload before the next reboot, is an important first step towards a secure IT landscape in your organisation.