Configuring a Firewall

Nov 18, 2025

Analyzing Service Configuration with ss

  • ss is the standard tool to show socket information
    • ss will show all connections (network and Unix sockets)
    • ss -tu shows connected TCP and UDP sockets
    • ss -tua adds sockets that are in listening state
    • ss -tln shows TCP sockets that are in listening state only, without resolving host names
    • ss -tulpn shows TCP and UDP sockets in listening state and adds the process name and PID to the output
  • nmap can be used to analyze ports that are open on remote hosts
  • nmap -sn will scan a network for available hosts
  • nmap -sV will scan for services
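The ss listing is the input for deciding which firewall rules a host actually needs. As an added example (not part of the original notes), the script below parses a constructed sample of `ss -tulpn` output, tells loopback-only sockets apart from those bound to all interfaces, and reduces the latter to the unique PORT/PROTO pairs that a firewalld service or --add-port rule would have to cover. The function names classify_sockets and exposed_ports and the sample listing are assumptions made here, not real captures.

```shell
#!/bin/sh
# Constructed sample of what `ss -tulpn` prints on a RHEL host (not a real capture).
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*         users:(("chronyd",pid=812,fd=5))
udp   UNCONN 0      0      [::1]:323           [::]:*            users:(("chronyd",pid=812,fd=6))
tcp   LISTEN 0      128    0.0.0.0:2022        0.0.0.0:*         users:(("sshd",pid=1045,fd=3))
tcp   LISTEN 0      128    [::]:2022           [::]:*            users:(("sshd",pid=1045,fd=4))
tcp   LISTEN 0      511    *:82                *:*               users:(("httpd",pid=1310,fd=4))
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=1500,fd=7))'

# classify_sockets: stdin = `ss -tulpn` output, stdout = "proto port process scope".
# scope is LOCAL for loopback binds (unreachable from other hosts) and ALL for
# wildcard or interface binds (reachable unless the firewall blocks them).
classify_sockets() {
  awk 'NR > 1 {
    laddr = $5
    n = split(laddr, parts, ":")
    port = parts[n]                                   # text after the last colon
    addr = substr(laddr, 1, length(laddr) - length(port) - 1)
    scope = (addr == "[::1]" || addr ~ /^127\./) ? "LOCAL" : "ALL"
    proc = "-"
    if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
    print $1, port, proc, scope
  }'
}

# exposed_ports: unique PORT/PROTO pairs reachable from other hosts, i.e. the
# candidates that must be covered by a firewalld service or an --add-port rule.
exposed_ports() {
  classify_sockets | awk '$4 == "ALL" { print $2 "/" $1 }' | sort -u
}

printf '%s\n' "$SS_SAMPLE" | classify_sockets
printf '%s\n' "$SS_SAMPLE" | exposed_ports
```

On a live host replace the sample with `ss -tulpn | classify_sockets`; anything reported as ALL that is not meant to be public is a finding before any firewall rule is written.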

RHEL Firewalling

  • nftables is the framework that applies firewalling
  • firewalld is the service that RHEL uses as the front end to manage nftables firewalls

Allowing Service Access

  • This is the main task for the RHCSA exam
  • firewall-cmd is used to write firewall configuration
    • Without --permanent the rule is written to runtime
    • With --permanent the rule is persistent, but not active at runtime
  • firewall-cmd --list-all
  • firewall-cmd --get-services
  • firewall-cmd --add-service
  • firewall-cmd --reload

Allowing Port Access

  • firewall-cmd --add-port PORT/tcp
  • firewall-cmd --reload

If you need to open a bare port, you might as well write a custom service instead; a service definition is more portable.

  • Copy an example from /usr/lib/firewalld/services to /etc/firewalld/services and modify to meet your needs
  • Run firewall-cmd --reload
  • Run firewall-cmd --get-services and the new service should be listed

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>My Port</short>
  <description>My Port Service</description>
  <port protocol="tcp" port="83"/>
  <port protocol="udp" port="83"/>
</service>
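As an added example (not from the original notes and not firewalld's own tooling), the script below generates a service file of exactly the shape shown above from a name, a description and a list of PORT/PROTO arguments, validating the name (it becomes a file name under /etc/firewalld/services), the protocol and the port range before anything is written, and then reads the ports back out of the file. The helper names write_fw_service, service_ports, valid_port and xml_escape are assumptions; the target directory defaults to a temporary directory here so the script runs anywhere, whereas on a real host you would pass /etc/firewalld/services and then run firewall-cmd --reload.

```shell
#!/bin/sh
# Added example: generate and inspect a firewalld service definition.

# xml_escape: make free text safe to embed as XML character data.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# valid_port: accept a single port (83) or a range (8000-8010) within 1-65535.
valid_port() {
  case $1 in ""|*[!0-9-]*|-*|*-|*-*-*) return 1;; esac
  lo=${1%%-*}; hi=${1##*-}
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# write_fw_service NAME DESCRIPTION DIR PORT/PROTO...   (assumed helper name)
# Validates every argument first, then writes DIR/NAME.xml atomically and
# prints the path of the file it created.
write_fw_service() {
  [ $# -ge 4 ] || { echo "usage: write_fw_service NAME DESCRIPTION DIR PORT/PROTO..." >&2; return 2; }
  name=$1; desc=$2; dir=$3; shift 3
  # The name becomes a file name under the services directory: no slashes, dots or spaces.
  case $name in ""|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 2;; esac
  for spec; do
    case $spec in */*) ;; *) echo "expected PORT/PROTO, got $spec" >&2; return 2;; esac
    case ${spec#*/} in tcp|udp|sctp|dccp) ;; *) echo "bad protocol in $spec" >&2; return 2;; esac
    valid_port "${spec%/*}" || { echo "bad port in $spec" >&2; return 2; }
  done
  out=$dir/$name.xml
  {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$name"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec; do
      printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
  } > "$out.tmp" && mv "$out.tmp" "$out" && printf '%s\n' "$out"
}

# service_ports FILE: print PORT/PROTO for each <port> element, the same view
# `firewall-cmd --info-service=NAME` gives once the file is in place and reloaded.
service_ports() {
  sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

demo_dir=$(mktemp -d)   # stands in for /etc/firewalld/services in this demo
write_fw_service myport "My Port Service" "$demo_dir" 83/tcp 83/udp
service_ports "$demo_dir/myport.xml"
```

Writing to a temporary file and renaming it means firewalld never sees a half-written definition if a reload happens at the wrong moment, and rejecting names with path characters keeps the helper from writing outside the services directory.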

Advanced Firewalld Usage

Note: this is not needed for the RHCSA exam.

man firewalld.richlanguage

Lab Exercise

  1. Configure firewalld such that remote access to ssh is allowed only on port 2022
  2. Configure firewalld such that remote access to http is allowed only on port 82

Ensure changes are applied immediately as well as persistently

Solution

# Make sure both services are in the permanent configuration (nothing changes at runtime until --reload)
firewall-cmd --add-service ssh --permanent
firewall-cmd --add-service http --permanent
# Show the ports each service currently opens (22/tcp and 80/tcp by default)
firewall-cmd --service ssh --get-ports --permanent
firewall-cmd --service http --get-ports --permanent
# --service options exist only for the permanent configuration; editing a built-in
# service writes an override copy to /etc/firewalld/services/<name>.xml
firewall-cmd --service ssh --add-port 2022/tcp --permanent
firewall-cmd --service http --add-port 82/tcp --permanent
firewall-cmd --service ssh --remove-port 22/tcp --permanent
firewall-cmd --service http --remove-port 80/tcp --permanent
# Apply the permanent configuration to the running firewall
firewall-cmd --reload
# Verify: each service should now list only its new port
firewall-cmd --service ssh --get-ports --permanent
firewall-cmd --service http --get-ports --permanent
# firewalld only filters traffic; sshd and httpd must themselves listen on the new ports to be reachable

- Clint Jordan