From time to time you will need to configure ports using the firewall. The firewall on RH7 is quite complicated, but the parts you need to know about are fairly limited, so we will simplify it somewhat.

The firewall can be configured using a GUI tool - firewall-config. We will learn how to configure it using the commandline tool - firewall-cmd. This will enable us to configure it via ssh.

Zones

The firewall operates using various zones. For our purposes, we are interested in the public zone, which is the default zone.

You can check the current default zone using firewall-cmd --get-default-zone

Configuration

The firewall has two configurations: runtime and permanent. When you make a modification, it is by default to the runtime configuration. This means it affects the firewall now, but will not affect it when it is reloaded. The easiest way to make a permanent configuration change is to change the permanent configuration, then reload the firewall, which sets the runtime configuration to match the permanent one.

You alter the permanent configuration by including the --permanent option on the firewall-cmd command.

To reload the firewall (reconcile the running configuration to the permanent one), use
firewall-cmd --reload

Services

Configuring the firewall to support a service is not as simple as just opening a port. Many services require particular SELinux context to be applied to the port, and some services require a kernel module to be loaded (e.g., ftp). Because of this, the correct way to configure standard services is to enable the service in the firewall. This will ask the firewall to load the various pieces (ports, helper modules, etc) to make the service work. We will learn how to configure the firewall for various services, query which services are supported, and which services are configured.

Unfortunately, it is not easy to mix services and ports. If you configure the firewall for a packaged service and inquire about the firewall status, it will report the service, but not report the port that was opened for the service. If you want to know what ports are configured for a services you can check the firewalld configuration for that service in /usr/lib/firewalld/services.

These are the firewall-cmd commands to manage services:

firewall-cmd [--permanent] --get-services  shows all the preconfigured services

firewall-cmd [--permanent] --list-services shows the services currently active in the default zone

firewall-cmd [--permanent] --add-service=name  adds service name to the currently active services

firewall-cmd [--permanent] --remove-service=name  removes service name from the currently active services

Ports

If the port you are interested in is not part of a service listed in --list-services, you can open the port individually:

firewall-cmd [--permanent] --add-port=ports/proto  where ports is a port number or range and proto is tcp or udp

You can close a port using the same syntax substituting --remove-port for --add-port

You can list the current firewall configuration, including active ports and services using
firewall-cmd [--permanent] --list-all

Examples:

Allow connections via sshd:

firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload

Disable the ftp service

firewall-cmd --permanent --remove-service=ftp
firewall-cmd --reload

Open port 514 with tcp protocol

firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload

The firewall on RH6 is not as complicated as RH7, and it cannot be customized easily from the command-line. The commands to configure it are system-config-firewall (GUI) and system-config-firewall-tui (curses). There is no command-line tool. After experiencing RH7's firewall, configuring RH6's firewall should be pretty straightforward.

Copyright 2015 Greg Boyd - All Rights Reserved.