City College of San Francisco - CS260A Unix/Linux System Administration Module: rsyslog
From time to time you will need to open ports in the firewall. The firewall on RH7 (firewalld) is quite complicated, but the parts you need to know about are fairly limited, so we will simplify it somewhat.
The firewall can be configured using a GUI tool, firewall-config. We will learn how to configure it using the command-line tool, firewall-cmd, which also lets us configure it over ssh. Both tools talk to the firewalld daemon, so firewalld must be running (check with systemctl status firewalld) for either of them to work.
Zones
The firewall operates using zones: each network interface is assigned to a zone, and the rules of that zone apply to traffic arriving on that interface. For our purposes, we are interested in the public zone, which is the default zone on a freshly installed system and the zone firewall-cmd acts on unless you add --zone=name.
You can check the current default zone using firewall-cmd --get-default-zone, and see which interfaces belong to which zone using firewall-cmd --get-active-zones
Configuration
The firewall has two configurations: runtime and permanent. By default a modification is made to the runtime configuration. This means it affects the firewall now, but it is lost when the firewall is reloaded (or the system is rebooted). The easiest way to make a lasting change is to change the permanent configuration, then reload the firewall, which replaces the runtime configuration with the permanent one. Be aware that a reload discards any change that was made only to the runtime configuration.
You alter the permanent configuration by including the --permanent option on the firewall-cmd command. A --permanent change does not affect the running firewall until you reload.
To reload the firewall (reconcile the running configuration to the permanent one), use
firewall-cmd --reload
Services
Configuring the firewall to support a service is not always as simple as opening a port. A service may use several ports, and some services (e.g., ftp) need a kernel connection-tracking helper module loaded so the firewall can follow the extra connections they open. Because of this, the correct way to configure a standard service is to enable the service in the firewall: firewalld reads the service definition and opens the ports and loads the helper modules it lists. (One thing firewalld does not do is label ports for SELinux; if a daemon is moved to a non-standard port, its SELinux port label is managed separately with semanage port.) We will learn how to configure the firewall for various services, query which services are supported, and which services are configured.
Unfortunately, services and ports are reported separately. If you configure the firewall for a packaged service and inquire about the firewall status, it will report the service by name, but not the port(s) that were opened for it. To find out what ports a service opens, read its definition in /usr/lib/firewalld/services/name.xml (local or modified definitions live in /etc/firewalld/services), or, on newer firewalld versions, ask with firewall-cmd --info-service=name.
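As an added example (not from the CS260A page, and not part of firewalld), the following POSIX shell script reads service definitions in the XML layout firewalld uses and prints, for each one, the port/protocol pairs it opens and any kernel helper module it loads. The two definitions it parses are constructed here to mirror the layout of the stock files so the script runs offline; the function names service_ports, service_modules and write_sample_definitions are this example's own.

```shell
#!/bin/sh
# Added example: inspect firewalld service definitions to see which ports a
# service really opens. Not part of the CS260A page or of firewalld itself.
# Definitions live in /usr/lib/firewalld/services (stock) and
# /etc/firewalld/services (local overrides); each is a small XML file with
# <port protocol="..." port="..."/> and optional <module name="..."/> elements.

# service_ports FILE: print PORT/PROTO for every <port> element, in the form
# that firewall-cmd --add-port accepts (e.g. 21/tcp, 5000-5010/udp).
service_ports() {
    [ -r "$1" ] || { echo "service_ports: cannot read $1" >&2; return 1; }
    grep '<port ' "$1" | while IFS= read -r line; do
        port=$(printf '%s\n' "$line" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$line" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# service_modules FILE: print the kernel helper modules the definition loads.
service_modules() {
    [ -r "$1" ] || { echo "service_modules: cannot read $1" >&2; return 1; }
    grep '<module ' "$1" | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# write_sample_definitions DIR: constructed sample definitions (layout taken
# from the stock files, contents written for this example) so the script runs
# offline. On a real system point the functions at /usr/lib/firewalld/services.
write_sample_definitions() {
    cat > "$1/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>Constructed sample: FTP control port plus its conntrack helper.</description>
  <port protocol="tcp" port="21"/>
  <module name="nf_conntrack_ftp"/>
</service>
EOF
    cat > "$1/dns.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>Constructed sample: DNS uses both transports on port 53.</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>
EOF
}

# Demo: summarise every definition in a directory. With no argument the
# constructed samples are used; pass /usr/lib/firewalld/services on an RH7 host.
SERVICE_DIR=${1:-}
CLEANUP=
if [ -z "$SERVICE_DIR" ]; then
    SERVICE_DIR=$(mktemp -d)
    write_sample_definitions "$SERVICE_DIR"
    CLEANUP=$SERVICE_DIR
fi
for f in "$SERVICE_DIR"/*.xml; do
    printf '%s:\n' "$(basename "$f" .xml)"
    service_ports "$f"   | sed 's/^/  port   /'
    service_modules "$f" | sed 's/^/  module /'
done
if [ -n "$CLEANUP" ]; then rm -rf "$CLEANUP"; fi
```

Run it with no argument to see the two constructed samples parsed; run it as sh showports.sh /usr/lib/firewalld/services (showports.sh being whatever name you save it under) to see what every stock service on an RH7 system opens, which is the information --list-services leaves out.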
These are the firewall-cmd commands to manage services:
firewall-cmd [--permanent] --get-services lists every service definition firewalld knows about, whether enabled or not
firewall-cmd [--permanent] --list-services lists the services enabled in the default zone (runtime configuration, or permanent configuration with --permanent)
firewall-cmd [--permanent] --add-service=name enables service name in the default zone
firewall-cmd [--permanent] --remove-service=name disables service name in the default zone
firewall-cmd [--permanent] --query-service=name prints yes or no and exits 0 or 1 accordingly, which makes it useful for checking in scripts
Ports
If the port you need is not part of any service in --get-services, you can open the port individually:
firewall-cmd [--permanent] --add-port=ports/proto where ports is a port number or a range such as 5000-5010 and proto is tcp or udp
You can close a port using the same syntax substituting --remove-port for --add-port, and check one with --query-port=ports/proto.
You can list the current firewall configuration of the default zone, including enabled services and individually opened ports, using
firewall-cmd [--permanent] --list-all
Examples:
Allow connections via sshd:
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
Disable the ftp service
firewall-cmd --permanent --remove-service=ftp
firewall-cmd --reload
Open port 514 with the tcp protocol (e.g., for an rsyslog receiver listening on TCP)
firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload
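The recipe used in all three examples above (change the permanent configuration, reload, then make sure the runtime configuration picked it up) can be wrapped so that the verification step is never forgotten. The following script is an added example, not from the CS260A page or from the firewalld project; fw_apply, valid_port_spec, FIREWALL_CMD and FW_ZONE are names chosen here, not firewalld options, and setting FIREWALL_CMD=echo dry-runs it by printing the firewall-cmd invocations instead of executing them.

```shell
#!/bin/sh
# Added example, not from the CS260A page or the firewalld project.
# fw_apply makes a change the way the page recommends: edit the permanent
# configuration, reload so the runtime configuration matches, then confirm
# with firewall-cmd --query-* that the runtime configuration really changed.
# FIREWALL_CMD and FW_ZONE are this script's own knobs (assumptions, not
# firewalld options): FIREWALL_CMD=echo prints the commands instead of running them.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}
FW_ZONE=${FW_ZONE:-public}

# valid_port_spec SPEC: accept PORT/PROTO or LOW-HIGH/PROTO with PROTO tcp or
# udp and ports in 1..65535 (e.g. 514/tcp, 5000-5010/udp); reject anything
# else before it reaches the firewall.
valid_port_spec() {
    case $1 in */*/*|*/|/*) return 1 ;; esac
    ports=${1%/*}
    proto=${1#*/}
    [ "$proto" = tcp ] || [ "$proto" = udp ] || return 1
    case $ports in
        *[!0-9-]*|''|-*|*-|*-*-*) return 1 ;;   # digits and at most one inner dash
    esac
    low=${ports%-*}
    high=${ports#*-}
    [ "$low" -ge 1 ] && [ "$low" -le 65535 ] &&
        [ "$high" -ge "$low" ] && [ "$high" -le 65535 ]
}

# fw_apply FLAG VALUE: FLAG is --add-service, --remove-service, --add-port or
# --remove-port; VALUE is the service name or port spec. Returns non-zero if
# the change did not show up in the runtime configuration after the reload.
fw_apply() {
    flag=$1
    value=$2
    case $flag in
        --add-port|--remove-port)
            valid_port_spec "$value" || {
                echo "fw_apply: bad port spec '$value' (want PORT[-PORT]/tcp or /udp)" >&2
                return 2
            } ;;
        --add-service|--remove-service) ;;
        *)  echo "fw_apply: unsupported flag '$flag'" >&2; return 2 ;;
    esac
    "$FIREWALL_CMD" --permanent --zone="$FW_ZONE" "$flag=$value" || return 1
    "$FIREWALL_CMD" --reload || return 1
    # --query-service / --query-port exit 0 when the item is enabled in the
    # runtime configuration and 1 when it is not.
    case $flag in
        --add-*)    "$FIREWALL_CMD" --zone="$FW_ZONE" "--query-${flag#--add-}=$value" ;;
        --remove-*) ! "$FIREWALL_CMD" --zone="$FW_ZONE" "--query-${flag#--remove-}=$value" ;;
    esac
}

# Usage (as root on the RH7 host, or with FIREWALL_CMD=echo to dry-run), e.g.
#   sh fwapply.sh --add-service ssh
#   sh fwapply.sh --remove-service ftp
#   sh fwapply.sh --add-port 514/tcp
# fwapply.sh is just the name assumed for this file.
if [ $# -gt 0 ]; then
    fw_apply "$@" && "$FIREWALL_CMD" --zone="$FW_ZONE" --list-all
fi
```

In dry-run mode a removal ends with a reported failure at the verification step, because echo always exits 0 where --query-service would exit 1 for a service that is no longer enabled; on a real host the exit status of fw_apply tells you whether the runtime firewall actually changed.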
The firewall on RH6
The firewall on RH6 is plain iptables, with the rules kept in /etc/sysconfig/iptables, and it is not as complicated as RH7. The tools to configure it are system-config-firewall (GUI) and system-config-firewall-tui (curses). There is no equivalent of firewall-cmd; beyond those two tools you edit the rules with iptables itself and keep them across reboots with service iptables save. After experiencing RH7's firewall, configuring RH6's firewall should be pretty straightforward.