Understanding RHEL 8 Firewalling

Firewalling begins with the kernel, which inspects incoming, outgoing, and forwarded packets.

The kernel achieves this by using a net filter

An interface called nftables sits on top of the kernel to inform the net filter of what is allowed and disallowed

firewalld is used to write nftables rules

Understanding firewalld Components

firewalld uses different components for easy firewall rule creation:

Additional components are available as well, but not frequently used

firewall-cmd --list-all: Lists all current firewall rules:

firewall-cmd —list-all
	target: default
	icmp-block-inversion: no
	services: cockpit dhcpv6-client ssh
	masquerade: no
	rich rules:

Configuring a Firewall with firewall-cmd

firewall-cmd is used to write firewall configurations

--permanent: Sets persistent changes, but does not change current runtime configurations

A reboot is necessary

Without —permanent, the changes are written to runtime

--get-services: Lists all available services

To open the firewall to ftp connections:

firewall-cmd --add-service ftp

To make this change persisitent:

firewall-cmd --add-service ftp --permanent

--reload: Reloads the firewalld configuraiton

--list-all: Lists all current firewall rules:

firewall-cmd --list-all
	libvirt (active)
		target: ACCEPT
		icmp-block-inversion: no
		interfaces: virbr0
		services: dhcp dhcpv6 dns ssh tftp
		protocols: icmp ipv6-icmp
		masquerade: no
		rich rules:
				rule priority="32767" reject

When using a virtual machine, the default zone should be set to libvirt: firewall-cmd --set-default-zone=libvirt

Using firewall-config

To install firewall-config:

yum install -y firewall-config

Running the command will invoke a GUI to appear:

1: Sets the changes made to be either Permanent or only apply to the current Runtime

2: The available Zones changes are being made to

3: The available services that can be set on zones

Leave a Reply

Your email address will not be published.