RHCSA RHEL 8 – Restrict network access using firewall-cmd/firewall


This video is based on RHEL 8. Video to cover the section ‘Restrict network access using firewall-cmd/firewall’ for the RHCSA (Red Hat Certified System Administrator).

More information on the required learning: http://bit.ly/rhcsa8

Notes from the video:

The local firewall on the server is managed with the firewall-cmd command-line tool. The first area to learn is zoning on the firewall. To list all of the zones run:

# firewall-cmd --get-zones

To see what is configured in a particular zone:

# firewall-cmd --zone work --list-all

To create a new zone use the following:

# firewall-cmd --new-zone servers

This new zone would be non-persistent. This is good practice in case you misconfigure something: you can reboot the server to clear the setting. Use --permanent to make rules persist, e.g.:

# firewall-cmd --new-zone servers --permanent

Note that any permanent changes to the firewall will not take effect until you ask the service to reload:

# firewall-cmd --reload

Before assigning the network interface to a new zone, add any required services into the zone first so they aren't suddenly blocked; a good example is SSH.

# firewall-cmd --zone servers --add-service ssh --permanent

The zone is now ready to have the network card added to it:

# firewall-cmd --change-interface eth0 --zone servers --permanent

Finally, if you are happy with the configuration of the servers zone and wish to make it the default zone (use --permanent to make this persist):

# firewall-cmd --set-default-zone servers

To view the zones currently assigned to each interface, use the --get-active-zones option:

# firewall-cmd --get-active-zones
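As an added example (not from the video notes), the following POSIX shell script enforces the "add ssh before moving the interface" rule described above: it parses the services line of a `firewall-cmd --zone servers --list-all` listing and only emits the interface move, reload and verification commands when ssh is allowed in that zone. The zone listing, zone name and interface name are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original notes): guard the "add ssh before
# moving the interface" step. It parses `firewall-cmd --zone X --list-all`
# output and only emits the --change-interface command when ssh is listed.

# Constructed sample of `firewall-cmd --zone servers --list-all` output
# (permanent configuration), used so the script can be checked offline.
SAMPLE_ZONE_LISTING='servers
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_has_service LISTING SERVICE -> returns 0 if SERVICE appears on the
# "services:" line of LISTING, 1 otherwise (an empty services line gives 1).
zone_has_service() {
    listing=$1; svc=$2
    services=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
    for s in $services; do
        [ "$s" = "$svc" ] && return 0
    done
    return 1
}

# plan_interface_move LISTING ZONE IFACE -> prints the permanent commands
# from the notes that should be run, in order, but refuses (returns 1)
# when the zone does not yet allow ssh, since applying the move would
# lock a remote administrator out of the server.
plan_interface_move() {
    listing=$1; zone=$2; iface=$3
    if ! zone_has_service "$listing" ssh; then
        echo "refusing: zone $zone has no ssh service; add it first" >&2
        return 1
    fi
    printf 'firewall-cmd --change-interface %s --zone %s --permanent\n' "$iface" "$zone"
    printf 'firewall-cmd --reload\n'
    printf 'firewall-cmd --get-active-zones\n'
}

plan_interface_move "$SAMPLE_ZONE_LISTING" servers eth0
```

Pipe the printed commands into sh only after reviewing them; on a real host, feed the function the output of `firewall-cmd --zone servers --list-all --permanent` instead of the constructed sample.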

If there are any additional services you would like to add to the firewall whitelist you can check the predefined services on the firewall:

# firewall-cmd --get-services

If you would like to add a particular service you can use the add-service option:

# firewall-cmd --add-service http --permanent

To remove a service:

# firewall-cmd --remove-service http --permanent

If there isn't a pre-defined service you can also add an individual port to the whitelist as follows:

# firewall-cmd --add-port 8080/tcp --permanent

To remove that port:

# firewall-cmd --remove-port 8080/tcp --permanent
