Manage Firewalld

TIPS & TRICKS

To search the man pages:

# man -k searchterm    # search page names and one-line descriptions (same as apropos)
# man -K searchterm    # search the full text of every page (slow)

Manage Firewall

The options are hard to memorize, so, if needed:

# firewall-cmd -h | grep <pattern>
# firewall-cmd --<TAB>

Always reload the configuration to apply permanent changes (and remember that a reload discards runtime-only changes):

# firewall-cmd --reload

Manage Firewall Example 1

| Refuse the 172.25.0.0/16 network access to the server.

# firewall-cmd --zone=block --add-source=172.25.0.0/16 --permanent
# firewall-cmd --reload

Manage Firewall Example 2

| Remove the sshd service rule from the runtime configuration on the server and try to access the server from the client using the ssh command

On the server (runtime change only: do not run --reload afterwards, since a reload restores the permanent configuration and re-enables ssh)

# firewall-cmd --remove-service=ssh

On the client

# ssh server1
no route to host
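The runtime/permanent split behind Example 2 and the reload warning above is easy to get wrong, so here is an added example (not part of the original notes) that compares the two service lists of a zone and reports what a `firewall-cmd --reload` would undo or bring in. The functions take the space-separated strings that `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services` print; the sample lists at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: report the drift between a zone's runtime and permanent
# service lists. Inputs are the space-separated lists printed by
# "firewall-cmd --list-services" and "firewall-cmd --permanent --list-services".

LC_ALL=C; export LC_ALL   # stable sort order for the set operations below

# Normalise a space-separated list into one sorted, unique item per line.
as_lines() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u
}

# Items in the runtime list but not in the permanent one: lost on --reload.
# Trick: items only in $1 appear once, items in both three times, items only
# in $2 twice, so "uniq -u" keeps exactly the runtime-only entries.
runtime_only() {
    { as_lines "$1"; as_lines "$2"; as_lines "$2"; } | sort | uniq -u
}

# Items in the permanent list but not in the runtime one: appear on --reload.
permanent_only() {
    { as_lines "$1"; as_lines "$1"; as_lines "$2"; } | sort | uniq -u
}

# Human-readable summary of both directions. $1 = runtime, $2 = permanent.
reload_report() {
    lost=$(runtime_only "$1" "$2" | tr '\n' ' ' | sed 's/ $//')
    gained=$(permanent_only "$1" "$2" | tr '\n' ' ' | sed 's/ $//')
    printf 'lost on reload: %s\ngained on reload: %s\n' "$lost" "$gained"
}

# Constructed sample: ssh was removed at runtime (Example 2) and https was
# added at runtime only, while the permanent configuration still has ssh.
SAMPLE_RUNTIME="cockpit dhcpv6-client http https"
SAMPLE_PERMANENT="cockpit dhcpv6-client http ssh"

reload_report "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

On a real host the two arguments would come from `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services` for the same zone; any entry reported as "lost on reload" needs a matching `--permanent` change (or `firewall-cmd --runtime-to-permanent`) before the next reload if it is meant to stay.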

Manage Firewall Example 3

| Determine the current active zone.
| Add and activate a permanent rule to allow HTTP traffic on port 80.
| Then add a runtime rule for traffic intended for TCP port 443.
| Add a permanent rule to the internal zone for TCP port range 5901 to 5910.
| Confirm the changes and display the contents of the affected zone files.
| Switch the default zone to the internal zone and activate it.

# firewall-cmd --get-default-zone
# firewall-cmd --add-service=http --permanent                        # the http service definition covers TCP port 80
# firewall-cmd --add-port=5901-5910/tcp --zone=internal --permanent
# firewall-cmd --reload                                              # activate both permanent rules
# firewall-cmd --add-port=443/tcp                                    # runtime only: add it after the reload, since --reload would discard it
# firewall-cmd --list-all --zone=public
# firewall-cmd --list-all --zone=internal
# cat /etc/firewalld/zones/public.xml                                # a zone file only exists once a permanent change has been made to that zone
# cat /etc/firewalld/zones/internal.xml
# firewall-cmd --set-default-zone=internal                           # runtime and permanent at once; no --reload needed (a reload would drop the 443 rule again)
# firewall-cmd --get-active-zones
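Example 3 asks for the contents of the affected zone files. As an added example (not part of the original notes) the script below writes a constructed zone file in the same format firewalld keeps under /etc/firewalld/zones/<zone>.xml and extracts the permanent services and ports from it with sed, which lets the persistent state be reviewed from a backup or a copied file without firewall-cmd. The services and port range are taken from the internal zone as it would look after Example 3; the file path is whatever is passed as the first argument.

```shell
#!/bin/sh
# Added example: parse a firewalld zone XML file (permanent configuration)
# for its services and ports. The sample file content is constructed.

LC_ALL=C; export LC_ALL

# Write a constructed zone file to the path given as $1. Layout mirrors what
# firewalld writes for the internal zone after "--add-port=5901-5910/tcp".
write_sample_zone() {
    cat >"$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <port port="5901-5910" protocol="tcp"/>
</zone>
EOF
}

# Service names, one per line, in file order (like --permanent --list-services).
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# Ports as port/protocol, matching the --list-ports output format.
zone_ports() {
    sed -n 's|.*<port port="\([^"]*\)" protocol="\([^"]*\)".*|\1/\2|p' "$1"
}

# Exit status 0 if the zone file permits service $2, 1 otherwise.
zone_has_service() {
    zone_services "$1" | grep -Fqx -- "$2"
}

# Stand-alone demo on the constructed file.
demo_zone_file=$(mktemp)
write_sample_zone "$demo_zone_file"
echo "services: $(zone_services "$demo_zone_file" | tr '\n' ' ')"
echo "ports:    $(zone_ports "$demo_zone_file" | tr '\n' ' ')"
rm -f "$demo_zone_file"
```

The regular expressions rely on the attribute order firewalld itself writes (`port` before `protocol`); a hand-edited file with the attributes swapped would need the pattern adjusted. For live checks, `firewall-cmd --permanent --zone=internal --list-all` remains the authoritative view.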

Manage Firewall Example 4

| Remove the 2 permanent rules added above.
| Switch back to the public zone as the default zone, and confirm the changes.

# firewall-cmd --remove-service=http --zone=public --permanent
# firewall-cmd --remove-port=5901-5910/tcp --zone=internal --permanent   # the port needs its /protocol suffix, exactly as it was added
# firewall-cmd --set-default-zone=public                                  # applies to runtime and permanent in one step
# firewall-cmd --reload                                                   # apply the permanent removals
# firewall-cmd --list-all                                                 # confirm: list after the reload, otherwise the old runtime rules are still shown

Manage Firewall Example 5

| Configure firewalld to allow only SSH and HTTP connections.
| Block all other incoming traffic.

# firewall-cmd --add-service=ssh  --zone=public --permanent
# firewall-cmd --add-service=http --zone=public --permanent
# the public zone's default target rejects anything not explicitly listed, so "block everything else" means removing
# any other pre-enabled services (cockpit and dhcpv6-client on a default install) with --remove-service before reloading
# firewall-cmd --reload

Manage Firewall Example 6

| Create a directory called /common and export it to the server in read/write mode.
| Ensure that NFS traffic is allowed through the firewall.
| Confirm the export.

On server1:

# mkdir /common
# dnf -y install nfs-utils
# systemctl enable --now nfs-server.service
# firewall-cmd --add-service=nfs --permanent        # enough for NFSv4 clients
# firewall-cmd --add-service=rpc-bind --permanent   # rpc-bind and mountd are only needed for NFSv3 clients
# firewall-cmd --add-service=mountd --permanent
# firewall-cmd --reload
# echo "/common *(rw)" >> /etc/exports               # "*" exports to every host; restrict it to the client's address or network where possible
# exportfs -av                                       # export everything in /etc/exports and list it, to confirm the export

Manage Firewall Example 7

| Download and configure Apache to serve index.html from /var/web and access it from the host machine.

# yum -y install httpd
# systemctl enable --now httpd
# vi /etc/httpd/conf/httpd.conf          # change DocumentRoot to /var/www and relax access to it (a matching <Directory "/var/www"> block with "Require all granted")
# systemctl restart httpd
# systemctl status firewalld.service     # check that the firewall is up
# firewall-cmd --add-service=http --permanent
# firewall-cmd --reload
# firewall-cmd --list-all                # check that http is allowed through the firewall
# echo "this index page is coming from /var/www folder" >> /var/www/index.html
# curl 10.110.xxx.xx                     # from the host machine; use the server's IP address to check that the index page is served

Documentations

Internet
Git
ChatGPT