Chapter 11. Managing Network Security

Abstract

Goal Control network connections to services using the system firewall and SELinux rules.
Objectives
  • Accept or reject network connections to system services using firewalld rules.

  • Control whether network services can use specific networking ports by managing SELinux port labels.

Sections
  • Managing Server Firewalls (and Guided Exercise)

  • Controlling SELinux Port Labeling (and Guided Exercise)

Lab

Managing Server Firewalls

Objectives

After completing this section, you should be able to accept or reject network connections to system services using firewalld rules.

Firewall Architecture Concepts

The Linux kernel includes netfilter, a framework for network traffic operations such as packet filtering, network address translation and port translation. By implementing handlers in the kernel that intercept function calls and messages, netfilter allows other kernel modules to interface directly with the kernel's networking stack. Firewall software uses these hooks to register filter rules and packet-modifying functions, allowing every packet going through the network stack to be processed. Any incoming, outgoing, or forwarded network packet can be inspected, modified, dropped, or routed programmatically before reaching user space components or applications. Netfilter is the primary component in Red Hat Enterprise Linux 8 firewalls.

Nftables enhances netfilter

The Linux kernel also includes nftables, a newer filter and packet classification subsystem that has enhanced portions of netfilter's code while retaining the netfilter architecture, such as the networking stack hooks, the connection tracking system, and the logging facility. The advantages of the nftables update are faster packet processing, faster ruleset updates, and simultaneous IPv4 and IPv6 processing from the same rules. Another major difference between nftables and the original netfilter is their interfaces. Netfilter is configured through multiple utility frameworks, including iptables, ip6tables, arptables, and ebtables, which are now deprecated. Nftables uses the single nft user-space utility, allowing all protocol management to occur through a single interface and eliminating the historical contention caused by diverse front ends and multiple netfilter interfaces.

Introducing firewalld

Firewalld is a dynamic firewall manager, a front end to the nftables framework using the nft command. Until the introduction of nftables, firewalld used the iptables command to configure netfilter directly, as an improved alternative to the iptables service. In RHEL 8, firewalld remains the recommended front end, managing firewall rulesets using nft. Firewalld remains capable of reading and managing iptables configuration files and rulesets, using xtables-nft-multi to translate iptables objects directly into nftables rules and objects. Although strongly discouraged, firewalld can be configured to revert to the iptables back-end for complex use cases where existing iptables rulesets cannot be properly processed by nft translations.

Applications query the subsystem using the D-Bus interface. The firewalld subsystem, available from the firewalld RPM package, is not included in a minimal install, but is included in a base installation. With firewalld, firewall management is simplified by classifying all network traffic into zones. Based on criteria such as the source IP address of a packet or the incoming network interface, traffic is diverted into the firewall rules for the appropriate zone. Each zone has its own list of ports and services that are either open or closed.

Note

For laptops or other machines that regularly change networks, NetworkManager can be used to automatically set the firewall zone for a connection. The zones are customized with rules appropriate for particular connections.

This is especially useful when traveling between home, work, and public wireless networks. A user might want their system's sshd service to be reachable when connected to their home and corporate networks, but not when connected to the public wireless network in the local coffee shop.

Firewalld checks the source address for every packet coming into the system. If that source address is assigned to a specific zone, the rules for that zone apply. If the source address is not assigned to a zone, firewalld associates the packet with the zone for the incoming network interface and the rules for that zone apply. If the network interface is not associated with a zone for some reason, then firewalld associates the packet with the default zone.

The default zone is not a separate zone, but is a designation for an existing zone. Initially, firewalld designates the public zone as default, and maps the lo loopback interface to the trusted zone.

Most zones allow traffic through the firewall, which matches a list of particular ports and protocols, such as 631/udp, or pre-defined services, such as ssh. If the traffic does not match a permitted port and protocol or service, it is generally rejected. (The trusted zone, which permits all traffic by default, is one exception to this.)

Pre-defined Zones

Firewalld has pre-defined zones, each of which you can customize. By default, all zones permit any incoming traffic that is part of a communication initiated by the system, and all outgoing traffic. The following table details these initial zone configurations.

Table 11.1. Default Configuration of Firewalld Zones

Zone name   Default configuration
trusted     Allow all incoming traffic.
home        Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client pre-defined services.
internal    Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client pre-defined services (same as the home zone to start with).
work        Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client, or dhcpv6-client pre-defined services.
public      Reject incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6-client pre-defined services. The default zone for newly added network interfaces.
external    Reject incoming traffic unless related to outgoing traffic or matching the ssh pre-defined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded to look like it originated from the IPv4 address of the outgoing network interface.
dmz         Reject incoming traffic unless related to outgoing traffic or matching the ssh pre-defined service.
block       Reject all incoming traffic unless related to outgoing traffic.
drop        Drop all incoming traffic unless related to outgoing traffic (do not even respond with ICMP errors).

For a list of available pre-defined zones and intended use, see firewalld.zones(5).

Pre-defined Services

Firewalld has a number of pre-defined services. These service definitions help you identify particular network services to configure. Instead of having to research relevant ports for the samba-client service, for example, specify the pre-built samba-client service to configure the correct ports and protocols. The following table lists the pre-defined services used in the initial firewall zones configuration.

Table 11.2. Selected Pre-defined Firewalld Services

Service name    Configuration
ssh             Local SSH server. Traffic to 22/tcp.
dhcpv6-client   Local DHCPv6 client. Traffic to 546/udp on the fe80::/64 IPv6 network.
ipp-client      Local IPP printing. Traffic to 631/udp.
samba-client    Local Windows file and print sharing client. Traffic to 137/udp and 138/udp.
mdns            Multicast DNS (mDNS) link-local name resolution. Traffic to 5353/udp to the 224.0.0.251 (IPv4) or ff02::fb (IPv6) multicast addresses.

Note

Many pre-defined services are included in the firewalld package. Use firewall-cmd --get-services to list them. Configuration files for pre-defined services are found in /usr/lib/firewalld/services, in a format defined by firewalld.zone(5).

Either use the pre-defined services or directly specify the port and protocol required. The Web Console graphical interface is used to review pre-defined services and to define additional services.

Configuring the firewall

System administrators interact with firewalld in three ways:

  • Directly edit configuration files in /etc/firewalld/ (not discussed in this chapter)

  • The Web Console graphical interface

  • The firewall-cmd command-line tool

Configuring Firewall Services Using the Web Console

To configure firewall services with Web Console, log in with privileged access by clicking the Reuse my password for privileged tasks option. This permits the user to execute commands with sudo privileges to modify firewall services.

Figure 11.1: The Web Console privileged login

Click the Networking option in the left navigation menu to display the Firewall section in the main networking page. Click the Firewall link to access the allowed services list.

Figure 11.2: The Web Console networking

The allowed services listed are those that are currently permitted by the firewall. Click the arrow (>) to the left of the service name to view service details. To add a service, click the Add Services... button in the upper right corner of the Firewall Allowed Services page.

Figure 11.3: The Web Console firewall allowed services list

The Add Services page displays the available pre-defined services.

Figure 11.4: The Web Console add firewall services interface

To select a service, scroll through the list or enter a selection in the Filter Services text box. In the following example, the string http is entered into the search text box to find services containing that string; that is, web related services. Select the check box to the left of the services to allow through the firewall. Click the Add Services button to complete the process.

Figure 11.5: The Web Console firewall services filter search

The interface returns to the Firewall Allowed Services page, where you can review the updated allowed services list.

Figure 11.6: The Web Console firewall allowed services list

Configuring the Firewall from the Command Line

The firewall-cmd command interacts with the firewalld dynamic firewall manager. It is installed as part of the main firewalld package and is available for administrators who prefer to work on the command line, for working on systems without a graphical environment, or for scripting a firewall setup.

The following table lists a number of frequently used firewall-cmd commands, along with an explanation. Note that almost all commands work on the runtime configuration unless the --permanent option is specified. If the --permanent option is specified, you must activate the setting by also running the firewall-cmd --reload command, which reads the current permanent configuration and applies it as the new runtime configuration. Many of the commands listed take the --zone=ZONE option to determine which zone they affect. Where a netmask is required, use CIDR notation, such as 192.168.1/24.

firewall-cmd command                         Explanation

--get-default-zone
    Query the current default zone.

--set-default-zone=ZONE
    Set the default zone. This changes both the runtime and the permanent configuration.

--get-zones
    List all available zones.

--get-active-zones
    List all zones currently in use (that have an interface or source tied to them), along with their interface and source information.

--add-source=CIDR [--zone=ZONE]
    Route all traffic coming from the IP address or network/netmask to the specified zone. If no --zone= option is provided, the default zone is used.

--remove-source=CIDR [--zone=ZONE]
    Remove the rule that routes all traffic coming from the IP address or network/netmask to the zone. If no --zone= option is provided, the default zone is used.

--add-interface=INTERFACE [--zone=ZONE]
    Route all traffic coming from INTERFACE to the specified zone. If no --zone= option is provided, the default zone is used.

--change-interface=INTERFACE [--zone=ZONE]
    Associate the interface with ZONE instead of its current zone. If no --zone= option is provided, the default zone is used.

--list-all [--zone=ZONE]
    List all configured interfaces, sources, services, and ports for ZONE. If no --zone= option is provided, the default zone is used.

--list-all-zones
    Retrieve all information for all zones (interfaces, sources, ports, services).

--add-service=SERVICE [--zone=ZONE]
    Allow traffic to SERVICE. If no --zone= option is provided, the default zone is used.

--add-port=PORT/PROTOCOL [--zone=ZONE]
    Allow traffic to the PORT/PROTOCOL port(s). If no --zone= option is provided, the default zone is used.

--remove-service=SERVICE [--zone=ZONE]
    Remove SERVICE from the allowed list for the zone. If no --zone= option is provided, the default zone is used.

--remove-port=PORT/PROTOCOL [--zone=ZONE]
    Remove the PORT/PROTOCOL port(s) from the allowed list for the zone. If no --zone= option is provided, the default zone is used.

--reload
    Drop the runtime configuration and apply the persistent configuration.

The example commands below set the default zone to dmz, assign all traffic coming from the 192.168.0.0/24 network to the internal zone, and open the network ports for the mysql service on the internal zone.

[root@host ~]# firewall-cmd --set-default-zone=dmz
[root@host ~]# firewall-cmd --permanent --zone=internal \
--add-source=192.168.0.0/24
[root@host ~]# firewall-cmd --permanent --zone=internal --add-service=mysql
[root@host ~]# firewall-cmd --reload
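To make the zone selection described under Firewall Architecture Concepts (source address, then incoming interface, then default zone) concrete, the following added example, which is not part of the course material, models that lookup in Python, loaded with the Table 11.1 zone defaults and with the state the four commands above produce. The mysql service's port, 3306/tcp, is not in the page's tables and is taken from firewalld's own service definition; reply traffic for connections the system itself initiated is not modelled.

```python
from ipaddress import ip_address, ip_network

# Ports opened by the pre-defined services in Table 11.2. The mysql entry
# (3306/tcp) is not in the page's tables; it is firewalld's mysql service.
SERVICE_PORTS = {
    "ssh": {("tcp", 22)}, "dhcpv6-client": {("udp", 546)},
    "ipp-client": {("udp", 631)}, "mdns": {("udp", 5353)},
    "samba-client": {("udp", 137), ("udp", 138)}, "mysql": {("tcp", 3306)},
}
# Table 11.1: action for unmatched traffic plus each zone's initial services.
# Replies to connections the system initiated are not modelled here.
HOME = {"ssh", "mdns", "ipp-client", "samba-client", "dhcpv6-client"}
ZONE_DEFAULTS = {
    "trusted": ("accept", set()), "home": ("reject", HOME),
    "internal": ("reject", HOME), "work": ("reject", {"ssh", "ipp-client", "dhcpv6-client"}),
    "public": ("reject", {"ssh", "dhcpv6-client"}), "external": ("reject", {"ssh"}),
    "dmz": ("reject", {"ssh"}), "block": ("reject", set()), "drop": ("drop", set()),
}

class Firewall:
    def __init__(self, default_zone="public"):
        self.default_zone = default_zone
        self.sources = {}                    # ip_network -> zone (--add-source)
        self.interfaces = {"lo": "trusted"}  # interface -> zone (--add-interface)
        self.services = {z: set(s) for z, (_, s) in ZONE_DEFAULTS.items()}

    def zone_for(self, src_ip, iface):
        """1: source address match; 2: incoming interface; 3: default zone."""
        ip = ip_address(src_ip)
        for net, zone in self.sources.items():
            if ip in net:
                return zone
        return self.interfaces.get(iface, self.default_zone)

    def verdict(self, src_ip, iface, proto, port):
        """Return (zone, action) for a new inbound packet to proto/port."""
        zone = self.zone_for(src_ip, iface)
        policy, _ = ZONE_DEFAULTS[zone]
        opened = set().union(*(SERVICE_PORTS[s] for s in self.services[zone]))
        if policy == "accept" or (proto, port) in opened:
            return zone, "accept"
        return zone, policy  # "reject" answers with an ICMP error, "drop" stays silent

def example_firewall():
    """The state produced by the four firewall-cmd example commands above."""
    fw = Firewall(default_zone="dmz")
    fw.sources[ip_network("192.168.0.0/24")] = "internal"
    fw.services["internal"].add("mysql")
    return fw
```

With this configuration a MySQL connection from 192.168.0.10 is accepted through the internal zone, while the same connection from 10.0.0.7 on an unassigned interface falls into the dmz default zone and is rejected, even though ssh from that host still succeeds.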

Note

For situations where the basic syntax of firewalld is not enough, you can also add rich-rules, a more expressive syntax, to write complex rules. If even the rich-rules syntax is not enough, you can also use Direct Configuration rules, raw nft syntax mixed in with firewalld rules.

These advanced modes are beyond the scope of this chapter.

References

firewall-cmd(1), firewalld(1), firewalld.zone(5), firewalld.zones(5), and nft(8) man pages

Revision: rh134-8.2-f0a9756