34_N_W Issue: Two servers in the same subnet, and a port on one of the servers cannot be reached - Nirvan-Pandey/OCI_DOC GitHub Wiki
34_1: Overview
In this lab, we will demonstrate the usage of firewalld for managing server-level firewall rules. You will learn how to install and enable firewalld, open specific ports for network traffic, and later restrict access by removing a port.
We will use tools like telnet to verify connectivity, highlighting how firewalld rules impact server accessibility. By the end of the lab, you will have hands-on experience with configuring firewalld to control incoming connections effectively.
34_2: Description of Firewall at Server Level
A server-level firewall is a security mechanism that controls incoming and outgoing network traffic based on predefined rules. It operates directly on the server to allow, block, or restrict access to specific ports and services.
By using tools like firewalld, administrators can define fine-grained rules to enhance server security, ensuring only authorized traffic reaches critical applications while preventing unauthorized access. This adds an essential layer of protection against potential threats and vulnerabilities.
We have many servers running the application, and the client is asking for a firewall on only one of them.
34_3: Pre-scenario
Check the IP address of the server.
hostname -i
Telnet to the IP on port 22; the connection succeeds.
telnet <ip> 22
Port 22 is also allowed in the ingress rule.
34_4: Installation of Firewalld
We have to install a firewall on this server. This can be done with the utility called firewalld.
yum install firewalld
Type y to continue.
Firewalld installation is completed.
34_5: Status of Firewalld
systemctl status firewalld
Firewalld is installed and loaded but not active.
We need to start firewalld manually.
systemctl start firewalld
Check the status again; it is now active.
34_6: Adding port to firewalld
For permanent:
firewall-cmd --permanent --zone=public --add-port=22/tcp
For current session:
firewall-cmd --zone=public --add-port=22/tcp
We run both commands: one for the current session and another to add the port to the permanent configuration.
These commands add the port to the server firewall, so traffic to this port is allowed to reach the server.
34_7: Understanding the command
Command Breakdown
- firewall-cmd: The primary command-line utility for managing firewalld. It allows you to configure zones, add or remove services/ports, and control network traffic.
- --permanent: Specifies that the changes made using this command will persist across system reboots. Permanent rules are stored in configuration files and require a reload (firewall-cmd --reload) to take effect. If this option is not used, the changes will only apply to the current runtime and will be lost after a reboot.
- --zone=public: Indicates that the configuration changes are applied to the public zone. Zones in firewalld represent different levels of trust for network connections. The public zone is the default zone on most systems and is typically configured to allow only specific, explicitly permitted services or ports.
34_8: Granting access to another port
We can see the list of ports by executing the command below.
firewall-cmd --list-all
We can see that port 22 is enabled.
Add another port and list them all.
We can also see the port list with this command.
firewall-cmd --list-ports
34_9: Other Firewalld commands
- To stop firewalld
systemctl stop firewalld
- To remove the port
firewall-cmd --permanent --zone=public --remove-port=22/tcp
firewall-cmd --zone=public --remove-port=22/tcp
Both the current-session and the permanent entries need to be removed.
34_10: Conclusion
In a server environment, even if the port is allowed for the entire network in the ingress rules of the security policy, connectivity issues may still occur on specific servers. This often points to server-specific firewall settings. To resolve such issues:
- Validate the server firewall settings: Check if there are any port-specific configurations in the server's firewall (e.g., firewalld).
- Resolve the issue: If the port is blocked, either allow it in the server firewall or, if appropriate, disable the firewall temporarily for testing purposes.
By addressing both the network-level and server-level configurations, you can ensure seamless connectivity to the required ports.