8. Manage Basic Networking
Red Hat Certified System Administrator (RHCSA - EX200)
1. What is firewalld?
firewalld is the default firewall service in RHEL 8 / CentOS 8.
- It controls incoming and outgoing network traffic based on rules.
- It is zone-based, meaning you can define rules for different types of networks (e.g., internal office network vs public Wi-Fi).
- It is dynamic, so you can apply rules without restarting the service or interrupting connections.
Key commands to check status:
```bash
# Check if firewalld is running
systemctl status firewalld
# Start firewalld if not running
systemctl start firewalld
# Enable firewalld to start at boot
systemctl enable firewalld
```
2. Understanding Zones
- Zones are predefined sets of rules that define how trusted a network is.
- Each network interface is assigned a zone.
- Common zones:
| Zone | Purpose |
|---|---|
| public | Default, for untrusted networks |
| internal | For internal networks |
| dmz | For servers accessible from outside (public) |
| work | For a controlled work network |
| trusted | All traffic is allowed |
| drop | All incoming connections are dropped |
Check active zones and interfaces:
```bash
# Show active zones and the interfaces assigned to each
firewall-cmd --get-active-zones
# Show the full configuration of the default zone (interfaces, services, ports, rich rules)
firewall-cmd --list-all
```
Example: If your server is in a public network, eth0 might be assigned to the public zone.
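The check the example describes (which zone is eth0 bound to?) can be scripted. The block below is an added example, not part of the original notes: it parses the two-line-per-zone output of firewall-cmd --get-active-zones. The sample output and the function names (active_zone_map, zone_of_interface, interfaces_in_zone) are constructed for this example; on a real host replace the sample with $(firewall-cmd --get-active-zones).

```shell
# Added example, not part of the original notes: work out which zone an
# interface is bound to by parsing `firewall-cmd --get-active-zones` output.
# The sample below is constructed; on a real host use
#   ACTIVE_ZONES=$(firewall-cmd --get-active-zones)
# and pass that variable to the functions instead.
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0
internal
  interfaces: eth1 eth2'

# Print "interface zone" pairs, one per line. Zone names start in column one;
# the "interfaces:" line under each zone is indented.
active_zone_map() {
  printf '%s\n' "$1" | awk '
    /^[^ \t]/            { zone = $1; next }
    /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) print $i, zone }
  '
}

# Print the zone an interface is bound to; return 1 if it is in no active zone
# (an unbound interface falls into the default zone, which is worth knowing).
zone_of_interface() {
  zone=$(active_zone_map "$1" | awk -v ifc="$2" '$1 == ifc { print $2; exit }')
  [ -n "$zone" ] || return 1
  printf '%s\n' "$zone"
}

# Print the interfaces bound to a zone, space-separated (empty if none).
interfaces_in_zone() {
  active_zone_map "$1" | awk -v z="$2" '$2 == z { out = out (n++ ? " " : "") $1 } END { print out }'
}

# Usage on the constructed sample
zone_of_interface "$SAMPLE_ACTIVE_ZONES" eth0       # prints: public
interfaces_in_zone "$SAMPLE_ACTIVE_ZONES" internal  # prints: eth1 eth2
```

An interface that appears in no active zone is not unprotected: firewalld applies the default zone to it, so verify that default zone with firewall-cmd --get-default-zone before assuming anything.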
3. Services vs. Ports
- Firewalld allows traffic based on services or ports.
- Service-based rules are easier because common services (HTTP, SSH, DNS) are pre-defined.
- Port-based rules are more manual; you open/close TCP or UDP ports.
List all services firewalld knows about:
```bash
firewall-cmd --get-services
```
Check which services are allowed in the default zone (add --zone=NAME for another zone):
```bash
firewall-cmd --list-services
```
4. Adding and Removing Services
- To allow a service, you use --add-service.
- To remove a service, you use --remove-service.
Examples:
```bash
# Allow SSH for the current session only (runtime rule, lost on reload or reboot)
firewall-cmd --zone=public --add-service=ssh
# Make the rule permanent (takes effect after a reload)
firewall-cmd --zone=public --add-service=ssh --permanent
# Remove HTTP permanently
firewall-cmd --zone=public --remove-service=http --permanent
```
Note: If you use the --permanent flag, you must reload firewalld for changes to take effect:
```bash
firewall-cmd --reload
```
5. Opening and Closing Ports
Sometimes you want to open specific ports instead of a whole service.
```bash
# Open TCP port 8080 temporarily (runtime only)
firewall-cmd --zone=public --add-port=8080/tcp
# Make it permanent
firewall-cmd --zone=public --add-port=8080/tcp --permanent
# Remove a port permanently
firewall-cmd --zone=public --remove-port=8080/tcp --permanent
```
6. Rich Rules for Advanced Access Control
- Rich rules are more advanced rules that control traffic based on:
  - Source IP address
  - Destination port
  - Protocol
  - Action (accept, reject, drop)
Example: Allow SSH only from a specific IP:
```bash
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent
firewall-cmd --reload
```
Explanation: Only the IP 192.168.1.100 can connect via SSH. This holds only if the plain ssh service is not also allowed in the zone (it is in the public zone by default): a service rule admits every source, so remove it with firewall-cmd --zone=public --remove-service=ssh --permanent before reloading.
7. Blocking and Rejecting Traffic
- Reject: Sends a response to the sender saying "No, you cannot connect."
- Drop: Silently discards the traffic (the sender sees no response).
Example: Block an IP:
```bash
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.50" drop'
firewall-cmd --reload
```
8. Checking Firewall Configuration
Always verify your rules after changes:
```bash
# Show all runtime rules for a zone
firewall-cmd --zone=public --list-all
# Show all permanent rules (these are what survive a reload or reboot)
firewall-cmd --permanent --list-all
```
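The verification step above is where the two mistakes from sections 4 to 6 show up: a rich rule that restricts SSH to one address does nothing while the plain ssh service is still listed under services, and a rule added without --permanent is present in the runtime view but absent from the permanent one. The block below is an added example, not part of the original notes: it parses --list-all output and reports both conditions. The zone outputs are constructed samples and the function names (zone_field, rich_rules, service_allowed, ssh_restricted_to, runtime_only_services) are this example's own; on a real host replace the samples with $(firewall-cmd --zone=public --list-all) and $(firewall-cmd --permanent --zone=public --list-all).

```shell
# Added example, not part of the original notes: audit `firewall-cmd --list-all`
# output for (1) an "ssh only from one IP" rich rule that is undercut because the
# plain ssh service is still allowed in the zone, and (2) runtime-only changes
# that vanish at the next reload because --permanent was forgotten.
# All zone outputs are constructed samples; on a real host use
#   RUNTIME=$(firewall-cmd --zone=public --list-all)
#   PERMANENT=$(firewall-cmd --permanent --zone=public --list-all)

# Rich rule present, but the ssh service rule still admits every source
ZONE_BEFORE_FIX='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client ssh
  ports: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'

# Same zone after: firewall-cmd --zone=public --remove-service=ssh --permanent; firewall-cmd --reload
ZONE_AFTER_FIX='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client
  ports: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'

# Runtime vs permanent view of a zone where http was added without --permanent
ZONE_RUNTIME='public (active)
  services: cockpit dhcpv6-client http
  rich rules: '
ZONE_PERMANENT='public
  services: cockpit dhcpv6-client
  rich rules: '

# Print the value of a one-word field such as services, ports or interfaces
zone_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '
    $1 == f { sub(/^[ \t]*[a-z-]+:[ \t]*/, ""); print; exit }
  '
}

# Print each rich rule on its own line (they are indented under "rich rules:")
rich_rules() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*rich rules:/        { in_rules = 1; next }
    in_rules && /^[ \t]+rule /  { sub(/^[ \t]+/, ""); print; next }
                                { in_rules = 0 }
  '
}

# Return 0 if SERVICE is allowed for every source via the zone's service list
service_allowed() {
  for s in $(zone_field "$1" services); do
    [ "$s" = "$2" ] && return 0
  done
  return 1
}

# Return 0 only if ssh reaches the zone solely through an accept rich rule for IP
ssh_restricted_to() {
  if service_allowed "$1" ssh; then
    return 1   # the generic service rule makes the rich rule irrelevant
  fi
  rich_rules "$1" | grep -F "source address=\"$2\"" | grep -F 'service name="ssh"' | grep -Fq ' accept'
}

# Print services in the runtime view that are missing from the permanent one;
# these disappear at the next firewall-cmd --reload or reboot.
runtime_only_services() {
  perm=" $(zone_field "$2" services) "
  for s in $(zone_field "$1" services); do
    case "$perm" in
      *" $s "*) ;;
      *) printf '%s\n' "$s" ;;
    esac
  done
}

# Report on the constructed samples
report_ssh() {
  if ssh_restricted_to "$2" 192.168.1.100; then
    echo "$1: ssh restricted to 192.168.1.100"
  else
    echo "$1: ssh still reachable from any source"
  fi
}
report_ssh "before fix" "$ZONE_BEFORE_FIX"
report_ssh "after fix" "$ZONE_AFTER_FIX"
echo "runtime-only services (lost on reload): $(runtime_only_services "$ZONE_RUNTIME" "$ZONE_PERMANENT")"
```

Run it on a real host right after the permanent change and again after firewall-cmd --reload: the runtime-only list should be empty in both cases once you have been disciplined about --permanent, and ssh should be reported as restricted only after the plain service has been removed from the zone.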
9. Exam Tips for RHCSA
- Remember the difference: temporary vs permanent rules (--permanent flag).
- Be comfortable using zones: check active zones and assign interfaces.
- Know how to allow/deny services and ports.
- Understand rich rules for IP-based restrictions.
- Always reload firewalld after making permanent changes.
- The exam may ask you to allow a service only from certain IPs or block a port entirely.
10. Quick Command Reference
| Task | Command Example |
|---|---|
| Check firewalld status | systemctl status firewalld |
| Start & enable firewalld | systemctl start firewalld && systemctl enable firewalld |
| Check active zones | firewall-cmd --get-active-zones |
| List services in zone | firewall-cmd --zone=public --list-services |
| Add a service temporarily | firewall-cmd --zone=public --add-service=http |
| Add a service permanently | firewall-cmd --zone=public --add-service=http --permanent |
| Open a port temporarily | firewall-cmd --zone=public --add-port=8080/tcp |
| Open a port permanently | firewall-cmd --zone=public --add-port=8080/tcp --permanent |
| Block an IP permanently | firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="IP" drop' |
| Reload firewall | firewall-cmd --reload |
Summary:
firewalld + firewall-cmd are used to control who can connect to your server and which services are allowed. Understanding zones, services, ports, and rich rules is key to passing the RHCSA exam. Practice creating, modifying, and checking rules, and make sure you know temporary vs permanent changes.
