10. Manage Security
Red Hat Certified System Administrator (RHCSA - EX200)
1. What is a Firewall?
A firewall is a security system that controls incoming and outgoing network traffic based on rules.
In an IT environment:
- It protects servers from unauthorized access
- Allows only required services (e.g., SSH, HTTP)
- Blocks unused or risky ports
2. What is firewalld?
firewalld is the default firewall management tool in Red Hat Enterprise Linux.
Key features:
- Dynamic rule changes (no need to restart firewall)
- Uses zones to manage trust levels
- Supports services, ports, protocols, and rich rules
3. Important Components of firewalld
3.1 Zones
A zone defines how much trust is given to a network connection.
Common zones:
- public - Default, least trusted
- internal - Trusted internal network
- trusted - All traffic allowed
- dmz - Public-facing servers
- block/drop - Highly restrictive
Check default zone:
firewall-cmd --get-default-zone
Set default zone:
firewall-cmd --set-default-zone=public
3.2 Services
Services are predefined rules for common applications.
Examples:
- ssh
- http
- https
- ftp
View available services:
firewall-cmd --get-services
3.3 Ports
Ports can be opened manually if a service is not predefined.
Example:
- TCP port 8080 for a custom web app
3.4 Runtime vs Permanent Configuration
| Type | Description |
|---|---|
| Runtime | Temporary (lost after reboot) |
| Permanent | Saved permanently |
To make changes permanent:
--permanent
To apply permanent changes:
firewall-cmd --reload
4. Managing firewalld Service
Start firewalld:
systemctl start firewalld
Enable at boot:
systemctl enable firewalld
Check status:
systemctl status firewalld
5. Viewing Firewall Configuration
List active zones:
firewall-cmd --get-active-zones
View current settings:
firewall-cmd --list-all
View specific zone:
firewall-cmd --zone=public --list-all
6. Adding and Removing Services
Add a service (runtime):
firewall-cmd --add-service=http
Add permanently:
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
Remove a service:
firewall-cmd --remove-service=http
7. Adding and Removing Ports
Add a port:
firewall-cmd --add-port=8080/tcp
Add permanently:
firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --reload
Remove a port:
firewall-cmd --remove-port=8080/tcp
8. Assigning Interfaces to Zones
View interfaces:
firewall-cmd --get-active-zones
Assign interface:
firewall-cmd --zone=internal --change-interface=eth0
Permanent assignment:
firewall-cmd --zone=internal --change-interface=eth0 --permanent
9. Rich Rules (Advanced)
Rich rules allow more detailed control.
Example:
Allow SSH from a specific IP:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.10" service name="ssh" accept'
10. Blocking Traffic
Block a service:
firewall-cmd --remove-service=ssh
Block an IP:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.10" drop'
11. Masquerading (NAT)
Used when a system acts as a gateway.
Enable masquerading:
firewall-cmd --add-masquerade
Permanent:
firewall-cmd --add-masquerade --permanent
firewall-cmd --reload
12. Port Forwarding
Redirect traffic from one port to another.
Example:
Forward port 80 to 8080:
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
13. Reloading and Resetting Firewall
Reload firewall:
firewall-cmd --reload
Complete reload (connection state is lost, so active connections may be terminated):
firewall-cmd --complete-reload
14. Configuration Files
Important directories:
- /etc/firewalld/ - user-defined configurations
- /usr/lib/firewalld/ - default configurations
15. Common RHCSA Exam Tasks
You may be required to:
- Start and enable firewalld
- Add/remove services (http, ssh)
- Open/close ports
- Set default zone
- Assign interface to zone
- Make rules permanent
- Reload firewall
- Verify configuration
16. Example Exam Scenario
Task:
Allow HTTP service permanently.
Steps:
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
firewall-cmd --list-all
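A verification check that ties section 3.4 (runtime vs permanent) to the last step of the scenario above. This is an added example, not part of the original notes: it parses the `firewall-cmd --list-all` output of a zone in both runtime and permanent form and reports services or ports that exist only at runtime, i.e. changes that will vanish after a reboot or `--reload`. The line layout is assumed from firewall-cmd's output; the two sample outputs are constructed, not captured from a host.

```shell
# Added example (not from the original notes): detect drift between a zone's
# runtime and permanent firewalld configuration. Assumes the line layout of
# `firewall-cmd --zone=Z --list-all`; sample outputs below are constructed.

# Print the items of one "<key>:" line (services or ports), one per line, sorted.
list_items() {  # $1 = key (services|ports), $2 = --list-all output
  printf '%s\n' "$2" \
    | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" \
    | tr ' ' '\n' | sed '/^$/d' | sort
}

# Print items present at runtime but absent from the permanent config.
runtime_only() {  # $1 = key, $2 = runtime output, $3 = permanent output
  pm=" $(list_items "$1" "$3" | tr '\n' ' ') "
  drift=""
  for item in $(list_items "$1" "$2"); do
    case "$pm" in
      *" $item "*) ;;                     # saved permanently, fine
      *) drift="$drift $item" ;;          # runtime-only: lost on reboot
    esac
  done
  printf '%s\n' "${drift# }"
}

# Live check for one zone (needs firewalld and root), e.g. check_zone public
check_zone() {
  rt=$(firewall-cmd --zone="$1" --list-all)
  pm_out=$(firewall-cmd --permanent --zone="$1" --list-all)
  for key in services ports; do
    d=$(runtime_only "$key" "$rt" "$pm_out")
    if [ -n "$d" ]; then
      echo "zone $1: runtime-only $key (not permanent): $d"
    fi
  done
}

# Constructed sample: http and 8080/tcp were added at runtime only.
SAMPLE_RUNTIME='public (active)
  services: cockpit dhcpv6-client http ssh
  ports: 8080/tcp
  source-ports:
  rich rules:'
SAMPLE_PERMANENT='public
  services: cockpit dhcpv6-client ssh
  ports:
  source-ports:
  rich rules:'
```

On a live host, source the file and run `check_zone public`; empty output means the runtime and permanent views of the zone agree.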
17. Important Tips for Exam
- Always use --permanent if persistence is required
- Always run firewall-cmd --reload after permanent changes
- Use --list-all to verify
- Know the difference between a service and a port
- Do not forget to start and enable firewalld
18. Quick Command Summary
| Task | Command |
|---|---|
| Start firewall | systemctl start firewalld |
| Enable firewall | systemctl enable firewalld |
| Add service | firewall-cmd --add-service=http |
| Add port | firewall-cmd --add-port=8080/tcp |
| Permanent rule | --permanent |
| Reload | firewall-cmd --reload |
| View rules | firewall-cmd --list-all |
Final Notes
- firewalld is zone-based and dynamic
- Focus on commands and verification
- Practice adding/removing services and ports
- Understand runtime vs permanent changes
