Package: firewalld
Service Name: firewalld
Command Line tool: firewall-cmd
Service Name: firewalld
Command Line tool: firewall-cmd
[root@sysadmin ~]# rpm -qa | grep firewalld
firewalld-filesystem-0.6.3-13.0.1.el7_9.noarch
firewalld-0.6.3-13.0.1.el7_9.noarch
[root@sysadmin ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2024-10-07 19:27:27 +06; 5s ago
Docs: man:firewalld(1)
Main PID: 18545 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─18545 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Oct 07 19:27:27 a systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 07 19:27:27 a systemd[1]: Started firewalld - dynamic firewall daemon.
Oct 07 19:27:28 a firewalld[18545]: WARNING: AllowZoneDrifting is enabled. ...w.
Hint: Some lines were ellipsized, use -l to show in full.
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2024-10-07 19:27:27 +06; 5s ago
Docs: man:firewalld(1)
Main PID: 18545 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─18545 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Oct 07 19:27:27 a systemd[1]: Started firewalld - dynamic firewall daemon.
Oct 07 19:27:28 a firewalld[18545]: WARNING: AllowZoneDrifting is enabled. ...w.
Hint: Some lines were ellipsized, use -l to show in full.
[root@sysadmin ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8 enp0s9
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8 enp0s9
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@a ~]# firewall-cmd --list-all-zones
block dmz drop external home internal public (active) trusted
work
• Add permanently (written to the zone configuration file)
[root@sysadmin ~]# firewall-cmd --add-service=http --permanent
success
• Runtime-only removal (removed from the running configuration, not persisted)
[root@sysadmin ~]# firewall-cmd --remove-service=ssh
success
• Reload the firewall (applies the permanent configuration)
[root@sysadmin ~]# firewall-cmd --reload
success
• All service-to-port mappings are listed in this file
[root@sysadmin ~]# vi /etc/services
• Zone - level of trust [rules]
§ ACCEPT
§ DROP
§ REJECT
§ DROP
§ REJECT
[root@sysadmin ~]# cd /etc/firewalld/zones/
[root@sysadmin ~]# cd /usr/lib/firewalld/services/
• Text-mode browsers
· elinks
· links
· lynx
· curl
· links
· lynx
· curl
[root@sysadmin ~]# curl localhost [works as a text-mode browser]
• Configure webserver [httpd]
· Package: httpd
· Port: http(80/tcp) | https(443/tcp)
· ConfigFile: /etc/httpd/conf/httpd.conf
· Service: httpd
· Port: http(80/tcp) | https(443/tcp)
· ConfigFile: /etc/httpd/conf/httpd.conf
· Service: httpd
• I-Install > S-Start > E-Enable > T-Test
· Listen 80
· DocumentRoot /var/www/html
· DirectoryIndex index.html
· User: apache
· Group: apache
#yum install httpd -y
#systemctl start httpd
#systemctl enable httpd
#firewall-cmd --permanent --add-service=http
#firewall-cmd --reload
· DocumentRoot /var/www/html
· DirectoryIndex index.html
· User: apache
· Group: apache
#systemctl start httpd
#systemctl enable httpd
#firewall-cmd --permanent --add-service=http
#firewall-cmd --reload
• SELinux
· Additional layer of security.
· The port on which a service runs in our system must also be configured in SELinux
· Level/Tag
Configure your webserver in NodeA.
WebServer should run on port 81/tcp.
We need to change things in 3 places:
#Config file (Listen 81)
#SELinux >> port management (semanage port)
#firewall-cmd
Web server should be accessible from anywhere
Web server will provide the default page from http://demo.abc.com/content/abc.html
[root@B ~]# cd /etc/httpd/conf
[root@B conf]# cp httpd.conf httpd.conf.default
[root@B conf]# vi httpd.conf
-- Listen 81
[root@B conf]# systemctl restart httpd
[root@B conf]# firewall-cmd --permanent --add-port=81/tcp
success
[root@B conf]# firewall-cmd --reload
success
#getenforce
disabled -- shows the current state
vi /etc/selinux/config
--Enforcing
#Selinux State:
Enforcing [the policy is enforced] >> Permissive [if a service violates the rules it is still allowed, but a warning message is generated - used for debugging/troubleshooting] >> Disabled [SELinux completely disabled]
[root@B ~]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
#Tag - http_port_t
web > port > 85 > selinux > http_port_t
#From enforcing to permissive
[root@B ~]# setenforce 0
[root@B ~]# getenforce
Permissive
[root@B ~]# systemctl restart httpd.service
[root@B ~]# curl 192.168.56.72:85
Welcome to Bangladesh !
---------------------------------
[root@B ~]# setenforce 1
[root@B ~]# getenforce
Enforcing
[root@B ~]# systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
[root@B ~]# curl 192.168.56.72:85
curl: (7) Failed to connect to 192.168.56.72 port 85: Connection refused
--------------------------------
#Add the port to the SELinux http_port_t type
[root@B ~]# semanage port -a -t http_port_t -p tcp 85
#Delete the port from SELinux
[root@B ~]# semanage port -d -t http_port_t -p tcp 85
[root@B ~]# semanage port -a -t http_port_t -p tcp 85
[root@B ~]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 85, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@B ~]# systemctl restart httpd.service
[root@B ~]# curl 192.168.56.72:85
Welcome to Bangladesh !
[root@B ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: cockpit dhcpv6-client http ssh
ports: 81/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@B ~]# firewall-cmd --permanent --add-port=85/tcp
success
[root@B ~]# firewall-cmd --reload
success
==========================
#SELinux file context label | httpd_sys_content_t
[root@B ~]# touch hello.html
[root@B ~]# mv hello.html /var/www/html/
[root@B ~]# cd /var/www/html/
[root@B html]# ls -lZ
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Oct 10 19:55 hello.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 24 Oct 9 15:42 index.html
--------------------
[root@B ~]# vi index.html
[root@B ~]# mv index.html /var/www/html/
[root@B ~]# cd /var/www/html/
[root@B html]# ls -lZ
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 15 Oct 10 20:04 index.html
[root@B html]# restorecon index.html -v
[root@B html]# restorecon -Rv /var/www/html/
[root@B html]# ls -lZ
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 15 Oct 10 20:04 index.html
=================================
# if the document root directory for httpd is changed
[root@B ~]# semanage fcontext -a -t httpd_sys_content_t "/webhost(/.*)?"
File context for /webhost(/.*)? already defined, modifying instead
[root@B ~]# ls -lZ /webhost
ls: cannot access '/webhost': No such file or directory
[root@B ~]# restorecon /webhost/ -v
restorecon: lstat(/webhost) failed: No such file or directory
· The port on which a service runs in our system must also be configured in SELinux
· Level/Tag
WebServer should run on port 81/tcp.
#SELinux >> port management (semanage port)
#firewall-cmd
Web server will provide the default page from http://demo.abc.com/content/abc.html
[root@B conf]# cp httpd.conf httpd.conf.default
[root@B conf]# vi httpd.conf
-- Listen 81
[root@B conf]# systemctl restart httpd
[root@B conf]# firewall-cmd --permanent --add-port=81/tcp
success
[root@B conf]# firewall-cmd --reload
success
http_cache_port_t udp 3130
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
web > port > 85 > selinux > http_port_t
[root@B ~]# setenforce 0
[root@B ~]# getenforce
Permissive
[root@B ~]# curl 192.168.56.72:85
Welcome to Bangladesh !
[root@B ~]# getenforce
Enforcing
[root@B ~]# systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error code.
See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for details.
[root@B ~]# curl 192.168.56.72:85
curl: (7) Failed to connect to 192.168.56.72 port 85: Connection refused
[root@B ~]# semanage port -a -t http_port_t -p tcp 85
[root@B ~]# semanage port -d -t http_port_t -p tcp 85
[root@B ~]# semanage port -l | grep http
http_cache_port_t tcp 8080, 8118, 8123, 10001-10010
http_cache_port_t udp 3130
http_port_t tcp 85, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t tcp 5988
pegasus_https_port_t tcp 5989
[root@B ~]# curl 192.168.56.72:85
Welcome to Bangladesh !
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: cockpit dhcpv6-client http ssh
ports: 81/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
success
[root@B ~]# firewall-cmd --reload
success
[root@B ~]# mv hello.html /var/www/html/
[root@B ~]# cd /var/www/html/
[root@B html]# ls -lZ
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 0 Oct 10 19:55 hello.html
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 24 Oct 9 15:42 index.html
[root@B ~]# mv index.html /var/www/html/
[root@B ~]# cd /var/www/html/
[root@B html]# ls -lZ
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:admin_home_t:s0 15 Oct 10 20:04 index.html
[root@B html]# ls -lZ
total 4
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 15 Oct 10 20:04 index.html
File context for /webhost(/.*)? already defined, modifying instead
[root@B ~]# ls -lZ /webhost
ls: cannot access '/webhost': No such file or directory
[root@B ~]# restorecon /webhost/ -v
restorecon: lstat(/webhost) failed: No such file or directory