Storage Essentials Practitioners Forum

(SOM) Support Tip: How to work with RHEL 7.x and Firewalls

Mark_Butler
HPE Expert


Hello SOM/SE Community,

As I mentioned last week when discussing RHEL 6.x and Firewalls, today I am providing similar information for RHEL 7.x and firewalls.  The official RHEL 7.x Security Guide can be found at the following URL:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/index.html

Some of the information below is taken directly from the RHEL 7.x Security Guide (Section 4.5).

RHEL 7.x introduces a dynamic firewall daemon called firewalld.  A graphical configuration tool, firewall-config, is used to configure firewalld, which in turn uses the iptables tool.

While this is nice to know, many RHEL servers do not install graphics, so it is necessary to use CLI commands. 

A command line client, firewall-cmd, is provided.  It can be used to make permanent and non-permanent (runtime) changes, as explained in the firewall-cmd(1) man page.

Note that the firewall-cmd command can be run by the root user and also by an administrative user, in other words, a member of the wheel group (for example, via sudo).

The essential differences between firewalld and the iptables service are:

  • The iptables service stores configuration in /etc/sysconfig/iptables while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default on Red Hat Enterprise Linux.

  • With the iptables service, every single change means flushing all the old rules and reading all the new rules from /etc/sysconfig/iptables, while with firewalld there is no re-creating of all the rules; only the differences are applied. Consequently, firewalld can change the settings during runtime without existing connections being lost.

Both use the iptables tool to talk to the kernel packet filter.

Firewalls can be used to separate networks into different zones based on the level of trust the user has decided to place on the devices and traffic within that network.

With that information, let me provide you with the different command syntax to do what you would like to do.

To find the current state of the Firewall:
# firewall-cmd --state

To list the current services configured to pass through the public zone of the firewall:
# firewall-cmd --zone=public --list-services

To list the current ports configured to pass through the public zone of the firewall:
# firewall-cmd --zone=public --list-ports

To reload the firewall configuration:
# firewall-cmd --reload

To add a service or port temporarily through the public zone of the firewall:
# firewall-cmd --zone=public --add-service=http
# firewall-cmd --zone=public --add-port=5432/tcp

To add a service or port permanently through the public zone of the firewall:
# firewall-cmd --zone=public --permanent --add-service=http
# firewall-cmd --zone=public --permanent --add-port=5432/tcp

To remove a service or port temporarily from the public zone of the firewall:
# firewall-cmd --zone=public --remove-service=http
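One caveat worth checking in practice: a runtime change (without --permanent) is lost on the next --reload, and a --permanent change is not active until you --reload. The two lists can therefore silently diverge. The POSIX shell script below is an added example and not part of the original post; the function names (set_diff, report_drift, unexpected_items, audit_zone), the default allowlist of ssh and dhcpv6-client, and the sample lists at the bottom are all my own constructions. It compares the runtime and permanent lists of a zone, reports any drift, and flags anything active that is not on the allowlist.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone.
# 1. Report drift between the runtime and --permanent lists of a zone, since a
#    runtime --add-service is lost on --reload and a --permanent --add-service
#    is not active until --reload.
# 2. Flag anything in the runtime list that is not on an allowlist.
# The set logic works on space-separated lists (the format firewall-cmd prints),
# so it can be exercised with constructed input where firewall-cmd is absent.

# Print the items of list $1 that are not in list $2, space-separated.
set_diff() {
    out=""
    for item in $1; do
        found=0
        for other in $2; do
            if [ "$item" = "$other" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            out="$out $item"
        fi
    done
    printf '%s\n' "${out# }"
    return 0
}

# Compare runtime list $1 with permanent list $2.  Returns 1 on any drift.
report_drift() {
    runtime_only=$(set_diff "$1" "$2")
    permanent_only=$(set_diff "$2" "$1")
    rc=0
    if [ -n "$runtime_only" ]; then
        printf 'runtime only (lost on --reload): %s\n' "$runtime_only"
        rc=1
    fi
    if [ -n "$permanent_only" ]; then
        printf 'permanent only (inactive until --reload): %s\n' "$permanent_only"
        rc=1
    fi
    return $rc
}

# Items of runtime list $1 that are not in allowlist $2.
unexpected_items() {
    set_diff "$1" "$2"
}

# Live audit of zone $1 (default public) against allowlist $2.  Needs root or
# a wheel-group account via sudo.  Returns 2 when firewall-cmd is not installed.
audit_zone() {
    zone=${1:-public}
    allow=${2:-"ssh dhcpv6-client"}   # assumed allowlist; adjust per host
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    rt="$(firewall-cmd --zone="$zone" --list-services) $(firewall-cmd --zone="$zone" --list-ports)"
    pm="$(firewall-cmd --zone="$zone" --permanent --list-services) $(firewall-cmd --zone="$zone" --permanent --list-ports)"
    status=0
    report_drift "$rt" "$pm" || status=1
    bad=$(unexpected_items "$rt" "$allow")
    if [ -n "$bad" ]; then
        printf 'not on allowlist in zone %s: %s\n' "$zone" "$bad"
        status=1
    fi
    return $status
}

# Constructed sample run (not real firewall-cmd output): http was added at
# runtime only, and 5432/tcp was added permanently without a reload.
if [ "${1:-}" = "demo" ]; then
    report_drift "ssh dhcpv6-client http" "ssh dhcpv6-client 5432/tcp" || true
    printf 'unexpected: %s\n' "$(unexpected_items "ssh dhcpv6-client http" "ssh dhcpv6-client")"
fi
```

Run it with the argument demo to see the constructed case, or source it on a RHEL 7.x host and call audit_zone public "ssh dhcpv6-client" to check the live zone; a non-zero return means the runtime and permanent configuration disagree or something unexpected is open.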

You can still use the iptables commands that were used in RHEL 6.x to display and configure firewall information.  However, with the introduction of zones, the list can appear more complicated and difficult to read.

Good Luck with your environments.  Another Support Tip will be provided next week.

Regards,

Mark

---
Mark Butler
HPE SW Support Engineer
https://softwaresupport.hpe.com/