# Firewall

We use `firewalld` to configure firewalls. It uses so-called "zones" to define the rules. In the [Setup](setup.md) guide we installed and set up `firewalld`, left `ssh` open and closed all other traffic by setting the default zone to "drop". Check the [official guide](https://www.redhat.com/en/blog/firewalld-rules-and-scenarios) for more details.

### Zones

Drop: Connections are dropped without any notification. Outgoing connections are possible.

Public: This zone is used for devices on the untrusted public network. We will be using the Public zone to serve content over the internet.

### Services and ports

With firewalld

## Checking status

To see all info for the default (active) zone

```sh
sudo firewall-cmd --list-all
```

If you want to check a specific zone (e.g. public), just add `--zone=public`. Most often you will be interested in the public zone.

To see all open ports in a zone such as "public"

```sh
sudo firewall-cmd --zone=public --list-ports
```

## Preparing to serve over http/https or any other port

### Changing default zone

Change the default zone to `public` with

```sh
# --set-default-zone changes both the runtime and the permanent configuration
sudo firewall-cmd --set-default-zone=public
```

Then open the relevant ports and reload the firewall

```sh
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload
```

OR

You can also open "services", which are just aliases for port/protocol pairs (e.g. the `http` service is equal to port 80/tcp)

```sh
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
```

Note: use the `--permanent` flag to add rules to the firewall config permanently. Otherwise the change only applies to the runtime config and is lost when you do `--reload`.
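The open-port procedure above (permanent rule, reload, then verify with `--list-ports`) wrapped in a small POSIX shell function, as an added example that is not part of these notes: it validates the `port/protocol` spec locally before `firewall-cmd` is ever called, and after the reload it confirms the port is really active in the zone's runtime config. The `FIREWALL_CMD_DRY_RUN` variable is an assumption of this example; set it to `1` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original notes: a wrapper around firewall-cmd.
# FIREWALL_CMD_DRY_RUN=1 (assumed name) prints the commands instead of
# running them, which also lets the functions be exercised without firewalld.

# valid_port_spec PORT/PROTO -> 0 if PORT is 1..65535 and PROTO is one of
# the four protocols firewalld accepts for --add-port.
valid_port_spec() {
    spec=$1
    port=${spec%%/*}     # text before the first "/"
    proto=${spec#*/}     # text after the first "/"
    case "$spec" in */*) ;; *) return 1 ;; esac               # needs a "/"
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac             # digits only
    [ "${#port}" -le 5 ] || return 1                          # no huge ints
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    return 0
}

# run_fw ARGS...: run firewall-cmd via sudo, or echo it in dry-run mode.
run_fw() {
    if [ "${FIREWALL_CMD_DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        sudo firewall-cmd "$@"
    fi
}

# open_port ZONE PORT/PROTO: add the rule permanently, reload, then verify
# that the runtime configuration of ZONE now lists the port.
open_port() {
    zone=$1
    spec=$2
    valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
    run_fw --permanent --zone="$zone" --add-port="$spec" || return 1
    run_fw --reload || return 1
    if [ "${FIREWALL_CMD_DRY_RUN:-0}" != 1 ]; then
        # --list-ports prints space-separated entries such as "80/tcp 443/tcp"
        run_fw --zone="$zone" --list-ports | tr ' ' '\n' | grep -qx "$spec" \
            || { echo "$spec is not active in zone $zone after reload" >&2; return 1; }
    fi
    return 0
}
```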
If you need to open just a specific port, you can do it as in the example above:

```sh
sudo firewall-cmd --permanent --zone=public --add-port=$PORT_NUMBER/$PROTOCOL
# where $PROTOCOL is one of `tcp`, `udp`, `sctp` or `dccp`
# For example
# sudo firewall-cmd --permanent --zone=public --add-port=1234/tcp
sudo firewall-cmd --reload
```

## TODO: How to only allow specific IPs to access your service