systems-guide/firewall.md
2025-11-18 15:07:21 +01:00


Firewall

We use firewalld to configure firewalls. It uses so-called "zones" to group the rules.

In the Setup guide we installed and set up firewalld, left SSH open and closed all other traffic by setting the default zone to "drop".

Check the official guide for more details.

Zones

Drop: Connections are dropped without any notification. Outgoing connections are possible.

Public: This zone is used for devices on the untrusted public network.

We are going to use the public zone to serve content over the internet.

Services and ports

With firewalld

Checking status

To see all information for the active zones:

sudo firewall-cmd --list-all

To check a specific zone, add --zone=<name>, for example --zone=public. Most often you will be interested in the public zone.

To see all open ports in a zone such as "public":

sudo firewall-cmd --zone=public --list-ports

Preparing to serve over http/https or any other port

Changing default zone

Change the default zone to public with:

sudo firewall-cmd --set-default-zone=public

Then open the relevant ports and reload the firewall:

sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload

OR

You can also open "services", which are just aliases for port/protocol pairings (e.g. service=http is equal to port 80/tcp):

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

Note: use the --permanent flag to add rules to the firewall configuration permanently. Otherwise they only exist in the runtime configuration and are lost when you run --reload. Conversely, a --permanent change does not affect the running firewall until you --reload (or repeat the same command without --permanent).

If you need to open just a specific port, you can do it as in the example above:

sudo firewall-cmd --permanent --zone=public --add-port=$PORT_NUMBER/$PROTOCOL
# where $PROTOCOL is one of: tcp, udp, sctp or dccp
# For example:
# sudo firewall-cmd --permanent --zone=public --add-port=1234/tcp
sudo firewall-cmd --reload
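
The "open a specific port" procedure above, wrapped in a small shell function as an added example (not part of this guide): it validates the port range and the four protocols firewalld accepts before running the --permanent add and the --reload. The FIREWALL_CMD and ZONE variables are assumptions of this example so the commands can be previewed with FIREWALL_CMD="echo firewall-cmd" or run as root.

```shell
#!/bin/sh
# Added example: validate input before touching the firewall, then apply the
# two commands from the guide (--permanent --add-port, then --reload).
# FIREWALL_CMD and ZONE are assumptions of this example, not firewalld settings.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

# valid_port_spec PORT PROTOCOL
# Returns 0 when PORT is a number in 1-65535 and PROTOCOL is one of the four
# protocols firewalld accepts for --add-port (tcp, udp, sctp, dccp).
valid_port_spec() {
    port=$1
    proto=$2
    case $port in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in
        tcp|udp|sctp|dccp) return 0 ;;
        *) return 1 ;;
    esac
}

# open_port PORT PROTOCOL
# Adds PORT/PROTOCOL to the permanent configuration of $ZONE and reloads so the
# rule is also active at runtime. Refuses anything that fails validation.
open_port() {
    if ! valid_port_spec "$1" "$2"; then
        echo "refusing '$1/$2': port must be 1-65535, protocol tcp|udp|sctp|dccp" >&2
        return 2
    fi
    $FIREWALL_CMD --permanent --zone="$ZONE" --add-port="$1/$2" || return 1
    $FIREWALL_CMD --reload
}

# Usage: open_port.sh PORT PROTOCOL (script name is an assumption of this example)
if [ $# -eq 2 ]; then
    open_port "$1" "$2"
fi
```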

TODO: How to only allow specific IPs to access your service