systems-guide/firewall.md
2025-11-18 15:07:21 +01:00

# Firewall
We use `firewalld` to configure firewalls. It uses so-called "zones" to define the rules.
In the [Setup](setup.md) guide we installed and set up `firewalld`, left `ssh` open and blocked all other incoming traffic by setting the default zone to "drop".
Check the [official guide](https://www.redhat.com/en/blog/firewalld-rules-and-scenarios) for more details.
### Zones
Drop: Incoming connections are dropped without any notification. Outgoing connections are possible.
Public: This zone is used for devices on untrusted public networks.
We will use the public zone to serve content over the internet.
### Services and ports
With firewalld
## Checking status
To see everything configured in the default zone (`--list-all-zones` shows every zone):
```sh
sudo firewall-cmd --list-all
```
To check a specific zone instead (for example `public`), add `--zone=public`.
Most often you will be interested in the public zone.
To see all open ports in a zone such as "public"
```sh
sudo firewall-cmd --zone=public --list-ports
```
## Preparing to serve over http/https or any other port
### Changing default zone
Change the default zone to `public` with
```sh
sudo firewall-cmd --set-default-zone=public
```
Then open the relevant ports and reload the firewall
```sh
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload
```
Alternatively, you can open "services", which are just aliases for port/protocol pairs (e.g. `--add-service=http` is equivalent to `--add-port=80/tcp`):
```sh
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
```
Note: use the `--permanent` flag to write changes to the persistent firewall config; otherwise the change applies only to the running firewall and is lost on `--reload`. Conversely, `--permanent` changes take effect only after `--reload`.
If you need to open a specific port, use the same form as in the example above:
```sh
sudo firewall-cmd --permanent --zone=public --add-port=$PORT_NUMBER/$PROTOCOL
# where $PROTOCOL is one of tcp, udp, sctp or dccp
# For example
# sudo firewall-cmd --permanent --zone=public --add-port=1234/tcp
sudo firewall-cmd --reload
```
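As an added example (not part of this guide or of firewalld itself), a small POSIX sh wrapper around the commands above: it validates every `PORT/PROTOCOL` argument before touching the firewall, stages all changes with `--permanent`, and reloads once at the end. `FIREWALL_CMD`, `ZONE`, `valid_port_spec` and `open_ports` are names chosen for this example, not firewalld options.

```shell
#!/bin/sh
# Added example wrapper around "firewall-cmd --permanent ... --add-port".
# FIREWALL_CMD and ZONE are assumptions of this example; set FIREWALL_CMD=echo
# to see the commands without root (the value is word-split on purpose so
# "sudo firewall-cmd" works).
FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"
ZONE="${ZONE:-public}"

# Return 0 if "$1" is PORT/PROTO with a port in 1..65535 and a protocol
# firewalld accepts (tcp, udp, sctp, dccp); return 1 otherwise.
valid_port_spec() {
    port="${1%%/*}"
    proto="${1#*/}"
    # no slash at all leaves proto == "$1", which fails the protocol check
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# Open every PORT/PROTO argument in $ZONE permanently, then reload once.
# The whole batch is rejected up front if any spec is malformed, so a typo
# does not leave the permanent config half-applied.
open_ports() {
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    done
    for spec in "$@"; do
        $FIREWALL_CMD --permanent --zone="$ZONE" --add-port="$spec" || return 1
    done
    $FIREWALL_CMD --reload
}
```

Run it as `open_ports 80/tcp 443/tcp` after sourcing the file; with `FIREWALL_CMD=echo` it only prints the `firewall-cmd` arguments it would pass.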
## TODO: How to only allow specific IPs to access your service