Firewall
We use firewalld to configure the firewall. It uses so-called "zones" to define the rules.
In the Setup guide we installed and set up firewalld, left SSH open and blocked all other incoming traffic by setting the default zone to "drop".
Check the official firewalld guide for more details.
Zones
Drop: Incoming packets are dropped without any reply. Only outgoing connections are possible.
Public: For devices on an untrusted public network; only explicitly selected incoming connections (services/ports) are accepted.
We will use the public zone to serve content over the internet.
Services and ports
With firewalld
Checking status
To see all info for active zones
sudo firewall-cmd --list-all
To check a specific zone (e.g. public), add --zone=public to the command.
Most often you will be interested in the public zone.
To see all open ports in a zone such as "public"
sudo firewall-cmd --zone=public --list-ports
Preparing to serve over HTTP/HTTPS or any other port
Changing default zone
Before switching, confirm that ssh is listed under "services:" in the output of sudo firewall-cmd --zone=public --list-all (it is in the stock public zone). --set-default-zone is applied to both the runtime and the permanent configuration immediately, so moving a remote host to a zone that does not allow ssh locks you out.
Change the default zone to public with
sudo firewall-cmd --set-default-zone=public
Then open the relevant ports and reload the firewall:
sudo firewall-cmd --permanent --zone=public --add-port=22/tcp # SSH
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp # HTTP
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp # HTTPS
sudo firewall-cmd --reload
OR
You can also open "services", which are named aliases for port/protocol pairs (e.g. service=http is 80/tcp):
sudo firewall-cmd --permanent --zone=public --add-service=ssh
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
Note: the --permanent flag writes the change to the saved configuration. Without it the change applies only to the running firewall and is lost on --reload or a restart. Permanent changes, in turn, are not active until you run --reload (or restart firewalld), which is why each sequence above ends with a reload.
If you need to open just a specific port, do it as in the example above:
sudo firewall-cmd --permanent --zone=public --add-port=$PORT_NUMBER/$PROTOCOL
# where $PROTOCOL is one of `tcp , udp , sctp or dccp`
# For example
# sudo firewall-cmd --permanent --zone=public --add-port=1234/tcp
sudo firewall-cmd --reload
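The whole sequence above (check that ssh is allowed in the zone, open the services or ports permanently, switch the default zone, reload, then verify the runtime state), as an added shell example. It is not part of the original guide: the function names, the ZONE and DRY_RUN variables and the port-spec validation are this example's own; the firewall-cmd options are the ones used on this page plus --query-service and --query-port from firewall-cmd(1).

```shell
#!/bin/sh
# Added example (not from the original guide): open services/ports in a zone,
# make that zone the default and verify the result, with a lock-out check first.
# ZONE, DRY_RUN and the function names are this example's own conventions.
# DRY_RUN=1 prints the firewall-cmd invocations instead of running them.
set -eu

ZONE="${ZONE:-public}"
DRY_RUN="${DRY_RUN:-0}"

# run_fw ARGS...: run firewall-cmd (via sudo), or echo the command under DRY_RUN=1
run_fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "firewall-cmd $*"
    else
        sudo firewall-cmd "$@"
    fi
}

# validate_port_spec PORT/PROTO: 0 if PORT is 1-65535 and PROTO is one of the
# protocols firewall-cmd accepts (tcp, udp, sctp, dccp); port ranges not handled
validate_port_spec() {
    spec="$1"
    port="${spec%%/*}"
    proto="${spec#*/}"
    [ "$spec" = "$port/$proto" ] || return 1      # must contain a '/'
    case "$port" in
        ''|*[!0-9]*) return 1 ;;                  # digits only
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in
        tcp|udp|sctp|dccp) return 0 ;;
        *) return 1 ;;
    esac
}

# assert_ssh_allowed ZONE: refuse to continue unless ssh is already permitted in
# ZONE; making a zone without ssh the default locks you out of a remote host
assert_ssh_allowed() {
    if ! run_fw --zone="$1" --query-service=ssh >/dev/null; then
        echo "ssh is not allowed in zone $1; add it before changing the default zone" >&2
        return 1
    fi
}

# open_in_zone ZONE ITEM...: add each ITEM to the permanent config of ZONE.
# An ITEM containing '/' is a port spec (e.g. 8443/tcp); anything else is a service name.
open_in_zone() {
    zone="$1"; shift
    for item in "$@"; do
        case "$item" in
            */*)
                validate_port_spec "$item" || { echo "bad port spec: $item" >&2; return 1; }
                run_fw --permanent --zone="$zone" --add-port="$item"
                ;;
            *)
                run_fw --permanent --zone="$zone" --add-service="$item"
                ;;
        esac
    done
}

# apply_and_verify ZONE ITEM...: make ZONE the default, reload so the permanent
# changes become the runtime config, then confirm each ITEM is live (the query
# options exit 0 for "yes" and 1 for "no", so set -e stops on a missing entry)
apply_and_verify() {
    zone="$1"; shift
    run_fw --set-default-zone="$zone"
    run_fw --reload
    for item in "$@"; do
        case "$item" in
            */*) run_fw --zone="$zone" --query-port="$item" >/dev/null ;;
            *)   run_fw --zone="$zone" --query-service="$item" >/dev/null ;;
        esac
    done
}

# Usage: sh open-ports.sh ssh http https 8443/tcp   (DRY_RUN=1 to preview)
if [ "$#" -gt 0 ]; then
    assert_ssh_allowed "$ZONE"
    open_in_zone "$ZONE" "$@"
    apply_and_verify "$ZONE" "$@"
fi
```

Run it once with DRY_RUN=1 to see exactly which firewall-cmd calls it will make; the ssh check queries the runtime state of the zone, which is what matters at the moment --set-default-zone takes effect.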