Discover three effective methods to create a Linux firewall service with our detailed guide. Learn how to configure firewall rules using firewalld
, to secure your Linux server. #centlinux #linux #firewall
Table of Contents
What is Firewalld?
Firewalld is a firewall management tool for Linux operating systems licensed under GNU General Public License 2.
Firewalld is the default firewall management tool in RHEL based Linux distros from version 7 onwards, where it replaces the legacy firewall management tool i.e. iptables. Firewalld is a dynamically managed firewall with support for network zones, IPv4, IPv6, ethernet bridges and IP sets.
Firewalld is a dynamic firewall management tool for Linux systems that provides a flexible and user-friendly way to configure firewall rules and manage network traffic. It is designed to be more intuitive and versatile than older firewall management tools like iptables
.
Here’s a detailed overview of Firewalld, including its features, components, and how to use it:
Key Features of Firewalld
- Dynamic Firewall Management:
- Real-Time Changes: Firewalld allows you to apply changes to firewall rules without restarting the firewall service. This means you can modify rules on-the-fly, which is useful for maintaining active services without downtime.
- Zone-Based Configuration:
- Predefined Zones: Firewalld uses zones to apply different sets of rules based on network connections. Each zone defines a security level and specifies which services and ports are allowed or denied.
- Common Zones: Includes predefined zones like public, private, internal, and dmz for different security requirements.
- Rich Language for Rules:
- Simplified Syntax: Firewalld provides a user-friendly interface for defining rules. You can specify services, ports, and IP addresses in a straightforward manner.
- Service Management:
- Service Definitions: Firewalld supports service management, allowing you to enable or disable predefined services (like HTTP, SSH) with simple commands.
- Firewall Backends:
- Backend Options: Firewalld supports multiple backend firewall technologies, including
iptables
,ip6tables
, andnftables
, allowing you to choose the best backend for your needs.
- Backend Options: Firewalld supports multiple backend firewall technologies, including
- Support for IPv4, IPv6, and Network Zones:
- Comprehensive Support: Manages rules for both IPv4 and IPv6 traffic, and organizes network traffic based on different zones.
- Logging and Monitoring:
- Traffic Logging: Firewalld can log traffic that matches specific rules, helping you monitor and analyze network activity.
Components of Firewalld
Zones:
- Definition: Zones represent different levels of trust for network connections.
- Examples:
- Public: For public networks where you don’t trust other computers.
- Home: For home networks where you trust the other devices.
- Work: For work networks where you trust the other devices but require higher security.
- Internal: For internal networks with moderate trust.
- Trusted: All traffic is allowed.
Services:
- Definition: Predefined configurations for common network services.
- Examples:
- http: Web server
- ssh: Remote server access
Rich Rules:
- Definition: Advanced rules for complex configurations.
- Examples: Allowing traffic from a specific IP address or network.
Direct Rules:
- Definition: Low-level rules that interact directly with the backend firewall technologies.
- Examples: Custom
iptables
rules for advanced configurations.
Use Cases for Firewalld
- Network Security:
- Protect Services: Secure services and applications from unauthorized access.
- Traffic Control: Manage inbound and outbound traffic to protect your system.
- System Administration:
- Configuration Management: Apply firewall rules and manage network traffic.
- Service Management: Enable or disable services based on network security requirements.
- Multi-Zone Environments:
- Segregation: Use different zones for various network interfaces and security levels.
Recommended Online Training: Learn Bash Shell in Linux for Beginners
Linux Server Specification
Consider a scenario where we are running an Oracle Database 19c instance on CentOS 8 server.
Default Oracle Listener uses the service port 1521/tcp. We have also configured another Oracle Listener service that is using port 1522/tcp.
In short, we have two Oracle listeners running on ports 1521/tcp and 1522/tcp simultaneously.
Our objective is to create a custom Linux firewall service to control access to our Oracle Listener ports.
Recommended Online Training: Learn Bash Shell in Linux for Beginners
1. Create a Linux Firewall Service using CLI
In this method, we will create a Linux firewall service using firewall-cmd command.
Create a new service for Oracle Listener ports.
# firewall-cmd --permanent --new-service=oranet success
Add long description of the service.
# firewall-cmd --permanent --service=oranet > --set-description="Oracle Listener Service" success
Add short description of the service.
# firewall-cmd --permanent --service=oranet > --set-short=oranet success
Add Oracle Listener service ports.
# firewall-cmd --permanent --service=oranet --add-port=1521/tcp success
# firewall-cmd --permanent --service=oranet --add-port=1522/tcp success
Reload firewalld configurations.
# firewall-cmd --reload success
Display configurations of CentOS firewall.
# firewall-cmd --info-service=oranet oranet ports: 1521/tcp 1522/tcp protocols: source-ports: modules: destination:
We can add more settings to our service in similar way. You can refer to Firewalld Documentation for more details.
2. Create a Linux Firewall Service from XML file
In this method, we will define the firewalld service settings in an XML file and then use firewall-cmd command to create a custom service in our Linux firewall.
# vi ~/oranet.xml
and add following XML code therein.
<?xml version="1.0" encoding="utf-8"?> <service> <short>oranet</short> <description>Oracle Listener Service</description> <port protocol="tcp" port="1521" /> <port protocol="tcp" port="1522" /> </service>
Now use firewall-cmd command to create Linux firewall service.
# firewall-cmd --permanent --new-service-from-file=oranet.xml success
Reload firewalld configurations and check oranet service.
# firewall-cmd --reload success
# firewall-cmd --info-service=oranet oranet ports: 1521/tcp 1522/tcp protocols: source-ports: modules: destination:
3. Create a Linux Firewall Service from Definition File
This method is normally used by software packages during installation to create their respective firewalld services.
In this method, we create a custom service definition file in firewalld configuration directory.
# vi /etc/firewalld/services/oranet.xml
Add following XML code therein.
<?xml version="1.0" encoding="utf-8"?> <service> <short>oranet</short> <description>Oracle Listener Service</description> <port protocol="tcp" port="1521" /> <port protocol="tcp" port="1522" /> </service>
Reload firewalld configurations and check service oranet service.
# firewall-cmd --reload success
# firewall-cmd --info-service=oranet oranet ports: 1521/tcp 1522/tcp protocols: source-ports: modules: destination:
We have explored all 3 ways to create a custom service in CentOS firewall.
If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.
Final Thoughts
Creating a robust Linux firewall service is essential for securing your server and network. This guide has explored three effective methods to help you choose the best approach for your needs.
If you’d prefer professional assistance or need help with configuring your Linux firewall, I offer expert services to set up and manage your firewall rules effectively. Visit my Fiverr profile for more details and to get started: Linux Cloud Engineer
Secure your Linux server with tailored firewall solutions from a trusted expert today!