If you are unable to finish the lab in the ProLUG lab environment we ask you
rebootthe machine from the command line so that other students will have the intended environment.
Resources / Important Links
Required Materials
- Rocky 9.4+ - ProLUG Lab
- Or comparable Linux box
- root or sudo command access
Downloads
The lab has been provided for convenience below:
Pre-Lab Warm-Up
Exercises (Warmup to quickly run through your system and practice commands)
cd~pwd (should be /home/<yourusername>)cd /tmppwd (should be /tmp)cdpwd (should be /home/<yourusername>)mkdir lab_firewalldcd lab_firewalldtouch testfile1lstouch testfile{2..10}lsseq 10seq 1 10seq 1 2 10- man seq and see what each of those values mean. It’s important to know the behavior if you intend to ever use the command, as we often do with counting (for) loops.
No worries, there are two ways to fix the mess you've made.
Nothing you've done is permanent, so logging out and reloading a shell (logging back in) would fix this.
We just put the aliases back.
for i inseq 1 10; do touch file$i; done;ls- Think about some of those commands and when you might use them. Try to change command #15 to remove all of those files (rm -rf file$i)
Lab 🧪
This lab is designed to help you get familiar with the basics of the systems you will be working on.
Some of you will find that you know the basic material but the techniques here allow you to put it together in a more complex fashion.
It is recommended that you type these commands and do not copy and paste them. Browsers sometimes like to format characters in a way that doesn't always play nice with Linux.
Check Firewall Status and settings:
A very important thing to note before starting this lab. You’re connected into that server on ssh via port 22. If you do anything to lockout port 22 in this lab, you will be blocked from that connection and we’ll have to reset it.
-
Check firewall status
[root@schampine ~]# systemctl status firewalldExample Output:
firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: inactive (dead) since Sat 2017-01-21 19:27:10 MST; 2 weeks 6 days ago Main PID: 722 (code=exited, status=0/SUCCESS) Jan 21 19:18:11 schampine firewalld[722]: 2017-01-21 19:18:11 ERROR: COMMAND.... Jan 21 19:18:13 schampine firewalld[722]: 2017-01-21 19:18:13 ERROR: COMMAND.... Jan 21 19:18:13 schampine firewalld[722]: 2017-01-21 19:18:13 ERROR: COMMAND.... Jan 21 19:18:13 schampine firewalld[722]: 2017-01-21 19:18:13 ERROR: COMMAND.... Jan 21 19:18:13 schampine firewalld[722]: 2017-01-21 19:18:13 ERROR: COMMAND.... Jan 21 19:18:14 schampine firewalld[722]: 2017-01-21 19:18:14 ERROR: COMMAND.... Jan 21 19:18:14 schampine firewalld[722]: 2017-01-21 19:18:14 ERROR: COMMAND.... Jan 21 19:18:14 schampine firewalld[722]: 2017-01-21 19:18:14 ERROR: COMMAND.... Jan 21 19:27:08 schampine systemd[1]: Stopping firewalld - dynamic firewall..... Jan 21 19:27:10 schampine systemd[1]: Stopped firewalld - dynamic firewall ...n.Hint: Some lines were ellipsized, use -l to show in full.
If necessary start the firewalld daemon:
systemctl start firewalld
Set the firewalld daemon to be persistent through reboots:
systemctl enable firewalld
Verify with systemctl status firewalld again from step 1
Check which zones exist:
firewall-cmd --get-zones
Checking the values within each zone:
firewall-cmd --list-all --zone=public
General Output
public (default, active)
interfaces: wlp4s0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Checking the active and default zones:
firewall-cmd --get-default
Example Output:
public
Next Command
firewall-cmd --get-active
Example Output:
public
interfaces: wlp4s0
Note: this also shows which interface the zone is applied to. Multiple interfaces and zones can be applied
So now you know how to see the values in your firewall. Use steps 4 and 5 to check all the values of the different zones to see how they differ.
Set the firewall active and default zones:
We know the zones from above, set your firewall to the different active or default zones. Default zones are the ones that will come up when the firewall is restarted.
Note: It may be useful to perform an ifconfig -a and note your interfaces for the next part
ifconfig -a | grep -i flags
Example Output:
[root@rocky ~]# ifconfig -a | grep -i flags
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
- Changing the default zones (This is permanent over a reboot, other commands require --permanent switch)
firewall-cmd --set-default-zone=work
Example Output:
success
Next Command:
firewall-cmd --get-active-zones
Example Output:
work
interfaces: wlp4s0
Attempt to set it back to the original public zone and verify. Set it to one other zone, verify, then set it back to public.
Changing interfaces and assigning different zones (use another interface from your earlier ifconfig -a
firewall-cmd --change-interface=virbr0 --zone dmz
Example Output:
success
Next Command:
firewall-cmd --add-source 192.168.11.0/24 --zone=public
Example Output:
success
Next Command:
firewall-cmd --get-active-zones
Example Output:
dmz
interfaces: virbr0
work
interfaces: wlp4s0
public
sources: 192.168.200.0/24
Working with ports and services:
We can be even more granular with our ports and services. We can block or allow services by port number, or we can assign port numbers to a service name and then block or allow those service names.
-
List all services assigned in firewalld
firewall-cmd --get-servicesExample Output:
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-httpsThis next part is just to show you where the service definitions exist. They are simple xml format and can easily be manipulated or changed to make new services. This would require a restart of the firewalld service to re-read this directory.
Next Command:
ls /usr/lib/firewalld/services/Example Output:
amanda-client.xml iscsi-target.xml pop3s.xml bacula-client.xml kerberos.xml postgresql.xml bacula.xml kpasswd.xml proxy-dhcp.xml dhcpv6-client.xml ldaps.xml radius.xml dhcpv6.xml ldap.xml RH-Satellite-6.xml dhcp.xml libvirt-tls.xml rpc-bind.xml dns.xml libvirt.xml rsyncd.xml freeipa-ldaps.xml mdns.xml samba-client.xml freeipa-ldap.xml mountd.xml samba.xml freeipa-replication.xml ms-wbt.xml smtp.xml ftp.xml mysql.xml ssh.xml high-availability.xml nfs.xml telnet.xml https.xml ntp.xml tftp-client.xml http.xml openvpn.xml tftp.xml imaps.xml pmcd.xml transmission-client.xml ipp-client.xml pmproxy.xml vdsm.xml ipp.xml pmwebapis.xml vnc-server.xml ipsec.xml pmwebapi.xml wbem-https.xmlNext Command:
cat /usr/lib/firewalld/services/http.xmlExample Output:
<?xml version="1.0" encoding="utf-8"?> <service> <short>WWW (HTTP)</short> <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description> <port protocol="tcp" port="80"/> </service> -
Adding a service or port to a zone
Ensuring we are working on a public zone
firewall-cmd --set-default-zone=publicExample Output:
successListing Services
firewall-cmd --list-servicesExample Ouput:
dhcpv6-client sshNote: We have 2 services
Permanently adding a service with the
--permanentswitchfirewall-cmd --permanent --add-service ftpExample Output:
successReloading
firewall-cmd --reloadExample Output:
successVerifying we are in the correct Zone
firewall-cmd --get-default-zoneExample Output:
publicVerifying that we have successfully added the FTP service
firewall-cmd --list-servicesExample Output:
dhcpv6-client ftp sshAlternatively, we can do almost the same thing but not use a defined service name. If I just want to allow port 1147 through for TCP traffic, it is very simple as well.
firewall-cmd --permanent --add-port=1147/tcpExample Output:
successReloading once again
firewall-cmd --reloadExample Output:
successListing open ports now
[root@schampine services]# firewall-cmd --list-portsExample Output:
1147/tcp -
Removing unwanted services or ports
To remove those values and permanently fix the configuration back we simply use remove.
Firstly, we will permanently remove ftp service
firewall-cmd --permanent --remove-service=ftpExample Output:
successThen we will permanently remove the ports
firewall-cmd --permanent --remove-port=1147/tcpExample Output:
successNow lets do a reload
firewall-cmd --reloadExample Output:
successNow we can list services again to confirm our work
firewall-cmd --list-servicesExample Output:
dhcpv6-client sshNow we can list ports
firewall-cmd --list-portsExample Output:
NothingBefore making any more changes I recommend running the
listcommands above with>> /tmp/firewall.origon them so you have all your original values saved somewhere in case you need them.
So now take this and set up some firewalls on the interfaces of your system.
Change the default ports and services assigned to your different zones (at least 3 zones)
Read the man firewall-cmd command or firewall-cmd -help to see if there are any other userful things you should know.
Be sure to
rebootthe lab machine from the command line when you are done.