Chapter 8. Using the web console for managing firewall

A firewall is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow through.

Prerequisites

8.1. Using the web console to run the firewall

This section describes where and how to run the RHEL 8 system firewall in the web console.

Note

The RHEL 8 web console configures the firewalld service.

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Open the Networking section.
  3. In the Firewall section, click ON to run the firewall.

    cockpit fw

    If you do not see the Firewall box, log in to the web console with the administration privileges.

At this stage, your firewall is running.

To configure firewall rules, see Adding rules in the web console using the web console.

8.2. Using the web console to stop the firewall

This section describes where and how to stop the RHEL 8 system firewall in the web console.

Note

The RHEL 8 web console configures the firewalld service.

Procedure

  1. Log in to the RHEL 8 web console.

    For details, see Logging in to the web console.

  2. Open the Networking section.
  3. In the Firewall section, click OFF to stop it.

    cockpit fw

    If you do not see the Firewall box, log in to the web console with the administration privileges.

At this stage, the firewall has been stopped and does not secure your system.

8.3. firewalld

firewalld is a firewall service daemon that provides a dynamic customizable host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed.

firewalld uses the concepts of zones and services, that simplify the traffic management. Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.

Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.

Additional resources

  • firewalld(1) man page

8.4. Zones

firewalld can be used to separate networks into different zones according to the level of trust that the user has decided to place on the interfaces and traffic within that network. A connection can only be part of one zone, but a zone can be used for many network connections.

NetworkManager notifies firewalld of the zone of an interface. You can assign zones to interfaces with:

  • NetworkManager
  • firewall-config tool
  • firewall-cmd command-line tool
  • The RHEL web console

The latter three can only edit the appropriate NetworkManager configuration files. If you change the zone of the interface using the web console, firewall-cmd or firewall-config, the request is forwarded to NetworkManager and is not handled by ⁠firewalld.

The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified. The default settings of the predefined zones are as follows:

block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
drop
Any incoming network packets are dropped without any notification. Only outgoing network connections are possible.
external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
home
For use at home when you mostly trust the other computers on the network. Only selected incoming connections are accepted.
internal
For use on internal networks when you mostly trust the other computers on the network. Only selected incoming connections are accepted.
public
For use in public areas where you do not trust other computers on the network. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
work
For use at work where you mostly trust the other computers on the network. Only selected incoming connections are accepted.

One of these zones is set as the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone. The default zone can be changed.

Note

The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. To avoid any security problems, review the default zone configuration and disable any unnecessary services according to your needs and risk assessments.

Additional resources

` firewalld.zone(5) man page

8.5. Zones in the web console

Important

Firewall zones are new in the RHEL 8.1.0 Beta.

The Red Hat Enterprise Linux web console implements major features of the firewalld service and enables you to:

  • Add predefined firewall zones to a particular interface or range of IP addresses
  • Configure zones with selecting services into the list of enabled services
  • Disable a service by removing this service from the list of enabled service
  • Remove a zone from an interface

8.6. Enabling zones using the web console

The web console enables you to apply predefined and existing firewall zones on a particular interface or a range of IP addresses. This section describes how to enable a zone on an interface.

Prerequisites

Procedure

  1. Log in to the RHEL web console with administration privileges.

    For details, see Logging in to the web console.

  2. Click Networking.
  3. Click on the Firewall box title.

    cockpit fw

    If you do not see the Firewall box, log in to the web console with the administrator privileges.

  4. In the Firewall section, click Add Services.
  5. Click on the Add Zone button.
  6. In the Add Zone dialog box, select a zone from the Trust level scale.

    You can see here all zones predefined in the firewalld service.

  7. In the Interfaces part, select an interface or interfaces on which the selected zone is applied.
  8. In the Allowed Addresses part, you can select whether the zone is applied on:

    • the whole subnet
    • or a range of IP addresses in the following format:

      • 192.168.1.0
      • 192.168.1.0/24
      • 192.168.1.0/24, 192.168.1.0
  9. Click on the Add zone button.

    cockpit fw zones add

Verify the configuration in Active zones.

cockpit fw zones active

8.7. Enabling services on the firewall using the web console

By default, services are added to the default firewall zone. If you use more firewall zones on more network interfaces, you must select a zone first and then add the service with port.

The RHEL 8 web console displays predefined firewalld services and you can add them to active firewall zones.

Important

The RHEL 8 web console configures the firewalld service.

The web console does not allow generic firewalld rules which are not listed in the web console.

Prerequisites

Procedure

  1. Log in to the RHEL web console with administrator privileges.

    For details, see Logging in to the web console.

  2. Click Networking.
  3. Click on the Firewall box title.

    cockpit fw

    If you do not see the Firewall box, log in to the web console with the administrator privileges.

  4. In the Firewall section, click Add Services.

    cockpit add service

  5. In the Add Services dialog box, select a zone for which you want to add the service.

    The Add Services dialog box includes a list of active firewall zones only if the system includes multiple active zones.

    If the system uses just one (the default) zone, the dialog does not include zone settings.

  6. In the Add Services dialog box, find the service you want to enable on the firewall.
  7. Enable desired services.

    cockpit fw add jabber

  8. Click Add Services.

At this point, the RHEL 8 web console displays the service in the list of Allowed Services.

8.8. Configuring custom ports using the web console

The web console allows you to add:

This section describes how to add services with custom ports configured.

Prerequisites

Procedure

  1. Log in to the RHEL web console with administrator privileges.

    For details, see Logging in to the web console.

  2. Click Networking.
  3. Click on the Firewall box title.

    cockpit fw

    If you do not see the Firewall box, log in to the web console with the administration privileges.

  4. In the Firewall section, click Add Services.

    cockpit add service

  5. In the Add Services dialog box, select a zone for which you want to add the service.

    The Add Services dialog box includes a list of active firewall zones only if the system includes multiple active zones.

    If the system uses just one (the default) zone, the dialog does not include zone settings.

  6. In the Add Ports dialog box, click on the Custom Ports radio button.
  7. In the TCP and UDP fields, add ports according to examples. You can add ports in the following formats:

    • Port numbers such as 22
    • Range of port numbers such as 5900-5910
    • Aliases such as nfs, rsync
    Note

    You can add multiple values into each field. Values must be separated with the comma and without the space, for example: 8080,8081,http

  8. After adding the port number in the TCP and/or UDP fields, verify the service name in the Name field.

    The Name field displays the name of the service for which is this port reserved. You can rewrite the name if you are sure that this port is free to use and no server needs to communicate on this port.

  9. In the Name field, add a name for the service including defined ports.
  10. Click on the Add Ports button.

    cockpit ports define

To verify the settings, go to the Firewall page and find the service in the list of Allowed Services.

cockpit ports http

8.9. Disabling zones using the web console

This section describes how to disable a firewall zone in your firewall configuration using the web console.

Prerequisites

Procedure

  1. Log in to the RHEL web console with administrator privileges.

    For details, see Logging in to the web console.

  2. Click Networking.
  3. Click on the Firewall box title.

    cockpit fw

    If you do not see the Firewall box, log in to the web console with the administrator privileges.

  4. On the Active zones table, click on the Delete icon at the zone you want to remove.

    cockpit fw zones remove

The zone is now disabled and the interface does not include opened services and ports which were configured in the zone.