Chapter 14. Managing firewall using the web console

A firewall is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow it through. In RHEL, the firewalld service with the nftables back end functions as a default firewall. Through the RHEL web console, you can configure firewalld.

For details about the firewalld service, see Getting started with firewalld.

14.1. Running firewall using the web console

The following steps show where and how to run the RHEL 9 system firewall in the web console.

Note

The RHEL 9 web console configures the firewalld service.

Procedure

  1. Log in to the RHEL 9 web console. For details, see Logging in to the web console.
  2. Open the Networking section.
  3. In the Firewall section, click the slider to run the firewall.

    cockpit turn firewall on

    If you do not see the Firewall slider, log in to the web console with the administrative privileges.

At this stage, your firewall is running.

To configure firewall rules, see Enabling services on the firewall using the web console

14.2. Stopping firewall using the web console

The following steps show where and how to stop the RHEL 9 system firewall in the web console.

Note

The RHEL 9 web console configures the firewalld service.

Procedure

  1. Log in to the RHEL 9 web console. For details, see Logging in to the web console.
  2. Open the Networking section.
  3. In the Firewall section, click the slider to stop the firewall.

    cockpit turn firewall off

    If you do not see the Firewall slider, log in to the web console with the administrative privileges.

At this stage, the firewall has been stopped and does not secure your system.

14.3. Firewall zones

You can use the ⁠firewalld utility to separate networks into different zones according to the level of trust that you have with the interfaces and traffic within that network. A connection can only be part of one zone, but you can use that zone for many network connections.

firewalld follows strict principles in regards to zones:

  1. Traffic ingresses only one zone.
  2. Traffic egresses only one zone.
  3. A zone defines a level of trust.
  4. Intrazone traffic (within the same zone) is allowed by default.
  5. Interzone traffic (from zone to zone) is denied by default.

Principles 4 and 5 are a consequence of principle 3.

Principle 4 is configurable through the zone option --remove-forward. Principle 5 is configurable by adding new policies.

NetworkManager notifies firewalld of the zone of an interface. You can assign zones to interfaces with the following utilities:

  • NetworkManager
  • firewall-config utility
  • firewall-cmd utility
  • The RHEL web console

The RHEL web console, firewall-config, and firewall-cmd can only edit the appropriate NetworkManager configuration files. If you change the zone of the interface using the web console, firewall-cmd, or firewall-config, the request is forwarded to NetworkManager and is not handled by ⁠firewalld.

The /usr/lib/firewalld/zones/ directory stores the predefined zones, and you can instantly apply them to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified. The default settings of the predefined zones are as follows:

block
  • Suitable for: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6.
  • Accepts: Only network connections initiated from within the system.
dmz
  • Suitable for: Computers in your DMZ that are publicly-accessible with limited access to your internal network.
  • Accepts: Only selected incoming connections.
drop

Suitable for: Any incoming network packets are dropped without any notification.

  • Accepts: Only outgoing network connections.
external
  • Suitable for: External networks with masquerading enabled, especially for routers. Situations when you do not trust the other computers on the network.
  • Accepts: Only selected incoming connections.
home
  • Suitable for: Home environment where you mostly trust the other computers on the network.
  • Accepts: Only selected incoming connections.
internal
  • Suitable for: Internal networks where you mostly trust the other computers on the network.
  • Accepts: Only selected incoming connections.
public
  • Suitable for: Public areas where you do not trust other computers on the network.
  • Accepts: Only selected incoming connections.
trusted
  • Accepts: All network connections.
work

Suitable for: Work environment where you mostly trust the other computers on the network.

  • Accepts: Only selected incoming connections.

One of these zones is set as the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is the public zone. You can change the default zone.

Note

Make network zone names self-explanatory to help users understand them quickly.

To avoid any security problems, review the default zone configuration and disable any unnecessary services according to your needs and risk assessments.

Additional resources

  • firewalld.zone(5) man page

14.4. Zones in the web console

The Red Hat Enterprise Linux web console implements major features of the firewalld service and enables you to:

  • Add predefined firewall zones to a particular interface or range of IP addresses
  • Configure zones with selecting services into the list of enabled services
  • Disable a service by removing this service from the list of enabled service
  • Remove a zone from an interface

14.5. Enabling zones using the web console

You can apply predefined and existing firewall zones on a particular interface or a range of IP addresses through the RHEL web console.

Prerequisites

Procedure

  1. Log in to the RHEL web console with administrative privileges. For details, see Logging in to the web console.
  2. Click Networking.
  3. Click on the Edit rules and zones button.

    Edit firewall rules and zones in the web console

    If you do not see the Edit rules and zones button, log in to the web console with the administrator privileges.

  4. In the Firewall section, click Add new zone.
  5. In the Add zone dialog box, select a zone from the Trust level options.

    The web console displays all zones predefined in the firewalld service.

  6. In the Interfaces part, select an interface or interfaces on which the selected zone is applied.
  7. In the Allowed Addresses part, you can select whether the zone is applied on:

    • the whole subnet
    • or a range of IP addresses in the following format:

      • 192.168.1.0
      • 192.168.1.0/24
      • 192.168.1.0/24, 192.168.1.0
  8. Click on the Add zone button.

    Add a firewall zone

Verification

  • Check the configuration in the Firewall section:

    Active zones

14.6. Enabling services on the firewall using the web console

By default, services are added to the default firewall zone. If you use more firewall zones on more network interfaces, you must select a zone first and then add the service with port.

The RHEL 9 web console displays predefined firewalld services and you can add them to active firewall zones.

Important

The RHEL 9 web console configures the firewalld service.

The web console does not allow generic firewalld rules which are not listed in the web console.

Prerequisites

Procedure

  1. Log in to the RHEL web console with administrator privileges. For details, see Logging in to the web console.
  2. Click Networking.
  3. Click on the Edit rules and zones button.

    cockpit edit rules and zones

    If you do not see the Edit rules and zones button, log in to the web console with the administrator privileges.

  4. In the Firewall section, select a zone for which you want to add the service and click Add Services.

    cockpit add services

  5. In the Add Services dialog box, find the service you want to enable on the firewall.
  6. Enable services according to your scenario:

    cockpit add service

  7. Click Add Services.

At this point, the RHEL 9 web console displays the service in the zone’s list of Services.

14.7. Configuring custom ports using the web console

The web console allows you to add:

You can add services by configuring custom ports as described.

Prerequisites

Procedure

  1. Log in to the RHEL web console with administrator privileges. For details, see Logging in to the web console.
  2. Click Networking.
  3. Click on the Edit rules and zones button.

    cockpit edit rules and zones

    If you do not see the Edit rules and zones button, log in to the web console with the administrative privileges.

  4. In the Firewall section, select a zone for which you want to configure a custom port and click Add Services.

    cockpit add services

  5. In the Add services dialog box, click on the Custom Ports radio button.
  6. In the TCP and UDP fields, add ports according to examples. You can add ports in the following formats:

    • Port numbers such as 22
    • Range of port numbers such as 5900-5910
    • Aliases such as nfs, rsync
    Note

    You can add multiple values into each field. Values must be separated with the comma and without the space, for example: 8080,8081,http

  7. After adding the port number in the TCP filed, the UDP filed, or both, verify the service name in the Name field.

    The Name field displays the name of the service for which is this port reserved. You can rewrite the name if you are sure that this port is free to use and no server needs to communicate on this port.

  8. In the Name field, add a name for the service including defined ports.
  9. Click on the Add Ports button.

    cockpit add ports

To verify the settings, go to the Firewall page and find the service in the list of zone’s Services.

cockpit active zones

14.8. Disabling zones using the web console

You can disable a firewall zone in your firewall configuration using the web console.

Prerequisites

Procedure

  1. Log in to the RHEL web console with administrator privileges. For details, see Logging in to the web console.
  2. Click Networking.
  3. Click on the Edit rules and zones button.

    cockpit edit rules and zones

    If you do not see the Edit rules and zones button, log in to the web console with the administrator privileges.

  4. Click on the Options icon at the zone you want to remove.

    cockpit delete zone

  5. Click Delete.

The zone is now disabled and the interface does not include opened services and ports which were configured in the zone.