Chapter 5. Using the web console for managing firewall

A firewall is a way to protect machines from unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of firewall rules. These rules are used to sort the incoming traffic and either block it or allow it through.

5.1. Prerequisites

  • The RHEL 7 web console configures the firewalld service.

    For details about the firewalld service, see firewalld.

5.2. Using the web console to run the firewall

This section describes where and how to run the RHEL 7 system firewall in the web console.

Note

The web console configures the firewalld service.

Procedure

  1. Log in to the web console.

    For details, see Logging in to the web console.

  2. Open the Networking section.
  3. In the Firewall section, click ON to run the firewall.

    If you do not see the Firewall box, log in to the web console with administrator privileges.

At this stage, your firewall is running.

To configure firewall rules, see Adding rules using the web console.

5.3. Using the web console to stop the firewall

This section describes where and how to stop the RHEL 7 system firewall in the web console.

Note

The web console configures the firewalld service.

Procedure

  1. Log in to the web console.

    For details, see Logging in to the web console.

  2. Open the Networking section.
  3. In the Firewall section, click OFF to stop it.

    If you do not see the Firewall box, log in to the web console with administrator privileges.

At this stage, the firewall has been stopped and no longer protects your system.

5.4. firewalld

firewalld is a firewall service daemon that provides a dynamic, customizable, host-based firewall with a D-Bus interface. Being dynamic, it enables creating, changing, and deleting rules without having to restart the firewall daemon each time the rules are changed.

firewalld uses the concepts of zones and services, which simplify traffic management. Zones are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level assigned to that network. Firewall services are predefined rules that cover all the settings necessary to allow incoming traffic for a specific service, and they apply within a zone.

Services use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. firewalld blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.

Additional resources

  • firewalld(1) man page

5.5. Zones

firewalld can be used to separate networks into different zones according to the level of trust that the user has decided to place on the interfaces and traffic within that network. A connection can only be part of one zone, but a zone can be used for many network connections.

NetworkManager notifies firewalld of the zone of an interface. You can assign zones to interfaces with:

  • NetworkManager
  • firewall-config tool
  • firewall-cmd command-line tool
  • The RHEL web console

The latter three can only edit the appropriate NetworkManager configuration files. If you change the zone of the interface using the web console, firewall-cmd or firewall-config, the request is forwarded to NetworkManager and is not handled by firewalld.

The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified. The default settings of the predefined zones are as follows:

block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
dmz
For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
drop
Any incoming network packets are dropped without any notification. Only outgoing network connections are possible.
external
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
home
For use at home when you mostly trust the other computers on the network. Only selected incoming connections are accepted.
internal
For use on internal networks when you mostly trust the other computers on the network. Only selected incoming connections are accepted.
public
For use in public areas where you do not trust other computers on the network. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
work
For use at work where you mostly trust the other computers on the network. Only selected incoming connections are accepted.

One of these zones is set as the default zone. When interface connections are added to NetworkManager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone. The default zone can be changed.

Note

The network zone names have been chosen to be self-explanatory and to allow users to quickly make a reasonable decision. To avoid any security problems, review the default zone configuration and disable any unnecessary services according to your needs and risk assessments.
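To carry out the review the note asks for, the following added example (not part of the RHEL documentation) parses zone definitions in firewalld's zone XML format and reports what each zone accepts and what it is bound to. The three zone files are constructed for the demo; on a real host you would read the predefined zones from /usr/lib/firewalld/zones/ and the modified copies from /etc/firewalld/zones/.

```python
import xml.etree.ElementTree as ET

# Constructed zone files in firewalld's zone XML format (added example, not from
# the RHEL documentation). On a real host read /usr/lib/firewalld/zones/*.xml
# and the locally modified copies in /etc/firewalld/zones/*.xml instead.
SAMPLE_ZONES = {
    "public": """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
  <interface name="eth0"/>
</zone>""",
    "trusted": """<zone target="ACCEPT">
  <short>Trusted</short>
  <source address="192.168.1.0/24"/>
</zone>""",
    "drop": """<zone target="DROP">
  <short>Drop</short>
</zone>""",
}


def summarize_zone(name, xml_text):
    """Describe a zone: its target, what it lets in, and what it is bound to."""
    root = ET.fromstring(xml_text)
    # target is ACCEPT, DROP or %%REJECT%%; absent means "reject anything not listed".
    target = root.get("target", "default")
    return {
        "target": target,
        "allows_everything": target == "ACCEPT",
        "services": sorted(s.get("name") for s in root.findall("service")),
        "ports": sorted("%s/%s" % (p.get("port"), p.get("protocol"))
                        for p in root.findall("port")),
        "bound_to": sorted(i.get("name") for i in root.findall("interface"))
                    + sorted(s.get("address") for s in root.findall("source")),
    }


def audit(zones):
    """Flag zones that accept everything while bound to an interface or source,
    and custom ports opened outside a named service, for manual review."""
    findings = []
    for name, xml_text in zones.items():
        info = summarize_zone(name, xml_text)
        if info["allows_everything"] and info["bound_to"]:
            findings.append("%s: accepts all traffic from %s"
                            % (name, ", ".join(info["bound_to"])))
        for port in info["ports"]:
            findings.append("%s: custom port %s open" % (name, port))
    return findings
```

Running audit(SAMPLE_ZONES) flags the trusted zone bound to 192.168.1.0/24 and the 8080/tcp port in public, while the drop zone produces no finding.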

Additional resources

  • firewalld.zone(5) man page

5.6. Zones in the web console

Important

Firewall zones are new in RHEL 7.7.0.

The Red Hat Enterprise Linux web console implements major features of the firewalld service and enables you to:

  • Add predefined firewall zones to a particular interface or range of IP addresses
  • Configure zones by adding services to the list of enabled services
  • Disable a service by removing it from the list of enabled services
  • Remove a zone from an interface

5.7. Enabling zones using the web console

The web console enables you to apply predefined and existing firewall zones on a particular interface or a range of IP addresses. This section describes how to enable a zone on an interface.

Procedure

  1. Log in to the RHEL web console with administration privileges.

    For details, see Logging in to the web console.

  2. Click Networking.
  3. Click on the Firewall box title.

    If you do not see the Firewall box, log in to the web console with administrator privileges.

  4. In the Firewall section, click Add Services.
  5. Click on the Add Zone button.
  6. In the Add Zone dialog box, select a zone from the Trust level scale.

    All zones predefined in the firewalld service are shown here.

  7. In the Interfaces part, select the interface or interfaces to which the selected zone is applied.
  8. In the Allowed Addresses part, you can select whether the zone is applied to:

    • the whole subnet
    • or a range of IP addresses in the following format:

      • 192.168.1.0
      • 192.168.1.0/24
      • 192.168.1.0/24, 192.168.1.0
  9. Click on the Add zone button.

Verify the configuration in Active zones.

5.8. Enabling services on the firewall using the web console

By default, services are added to the default firewall zone. If you use several firewall zones on several network interfaces, you must select a zone first and then add the service with its port.

The web console displays predefined firewalld services and you can add them to active firewall zones.

Important

The web console configures the firewalld service.

The web console does not allow adding generic firewalld rules that are not listed in the web console.

Procedure

  1. Log in to the RHEL web console with administrator privileges.

    For details, see Logging in to the web console.

  2. Click Networking.
  3. Click on the Firewall box title.

    If you do not see the Firewall box, log in to the web console with administrator privileges.

  4. In the Firewall section, click Add Services.

  5. In the Add Services dialog box, select a zone for which you want to add the service.

    The Add Services dialog box includes a list of active firewall zones only if the system includes multiple active zones.

    If the system uses just one (the default) zone, the dialog does not include zone settings.

  6. In the Add Services dialog box, find the service you want to enable on the firewall.
  7. Enable the desired services.

  8. Click Add Services.

At this point, the web console displays the service in the list of Allowed Services.

5.9. Configuring custom ports using the web console

The web console allows you to add:

This section describes how to add services with custom ports configured.

Procedure

  1. Log in to the RHEL web console with administrator privileges.

    For details, see Logging in to the web console.

  2. Click Networking.
  3. Click on the Firewall box title.

    If you do not see the Firewall box, log in to the web console with administrator privileges.

  4. In the Firewall section, click Add Services.

  5. In the Add Services dialog box, select a zone for which you want to add the service.

    The Add Services dialog box includes a list of active firewall zones only if the system includes multiple active zones.

    If the system uses just one (the default) zone, the dialog does not include zone settings.

  6. In the Add Ports dialog box, click on the Custom Ports radio button.
  7. In the TCP and UDP fields, add ports according to the examples shown. You can add ports in the following formats:

    • Port numbers such as 22
    • Range of port numbers such as 5900-5910
    • Aliases such as nfs, rsync
    Note

    You can add multiple values in each field. Values must be separated by a comma without spaces, for example: 8080,8081,http

  8. After adding the port number in the TCP and/or UDP fields, verify the service name in the Name field.

    The Name field displays the name of the service for which this port is reserved. You can rewrite the name if you are sure that this port is free to use and no server needs to communicate on this port.

  9. In the Name field, add a name for the service that covers the defined ports.
  10. Click on the Add Ports button.

To verify the settings, go to the Firewall page and find the service in the list of Allowed Services.

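The following added example (not part of the RHEL documentation) validates the TCP and UDP field format described in step 7 (port numbers, port ranges and aliases separated by a comma without spaces) and makes the reserved-port check of step 8 explicit. The alias table is a constructed stand-in for the system's service name lookup so the code runs offline.

```python
import re

# Constructed stand-in for the alias lookup (a subset of /etc/services) so the
# example runs offline; it is not how the web console itself resolves aliases.
SERVICE_ALIASES = {"http": 80, "https": 443, "nfs": 2049, "rsync": 873, "ssh": 22}

_PORT = re.compile(r"^\d{1,5}$")
_RANGE = re.compile(r"^(\d{1,5})-(\d{1,5})$")


def parse_port_field(value):
    """Parse one TCP or UDP field of the Custom Ports dialog.

    Accepts port numbers (22), ranges (5900-5910) and aliases (nfs), separated
    by a comma without spaces, e.g. '8080,8081,http'. Returns a list of
    (low, high) tuples or raises ValueError on malformed input.
    """
    if value == "":
        return []
    if " " in value:
        raise ValueError("values must be separated by a comma without spaces")
    ranges = []
    for item in value.split(","):
        match = _RANGE.match(item)
        if _PORT.match(item):
            low = high = int(item)
        elif match:
            low, high = int(match.group(1)), int(match.group(2))
        elif item in SERVICE_ALIASES:
            low = high = SERVICE_ALIASES[item]
        else:
            raise ValueError("unrecognised port value: %r" % item)
        # Reject 0, anything above 65535, and reversed ranges such as 5910-5900.
        if not 1 <= low <= high <= 65535:
            raise ValueError("port out of range: %r" % item)
        ranges.append((low, high))
    return ranges


def reserved_collisions(ranges, reserved):
    """Return {port: service} for requested ports that a known service owns.

    Step 8 shows the reserved service name in the Name field; this makes the
    same check explicit so a reserved port is only reused deliberately.
    `reserved` maps port number to service name.
    """
    return {port: name for port, name in reserved.items()
            if any(low <= port <= high for low, high in ranges)}
```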

5.10. Disabling zones using the web console

This section describes how to disable a firewall zone in your firewall configuration using the web console.

Procedure

  1. Log in to the RHEL web console with administrator privileges.

    For details, see Logging in to the web console.

  2. Click Networking.
  3. Click on the Firewall box title.

    If you do not see the Firewall box, log in to the web console with administrator privileges.

  4. In the Active zones table, click the Delete icon next to the zone you want to remove.

The zone is now disabled, and the interface no longer has the services and ports that were opened in the zone.