Configuring The Firewall: Guided Exercise: Managing Server Firewalls

The document discusses configuring firewalls on Linux systems. It describes three ways to interact with firewalls: editing configuration files directly, using the Web Console graphical interface, or the firewall-cmd command line tool. It provides examples of adding services and configuring zones from the command line. It also discusses a guided exercise where a student sets up a firewall on a server to allow HTTP and HTTPS traffic.

Uploaded by

pmmanick

Configuring the firewall

System administrators interact with firewalld in three ways:

- Directly edit configuration files in /etc/firewalld/ (not discussed in this chapter)
- The Web Console graphical interface
- The firewall-cmd command-line tool

Configuring Firewall Services Using the Web Console

Click the Networking option in the left navigation menu to display the Firewall section in the
main networking page. Click the Firewall link to access the allowed services list.

To add a service, click the Add Services... button in the upper right corner of the Firewall
Allowed Services page.

Configuring the Firewall from the Command Line

The example commands below set the default zone to dmz, assign all traffic coming from the
192.168.0.0/24 network to the internal zone, and open the network ports for the mysql
service on the internal zone.

[root@host ~]# firewall-cmd --set-default-zone=dmz
[root@host ~]# firewall-cmd --permanent --zone=internal \
--add-source=192.168.0.0/24
[root@host ~]# firewall-cmd --permanent --zone=internal --add-service=mysql
[root@host ~]# firewall-cmd --reload

Guided Exercise: Managing Server Firewalls

1. On the servera system, ensure that both httpd and mod_ssl packages are installed.
These packages provide the Apache web server you will protect with a firewall, and
the necessary extensions for the web server to serve content over SSL.

[student@servera ~]$ sudo yum install httpd mod_ssl
[sudo] password for student: student
...output omitted...
Is this ok [y/N]: y
...output omitted...
Complete!

2. As the student user on servera, create the /var/www/html/index.html file. Add
one line of text that reads: I am servera.

[student@servera ~]$ sudo bash -c \
"echo 'I am servera.' > /var/www/html/index.html"

3. Start and enable the httpd service on your servera system.

[student@servera ~]$ sudo systemctl enable --now httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service →
/usr/lib/systemd/system/httpd.service

4. From workstation, attempt to access your web server on servera using both the
cleartext port 80/TCP and the SSL encapsulated port 443/TCP. Both attempts should fail.
This command should fail:

[student@workstation ~]$ curl -k http://servera.lab.example.com
curl: (7) Failed to connect to servera.lab.example.com port 80: No
route to host

This command should also fail:

[student@workstation ~]$ curl -k https://servera.lab.example.com
curl: (7) Failed to connect to servera.lab.example.com port 443: No
route to host

5. Log in to servera as the student user.

[student@workstation ~]$ ssh student@servera
...output omitted...
[student@servera ~]$

On servera, make sure that the nftables service is masked and the firewalld service is
enabled and running.
Determine whether the status of the nftables service is masked.

[student@servera ~]$ sudo systemctl status nftables
[sudo] password for student: student
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled;
vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:nft(8)

The results show that nftables is disabled and inactive but not masked. Run the
following command to mask the service.

[student@servera ~]$ sudo systemctl mask nftables
Created symlink /etc/systemd/system/nftables.service → /dev/null.

Verify that the status of the nftables service is masked.

[student@servera ~]$ sudo systemctl status nftables
● nftables.service
   Loaded: masked (Reason: Unit nftables.service is masked.)
   Active: inactive (dead)

Verify that the status of the firewalld service is enabled and running.

[student@servera ~]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled;
vendor preset: enabled)
   Active: active (running) since Wed 2019-05-22 15:36:02 CDT; 5min ago
     Docs: man:firewalld(1)
 Main PID: 703 (firewalld)
    Tasks: 2 (limit: 11405)
   Memory: 29.8M
   CGroup: /system.slice/firewalld.service
           └─703 /usr/libexec/platform-python -s /usr/sbin/firewalld
--nofork --nopid

May 22 15:36:01 jegui.ilt.example.com systemd[1]: Starting firewalld -
dynamic firewall daemon...
May 22 15:36:02 jegui.ilt.example.com systemd[1]: Started firewalld -
dynamic firewall daemon.

Exit from servera.

[student@servera ~]$ exit
logout
Connection to servera closed.
[student@workstation ~]$

From workstation, open Firefox and log in to the Web Console running on servera to add
the httpd service to the public network zone.

Open Firefox and browse to https://servera.lab.example.com:9090 to
access the Web Console. Accept the self-signed certificate used by servera
by adding an exception.
Select the check box next to Reuse my password for privileged tasks to
ensure administrative privileges.
Log in as the student user with student as the password.
Click Networking in the left navigation bar.
Click the Firewall link in the main Networking page.
Click the Add Services... button located in the upper right side of the Firewall
page.
In the Add Services user interface, scroll down or use Filter Services to
locate and select the check box next to the Secure WWW (HTTPS) service.
Click the Add Services button located at the lower right side of the Add
Services user interface.

Return to a terminal on workstation and verify your work by attempting to view the
web server contents of servera.
This command should fail:

[student@workstation ~]$ curl -k http://servera.lab.example.com
curl: (7) Failed to connect to servera.lab.example.com port 80: No
route to host

This command should succeed:

[student@workstation ~]$ curl -k https://servera.lab.example.com

Managing SELinux Port Labeling

If you decide to run a service on a nonstandard port, SELinux almost certainly will block the
traffic. In this case, you must update SELinux port labels. In some cases, the targeted policy
has already labeled the port with a type that can be used; for example, since port 8008/TCP is
often used for web applications, that port is already labeled with http_port_t, the default
port type for the web server.

To get an overview of all the current port label assignments, run the semanage port -l
command. The -l option lists all current assignments in this form:

[root@host ~]# semanage port -l

To refine the search, use the grep command:

[root@host ~]# semanage port -l | grep ftp

To add a port to an existing port label (type), use the following syntax. The -a option adds a
new port label, -t denotes the type, and -p denotes the protocol.

[root@host ~]# semanage port -a -t port_label -p tcp|udp PORTNUMBER

For example, to allow a gopher service to listen on port 71/TCP:

[root@host ~]# semanage port -a -t gopher_port_t -p tcp 71

To view local changes to the default policy, administrators can add the -C option to the
semanage command.

[root@host ~]# semanage port -l -C
SELinux Port Type              Proto    Port Number

gopher_port_t                  tcp      71

Removing Port Labels

The syntax for removing a custom port label is the same as the syntax for adding a port label,
but instead of using the -a option (for Add), use the -d option (for Delete).
For example, to remove the binding of port 71/TCP to gopher_port_t:

[root@host ~]# semanage port -d -t gopher_port_t -p tcp 71

Modifying Port Bindings


To change a port binding, perhaps because requirements changed, use the -m (Modify)
option. This is a more efficient process than removing the old binding and adding a new one.
For example, to modify port 71/TCP from gopher_port_t to http_port_t, an administrator
can use the following command:

[root@server ~]# semanage port -m -t http_port_t -p tcp 71

View the modification using the semanage command.

[root@server ~]# semanage port -l -C
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      71
[root@server ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      71, 80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

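A check that goes with the -a, -d and -m commands above, added here as an example and not taken from the course: it parses the output of semanage port -l (a constructed sample is embedded so the script runs offline) and reports whether a port is still unlabeled, already carries the type you want, or is owned by another type, in which case semanage port -a is refused for an exactly defined port ("already defined") and the -m form from Modifying Port Bindings is the tool. The function names port_types and semanage_action are this example's own.

```shell
#!/bin/sh
# Added example (not from the course). Before running "semanage port -a", find
# out which SELinux port type already covers a port: the list printed by
# "semanage port -l" uses comma lists and ranges such as 10001-10010, which a
# plain "grep http" does not resolve. SEMANAGE_OUT is a constructed sample
# shaped like the course output; the function names are this example's own.
SEMANAGE_OUT='SELinux Port Type              Proto    Port Number

gopher_port_t                  tcp      70
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989'

# port_types TEXT PROTO PORT -> prints each type whose list covers PORT/PROTO
port_types() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        NR == 1 || NF < 3 { next }           # header line and blank lines
        $2 != proto      { next }
        {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)          # strip the list comma
                n  = split(item, r, "-")     # "lo-hi" range or single port
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port >= lo && port <= hi) { print $1; break }
            }
        }'
}

# semanage_action TEXT TYPE PROTO PORT -> which semanage port form applies:
#   add             nothing labels the port yet: "semanage port -a -t TYPE ..."
#   none            TYPE already covers it, nothing to do
#   conflict:OTHER  another type owns it; -a is refused for an exactly defined
#                   port ("already defined"), so rebind with -m or pick a port
semanage_action() {
    have=$(port_types "$1" "$3" "$4")
    if [ -z "$have" ]; then
        echo add
    elif printf '%s\n' "$have" | grep -qxF "$2"; then
        echo none
    else
        echo "conflict:$have"
    fi
}

semanage_action "$SEMANAGE_OUT" http_port_t tcp 82     # prints: add
semanage_action "$SEMANAGE_OUT" http_port_t tcp 8080   # prints: conflict:http_cache_port_t
```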
Guided Exercise: Controlling SELinux Port Labeling

You will configure a web server running on servera so that it successfully serves content
on a nonstandard port.

Attempt to fix the web content problem by restarting the httpd service.

1. Use the systemctl command to restart the httpd.service. This command is
expected to fail.

[root@servera ~]# systemctl restart httpd.service
Job for httpd.service failed because the control process exited with error
code.
See "systemctl status httpd.service" and "journalctl -xe" for details.

2. Use the systemctl status -l command to reveal the status of the httpd service. Note
the permission denied error.

[root@servera ~]# systemctl status -l httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor
preset: disabled)
   Active: failed (Result: exit-code) since Mon 2019-04-08 14:23:29 CEST;
3min 33s ago
     Docs: man:httpd.service(8)
  Process: 28078 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
(code=exited, status=1/FAILURE)
 Main PID: 28078 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."

Apr 08 14:23:29 servera.lab.example.com systemd[1]: Starting The Apache
HTTP Server...
Apr 08 14:23:29 servera.lab.example.com httpd[28078]: (13)Permission
denied: AH00072: make_sock: could not bind to address [::]:82
Apr 08 14:23:29 servera.lab.example.com httpd[28078]: (13)Permission
denied: AH00072: make_sock: could not bind to address 0.0.0.0:82
Apr 08 14:23:29 servera.lab.example.com httpd[28078]: no listening sockets
available, shutting down
Apr 08 14:23:29 servera.lab.example.com httpd[28078]: AH00015: Unable to
open logs
Apr 08 14:23:29 servera.lab.example.com systemd[1]: httpd.service: Main
process exited, code=exited, status=1/FAILURE
Apr 08 14:23:29 servera.lab.example.com systemd[1]: httpd.service: Failed
with result 'exit-code'.
Apr 08 14:23:29 servera.lab.example.com systemd[1]: Failed to start The
Apache HTTP Server.
Use the sealert command to check if SELinux is blocking httpd from binding to port
82/TCP.

[root@servera ~]# sudo sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port
82.

Configure SELinux to allow httpd to bind to port 82/TCP, then restart the httpd.service
service.
Use the semanage command to find an appropriate port type for port 82/TCP.

[root@servera ~]# semanage port -l | grep http
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

http_port_t contains the default HTTP ports, 80/TCP and 443/TCP. This is the
correct port type for the web server.
Use the semanage command to assign port 82/TCP the http_port_t type.

[root@servera ~]# semanage port -a -t http_port_t -p tcp 82

Use the systemctl command to restart the httpd.service service. This command
should succeed.

[root@servera ~]# systemctl restart httpd.service

Check if you can now access the web server running on port 82/TCP. Use the curl command
to access the web service from servera.

[root@servera ~]# curl http://servera.lab.example.com:82
Hello

In a different terminal window, check whether you can access the new web service from
workstation. Use the curl command to access the web service from workstation.

[student@workstation ~]$ curl http://servera.lab.example.com:82
curl: (7) Failed to connect to servera.example.com:82; No route to host

On servera, open up port 82/TCP on the firewall.

1. Use the firewall-cmd command to open port 82/TCP in the permanent configuration
for the default zone on the firewall on servera.

[root@servera ~]# firewall-cmd --permanent --add-port=82/tcp
success

2. Activate your firewall changes on servera.

[root@servera ~]# firewall-cmd --reload
success

Use the curl command to access the web service from workstation.

[student@workstation ~]$ curl http://servera.lab.example.com:82
Hello

Lab: Managing Network Security


1. From workstation, test access to the default web server at
http://serverb.lab.example.com and to the virtual host at
http://serverb.lab.example.com:1001.
Test access to the http://serverb.lab.example.com web server. The test currently
fails. Ultimately, the web server should return SERVER B.

[student@workstation ~]$ curl http://serverb.lab.example.com
curl: (7) Failed to connect to serverb.lab.example.com port 80: Connection
refused

Test access to the http://serverb.lab.example.com:1001 virtual host. The test
currently fails. Ultimately, the virtual host should return VHOST 1.

[student@workstation ~]$ curl http://serverb.lab.example.com:1001
curl: (7) Failed to connect to serverb.lab.example.com port 1001: No route
to host

2. Log in to serverb to determine what is preventing access to the web servers.

From workstation, open an SSH session to serverb as the student user. The systems
are configured to use SSH keys for authentication, so a password is not required.

[student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

Determine whether the httpd service is active.

[student@serverb ~]$ systemctl is-active httpd
inactive

Enable and start the httpd service. The httpd service fails to start.

[student@serverb ~]$ sudo systemctl enable --now httpd
[sudo] password for student: student
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service →
/usr/lib/systemd/system/httpd.service.
Job for httpd.service failed because the control process exited with error
code.
See "systemctl status httpd.service" and "journalctl -xe" for details.

Investigate the reasons why the httpd.service service failed to start.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-04-11 19:25:36 CDT; 19s ago
     Docs: man:httpd.service(8)
  Process: 9615 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 9615 (code=exited, status=1/FAILURE)
   Status: "Reading configuration..."

Apr 11 19:25:36 serverb.lab.example.com systemd[1]: Starting The Apache HTTP Server...
Apr 11 19:25:36 serverb.lab.example.com httpd[9615]: (13)Permission denied: AH00072: make_sock: could not bind to address [::]:1001
Apr 11 19:25:36 serverb.lab.example.com httpd[9615]: (13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:1001
Apr 11 19:25:36 serverb.lab.example.com httpd[9615]: no listening sockets available, shutting down

Use the sealert command to check whether SELinux is blocking the httpd service from
binding to port 1001/TCP.

[student@serverb ~]$ sudo sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port
1001.

3. Configure SELinux to allow the httpd service to listen on port 1001/TCP.

Use the semanage command to find the correct port type.

[student@serverb ~]$ sudo semanage port -l | grep 'http'
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pegasus_http_port_t            tcp      5988
pegasus_https_port_t           tcp      5989

Use the semanage command to bind port 1001/TCP to the http_port_t type.

[student@serverb ~]$ sudo semanage port -a -t http_port_t -p tcp 1001
[student@serverb ~]$

Confirm that port 1001/TCP is bound to the http_port_t port type.

[student@serverb ~]$ sudo semanage port -l | grep '^http_port_t'
http_port_t                    tcp      1001, 80, 81, 443, 488, 8008, 8009, 8443, 9000

Enable and start the httpd service.

[student@serverb ~]$ sudo systemctl enable --now httpd

Verify the running state of the httpd service.

[student@serverb ~]$ systemctl is-active httpd; systemctl is-enabled httpd
active
enabled

4. From workstation, test access to the default web server at
http://serverb.lab.example.com and to the virtual host at
http://serverb.lab.example.com:1001.

Test access to the http://serverb.lab.example.com web server. The web server
should return SERVER B.

[student@workstation ~]$ curl http://serverb.lab.example.com
SERVER B

Test access to the http://serverb.lab.example.com:1001 virtual host. The test
continues to fail.

[student@workstation ~]$ curl http://serverb.lab.example.com:1001
curl: (7) Failed to connect to serverb.lab.example.com port 1001: No route
to host

5. Log in to serverb to determine whether the correct ports are assigned to the firewall.
From workstation, log in to serverb as the student user.

[student@workstation ~]$ ssh student@serverb
...output omitted...
[student@serverb ~]$

Verify that the default firewall zone is set to public.

[student@serverb ~]$ firewall-cmd --get-default-zone
public

If the previous step did not return public as the default zone, correct it with the
following command:

[student@serverb ~]$ sudo firewall-cmd --set-default-zone public

Determine the open ports listed in the public network zone.

[student@serverb ~]$ sudo firewall-cmd --permanent --zone=public --list-all

6. Add port 1001/TCP to the permanent configuration for the public network zone. Confirm
your configuration.
Add port 1001/TCP to the public network zone.

[student@serverb ~]$ sudo firewall-cmd --permanent --zone=public \
--add-port=1001/tcp
success

Reload the firewall configuration.

[student@serverb ~]$ sudo firewall-cmd --reload
success

Confirm your configuration.

[student@serverb ~]$ sudo firewall-cmd --permanent --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 1001/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Exit from serverb.

[student@serverb ~]$ exit
logout
Connection to serverb closed.
[student@workstation ~]$

7. From workstation, confirm that the default web server at serverb.lab.example.com
returns SERVER B and the virtual host at serverb.lab.example.com:1001 returns VHOST 1.
Test access to the http://serverb.lab.example.com web server.

[student@workstation ~]$ curl http://serverb.lab.example.com
SERVER B

Test access to the http://serverb.lab.example.com:1001 virtual host.

[student@workstation ~]$ curl http://serverb.lab.example.com:1001
VHOST 1

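An added example, not course material, that goes with steps 5 and 6 of the lab: a --permanent change only takes effect after firewall-cmd --reload, and a runtime-only change is dropped by the next reload, so comparing the two views of a zone (firewall-cmd --zone=public --list-all with and without --permanent) separates a pending or unsaved firewall rule from a real connectivity fault before you start blaming routing. The two zone texts, the interface name eth0 and the function names zone_field, zone_allows and zone_diff are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the course). Compare the runtime and permanent views
# of a firewalld zone so that a rule added with --permanent but never activated
# with --reload (or added at runtime only and lost on the next reload) is found.
# Both texts are constructed samples shaped like "firewall-cmd --zone=public
# --list-all" output; the interface name eth0 is invented.
RUNTIME_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_PUBLIC='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 1001/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field TEXT NAME -> the values of one "name: ..." line, space separated
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# zone_allows TEXT ITEM -> returns 0 when ITEM (a service name such as http,
# or a port/proto such as 1001/tcp) is listed in the zone
zone_allows() {
    case "$2" in
        */*) list=$(zone_field "$1" ports) ;;
        *)   list=$(zone_field "$1" services) ;;
    esac
    for entry in $list; do
        [ "$entry" = "$2" ] && return 0
    done
    return 1
}

# zone_diff A B -> prints services and ports present in zone text A but not in
# B. zone_diff PERMANENT RUNTIME lists what still needs "firewall-cmd --reload";
# zone_diff RUNTIME PERMANENT lists what the next reload will silently drop.
zone_diff() {
    for key in services ports; do
        for entry in $(zone_field "$1" "$key"); do
            zone_allows "$2" "$entry" || echo "$key: $entry"
        done
    done
}

zone_diff "$PERMANENT_PUBLIC" "$RUNTIME_PUBLIC"   # prints: ports: 1001/tcp
```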