FirewallD
Introduction
FirewallD is the default firewall manager on SUSE Linux Enterprise Server (SLES) 15, offering a dynamic and powerful solution to protect your servers. With its zone-based approach, FirewallD allows you to define trust levels for different networks and interfaces, controlling inbound and outbound traffic granularly. This comprehensive guide will show you how to configure FirewallD to allow specific traffic (by port or service), manage zones, and ensure your applications function correctly while maintaining the security of your SLES 15 environment.
Highlights
- Step-by-step guide: Learn how to configure FirewallD from verifying its status to creating rules and managing zones.
- Granular control: Master the concept of zones and learn how to bind interfaces to specific zones.
- Security and flexibility: Allow necessary traffic for your applications without compromising server security.
- Practical examples: See command examples with expected outputs for easy learning.
- Troubleshooting: Solve common problems with helpful tips.
- Focus on SLES 15: A guide specifically for SUSE Linux Enterprise Server 15.
Environment
- SUSE Linux Enterprise Server (SLES) 15.
- Root access or a user with sudo privileges.
- Basic knowledge of the Linux command line.
Prerequisites
- Identify the port or service you need to allow (e.g., port 8080 for a web application, or the HTTP/HTTPS service).
Step 1: Check FirewallD Status
Before configuring, verify that FirewallD is active:
sudo systemctl status firewalld
Expected Output (if FirewallD is active):
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-10-26 10:00:00 UTC; 1h ago
     Docs: man:firewalld(1)
 Main PID: 1234 (firewalld)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/firewalld.service
           └─1234 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
If it's inactive, start it:
sudo systemctl start firewalld
And enable it to start automatically:
sudo systemctl enable firewalld
Step 2: Managing Zones in FirewallD
2.1 Identify the Active Zone and Bound Interface
Find out which zone is active and which interface is bound to it:
sudo firewall-cmd --get-active-zones
Expected Output (example):
public
  interfaces: eth0
2.2 List All Available Zones
View all available zones:
sudo firewall-cmd --get-zones
Expected Output (example):
block dmz drop external home internal my_zone public trusted work
2.3 Get Information About a Specific Zone
Get details about a zone (example: public):
sudo firewall-cmd --zone=public --list-all
Expected Output (example):
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh mdns dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
2.4 Create a New Zone
Create a custom zone (example: my_zone):
sudo firewall-cmd --new-zone=my_zone --permanent
Expected Output:
success
2.5 Check Which Zone an Interface is Bound To
Check the zone of an interface (example: eth0):
sudo firewall-cmd --get-zone-of-interface=eth0
Expected Output (example):
public
Get the default zone:
sudo firewall-cmd --get-default-zone
Expected Output (example):
public
2.6 Activate a Zone for an Interface
Assign an interface to a zone (example: eth0 to my_zone):
sudo firewall-cmd --zone=my_zone --change-interface=eth0 --permanent
Expected Output:
success
2.7 Multiple Zones for the Same Interface?
No, an interface can only be bound to a single active zone at a time.
Step 3: Allow Traffic by Port
Allow traffic on a specific port (example: port 8080, public zone):
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
Expected Output:
success
Step 4: Allow Traffic by Service
Allow a known service (example: HTTP, public zone):
sudo firewall-cmd --zone=public --add-service=http --permanent
Expected Output:
success
List known services:
sudo firewall-cmd --get-services
Expected Output (example):
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssh steam-streaming stun syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
Step 5: Reload FirewallD
Reload FirewallD to apply changes:
sudo firewall-cmd --reload
Expected Output:
success
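The procedure in Steps 2.4, 2.6, 3, 4 and 5 collapsed into one idempotent script, as an added example that is not part of the original article: it validates the zone name and the port specification before touching the firewall, creates the zone only if it is missing, binds the interface, adds the port or service to the permanent configuration, reloads, and then queries the runtime configuration so that a rule which did not take effect makes the script exit non-zero. The script name allow_traffic.sh and its three positional arguments are assumptions; the firewall-cmd options used are the ones shown in the steps above plus --query-port, --query-service and the --permanent form of --get-zones.

```shell
#!/bin/sh
# Added example (not from the original article): apply the article's
# Steps 2.4, 2.6, 3, 4 and 5 in one go, with input validation.
# Usage (as root): sh allow_traffic.sh ZONE IFACE RULE
#   RULE is a port spec such as 8080/tcp or 5000-5100/udp, or a service name.
set -eu

# Validate a firewalld port spec: a port or port range, followed by /tcp or /udp.
# Returns 0 when valid, 1 otherwise.
valid_port_spec() {
    spec=$1
    case $spec in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    ports=${spec%/*}          # strip the protocol
    lo=${ports%-*}            # first port (or the only port)
    hi=${ports#*-}            # last port (same as lo when not a range)
    for p in "$lo" "$hi"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# Conservative zone-name rule used by this example: letters, digits,
# underscore and hyphen only (the zone name also becomes a file name under
# /etc/firewalld/zones, so anything else is rejected here).
valid_zone_name() {
    case $1 in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# Decide which firewall-cmd option family a rule needs: "port" for a
# valid port spec, "service" for a plain name. Anything containing a "/"
# that is not a valid port spec is an error, so a typo such as 99999/tcp
# is never passed on as a service name.
rule_kind() {
    case $1 in
        */*) valid_port_spec "$1" || return 1; echo port ;;
        '')  return 1 ;;
        *)   echo service ;;
    esac
}

# Run firewall-cmd, echoing the command first so the change is logged.
fw() {
    echo "+ firewall-cmd $*" >&2
    firewall-cmd "$@"
}

# Ensure ZONE exists, bind IFACE to it, allow RULE, reload, then verify.
apply_rule() {
    zone=$1 iface=$2 rule=$3
    valid_zone_name "$zone" || { echo "bad zone name: $zone" >&2; return 2; }
    kind=$(rule_kind "$rule") || { echo "bad rule: $rule" >&2; return 2; }

    # 2.4: create the zone only if it is absent from the permanent config
    if ! fw --permanent --get-zones | tr ' ' '\n' | grep -qxF -- "$zone"; then
        fw --permanent --new-zone="$zone"
    fi
    # 2.6: bind the interface to the zone (permanent config)
    fw --permanent --zone="$zone" --change-interface="$iface"
    # 3 / 4: allow the port or service in the zone (permanent config)
    fw --permanent --zone="$zone" --add-"$kind"="$rule"
    # 5: reload so the runtime configuration matches the permanent one
    fw --reload
    # 6: confirm at runtime; --query-* exits non-zero when the rule is absent
    fw --zone="$zone" --query-"$kind"="$rule"
}

# Only act when called with the three arguments; sourcing the file for its
# functions does nothing.
if [ $# -eq 3 ]; then
    apply_rule "$@"
fi
```

Run it as root, for example sh allow_traffic.sh my_zone eth0 8080/tcp. Everything before --reload only edits the permanent configuration under /etc/firewalld, so a rejected argument leaves the running firewall untouched, and the final --query-* call is the check Step 6 performs by hand. On hosts where NetworkManager rather than wicked manages the interface, set the zone on the connection profile instead, because NetworkManager reapplies its own zone binding for the interface.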
Step 6: Verify Applied Rules
Verify the rules for the active zone (example: public):
sudo firewall-cmd --zone=public --list-all
Expected Output (example, after Steps 3 to 5 in the public zone):
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh mdns dhcpv6-client http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Troubleshooting Tips
- Application inaccessible: Check if the application is listening on the correct port, if there are other firewalls blocking traffic, and if the correct zone is active.
- "UNKNOWN_ZONE" error: Check the zone name with firewall-cmd --get-active-zones.
- Rule not applied: Use sudo firewall-cmd --zone=<your_zone> --list-all to confirm.
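The "Rule not applied" case above almost always means a --permanent change that has not been reloaded yet. The following added example, which is not part of the original article, parses the --list-all output format shown in Steps 2.3 and 6 and reports every service or port that is present in the permanent configuration but missing from the runtime one. The two listings embedded in the script are constructed sample output, not captured from a real host; the function names (zone_field, has_entry, pending, check_zone) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): detect permanent rules that
# are not active yet by comparing two `firewall-cmd --list-all` listings.
set -eu

# Constructed sample output. Runtime still lacks the new rules ...
RUNTIME_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh mdns dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# ... while the permanent configuration already has them.
PERMANENT_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh mdns dhcpv6-client http
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field LISTING FIELD: print the space-separated values of FIELD.
# The anchor after leading whitespace means "ports:" does not match
# "forward-ports:" or "source-ports:".
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# has_entry LISTING FIELD VALUE: succeed if VALUE is listed under FIELD.
has_entry() {
    zone_field "$1" "$2" | tr ' ' '\n' | grep -qxF -- "$3"
}

# pending RUNTIME PERMANENT FIELD: print entries of FIELD that exist in the
# permanent listing but not in the runtime one (waiting for --reload).
pending() {
    for v in $(zone_field "$2" "$3"); do
        has_entry "$1" "$3" "$v" || printf '%s\n' "$v"
    done
}

# check_zone ZONE: on a real host, fetch both listings and return 1 with a
# message if anything is still pending. Requires firewalld and root.
check_zone() {
    rt=$(firewall-cmd --zone="$1" --list-all)
    pm=$(firewall-cmd --permanent --zone="$1" --list-all)
    out=$(pending "$rt" "$pm" services; pending "$rt" "$pm" ports)
    if [ -n "$out" ]; then
        echo "permanent but not active in zone $1 (run firewall-cmd --reload):" >&2
        echo "$out" >&2
        return 1
    fi
}

# Demonstration on the constructed listings: prints http and 8080/tcp.
pending "$RUNTIME_LISTING" "$PERMANENT_LISTING" services
pending "$RUNTIME_LISTING" "$PERMANENT_LISTING" ports
```

On a live system call check_zone public after making changes; an empty result means runtime and permanent configuration agree, and a non-empty one points at the exact services or ports that Step 5 (reload) has not yet activated.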
Conclusion
With this guide, you've learned how to configure FirewallD on SLES 15 to allow specific traffic, manage zones, and ensure your server's security. FirewallD is a powerful tool, and mastering its basic concepts is essential for effectively administering SLES 15 systems.