Open and Close Ports with FirewallD on Rocky Linux 8
In this guide, we will explore how to open and close ports with FirewallD on Rocky Linux 8. FirewallD is a dynamic firewall management tool that provides a user-friendly front end to the kernel packet filter (it manages iptables rules on older releases and, by default on Rocky Linux 8, nftables rules). It protects your system from unwanted network traffic by controlling which services and ports are reachable. Opening a port allows a specific application or service to receive incoming connections, while closing a port blocks such connections and reduces the attack surface.
To follow this guide, you’ll need a Rocky Linux 8 server and a user account with sudo privileges. If you haven’t already set this up, you can refer to a guide on initial server setup for Rocky Linux 8.
1. Check FirewallD Status on Rocky Linux 8
First, verify if the FirewallD service is running on your server. Use the following command:
sudo systemctl status firewalld
The output will indicate whether FirewallD is active or inactive. An example of an active FirewallD output:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-10-27 10:00:00 UTC; 1h ago
Docs: man:firewalld(1)
Main PID: 1234 (firewalld)
Tasks: 2 (limit: 23633)
Memory: 10.5M
CPU: 1.234s
CGroup: /system.slice/firewalld.service
└─1234 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
If FirewallD isn’t running, start and enable it with these commands:
sudo systemctl start firewalld
sudo systemctl enable firewalld
If FirewallD is not installed, use the following commands to install FirewallD:
sudo dnf update -y
sudo dnf install firewalld -y
2. List Open Ports and Services With FirewallD
Next, determine which ports and services are currently allowed through the firewall. This helps avoid conflicts and ensures you don’t accidentally block necessary traffic. Use the following command:
sudo firewall-cmd --list-all
This command displays the active zone (usually public), its allowed services, open ports, and other settings. The output will look similar to this:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
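As an added example that is not part of the original guide, the POSIX shell functions below parse the kind of --list-all output shown above and compare the open services and ports against an allowlist, which is a quick way to catch a port that was opened for a test and never closed. The sample listing is constructed to match the output above with two extra ports; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): audit `firewall-cmd --list-all`
# output against an allowlist of the services and ports you expect to be open.
# The listing below is constructed to match the guide's sample, plus two ports.

SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 1000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the value of one field (e.g. "services") from --list-all output.
# $1: field name, $2: the --list-all output
list_field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Return 0 if every space-separated entry in $2 appears in the allowlist $1;
# otherwise print each unexpected entry and return 1.
check_allowlist() {
    allowed=" $1 "
    rc=0
    for entry in $2; do
        case "$allowed" in
            *" $entry "*) ;;
            *) printf 'unexpected: %s\n' "$entry"; rc=1 ;;
        esac
    done
    return $rc
}

# Audit one zone listing: only the expected services and ports may be open.
# $1: --list-all output, $2: expected services, $3: expected ports
audit_zone() {
    status=0
    check_allowlist "$2" "$(list_field services "$1")" || status=1
    check_allowlist "$3" "$(list_field ports "$1")" || status=1
    return $status
}

# Live usage (needs firewalld); exit status 1 means something unexpected is open:
#   audit_zone "$(sudo firewall-cmd --list-all)" "ssh cockpit dhcpv6-client" "1000/tcp"
```

Run the audit from cron or a configuration check and alert on a non-zero exit status; the printed "unexpected:" lines name exactly what drifted from the allowlist.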
FirewallD comes with pre-configured services that define the ports and protocols needed for common applications. To see a list of these services, use:
sudo firewall-cmd --get-services
The output is a space-separated list of service names such as ssh, http, https, and cockpit. These names can be used to open or close the corresponding ports without remembering the port numbers:
RH-Satellite-6 RH-Satellite-6-capsule RH-Satellite-6-proxy amanda-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon ceph-osd cockpit condor-collector condor-master condor-startd ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch etcd-client etcd-server finger ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipps iscsi-target kadmin kerberos kibana ldap ldaps libvirt libvirt-tls managesieve mariadb mdns memcache mongodb mosh mountd ms-wbt-server ms-wins mysql nfs nfs3 nrpe ntp openvpn ovirt ovirt-imageio ovirt-maint ovirt-node ovirt-storageconsole plex pmcd pmproxy pop3 pop3s postgresql prometheus proxy-bacula ptp pulseaudio radvd rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtps snmp snmptrap spideroak-lansync squid ssh steamcmd svn syncthing syncthing-disco telnet tftp tftp-client tileproxy tinc tor-socks transmission-client vdsm vnc wbem-https xmpp-bosh xmpp-client xmpp-server
List Zones with FirewallD
FirewallD uses zones to manage different levels of trust for network connections. Each zone has its own set of rules. To see a list of available zones, use:
sudo firewall-cmd --get-zones
The output lists the available zones:
block dmz drop external home internal nm-shared public trusted work
The public zone is typically used for interfaces facing external or untrusted networks.
3. How to Open a Port or Service on Rocky Linux 8?
To open a port or service, you’ll typically use the public zone. Remember that changes made without the --permanent option take effect immediately but are lost after a reboot, while changes made with --permanent survive reboots but only take effect after a reload.
- To open a service, run:
sudo firewall-cmd --zone=public --permanent --add-service=<service-name>
For example, to allow HTTP traffic (port 80):
sudo firewall-cmd --zone=public --permanent --add-service=http
- To open a particular port, run:
sudo firewall-cmd --zone=public --permanent --add-port=<port-number>/<protocol>
For example, to open port 1000 for TCP traffic:
sudo firewall-cmd --zone=public --permanent --add-port=1000/tcp
After making changes, reload FirewallD to apply them:
sudo firewall-cmd --reload
4. How to Close a Port or Service on Rocky Linux 8?
Closing a port or service is similar to opening one, but you use the --remove option instead of --add.
- To block a service, run:
sudo firewall-cmd --zone=public --permanent --remove-service=<service-name>
- To block a particular port, run:
sudo firewall-cmd --zone=public --permanent --remove-port=<port-number>/<protocol>
Remember to reload FirewallD after your changes, and confirm the result with the --list-all command from step 2:
sudo firewall-cmd --reload
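The open and close procedures in steps 3 and 4 are the same command with --add or --remove swapped, so they are worth wrapping in a small shell helper. The functions below, an added example and not part of the original guide, validate a port/protocol spec before it reaches firewall-cmd (a typo such as 80 without a protocol, or 80/icmp, is rejected up front), apply the change with --permanent, and reload so the runtime configuration matches. The function names and the FW_DRY_RUN and FW_ZONE variables are assumptions; with FW_DRY_RUN=1 the helper prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original guide): a wrapper around firewall-cmd
# that validates input and applies a permanent change plus a reload.
# FW_ZONE defaults to "public", as in the guide; FW_DRY_RUN=1 prints the
# commands instead of executing them.

FW_ZONE="${FW_ZONE:-public}"

# Validate "<port>/<protocol>": port 1-65535, protocol tcp/udp/sctp/dccp.
validate_port_spec() {
    port="${1%/*}"
    proto="${1#*/}"
    case "$1" in */*/*|*/|/*) return 1 ;; esac       # exactly one slash
    case "$port" in ''|*[!0-9]*) return 1 ;; esac    # numeric port only
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# Build the firewall-cmd command line for a permanent change.
# $1: add|remove, $2: port|service, $3: the port spec or service name
fw_cmd() {
    printf 'firewall-cmd --zone=%s --permanent --%s-%s=%s' "$FW_ZONE" "$1" "$2" "$3"
}

# Run a command line, or print it when FW_DRY_RUN=1.
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        # shellcheck disable=SC2086  (word splitting is intended: $* is a command line)
        sudo $*
    fi
}

# Open (add) or close (remove) a port: validate, apply permanently, reload.
# $1: add|remove, $2: port/protocol
fw_port() {
    validate_port_spec "$2" || { printf 'invalid port spec: %s\n' "$2" >&2; return 2; }
    fw_run "$(fw_cmd "$1" port "$2")" && fw_run firewall-cmd --reload
}

# Open or close a named service from `firewall-cmd --get-services`.
# $1: add|remove, $2: service name
fw_service() {
    case "$2" in ''|*[!A-Za-z0-9_-]*) printf 'invalid service name: %s\n' "$2" >&2; return 2 ;; esac
    fw_run "$(fw_cmd "$1" service "$2")" && fw_run firewall-cmd --reload
}

# Usage:   fw_port add 1000/tcp        fw_service remove telnet
# Dry run: FW_DRY_RUN=1 fw_port add 1000/tcp
```

The validation deliberately accepts only the four protocols firewalld ports support; anything else is refused before sudo is invoked, so a malformed argument can never be passed through to the firewall.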
For more detailed information, consult the FirewallD documentation.
Conclusion
You now know how to open and close ports with FirewallD on Rocky Linux 8. Managing ports with FirewallD is a crucial aspect of securing your Rocky Linux 8 server. By carefully controlling which ports are open, you can minimize the risk of unauthorized access and protect your system from potential threats.
Alternative Solutions to Managing Firewall Rules
While FirewallD provides a convenient and user-friendly way to manage firewall rules, other options exist, including using iptables or nftables directly. Here are two alternatives:
1. Using Iptables Directly
Iptables is the traditional command-line firewall utility in Linux. Although FirewallD provides an abstraction layer over iptables, you can still use iptables directly for more granular control. Note that using iptables directly might conflict with FirewallD, so it’s generally recommended to choose one method and stick with it. To use Iptables, you need to stop and disable firewalld.
-
- Explanation: Iptables works by examining network packets and comparing them against a set of rules. If a packet matches a rule, the specified action (e.g., ACCEPT, DROP, REJECT) is taken. Iptables rules are organized into tables (e.g., filter, nat, mangle), each containing chains (e.g., INPUT, OUTPUT, FORWARD).
- Example: To open port 80 (HTTP) for incoming traffic using iptables, you would use the following commands:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
To save the iptables rules so they persist after a reboot, you need a tool built on iptables-save and iptables-restore. On Rocky Linux this is the iptables-services package (iptables-persistent is the Debian/Ubuntu equivalent):
sudo apt install iptables-persistent   # For Debian/Ubuntu
sudo yum install iptables-services     # For CentOS/RHEL/Rocky Linux
sudo service iptables save
To close port 80, you would delete the corresponding rules:
sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -D OUTPUT -p tcp --sport 80 -j ACCEPT
The main disadvantage of Iptables is its complexity and steep learning curve. FirewallD simplifies this by providing named services and zones, making rule management easier.
2. Using Nftables
Nftables is the successor to iptables, offering improved performance, simpler syntax, and better flexibility. It provides a unified framework for packet filtering, network address translation (NAT), and other packet manipulation tasks.
- Explanation: Nftables uses the same concepts of tables, chains, and rules as iptables, but with a more modern and extensible architecture and a more concise, readable syntax for defining firewall rules.
- Example: To open port 80 (HTTP) for incoming traffic using nftables, you would use the following commands (the semicolons are escaped so the shell passes them through to nft):
sudo nft add table filter
sudo nft add chain filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add rule filter input tcp dport 80 accept
These commands create a table named filter, an input chain within that table, and a rule that accepts TCP traffic on port 80. Because the chain policy is drop, everything not explicitly accepted is dropped, including SSH and the replies to the server’s own outbound connections, so on a real server add rules for those before applying such a chain. To make these rules persistent across reboots, save the nftables configuration and load it at startup:
sudo nft list ruleset | sudo tee /etc/nftables.conf
and then create a systemd service to load it on boot. (On Rocky Linux 8 the nftables package already ships nftables.service, which loads /etc/sysconfig/nftables.conf when the service is enabled.)
To close port 80, delete the rule. nft removes rules by handle rather than by their text, so first list the chain with handles, then delete the matching handle:
sudo nft -a list chain filter input
sudo nft delete rule filter input handle <handle>
Nftables offers a more efficient and flexible alternative to iptables, but it requires a good understanding of its syntax and concepts. It’s particularly useful for complex firewall configurations.
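Because nft deletes rules by handle, closing a port means reading the handle out of the chain listing first. The shell functions below, an added example that is not part of the original guide, parse the format that `nft -a list chain` prints (constructed sample embedded) and delete every rule whose text matches, so that "close port 80" becomes a single call. The function names and the NFT_LISTING and NFT_DRY_RUN variables are assumptions used for offline testing.

```shell
#!/bin/sh
# Added example (not from the original guide): locate nftables rule handles
# from `nft -a list chain ip <table> <chain>` output and delete by handle.
# The listing below is constructed in the format that nft -a prints.

SAMPLE_CHAIN='table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept # handle 2
        tcp dport 22 accept # handle 3
        tcp dport 80 accept # handle 4
    }
}'

# Print the handle of every rule whose text is exactly $1 in listing $2.
rule_handles() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1 # handle \([0-9][0-9]*\)\$/\1/p"
}

# Delete all rules in chain $1/$2 (ip family) whose text matches $3.
# NFT_LISTING, if set, replaces the live `nft -a list chain` call (for tests);
# NFT_DRY_RUN=1 prints the delete commands instead of running them.
delete_rules_matching() {
    table="$1"; chain="$2"; pattern="$3"
    if [ -n "${NFT_LISTING:-}" ]; then
        listing="$NFT_LISTING"
    else
        listing="$(sudo nft -a list chain ip "$table" "$chain")"
    fi
    handles="$(rule_handles "$pattern" "$listing")"
    [ -n "$handles" ] || { printf 'no rule matching: %s\n' "$pattern" >&2; return 1; }
    # Handles are stable identifiers, so deleting one does not renumber the rest.
    for h in $handles; do
        if [ "${NFT_DRY_RUN:-0}" = 1 ]; then
            printf 'nft delete rule ip %s %s handle %s\n' "$table" "$chain" "$h"
        else
            sudo nft delete rule ip "$table" "$chain" handle "$h"
        fi
    done
}

# Live usage (needs nftables): delete_rules_matching filter input 'tcp dport 80 accept'
```

Matching on the exact rule text rather than a substring avoids deleting a neighbouring rule such as tcp dport 8080 accept; if no rule matches, the function returns 1 and deletes nothing.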
By understanding how to open and close ports with FirewallD on Rocky Linux 8, and exploring alternatives like iptables and nftables, you can choose the firewall management approach that best suits your needs and expertise.
FAQs
How do I permanently open a port with FirewallD?
You can use this command: firewall-cmd --permanent --add-port=PORT/protocol, followed by firewall-cmd --reload so the change also applies to the running configuration.
What’s the difference between temporary and permanent rules in FirewallD?
Temporary rules are lost after a reboot, while permanent rules stay active across reboots.
Can I open a port for a specific zone only in FirewallD?
Yes. Specify the zone with --zone=ZONE in your command. For example: firewall-cmd --zone=public --add-port=PORT/protocol