Firewalld LAB
0 likes116 views
This document discusses configuring custom firewall zones and services using FirewallD on CentOS 8. It shows how to create a new "privatekaan" zone, add the DNS service to it, and assign network interfaces to that zone. It also demonstrates saving the runtime configuration permanently, reloading the firewall, and testing connectivity using tcpdump. The document provides examples for viewing active zones and services, setting a default zone, and allowing or blocking the SSH service as needed.
Firewalld LAB
- 1. 1 FIREWALL-CMD LAB CreatingYour OwnZones While the predefined zones will probably be more than enough for most users, it can be helpful to define your own zones that are more descriptive of their function. For instance, you might want to create a zone for your server, called “privatekaan”. When adding a zone, you must add it to the permanent firewall configuration. You can then reload to bring the configuration into your running session. For instance, we could create the two zones we discussed above by typing: sudo firewall-cmd --permanent --new-zone=privatekaan (Output Success) You can verify that these are present in your permanent configuration by typing: sudo firewall-cmd --permanent --get-zones (Output Zones | privatekaan ) As stated before, these won’t be available in the runtime firewall yet: firewall-cmd --get-zones (Output Zones without privatekaan) Reload the firewall to bring these new zones into the active runtime configuration: sudo firewall-cmd –reload firewall-cmd --get-zones
- 2. 2 We can add the DNS service to our privatekaan zone: sudo firewall-cmd --zone= privatekaan --add-service=dns sudo firewall-cmd --zone= privatekaan --list-all We could then change our interfaces over to these new zones to test them out: sudo firewall-cmd --zone=privatekaan --change-interface=ens160 At this point, you have the opportunity to test your configuration. If these values work for you, you will want to add these rules to the permanent configuration. You could do that by running all the commands again with the --permanent flag appended, but in this case we’ll use the -- runtime-to-permanent flag to save our entire runtime configuration permanently: sudo firewall-cmd --runtime-to-permanent (Output Success)
- 3. 3 After permanently applying these rules, reload the firewall to test that the changes remain: sudo firewall-cmd –reload (Output Success) Validate that the correct zones were assigned: firewall-cmd --get-active-zones (Output Success; Success) And validate that the appropriate services are available for both of the zones: sudo firewall-cmd --zone=privatekaan --list-services (Output dns) You have successfully set up your own zones! If you want to make one of these zones the default for other interfaces, remember to configure that behavior with the --set-default- zone= parameter: sudo firewall-cmd --set-default-zone=privatekaan (Output Success) TestConnection We configured “privatekaan” zone as our default active zone. And now it allows “DNS” traffic. We can analyze via “tcpdump” From F5 BIG IP Device. Wehave“10.30.30.50” SelfIP for internal network
- 4. 4 From Apache Server. WecanseetheDNStraffic coming from our F5BIGIP Syntax is tcpdump –i ens160 host 10.30.30.50 As we can see, we are able to analyze the TCP handshake between our F5 internal IP and CentOS 8 Apache Server. Note: We removed the “SSH Service” from our active zone “privatekaan” but the connection wasn’t dropped. It holds the previous sessions. If you try to reconnect again via SSH, you will not establish a successful connection.
- 5. 5 Now we will allow the SSH service. Syntax is shown below: sudo firewall-cmd –zone=privatekaan –add-service=ssh –permenant (Note: Since it is not our root user, it will ask for “sudo password”) We can see the services under our active zone on interface sudo firewall-cmd –zone=privatekaan –list-services –permenant Reload the firewall sudo firewall-cmd –reload Now we are able to connect to our Apache Server via SSH 1/18/2022 X Kaan Aslandag Signed by: www.kaan1.com