From 27fcfb052d5d183d7465b6dc99c35e8f6acf11f5 Mon Sep 17 00:00:00 2001 From: Peter Boy Date: Aug 23 2023 09:24:54 +0000 Subject: Added metadata, moved partials into text body, performed a review. --- diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index ac2d45e..ed028d9 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -32,6 +32,7 @@ ** xref:fonts.adoc[Adding new fonts] ** xref:packagekit-not-found.adoc[PackageKit Items Not Found] ** xref:securing-the-system-by-keeping-it-up-to-date.adoc[Securing the system by keeping it up-to-date] +** xref:switching-desktop-environments.adoc[Switching desktop environments] ** xref:autoupdates.adoc[AutoUpdates] ** xref:dnf-vs-apt.adoc[APT command equivalents on Fedora with DNF] ** xref:installing-java.adoc[Installing Java] @@ -45,9 +46,10 @@ * Usage and customisation ** xref:changing-hostname.adoc[Changing Hostname] -** xref:switching-desktop-environments.adoc[Switching desktop environments] ** xref:configuring-x-window-system-using-the-xorg-conf-file.adoc[Configuring X Window System using the xorg.conf file] ** xref:configuring-xorg-as-default-gnome-session.adoc[Configuring Xorg as the default GNOME session] +** xref:firewalld.adoc[Control of System Accessibility by firewalld] + ** xref:gnome-shell-extensions.adoc[Using GNOME Shell extensions] ** xref:wine.adoc[Running Windows applications with Wine] ** xref:create-gpg-keys.adoc[Creating GPG Keys] 
@@ -64,7 +66,6 @@ ** xref:performing-administration-tasks-using-sudo.adoc[Performing administration tasks using sudo] ** xref:understanding-and-administering-systemd.adoc[Understanding and administering systemd] ** xref:displaying_user_prompt_on_gnome_login_screen.adoc[Displaying a user prompt on the GNOME login screen] -** xref:firewalld.adoc[Controlling network traffic with firewalld] ** xref:managing-keyboard-shortcuts-for-running-app-in-gnome.adoc[Managing keyboard shortcuts for running an application in GNOME] ** xref:creating-a-disk-partition-in-linux.adoc[Creating disk partitions] ** xref:reset-root-password.adoc[Resetting a root password] diff --git a/modules/ROOT/pages/_partials/2delete-con_controlling_ports_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-con_controlling_ports_firewalld.adoc new file mode 100644 index 0000000..9d9c009 --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-con_controlling_ports_firewalld.adoc @@ -0,0 +1,13 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + + +[id='controlling-ports-firewalld-fedora'] + += Controlling ports using firewalld + +== What are ports? +Ports are logical devices that enable an operating system to receive and distinguish network traffic and forward it accordingly to system services. These are usually represented by a daemon that listens on the port, that is it waits for any traffic coming to this port. + +Normally, system services listen on standard ports that are reserved for them. The httpd daemon, for example, listens on port 80. However, system administrators may configure daemons to listen on different ports to enhance security. diff --git a/modules/ROOT/pages/_partials/2delete-con_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-con_firewalld.adoc new file mode 100644 index 0000000..43faa31 --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-con_firewalld.adoc 
@@ -0,0 +1,22 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + +[id='concept-firewalld-fedora'] += Using firewalld + +== What is firewalld? + +A _firewall_ is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of _firewall rules_. These rules are used to sort the incoming traffic and either block it or allow through. + +`firewalld` is a firewall service daemon that provides a dynamic customizable host-based firewall with a `D-Bus` interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed. + +`firewalld` uses the concepts of _zones_ and _services_, that simplify the traffic management. + +`_Zones_` are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone. + +`_Services_` use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. `firewalld` blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default. + +.Additional resources + +For more information about using firewalld and configuring zones and services, see link:https://firewalld.org/documentation/[firewalld documentation] or link:https://fedoraproject.org/wiki/Firewalld[Fedora wiki:firewalld] diff --git a/modules/ROOT/pages/_partials/2delete-con_runtime_and_permanent_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-con_runtime_and_permanent_firewalld.adoc new file mode 100644 index 0000000..8862a6c 
--- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-con_runtime_and_permanent_firewalld.adoc @@ -0,0 +1,15 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + +[id='concept-runtime-and-permanent-firewalld-fedora'] + += Runtime and permanent settings + +Any changes made while firewalld is running will be lost when firewalld is restarted. When firewalld is restarted, the settings revert to their permanent values. + +These changes are said to be made in _runtime mode_. + +To make the changes persistent across reboots, apply them again using the `--permanent` option. Alternatively, to make changes persistent while firewalld is running, use the `--runtime-to-permanent _firewall-cmd_` option. + +If you make changes while firewalld is running using only the `--permanent` option, they do not become effective until firewalld is restarted. However, restarting firewalld briefly stops the networking traffic, causing disruption to your system. diff --git a/modules/ROOT/pages/_partials/2delete-proc_changing_runtime_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_changing_runtime_firewalld.adoc new file mode 100644 index 0000000..52eb6b5 --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_changing_runtime_firewalld.adoc 
@@ -0,0 +1,50 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + +[id='changing_runtime_firewalld_fedora'] + += Changing settings in runtime and permanent configuration using CLI + +Using the CLI, you can only modify either runtime or permanent mode. To modify the firewall settings in permanent mode, use the `--permanent` option with the `firewall-cmd` command. + +---- +$ sudo firewall-cmd --permanent +---- + +Without this option, the command modifies runtime mode. +To change settings in both modes, you can use two methods: + +* Change runtime settings and then make them permanent as follows: + +. Change the runtime settings: ++ +`firewall-cmd ` ++ +. Use `--runtime-to-permanent` to make the changes permanent. ++ +`firewall-cmd --runtime-to-permanent` + +* Set permanent settings and reload the settings into runtime mode: + +. Make the changes in permanent mode: ++ +`firewall-cmd --permanent ` ++ +. Reload the settings: ++ +`firewall-cmd --reload` + +The first method allows you to test the settings before you apply them to permanent mode. + +[NOTE] +==== +It is possible that an incorrect setting will result in a user locking themselves out of a machine. To prevent this, use the `--timeout` option. Using this option means that after a specified amount of time, any change reverts to its previous state. +You can not use the `--permanent` option with the `--timeout` option. + +For example, to add the SSH service for 15 minutes use this command: +---- +$ sudo firewall-cmd --add-service=ssh --timeout 15m +---- +The SSH service will be available until access is removed after 15 minutes. +==== diff --git a/modules/ROOT/pages/_partials/2delete-proc_checking_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_checking_firewalld.adoc new file mode 100644 index 0000000..a31d331 --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_checking_firewalld.adoc 
@@ -0,0 +1,130 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + +// Base the file name and the ID on the module title. For example: +// * file name: doing-procedure-a.adoc +// * ID: [id='doing-procedure-a'] +// * Title: = Doing procedure A + +// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. +[id=checking-firewalld-fedora] +// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. += Checking the firewalld status + +== Viewing the current status of `firewalld` + +The firewall service, `firewalld`, is installed on the system by default. Use the `firewalld` CLI interface to check that the service is running. + +To see the status of the service: + +---- +$ sudo firewall-cmd --state +---- + +For more information about the service status, use the [command]`systemctl status` sub-command: + +---- +$ sudo systemctl status firewalld +firewalld.service - firewalld - dynamic firewall daemon + Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr + Active: active (running) since Mon 2017-12-18 16:05:15 CET; 50min ago + Docs: man:firewalld(1) + Main PID: 705 (firewalld) + Tasks: 2 (limit: 4915) + CGroup: /system.slice/firewalld.service + └─705 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid +---- + +Furthermore, it is important to know how `firewalld` is set up and which rules are in force before you try to edit the settings. 
To display the firewall settings, see <> + +[[sec-Viewing_Current_firewalld_Settings]] +== Viewing current firewalld settings + +[[sec-Viewing_Allowed_Services_Using_GUI]] +=== Viewing allowed services using GUI + +To view the list of services using the graphical [application]*firewall-config* tool, press the kbd:[Super] key to enter the Activities Overview, type [command]`firewall`, and press kbd:[Enter]. The [application]*firewall-config* tool appears. You can now view the list of services under the `Services` tab. + +Alternatively, to start the graphical firewall configuration tool using the command-line, enter the following command: + +[subs="quotes, macros"] +---- +$ [command]`firewall-config` +---- + +The `Firewall Configuration` window opens. Note that this command can be run as a normal user, but you are prompted for an administrator password occasionally. +//// +[[exam-firewall_config_services]] +.The Services tab in firewall-config + +image::images/firewall-config-services.png[A screenshot of the firewall configuration tool - the Services tab] +//// +[[sec-Viewing_firewalld_Settings_Using_CLI]] +=== Viewing firewalld settings using CLI + +With the CLI client, it is possible to get different views of the current firewall settings. The [option]`--list-all` option shows a complete overview of the `firewalld` settings. + +`firewalld` uses zones to manage the traffic. If a zone is not specified by the [option]`--zone` option, the command is effective in the default zone assigned to the active network interface and connection. 
+ +To list all the relevant information for the default zone: + +---- +$ firewall-cmd --list-all +public + target: default + icmp-block-inversion: no + interfaces: + sources: + services: ssh dhcpv6-client + ports: + protocols: + masquerade: no + forward-ports: + source-ports: + icmp-blocks: + rich rules: +---- + +[NOTE] +==== +To specify the zone for which to display the settings, add the [option]`--zone=pass:attributes[{blank}]_zone-name_pass:attributes[{blank}]` argument to the [command]`firewall-cmd --list-all` command, for example: +---- +~]# firewall-cmd --list-all --zone=home +home + target: default + icmp-block-inversion: no + interfaces: + sources: + services: ssh mdns samba-client dhcpv6-client +... [output truncated] + +---- +==== + +To see the settings for particular information, such as services or ports, use a specific option. See the `firewalld` manual pages or get a list of the options using the command help: + +---- +$ firewall-cmd --help + +Usage: firewall-cmd [OPTIONS...] + +General Options + -h, --help Prints a short help text and exists + -V, --version Print the version string of firewalld + -q, --quiet Do not print status messages + +Status Options + --state Return and print firewalld state + --reload Reload firewall and keep state information +... [output truncated] +---- + +For example, to see which services are allowed in the current zone: + +---- +$ firewall-cmd --list-services +samba-client ssh dhcpv6-client +---- + +Listing the settings for a certain subpart using the CLI tool can sometimes be difficult to interpret. For example, you allow the `SSH` service and `firewalld` opens the necessary port (22) for the service. Later, if you list the allowed services, the list shows the `SSH` service, but if you list open ports, it does not show any. Therefore, it is recommended to use the [option]`--list-all` option to make sure you receive a complete information. 
diff --git a/modules/ROOT/pages/_partials/2delete-proc_closing_ports_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_closing_ports_firewalld.adoc new file mode 100644 index 0000000..6953b95 --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_closing_ports_firewalld.adoc @@ -0,0 +1,42 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + +// Base the file name and the ID on the module title. For example: +// * file name: doing-procedure-a.adoc +// * ID: [id='doing-procedure-a'] +// * Title: = Doing procedure A + +// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. +[id=closing-ports-firewalld-fedora] +// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. += Closing a port + +When an open port is no longer needed, close that port in firewalld. It is highly recommended to close all unnecessary ports as soon as they are not used because leaving a port open represents a security risk. + +.Closing a port using the command line + +To close a port, remove it from the list of allowed ports: + +. List all allowed ports: ++ +---- +$ firewall-cmd --list-ports +---- ++ +[WARNING] +==== +This command will only give you a list of ports that have been opened as ports. You will not be able to see any open ports that have been opened as a service. Therefore, you should consider using the --list-all option instead of --list-ports. +==== ++ +. Remove the port from the allowed ports to close it for the incoming traffic: ++ +---- +$ sudo firewall-cmd --remove-port=port-number/port-type +---- ++ +. Make the new settings persistent: ++ +---- +$ sudo firewall-cmd --runtime-to-permanent +---- 
diff --git a/modules/ROOT/pages/_partials/2delete-proc_configuring_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_configuring_firewalld.adoc new file mode 100644 index 0000000..ceec17d --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_configuring_firewalld.adoc @@ -0,0 +1,43 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + +[id='configuring_firewalld_fedora'] + += Modifying Settings in runtime and permanent configuration using CLI + +Using the CLI, you do not modify the firewall settings in both modes at the same time. You only modify either runtime or permanent mode. To modify the firewall settings in the permanent mode, use the --permanent option with the firewall-cmd command. + +---- +$ sudo firewall-cmd --permanent +---- + +Without this option, the command modifies runtime mode. +To change settings in both modes, you can use two methods: + +Change runtime settings and then make them permanent as follows: +---- +$ sudo firewall-cmd +$ sudo firewall-cmd --runtime-to-permanent +---- + +Set permanent settings and reload the settings into runtime mode: + +---- +$ sudo firewall-cmd --permanent +$ sudo firewall-cmd --reload +---- + +The first method allows you to test the settings before you apply them to the permanent mode. + +[Note] +==== + +It is possible, especially on remote systems, that an incorrect setting results in a user locking themselves out of a machine. To prevent such situations, use the `--timeout` option. After a specified amount of time, any change reverts to its previous state. Using this options excludes the --permanent option. +For example, to add the SSH service for 15 minutes: + +---- +$ sudo firewall-cmd --add-service=ssh --timeout 15m +---- + +==== diff --git a/modules/ROOT/pages/_partials/2delete-proc_enabling_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_enabling_firewalld.adoc new file mode 100644 index 0000000..1f8c56a --- /dev/null 
+++ b/modules/ROOT/pages/_partials/2delete-proc_enabling_firewalld.adoc 
@@ -0,0 +1,81 @@ +// Module included in the following assemblies: +// +// + +// Base the file name and the ID on the module title. For example: +// * file name: doing-procedure-a.adoc +// * ID: [id='doing-procedure-a'] +// * Title: = Doing procedure A + +// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. +[id='doing-one-procedure_{context}'] +// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. += Doing one procedure +// Start the title of a procedure module with a verb, such as Creating or Create. See also _Wording of headings_ in _The IBM Style Guide_. + +This paragraph is the procedure module introduction: a short description of the procedure. + +.Prerequisites + +* A bulleted list of conditions that must be satisfied before the user starts following this assembly. +* You can also link to other modules or assemblies the user must follow before starting this assembly. +* Delete the section title and bullets if the assembly has no prerequisites. + +.Procedure + +. Start each step with an active verb. + +. Include one command or action per step. + +. Use an unnumbered bullet (*) if the procedure includes only one step. + +.Additional resources + +* A bulleted list of links to other material closely related to the contents of the procedure module. +* For more details on writing procedure modules, see the link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide]. +* Use a consistent system for file names, IDs, and titles. For tips, see _Anchor Names and File Names_ in link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide]. + + +== Do I have FirewallD on my system? 
+ +FirewallD is the default firewall service for current releases of Fedora and is enabled by default. +If you are not sure whether FirewallD is on your Fedora installation use the following commands to check. + + +. Check if your system has FirewallD enabled. + Enter the folowing on the command line: + +[source,bash] + +---- + +sudo firewall-cmd --state + +---- + +You will see `running` if FirewallD is on your system. + +If you see `not running`, then FirewallD is not on your system. Use these commands to install it: + + +. Install FirewallD: + +[source,bash] + +---- + +sudo dnf install firewalld + +---- + +. Install the FirewallD graphical-user-interface application and open it from the command-line, type: + +[source,bash] + +---- + +sudo dnf install firewall-config + +sudo firewall-config + +---- diff --git a/modules/ROOT/pages/_partials/2delete-proc_install_firewalld_gui.adoc b/modules/ROOT/pages/_partials/2delete-proc_install_firewalld_gui.adoc new file mode 100644 index 0000000..97f93f6 --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_install_firewalld_gui.adoc 
@@ -0,0 +1,18 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + + +[id=installing-firewalld-gui-fedora] +// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. += Installing the [application]*firewall-config* GUI configuration tool + +To use the [application]*firewall-config* GUI configuration tool, install the [package]*firewall-config* package as `root`: + +---- +$ sudo dnf install firewall-config +---- + +Alternatively, in [application]*GNOME*, use the kbd:[Super] key and type `Software` to launch the [application]*Software Sources* application. Type `firewall` to the search box, which appears after selecting the search button in the top-right corner. Select the `Firewall` item from the search results, and click on the btn:[Install] button. + +To run [application]*firewall-config*, use either the [command]`firewall-config` command or press the kbd:[Super] key to enter the `Activities Overview`, type `firewall`, and press kbd:[Enter]. diff --git a/modules/ROOT/pages/_partials/2delete-proc_installing_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_installing_firewalld.adoc new file mode 100644 index 0000000..10ae46d --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_installing_firewalld.adoc 
@@ -0,0 +1,25 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + +// Base the file name and the ID on the module title. For example: +// * file name: doing-procedure-a.adoc +// * ID: [id='doing-procedure-a'] +// * Title: = Doing procedure A + +// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. +[id=installing-firewalld-fedora] +// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. += Installing firewalld + +.Install firewalld: + +. Run this command on the command line: + +[source,bash] + +---- + +sudo dnf install firewalld + +---- diff --git a/modules/ROOT/pages/_partials/2delete-proc_opening_ports_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_opening_ports_firewalld.adoc new file mode 100644 index 0000000..c30743a --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_opening_ports_firewalld.adoc 
@@ -0,0 +1,37 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + +// Base the file name and the ID on the module title. For example: +// * file name: doing-procedure-a.adoc +// * ID: [id='doing-procedure-a'] +// * Title: = Doing procedure A + +// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. +[id=opening-ports-firewalld-fedora] +// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. += Opening a port + +Through open ports, the system is accessible from the outside, which represents a security risk. Generally, keep ports closed and only open them if they are required for certain services. + +.Opening a port using the command line + +. Get a list of allowed ports in the current zone: ++ +---- +$ firewall-cmd --list-ports +---- ++ +. Add a port to the allowed ports to open it for incoming traffic: ++ +---- +$ sudo firewall-cmd --add-port=port-number/port-type +---- ++ +. Make the new settings persistent: ++ +---- +$ sudo firewall-cmd --runtime-to-permanent +---- + +The port types are either tcp, udp, sctp, or dccp. The type must match the type of network communication. diff --git a/modules/ROOT/pages/_partials/2delete-proc_starting_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_starting_firewalld.adoc new file mode 100644 index 0000000..47b13b2 --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_starting_firewalld.adoc 
@@ -0,0 +1,22 @@ +// Module included in the following assemblies: +// +// firewalld.adoc + + +// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. +[id=starting-firewalld-fedora] +// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. += Starting firewalld + +Start firewalld, by entering the following commands: + +---- +$ sudo systemctl unmask firewalld +$ sudo systemctl start firewalld +---- + +To make firewalld start automatically at system start: + +---- +$ sudo systemctl enable firewalld +---- diff --git a/modules/ROOT/pages/_partials/2delete-proc_stopping_firewalld.adoc b/modules/ROOT/pages/_partials/2delete-proc_stopping_firewalld.adoc new file mode 100644 index 0000000..a8993b9 --- /dev/null +++ b/modules/ROOT/pages/_partials/2delete-proc_stopping_firewalld.adoc 
@@ -0,0 +1,29 @@ +// Module included in the following assemblies: +// +//firewalld.adoc + +// Base the file name and the ID on the module title. For example: +// * file name: doing-procedure-a.adoc +// * ID: [id='doing-procedure-a'] +// * Title: = Doing procedure A + +// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. +[id=stopping-firewalld-fedora] +// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. += Stopping firewalld + + +To stop firewalld, enter the following command as root: +---- +$ sudo systemctl stop firewalld +---- + +Prevent firewalld from starting automatically at system start, enter the following command as root: +---- +$ sudo systemctl disable firewalld +---- + +Make sure firewalld is not started by accessing the firewalld D-Bus interface and also if other services require firewalld, enter the following command as root: +---- +$ sudo systemctl mask firewalld +---- diff --git a/modules/ROOT/pages/_partials/con_controlling_ports_firewalld.adoc b/modules/ROOT/pages/_partials/con_controlling_ports_firewalld.adoc deleted file mode 100644 index 9d9c009..0000000 --- a/modules/ROOT/pages/_partials/con_controlling_ports_firewalld.adoc +++ /dev/null 
@@ -1,13 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - - -[id='controlling-ports-firewalld-fedora'] - -= Controlling ports using firewalld - -== What are ports? -Ports are logical devices that enable an operating system to receive and distinguish network traffic and forward it accordingly to system services. These are usually represented by a daemon that listens on the port, that is it waits for any traffic coming to this port. - -Normally, system services listen on standard ports that are reserved for them. The httpd daemon, for example, listens on port 80. However, system administrators may configure daemons to listen on different ports to enhance security. diff --git a/modules/ROOT/pages/_partials/con_firewalld.adoc b/modules/ROOT/pages/_partials/con_firewalld.adoc deleted file mode 100644 index 43faa31..0000000 --- a/modules/ROOT/pages/_partials/con_firewalld.adoc +++ /dev/null 
@@ -1,22 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - -[id='concept-firewalld-fedora'] -= Using firewalld - -== What is firewalld? - -A _firewall_ is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of _firewall rules_. These rules are used to sort the incoming traffic and either block it or allow through. - -`firewalld` is a firewall service daemon that provides a dynamic customizable host-based firewall with a `D-Bus` interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed. - -`firewalld` uses the concepts of _zones_ and _services_, that simplify the traffic management. - -`_Zones_` are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone. - -`_Services_` use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. `firewalld` blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default. - -.Additional resources - -For more information about using firewalld and configuring zones and services, see link:https://firewalld.org/documentation/[firewalld documentation] or link:https://fedoraproject.org/wiki/Firewalld[Fedora wiki:firewalld] diff --git a/modules/ROOT/pages/_partials/con_runtime_and_permanent_firewalld.adoc b/modules/ROOT/pages/_partials/con_runtime_and_permanent_firewalld.adoc deleted file mode 100644 index 8862a6c..0000000 
--- a/modules/ROOT/pages/_partials/con_runtime_and_permanent_firewalld.adoc +++ /dev/null @@ -1,15 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - -[id='concept-runtime-and-permanent-firewalld-fedora'] - -= Runtime and permanent settings - -Any changes made while firewalld is running will be lost when firewalld is restarted. When firewalld is restarted, the settings revert to their permanent values. - -These changes are said to be made in _runtime mode_. - -To make the changes persistent across reboots, apply them again using the `--permanent` option. Alternatively, to make changes persistent while firewalld is running, use the `--runtime-to-permanent _firewall-cmd_` option. - -If you make changes while firewalld is running using only the `--permanent` option, they do not become effective until firewalld is restarted. However, restarting firewalld briefly stops the networking traffic, causing disruption to your system. diff --git a/modules/ROOT/pages/_partials/proc_changing_runtime_firewalld.adoc b/modules/ROOT/pages/_partials/proc_changing_runtime_firewalld.adoc deleted file mode 100644 index 52eb6b5..0000000 --- a/modules/ROOT/pages/_partials/proc_changing_runtime_firewalld.adoc +++ /dev/null 
@@ -1,50 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - -[id='changing_runtime_firewalld_fedora'] - -= Changing settings in runtime and permanent configuration using CLI - -Using the CLI, you can only modify either runtime or permanent mode. To modify the firewall settings in permanent mode, use the `--permanent` option with the `firewall-cmd` command. - ----- -$ sudo firewall-cmd --permanent ----- - -Without this option, the command modifies runtime mode. -To change settings in both modes, you can use two methods: - -* Change runtime settings and then make them permanent as follows: - -. Change the runtime settings: -+ -`firewall-cmd ` -+ -. Use `--runtime-to-permanent` to make the changes permanent. -+ -`firewall-cmd --runtime-to-permanent` - -* Set permanent settings and reload the settings into runtime mode: - -. Make the changes in permanent mode: -+ -`firewall-cmd --permanent ` -+ -. Reload the settings: -+ -`firewall-cmd --reload` - -The first method allows you to test the settings before you apply them to permanent mode. - -[NOTE] -==== -It is possible that an incorrect setting will result in a user locking themselves out of a machine. To prevent this, use the `--timeout` option. Using this option means that after a specified amount of time, any change reverts to its previous state. -You can not use the `--permanent` option with the `--timeout` option. - -For example, to add the SSH service for 15 minutes use this command: ----- -$ sudo firewall-cmd --add-service=ssh --timeout 15m ----- -The SSH service will be available until access is removed after 15 minutes. -==== diff --git a/modules/ROOT/pages/_partials/proc_checking_firewalld.adoc b/modules/ROOT/pages/_partials/proc_checking_firewalld.adoc deleted file mode 100644 index a31d331..0000000 --- a/modules/ROOT/pages/_partials/proc_checking_firewalld.adoc +++ /dev/null 
@@ -1,130 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - -// Base the file name and the ID on the module title. For example: -// * file name: doing-procedure-a.adoc -// * ID: [id='doing-procedure-a'] -// * Title: = Doing procedure A - -// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. -[id=checking-firewalld-fedora] -// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. -= Checking the firewalld status - -== Viewing the current status of `firewalld` - -The firewall service, `firewalld`, is installed on the system by default. Use the `firewalld` CLI interface to check that the service is running. - -To see the status of the service: - ----- -$ sudo firewall-cmd --state ----- - -For more information about the service status, use the [command]`systemctl status` sub-command: - ----- -$ sudo systemctl status firewalld -firewalld.service - firewalld - dynamic firewall daemon - Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr - Active: active (running) since Mon 2017-12-18 16:05:15 CET; 50min ago - Docs: man:firewalld(1) - Main PID: 705 (firewalld) - Tasks: 2 (limit: 4915) - CGroup: /system.slice/firewalld.service - └─705 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid ----- - -Furthermore, it is important to know how `firewalld` is set up and which rules are in force before you try to edit the settings. 
To display the firewall settings, see <> - -[[sec-Viewing_Current_firewalld_Settings]] -== Viewing current firewalld settings - -[[sec-Viewing_Allowed_Services_Using_GUI]] -=== Viewing allowed services using GUI - -To view the list of services using the graphical [application]*firewall-config* tool, press the kbd:[Super] key to enter the Activities Overview, type [command]`firewall`, and press kbd:[Enter]. The [application]*firewall-config* tool appears. You can now view the list of services under the `Services` tab. - -Alternatively, to start the graphical firewall configuration tool using the command-line, enter the following command: - -[subs="quotes, macros"] ----- -$ [command]`firewall-config` ----- - -The `Firewall Configuration` window opens. Note that this command can be run as a normal user, but you are prompted for an administrator password occasionally. -//// -[[exam-firewall_config_services]] -.The Services tab in firewall-config - -image::images/firewall-config-services.png[A screenshot of the firewall configuration tool - the Services tab] -//// -[[sec-Viewing_firewalld_Settings_Using_CLI]] -=== Viewing firewalld settings using CLI - -With the CLI client, it is possible to get different views of the current firewall settings. The [option]`--list-all` option shows a complete overview of the `firewalld` settings. - -`firewalld` uses zones to manage the traffic. If a zone is not specified by the [option]`--zone` option, the command is effective in the default zone assigned to the active network interface and connection. 
- -To list all the relevant information for the default zone: - ----- -$ firewall-cmd --list-all -public - target: default - icmp-block-inversion: no - interfaces: - sources: - services: ssh dhcpv6-client - ports: - protocols: - masquerade: no - forward-ports: - source-ports: - icmp-blocks: - rich rules: ----- - -[NOTE] -==== -To specify the zone for which to display the settings, add the [option]`--zone=pass:attributes[{blank}]_zone-name_pass:attributes[{blank}]` argument to the [command]`firewall-cmd --list-all` command, for example: ----- -~]# firewall-cmd --list-all --zone=home -home - target: default - icmp-block-inversion: no - interfaces: - sources: - services: ssh mdns samba-client dhcpv6-client -... [output truncated] - ----- -==== - -To see the settings for particular information, such as services or ports, use a specific option. See the `firewalld` manual pages or get a list of the options using the command help: - ----- -$ firewall-cmd --help - -Usage: firewall-cmd [OPTIONS...] - -General Options - -h, --help Prints a short help text and exists - -V, --version Print the version string of firewalld - -q, --quiet Do not print status messages - -Status Options - --state Return and print firewalld state - --reload Reload firewall and keep state information -... [output truncated] ----- - -For example, to see which services are allowed in the current zone: - ----- -$ firewall-cmd --list-services -samba-client ssh dhcpv6-client ----- - -Listing the settings for a certain subpart using the CLI tool can sometimes be difficult to interpret. For example, you allow the `SSH` service and `firewalld` opens the necessary port (22) for the service. Later, if you list the allowed services, the list shows the `SSH` service, but if you list open ports, it does not show any. Therefore, it is recommended to use the [option]`--list-all` option to make sure you receive a complete information. 
diff --git a/modules/ROOT/pages/_partials/proc_closing_ports_firewalld.adoc b/modules/ROOT/pages/_partials/proc_closing_ports_firewalld.adoc deleted file mode 100644 index 6953b95..0000000 --- a/modules/ROOT/pages/_partials/proc_closing_ports_firewalld.adoc +++ /dev/null @@ -1,42 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - -// Base the file name and the ID on the module title. For example: -// * file name: doing-procedure-a.adoc -// * ID: [id='doing-procedure-a'] -// * Title: = Doing procedure A - -// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. -[id=closing-ports-firewalld-fedora] -// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. -= Closing a port - -When an open port is no longer needed, close that port in firewalld. It is highly recommended to close all unnecessary ports as soon as they are not used because leaving a port open represents a security risk. - -.Closing a port using the command line - -To close a port, remove it from the list of allowed ports: - -. List all allowed ports: -+ ----- -$ firewall-cmd --list-ports ----- -+ -[WARNING] -==== -This command will only give you a list of ports that have been opened as ports. You will not be able to see any open ports that have been opened as a service. Therefore, you should consider using the --list-all option instead of --list-ports. -==== -+ -. Remove the port from the allowed ports to close it for the incoming traffic: -+ ----- -$ sudo firewall-cmd --remove-port=port-number/port-type ----- -+ -. Make the new settings persistent: -+ ----- -$ sudo firewall-cmd --runtime-to-permanent ----- 
diff --git a/modules/ROOT/pages/_partials/proc_configuring_firewalld.adoc b/modules/ROOT/pages/_partials/proc_configuring_firewalld.adoc deleted file mode 100644 index ceec17d..0000000 --- a/modules/ROOT/pages/_partials/proc_configuring_firewalld.adoc +++ /dev/null @@ -1,43 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - -[id='configuring_firewalld_fedora'] - -= Modifying Settings in runtime and permanent configuration using CLI - -Using the CLI, you do not modify the firewall settings in both modes at the same time. You only modify either runtime or permanent mode. To modify the firewall settings in the permanent mode, use the --permanent option with the firewall-cmd command. - ----- -$ sudo firewall-cmd --permanent ----- - -Without this option, the command modifies runtime mode. -To change settings in both modes, you can use two methods: - -Change runtime settings and then make them permanent as follows: ----- -$ sudo firewall-cmd -$ sudo firewall-cmd --runtime-to-permanent ----- - -Set permanent settings and reload the settings into runtime mode: - ----- -$ sudo firewall-cmd --permanent -$ sudo firewall-cmd --reload ----- - -The first method allows you to test the settings before you apply them to the permanent mode. - -[Note] -==== - -It is possible, especially on remote systems, that an incorrect setting results in a user locking themselves out of a machine. To prevent such situations, use the `--timeout` option. After a specified amount of time, any change reverts to its previous state. Using this options excludes the --permanent option. -For example, to add the SSH service for 15 minutes: - ----- -$ sudo firewall-cmd --add-service=ssh --timeout 15m ----- - -==== diff --git a/modules/ROOT/pages/_partials/proc_enabling_firewalld.adoc b/modules/ROOT/pages/_partials/proc_enabling_firewalld.adoc deleted file mode 100644 index 1f8c56a..0000000 --- a/modules/ROOT/pages/_partials/proc_enabling_firewalld.adoc +++ /dev/null 
@@ -1,81 +0,0 @@ -// Module included in the following assemblies: -// -// - -// Base the file name and the ID on the module title. For example: -// * file name: doing-procedure-a.adoc -// * ID: [id='doing-procedure-a'] -// * Title: = Doing procedure A - -// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. -[id='doing-one-procedure_{context}'] -// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. -= Doing one procedure -// Start the title of a procedure module with a verb, such as Creating or Create. See also _Wording of headings_ in _The IBM Style Guide_. - -This paragraph is the procedure module introduction: a short description of the procedure. - -.Prerequisites - -* A bulleted list of conditions that must be satisfied before the user starts following this assembly. -* You can also link to other modules or assemblies the user must follow before starting this assembly. -* Delete the section title and bullets if the assembly has no prerequisites. - -.Procedure - -. Start each step with an active verb. - -. Include one command or action per step. - -. Use an unnumbered bullet (*) if the procedure includes only one step. - -.Additional resources - -* A bulleted list of links to other material closely related to the contents of the procedure module. -* For more details on writing procedure modules, see the link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide]. -* Use a consistent system for file names, IDs, and titles. For tips, see _Anchor Names and File Names_ in link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide]. - - -== Do I have FirewallD on my system? 
- -FirewallD is the default firewall service for current releases of Fedora and is enabled by default. -If you are not sure whether FirewallD is on your Fedora installation use the following commands to check. - - -. Check if your system has FirewallD enabled. - Enter the folowing on the command line: - -[source,bash] - ----- - -sudo firewall-cmd --state - ----- - -You will see `running` if FirewallD is on your system. - -If you see `not running`, then FirewallD is not on your system. Use these commands to install it: - - -. Install FirewallD: - -[source,bash] - ----- - -sudo dnf install firewalld - ----- - -. Install the FirewallD graphical-user-interface application and open it from the command-line, type: - -[source,bash] - ----- - -sudo dnf install firewall-config - -sudo firewall-config - ----- diff --git a/modules/ROOT/pages/_partials/proc_install_firewalld_gui.adoc b/modules/ROOT/pages/_partials/proc_install_firewalld_gui.adoc deleted file mode 100644 index 97f93f6..0000000 --- a/modules/ROOT/pages/_partials/proc_install_firewalld_gui.adoc +++ /dev/null 
@@ -1,18 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - - -[id=installing-firewalld-gui-fedora] -// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. -= Installing the [application]*firewall-config* GUI configuration tool - -To use the [application]*firewall-config* GUI configuration tool, install the [package]*firewall-config* package as `root`: - ----- -$ sudo dnf install firewall-config ----- - -Alternatively, in [application]*GNOME*, use the kbd:[Super] key and type `Software` to launch the [application]*Software Sources* application. Type `firewall` to the search box, which appears after selecting the search button in the top-right corner. Select the `Firewall` item from the search results, and click on the btn:[Install] button. - -To run [application]*firewall-config*, use either the [command]`firewall-config` command or press the kbd:[Super] key to enter the `Activities Overview`, type `firewall`, and press kbd:[Enter]. diff --git a/modules/ROOT/pages/_partials/proc_installing_firewalld.adoc b/modules/ROOT/pages/_partials/proc_installing_firewalld.adoc deleted file mode 100644 index 10ae46d..0000000 --- a/modules/ROOT/pages/_partials/proc_installing_firewalld.adoc +++ /dev/null 
@@ -1,25 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - -// Base the file name and the ID on the module title. For example: -// * file name: doing-procedure-a.adoc -// * ID: [id='doing-procedure-a'] -// * Title: = Doing procedure A - -// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. -[id=installing-firewalld-fedora] -// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. -= Installing firewalld - -.Install firewalld: - -. Run this command on the command line: - -[source,bash] - ----- - -sudo dnf install firewalld - ----- diff --git a/modules/ROOT/pages/_partials/proc_opening_ports_firewalld.adoc b/modules/ROOT/pages/_partials/proc_opening_ports_firewalld.adoc deleted file mode 100644 index c30743a..0000000 --- a/modules/ROOT/pages/_partials/proc_opening_ports_firewalld.adoc +++ /dev/null 
@@ -1,37 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - -// Base the file name and the ID on the module title. For example: -// * file name: doing-procedure-a.adoc -// * ID: [id='doing-procedure-a'] -// * Title: = Doing procedure A - -// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. -[id=opening-ports-firewalld-fedora] -// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. -= Opening a port - -Through open ports, the system is accessible from the outside, which represents a security risk. Generally, keep ports closed and only open them if they are required for certain services. - -.Opening a port using the command line - -. Get a list of allowed ports in the current zone: -+ ----- -$ firewall-cmd --list-ports ----- -+ -. Add a port to the allowed ports to open it for incoming traffic: -+ ----- -$ sudo firewall-cmd --add-port=port-number/port-type ----- -+ -. Make the new settings persistent: -+ ----- -$ sudo firewall-cmd --runtime-to-permanent ----- - -The port types are either tcp, udp, sctp, or dccp. The type must match the type of network communication. diff --git a/modules/ROOT/pages/_partials/proc_starting_firewalld.adoc b/modules/ROOT/pages/_partials/proc_starting_firewalld.adoc deleted file mode 100644 index 47b13b2..0000000 --- a/modules/ROOT/pages/_partials/proc_starting_firewalld.adoc +++ /dev/null 
@@ -1,22 +0,0 @@ -// Module included in the following assemblies: -// -// firewalld.adoc - - -// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. -[id=starting-firewalld-fedora] -// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. -= Starting firewalld - -Start firewalld, by entering the following commands: - ----- -$ sudo systemctl unmask firewalld -$ sudo systemctl start firewalld ----- - -To make firewalld start automatically at system start: - ----- -$ sudo systemctl enable firewalld ----- diff --git a/modules/ROOT/pages/_partials/proc_stopping_firewalld.adoc b/modules/ROOT/pages/_partials/proc_stopping_firewalld.adoc deleted file mode 100644 index a8993b9..0000000 --- a/modules/ROOT/pages/_partials/proc_stopping_firewalld.adoc +++ /dev/null 
@@ -1,29 +0,0 @@ -// Module included in the following assemblies: -// -//firewalld.adoc - -// Base the file name and the ID on the module title. For example: -// * file name: doing-procedure-a.adoc -// * ID: [id='doing-procedure-a'] -// * Title: = Doing procedure A - -// The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken. -[id=stopping-firewalld-fedora] -// The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide. -= Stopping firewalld - - -To stop firewalld, enter the following command as root: ----- -$ sudo systemctl stop firewalld ----- - -Prevent firewalld from starting automatically at system start, enter the following command as root: ----- -$ sudo systemctl disable firewalld ----- - -Make sure firewalld is not started by accessing the firewalld D-Bus interface and also if other services require firewalld, enter the following command as root: ----- -$ sudo systemctl mask firewalld ----- diff --git a/modules/ROOT/pages/firewalld.adoc b/modules/ROOT/pages/firewalld.adoc index 480a8e7..19fdaf4 100644 --- a/modules/ROOT/pages/firewalld.adoc +++ b/modules/ROOT/pages/firewalld.adoc 
@@ -1,33 +1,370 @@ -ifdef::context[:parent-context: {context}] -:context: using-firewalld += Control of System Accessibility by firewalld +Richard Gregory; Petr Bokoc (pbokoc); Peter Boy (pboy) +:revnumber: F34 onwards +:revdate: 2023-08-23 +:category: Security +:tags: How-to firewall :experimental: -:imagesdir: ./images -[[using-firewalld]] -= Using firewalld -:leveloffset: +1 +[abstract] +A _firewall_ is a way to protect machines from any unwanted access from outside. In Fedora, it is installed by default during the installation of the operating system, enabled and configured to provide secure operation even without any additional action by the administrator. It blocks any access other than ssh by default. -include::{partialsdir}/con_firewalld.adoc[] +== How it works -include::{partialsdir}/proc_checking_firewalld.adoc[] +A firewall enables users to control incoming network traffic on host machines by defining a set of _firewall rules_. These rules are used to sort the incoming traffic and either block it or allow through. -include::{partialsdir}/proc_installing_firewalld.adoc[] +`firewalld` is a firewall service daemon that provides a dynamic customizable host-based firewall with a `D-Bus` interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed. -include::{partialsdir}/proc_starting_firewalld.adoc[] +`firewalld` uses the concepts of _zones_ and _services_, that simplify the traffic management. -include::{partialsdir}/proc_stopping_firewalld.adoc[] +`_Zones_` are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone. 
-include::{partialsdir}/con_runtime_and_permanent_firewalld.adoc[] +`_Services_` use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. `firewalld` blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default. -include::{partialsdir}/proc_changing_runtime_firewalld.adoc[] +.Additional resources -include::{partialsdir}/con_controlling_ports_firewalld.adoc[] +For more information about using firewalld and configuring zones and services, see link:https://firewalld.org/documentation/[firewalld documentation] or link:https://fedoraproject.org/wiki/Firewalld[Fedora wiki:firewalld] -include::{partialsdir}/proc_opening_ports_firewalld.adoc[] -include::{partialsdir}/proc_closing_ports_firewalld.adoc[] -:leveloffset: 0 -ifdef::parent-context[:context: {parent-context}] -ifndef::parent-context[:!context:] +== Setting up firewalld + +All Fedora Editions install, configure and activate the firewall by default. No further action is required. The only exception is _Cloud Edition_, which relies on the higher level cloud system. + +Some third party variations and redistributions may differ. In this case, it is up to the administrator to install and activate the firewall afterwards. + +You check if firewalld is set up in a terminal by issuing +[source,bash] +---- +systemctl status firewalld +---- + +You should get soemething like +---- +● firewalld.service - firewalld - dynamic firewall daemon + Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset> + Drop-In: /usr/lib/systemd/system/service.d + └─10-timeout-abort.conf + Active: active (running) since Sat 2023-08-19 19:05:18 CEST; 3 days ago + ... +---- + + +=== Installing and activating firewalld + +In case you get by the command above something like +---- +Unit firewalld.service could not be found. +---- +you have to install it. 
Run on the command line: +[source,bash] +---- +$ sudo dnf install firewalld +$ sudo systemctl unmask firewalld +$ sudo systemctl start firewalld +$ sudo systemctl enable firewalld +---- + +This sequence installs, starts and ensures an automatic restart after a system boot. + + +=== Adjusting firewalld operations during system maintenance + +Sometimes a system administrator has to stop or restart firewalld during system maintenance tasks. + +.Stop firewalld +[source,bash] +---- +$ sudo systemctl stop firewalld +---- +.Prevent autostart at system boot +[source,bash] +---- +$ sudo systemctl disable firewalld +---- + +.Start firewalld +[source,bash] +---- +$ sudo systemctl start firewalld +---- +.Activate autostart at system boot +[source,bash] +---- +$ sudo systemctl enable firewalld +---- +.Disconnecting the firewall from the d-bus controller +---- +$ sudo systemctl mask firewalld +---- +.(Re.)Connect the firewall to the d-bus controller +---- +$ sudo systemctl unmask firewalld +---- + + +=== Installing the [application]*firewall-config* GUI configuration tool + +To use the [application]*firewall-config* GUI configuration tool, install the [package]*firewall-config* package as `root`: +[source,bash] +---- +$ sudo dnf install firewall-config +---- + +Alternatively, in [application]*GNOME*, use the kbd:[Super] key and type `Software` to launch the [application]*Software Sources* application. Type `firewall` to the search box, which appears after selecting the search button in the top-right corner. Select the `Firewall` item from the search results, and click on the btn:[Install] button. + +To run [application]*firewall-config*, use either the [command]`firewall-config` command or press the kbd:[Super] key to enter the `Activities Overview`, type `firewall`, and press kbd:[Enter]. + + + +== Managing firewalld + +=== Viewing the current status of `firewalld` + +The firewall service, `firewalld`, is installed on the system by default. 
Use the `firewalld` CLI interface to check that the service is running. +[source,bash] +---- +$ sudo firewall-cmd --state +---- + +For more information about the service status, use the [command]`systemctl` command +[source,bash] +---- +$ sudo systemctl status firewalld +firewalld.service - firewalld - dynamic firewall daemon + Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr + Active: active (running) since Mon 2017-12-18 16:05:15 CET; 50min ago + Docs: man:firewalld(1) + Main PID: 705 (firewalld) + Tasks: 2 (limit: 4915) + CGroup: /system.slice/firewalld.service + └─705 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid +---- + +Furthermore, it is important to know how `firewalld` is set up and which rules are in force before you try to edit the settings. To display the firewall settings, see <> + +[[sec-Viewing_Current_firewalld_Settings]] +=== Viewing current firewalld settings + +[[sec-Viewing_Allowed_Services_Using_GUI]] +==== Viewing allowed services using GUI + +To view the list of services using the graphical [application]*firewall-config* tool, press the kbd:[Super] key to enter the Activities Overview, type [command]`firewall`, and press kbd:[Enter]. The [application]*firewall-config* tool appears. You can now view the list of services under the `Services` tab. + +Alternatively, to start the graphical firewall configuration tool using the command-line, enter the following command: + +[subs="quotes, macros"] +---- +$ firewall-config +---- + +The `Firewall Configuration` window opens. Note that this command can be run as a normal user, but you are prompted for an administrator password occasionally. 
+//// +[[exam-firewall_config_services]] +.The Services tab in firewall-config + +image::images/firewall-config-services.png[A screenshot of the firewall configuration tool - the Services tab] +//// +[[sec-Viewing_firewalld_Settings_Using_CLI]] +==== Viewing firewalld settings using CLI + +With the CLI client, it is possible to get different views of the current firewall settings. The [option]`--list-all` option shows a complete overview of the `firewalld` settings. + +`firewalld` uses zones to manage the traffic. If a zone is not specified by the [option]`--zone` option, the command is effective in the default zone assigned to the active network interface and connection. + +To list all the relevant information for the default zone: + +---- +$ firewall-cmd --list-all +public + target: default + icmp-block-inversion: no + interfaces: + sources: + services: ssh dhcpv6-client + ports: + protocols: + masquerade: no + forward-ports: + source-ports: + icmp-blocks: + rich rules: +---- + +[NOTE] +==== +To specify the zone for which to display the settings, add the [option]`--zone=pass:attributes[{blank}]_zone-name_pass:attributes[{blank}]` argument to the [command]`firewall-cmd --list-all` command, for example: +---- +~]# firewall-cmd --list-all --zone=home +home + target: default + icmp-block-inversion: no + interfaces: + sources: + services: ssh mdns samba-client dhcpv6-client +... [output truncated] + +---- +==== + +To see the settings for particular information, such as services or ports, use a specific option. See the `firewalld` manual pages or get a list of the options using the command help: + +---- +$ firewall-cmd --help + +Usage: firewall-cmd [OPTIONS...] + +General Options + -h, --help Prints a short help text and exists + -V, --version Print the version string of firewalld + -q, --quiet Do not print status messages + +Status Options + --state Return and print firewalld state + --reload Reload firewall and keep state information +... 
[output truncated] +---- + +For example, to see which services are allowed in the current zone: + +---- +$ firewall-cmd --list-services +samba-client ssh dhcpv6-client +---- + +Listing the settings for a certain subpart using the CLI tool can sometimes be difficult to interpret. For example, you allow the `SSH` service and `firewalld` opens the necessary port (22) for the service. Later, if you list the allowed services, the list shows the `SSH` service, but if you list open ports, it does not show any. Therefore, it is recommended to use the [option]`--list-all` option to make sure you receive a complete information. + + + + + + +=== Runtime and permanent settings + +Any changes made while firewalld is running will be lost when firewalld is restarted. When firewalld is restarted, the settings revert to their permanent values. + +These changes are said to be made in _runtime mode_. + +To make the changes persistent across reboots, apply them again using the `--permanent` option. Alternatively, to make changes persistent while firewalld is running, use the `--runtime-to-permanent _firewall-cmd_` option. + +If you make changes while firewalld is running using only the `--permanent` option, they do not become effective until firewalld is restarted. However, restarting firewalld briefly stops the networking traffic, causing disruption to your system. + + + +==== Changing settings in runtime and permanent configuration using CLI + +Using the CLI, you can only modify either runtime or permanent mode. To modify the firewall settings in permanent mode, use the `--permanent` option with the `firewall-cmd` command. + +---- +$ sudo firewall-cmd --permanent +---- + +Without this option, the command modifies runtime mode. +To change settings in both modes, you can use two methods: + +* Change runtime settings and then make them permanent as follows: + +. Change the runtime settings: ++ +`firewall-cmd ` ++ +. Use `--runtime-to-permanent` to make the changes permanent. 
++ +`firewall-cmd --runtime-to-permanent` + +* Set permanent settings and reload the settings into runtime mode: + +. Make the changes in permanent mode: ++ +`firewall-cmd --permanent ` ++ +. Reload the settings: ++ +`firewall-cmd --reload` + +The first method allows you to test the settings before you apply them to permanent mode. + +[NOTE] +==== +It is possible that an incorrect setting will result in a user locking themselves out of a machine. To prevent this, use the `--timeout` option. Using this option means that after a specified amount of time, any change reverts to its previous state. +You can not use the `--permanent` option with the `--timeout` option. + +For example, to add the SSH service for 15 minutes use this command: +---- +$ sudo firewall-cmd --add-service=ssh --timeout 15m +---- +The SSH service will be available until access is removed after 15 minutes. +==== + + + +=== Controlling ports using firewalld + +==== What are ports? +Ports are logical devices that enable an operating system to receive and distinguish network traffic and forward it accordingly to system services. These are usually represented by a daemon that listens on the port, that is it waits for any traffic coming to this port. + +Normally, system services listen on standard ports that are reserved for them. The httpd daemon, for example, listens on port 80. However, system administrators may configure daemons to listen on different ports to enhance security. + + + +==== Opening a port + +Through open ports, the system is accessible from the outside, which represents a security risk. Generally, keep ports closed and only open them if they are required for certain services. + +.Opening a port using the command line + +. Get a list of allowed ports in the current zone: ++ +---- +$ firewall-cmd --list-ports +---- ++ +. Add a port to the allowed ports to open it for incoming traffic: ++ +---- +$ sudo firewall-cmd --add-port=port-number/port-type +---- ++ +. 
Make the new settings persistent: ++ +---- +$ sudo firewall-cmd --runtime-to-permanent +---- + +The port types are either tcp, udp, sctp, or dccp. The type must match the type of network communication. + + + +==== Closing a port + +When an open port is no longer needed, close that port in firewalld. It is highly recommended to close all unnecessary ports as soon as they are not used because leaving a port open represents a security risk. + +.Closing a port using the command line + +To close a port, remove it from the list of allowed ports: + +. List all allowed ports: ++ +---- +$ firewall-cmd --list-ports +---- ++ +[WARNING] +==== +This command will only give you a list of ports that have been opened as ports. You will not be able to see any open ports that have been opened as a service. Therefore, you should consider using the --list-all option instead of --list-ports. +==== ++ +. Remove the port from the allowed ports to close it for the incoming traffic: ++ +---- +$ sudo firewall-cmd --remove-port=port-number/port-type +---- ++ +. Make the new settings persistent: ++ +---- +$ sudo firewall-cmd --runtime-to-permanent +---- + +
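Review bot: the `systemctl mask firewalld` explanation in this deleted proc_stopping_firewalld.adoc partial ("Make sure firewalld is not started by accessing the firewalld D-Bus interface and also if other services require firewalld") is dropped rather than moved, and the new firewalld.adoc captions the same command as ".Disconnecting the firewall from the d-bus controller", which does not say what masking actually does. Suggest carrying the original sentence over (masking blocks every start of the unit, whether by D-Bus activation or by a dependent service, until it is unmasked) and keeping this partial's stop, disable, mask order in the maintenance section so readers do not mask a daemon that is still running.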
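Review bot: the cross-reference in the added "=== Viewing the current status of firewalld" section is empty ("To display the firewall settings, see <>") and will render as a broken link; it should point at the anchor defined a few lines further down, i.e. "see <<sec-Viewing_Current_firewalld_Settings>>". Further points in this firewalld.adoc hunk: (1) the abstract says the default configuration "blocks any access other than ssh by default", but the page's own `firewall-cmd --list-all` output lists "services: ssh dhcpv6-client" for the public zone and the allowed set depends on the zone, so the sentence should be qualified rather than stated absolutely; (2) "use the `--runtime-to-permanent _firewall-cmd_` option" is garbled and should read "use `firewall-cmd --runtime-to-permanent`"; (3) in the Opening a port and Closing a port steps it is worth one sentence that `--runtime-to-permanent` commits every runtime change currently active, not only the port just added or removed, so the reader should review `--list-all` before running it; (4) the ".Disconnecting the firewall..." and ".(Re.)Connect..." listings lack the `[source,bash]` attribute their sibling listings carry, `[subs="quotes, macros"]` is a leftover on the `$ firewall-config` listing now that the [command] macro is gone, the option names in the Closing a port WARNING (--list-all, --list-ports) are unformatted, and "soemething" is a typo; (5) `systemctl status firewalld` and its output are shown twice, the second copy with 2017 output, so the Managing section could reference the Setting up section instead of repeating it.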