LuckyDudeThakur
Flight Engineer

Different Firewall zones and their practical implementation/examples

Hello,

I am trying to learn system administration skills and came across securing your systems via firewall. I would like to know more about the mentioned firewall zones, like what are the practical implementations of these different firewall zones and what are the different scenarios/best practices for using which zone in a particular situation. Examples from a production systems perspective would be of great help.

Regards,

Abhishek

2 Replies
varelov
Flight Engineer

By "firewall" I am assuming you mean "firewalld", introduced along with the transition to systemd. It is important to know that not all zones are active, and the way you activate them is by assigning a network asset to them, like a port or IP address or a service to a particular zone. Zones themselves have various default settings in terms of what traffic they allow or stop: some would drop all traffic, some by default turn masquerading on, some allow any and all traffic, some would have only ssh allowed through, etc.

firewall-cmd is the command you'd use to interact with firewalld. No changes will take effect right after you issue the command, and none are permanent/survive reboot by default. You will have to use options to firewall-cmd to apply changes to the current setup and make them survive reboot. So know the following sequence of commands to make your changes to the firewall last:

firewall-cmd --permanent [--some-options-here]   # to make your command survive reboot use --permanent

firewall-cmd --reload   # to make your changes take effect immediately for the current setup

If you already know iptables syntax, your knowledge is applicable with firewalld as well, in the form of direct rules that will take precedence over any rich rules you already set with firewalld.

RHEL 7's product documentation concerning network administration will help you go deeper into the subject, and of course the man pages on firewalld, firewall-cmd and firewalld.richlanguage. Practical application of firewalld shouldn't be that much different from what is described in the documentation.

0 Kudos
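The sequence from the reply above (assign an interface to a zone, change the permanent configuration, then reload), worked through for a two-interface web server. This is an added example, not part of the original post; the interface names eth0/eth1 and the choice of services per zone are assumptions. It only prints the firewall-cmd lines unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed host: eth0 faces the
# internet, eth1 is a management network. Dry run by default; set
# APPLY=1 and run as root to execute the commands as well.

ZONES="block dmz drop external home internal public trusted work"  # firewalld's predefined zones

fw() {
    # Print the command; execute it only when APPLY=1.
    printf 'firewall-cmd %s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then firewall-cmd "$@"; fi
}

valid_zone() {
    for z in $ZONES; do [ "$z" = "$1" ] && return 0; done
    echo "unknown zone: $1" >&2
    return 1
}

# bind_zone ZONE IFACE SERVICE...
# Binding an interface is what makes the zone active; services are
# then opened in that zone. Everything goes to the permanent config.
bind_zone() {
    zone=$1; iface=$2; shift 2
    valid_zone "$zone" || return 1
    fw --permanent --zone="$zone" --change-interface="$iface"
    for svc in "$@"; do
        fw --permanent --zone="$zone" --add-service="$svc"
    done
}

plan_web_server() {
    # Exposed side: public zone, web traffic only.
    bind_zone public eth0 http https || return 1
    # The stock public zone allows ssh; remove it from the exposed side.
    fw --permanent --zone=public --remove-service=ssh
    # Management side: internal zone, ssh listed explicitly so the
    # plan does not depend on that zone's defaults.
    bind_zone internal eth1 ssh || return 1
    # Load the permanent configuration into the running firewall.
    fw --reload
    # Verify which zones are active and what each one allows.
    fw --get-active-zones
    fw --zone=public --list-all
    fw --zone=internal --list-all
}

plan_web_server
```

Review the printed plan before running with APPLY=1, and keep a console session open when removing ssh from a zone on a remote host.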
LuckyDudeThakur
Flight Engineer


@varelov wrote:

By "firewall" I am assuming you mean "firewalld", introduced along with the transition to systemd. It is important to know that not all zones are active, and the way you activate them is by assigning a network asset to them, like a port or IP address or a service to a particular zone. Zones themselves have various default settings in terms of what traffic they allow or stop: some would drop all traffic, some by default turn masquerading on, some allow any and all traffic, some would have only ssh allowed through, etc.

firewall-cmd is the command you'd use to interact with firewalld. No changes will take effect right after you issue the command, and none are permanent/survive reboot by default. You will have to use options to firewall-cmd to apply changes to the current setup and make them survive reboot. So know the following sequence of commands to make your changes to the firewall last:

firewall-cmd --permanent [--some-options-here]   # to make your command survive reboot use --permanent

firewall-cmd --reload   # to make your changes take effect immediately for the current setup

If you already know iptables syntax, your knowledge is applicable with firewalld as well, in the form of direct rules that will take precedence over any rich rules you already set with firewalld.

RHEL 7's product documentation concerning network administration will help you go deeper into the subject, and of course the man pages on firewalld, firewall-cmd and firewalld.richlanguage. Practical application of firewalld shouldn't be that much different from what is described in the documentation.


Hello,

Thanks for the explanation. However, I am looking for the practical implementation of these commands and options. For example, when to use a public zone or when to use the home zone in the firewall? It would be great if someone could explain with an example how it was implemented in production systems.

Regards,
LuckyDudeThakur
----------------------------------------------------------------
https://twitter.com/@LuckyDudeThakur
https://www.linkedin.com/in/luckydudethakur

0 Kudos