cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
TudorRaduta
Community Manager
Community Manager
yesterday
  • 143 Views

It's Friday! Let's build a firewall.

️ Friday Firewall Challenge!

Happy Friday, everyone!

Let's wrap up the study week with a hands-on scenario that's straight out of the RHCSA playbook: configuring a basic firewall for a new web server using firewalld.

The Scenario:

You've just deployed a new RHEL 9 server. Your task is to secure it with the following rules, and make sure they are permanent:

  • Allow HTTP traffic (port 80) from anywhere.
  • Allow SSH traffic (port 22) but ONLY from the internal management network, 192.168.50.0/24.
  • All other incoming traffic should be blocked.

This is a super common real-world task and a great way to test your knowledge of `firewalld` zones, services, and sources.

How would you solve it?

Drop the firewall-cmd commands you'd use in the comments below!

  • Don't worry about getting it perfect on the first try. Let's just map out the steps together.
  • Bonus Question: What `firewalld` zone would you assign the internal network's source IP range to?

Let's see your solutions! Have a fantastic weekend!

Join the discussion
7 Replies
Chetan_Tiwary_
Community Manager
Community Manager
yesterday
  • 114 Views

Very nicely curated scenario - useful to build that sharp skill of a sysadmin which helps in interviews and on job role ! And surely in the RH exams. 

@Trevor  @87951469 @ClusterCaptain @SimonBM @DeepakRamanath @Blue_bird 

87951469
Flight Engineer
Flight Engineer
yesterday
  • 103 Views

firewall-cmd --permanent --zone=public --add-port=80/http 

firewall-cmd --permanent --add-port=22/ssh --add-source=192.168.50.0/24

firewall-cmd --reload 

 

Bonus Q: --zone=internal 

Chetan_Tiwary_
Community Manager
Community Manager
yesterday
  • 93 Views

@87951469 would it satisfy the condition : 

  • Allow SSH traffic (port 22) but ONLY from the internal management network, 192.168.50.0/24.
  • All other incoming traffic should be blocked.  ?

 

0 Kudos
Chetan_Tiwary_
Community Manager
Community Manager
yesterday
  • 91 Views

Also I dont think it will accept 80/http  or 22/ssh in the firewall-cmd

87951469
Flight Engineer
Flight Engineer
yesterday
  • 71 Views

firewall-cmd --permanent --zone=public --add-service=http

firewall-cmd --permanent --add-sevice=ssh --add-source=192.168.50.0/24

I dont know about blocking all other traffic.... 

Chetan_Tiwary_
Community Manager
Community Manager
yesterday
  • 33 Views

Thanks for trying @87951469 - That is all that matters !!

0 Kudos
Blue_bird
Starfighter Starfighter
Starfighter
yesterday
  • 49 Views

sudo systemctl status firewalld
Assuming that firewall is running and enabled during boot time

sudo firewall-cmd --permanent --add-service=http


sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.50.0/24" service name="ssh" accept'

sudo firewall-cmd --set-default-zone=drop

To apply the changes
--------------------
sudo firewall-cmd --reload

To check the rules
----------------------
sudo firewall-cmd --list-all

Note: if you logged in as root sudo is not required in above commands

 

Thanks

Join the discussion
You must log in to join this conversation.
Red Hat Learning Community

Red Hat

Learning Community

A collaborative learning environment, enabling open source skill development.

Red Hat Inc. Copyright ?2025 Red Hat, Inc. Privacy policy Terms of use