Redhat: Linux Firewall
Playlist: Red Hat Enterprise Linux Administration
https://www.youtube.com/playlist?list=PLIpLw6v7Z1qnIUiJipjgYEHwxF16TZbCN
2023-06-21 15:35:07
A data packet is formed through a process called encapsulation, in which
header information is attached to a message (the payload) as the packet is
built. The header carries, among other things, the source and destination IP
addresses, the source and destination ports, and the protocol. A firewall
intercepts each inbound and outbound packet, inspects its header against a
predefined set of rules, and decides whether to let the packet pass.
Port numbers for common network services are listed in the /etc/services file.
These assignments come from IANA and are the same on every network operating
system, RHEL included. Some common services and the ports they listen on are
FTP (File Transfer Protocol) on port 21, SSH (Secure Shell) on 22, SMTP (the
mail transfer protocol spoken by Postfix) on 25, HTTP (HyperText Transfer
Protocol) on 80, and NTP (Network Time Protocol) on 123. Note that
/etc/services only documents the conventional numbers: a daemon can be
configured to listen on any port, and firewall rules must match the port that
is actually in use.
The host-based firewall solution in RHEL is built on netfilter, the
packet-filtering framework inside the Linux kernel, together with nftables,
the filtering and packet-classification framework that firewalld uses as its
backend on RHEL 8 and later, for policing the movement of traffic. It also
supports other advanced features such as Network Address Translation (NAT)
and port forwarding. This firewall solution inspects, modifies, drops, or
routes incoming, outgoing, and forwarded network packets based on defined
rulesets.
Overview of firewalld
The firewalld service lets you perform management operations at the command
line with the firewall-cmd command, graphically through the web console
(Cockpit), or manually by editing rule files. firewalld ships its default
rule files under the /usr/lib/firewalld directory and reads custom rule files
from the /etc/firewalld directory. To customize a default file, copy it into
the corresponding subdirectory of /etc/firewalld and edit the copy there: a
file in /etc/firewalld with the same name takes precedence over the shipped
one, and package updates never overwrite /etc/firewalld. Keep in mind that
firewall-cmd changes apply to the running firewall only unless they are also
made permanent, and permanent changes do not take effect until the
configuration is reloaded.
firewalld Zones
firewalld uses the concept of zones for simpler, more transparent traffic
management. A zone defines a policy for a given trust level and is bound to
network connections (interfaces) and source IP addresses. A network
connection can belong to only one zone at a time; a zone, however, can have
several network connections assigned to it. A zone configuration lists the
services, ports, and protocols that are open or closed, and may also carry
rules for advanced items such as masquerading, port forwarding, NAT, ICMP
filters, and rich rules. The rules of each zone are defined and manipulated
independently of other zones.
For each incoming packet, firewalld first checks the source IP address and
applies the rules of the zone that has a source binding matching that
address (a given source can be bound to only one zone, so there is at most
one such match). If no source matches, it associates the packet with the
zone to which the receiving network connection is bound and applies that
zone's rules. If the connection is not bound to any zone either, the packet
is handled by the default zone, and the rules of the default zone are
enforced on it.
The firewalld software installs several predefined zone files that may be
selected or customized. They cover traffic that must be blocked or dropped
(block, drop) and trust levels for public-facing, demilitarized, external,
internal, home, work, and fully trusted networks (public, dmz, external,
internal, home, work, trusted). Of these, public is the default zone, and it
is active as soon as the firewalld service starts. Table 20-1 lists and
describes the predefined zones sorted by trust level, from most trusted to
least trusted.
Zone       Description
trusted    Allow all incoming traffic.
internal   Reject all incoming traffic except for what is allowed. Intended for use on internal networks.
home       Reject all incoming traffic except for what is allowed. Intended for use in homes.
work       Reject all incoming traffic except for what is allowed. Intended for use at workplaces.
dmz        Reject all incoming traffic except for what is allowed. Intended for use in publicly accessible demilitarized zones.
external   Reject all incoming traffic except for what is allowed. Outgoing traffic forwarded through this zone is masqueraded to look as though it originated from the IPv4 address of the outgoing network interface. Intended for use on external networks with masquerading enabled.
public     Reject all incoming traffic except for what is allowed. It is the default zone for any newly added network interfaces. Intended for use in public places.
block      Reject all incoming traffic with an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) message returned. Intended for use in secure places.
drop       Drop all incoming traffic without responding with ICMP errors. Intended for use in highly secure places.
Table 20-1 firewalld Default Zones
For all the predefined zones, outgoing traffic is allowed by default.
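The zone lookup order described above, the vendor/custom file precedence from the firewalld overview, and the zone targets behind the rows of Table 20-1 can be checked end to end with a small script. The following Python is an added example, not code from the book or from firewalld itself. The zone XML, the interface and source bindings, the service port list, the address ranges, and the choice of drop as the default zone are all constructed for illustration; the XML follows the layout firewalld uses under /usr/lib/firewalld/zones and /etc/firewalld/zones, and the REJECT/DROP/ACCEPT outcomes follow the table.

```python
"""Which firewalld zone handles a packet, and what that zone does with it."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed zone files in firewalld's zone XML layout. VENDOR_ZONES stands
# in for /usr/lib/firewalld/zones, CUSTOM_ZONES for /etc/firewalld/zones.
# Interface and source bindings live in the zone file as <interface> and
# <source> elements, which is how permanent bindings are stored.
VENDOR_ZONES = {
    "public.xml": (
        '<zone><short>Public</short>'
        '<service name="ssh"/><service name="dhcpv6-client"/>'
        '<interface name="eth0"/></zone>'
    ),
    "trusted.xml": (
        '<zone target="ACCEPT"><short>Trusted</short>'
        '<source address="10.0.0.0/8"/></zone>'
    ),
    "drop.xml": '<zone target="DROP"><short>Drop</short></zone>',
}
CUSTOM_ZONES = {
    # A copy of the vendor public.xml, edited: ssh removed, 8443/tcp opened.
    "public.xml": (
        '<zone><short>Public</short>'
        '<service name="dhcpv6-client"/><port port="8443" protocol="tcp"/>'
        '<interface name="eth0"/></zone>'
    ),
}
# Constructed subset of firewalld's service definitions
# (/usr/lib/firewalld/services/*.xml), reduced to (protocol, port) pairs.
SERVICES = {
    "ssh": {("tcp", 22)},
    "http": {("tcp", 80)},
    "dhcpv6-client": {("udp", 546)},
}


@dataclass
class Zone:
    name: str
    target: str = "default"          # default, ACCEPT, %%REJECT%% or DROP
    services: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    sources: list = field(default_factory=list)
    interfaces: set = field(default_factory=set)


def parse_zone(name, xml_text):
    root = ET.fromstring(xml_text)
    zone = Zone(name=name, target=root.get("target", "default"))
    for el in root:
        if el.tag == "service":
            zone.services.add(el.get("name"))
        elif el.tag == "port":
            zone.ports.add((el.get("protocol"), int(el.get("port"))))
        elif el.tag == "source":
            zone.sources.append(ipaddress.ip_network(el.get("address"), strict=False))
        elif el.tag == "interface":
            zone.interfaces.add(el.get("name"))
    return zone


def load_zones(vendor, custom):
    """Merge the two directories: a custom file shadows the vendor file of the same name."""
    files = dict(vendor)
    files.update(custom)
    return {fn[:-4]: parse_zone(fn[:-4], xml) for fn, xml in files.items()}


def resolve_zone(zones, default_zone, src_ip, iface):
    """Lookup order from the text: source binding, then interface binding, then default."""
    addr = ipaddress.ip_address(src_ip)
    for zone in zones.values():
        # firewalld refuses to bind one source to two zones, so the first match is the only one.
        if any(addr in net for net in zone.sources):
            return zone.name
    for zone in zones.values():
        if iface in zone.interfaces:
            return zone.name
    return default_zone


def verdict(zone, proto, dport):
    """ACCEPT explicitly opened traffic; otherwise fall through to the zone target."""
    allowed = set(zone.ports)
    for svc in zone.services:
        allowed |= SERVICES.get(svc, set())
    if (proto, dport) in allowed:
        return "ACCEPT"
    # A zone with no explicit target rejects unmatched traffic, which is the
    # "Reject all incoming traffic except for what is allowed" row behaviour.
    return {"ACCEPT": "ACCEPT", "DROP": "DROP"}.get(zone.target, "REJECT")


def decide(zones, default_zone, src_ip, iface, proto, dport):
    name = resolve_zone(zones, default_zone, src_ip, iface)
    return name, verdict(zones[name], proto, dport)


if __name__ == "__main__":
    zones = load_zones(VENDOR_ZONES, CUSTOM_ZONES)
    packets = [  # (src, ingress interface, proto, dst port); constructed
        ("10.1.2.3", "eth0", "tcp", 22),       # source bound to trusted
        ("203.0.113.5", "eth0", "tcp", 22),    # eth0 is public; ssh removed in custom file
        ("203.0.113.5", "eth0", "tcp", 8443),  # opened in custom public.xml
        ("198.51.100.9", "eth1", "tcp", 80),   # eth1 unbound: default zone
    ]
    for pkt in packets:
        print(pkt, "->", decide(zones, "drop", *pkt))
```

Running it prints one line per constructed packet. The second packet is the point to notice: the custom public.xml in /etc/firewalld silently replaces the shipped one, so SSH on the public interface is rejected even though the vendor file opens it. On a real host the same two questions are answered by firewall-cmd --get-active-zones (which zone each interface and source is bound to) and firewall-cmd --list-all --zone=NAME (what that zone opens); the script only makes the decision order explicit.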