On day 3 of my RHCA journey, I went over the topics of firewalld (standard and rich rules), masquerading, port forwarding, and SELinux. I like Linux security
# man firewalld.richlanguage
Toward the end of that page, in the examples section, you will find a variety of options from which you can build your own rich rule with firewalld.
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
# firewall-cmd --reload
I liked the SELinux portion as well, as I am a big believer in using SELinux and always keeping it on. This chapter focused on SELinux port security. Usually you need to tell SELinux about a custom port when running applications, such as web servers, on non-standard ports. If this is the case, with SELinux running,
# sealert -a /var/log/audit/audit.log
If access is being denied because of a non-standard port,
# semanage port -a -t http_port_t -p tcp 82
The -a adds the new port, -t is the type (in our case http_port_t), and -p is the protocol, where you pick if it's
# firewall-cmd --add-port 82/tcp --permanent
# firewall-cmd --reload
After which you can restart the httpd service and all will be well.
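As an added example (not from the original post), the script below checks whether a port is already labelled with the SELinux type before running semanage, since `semanage port -a` fails if the port is already defined, and then prints the firewalld steps. It parses `semanage port -l` style output; the SAMPLE_PORTS block is a constructed stand-in for that output so the script runs offline.

```shell
#!/bin/sh
# Added example: plan the SELinux + firewalld changes for a non-standard port.
# SAMPLE_PORTS is constructed sample output in the format of "semanage port -l";
# on a real host replace it with:  SAMPLE_PORTS=$(semanage port -l)
SAMPLE_PORTS='http_cache_port_t               tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t               udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
tftp_port_t                    udp      69'

# port_has_type TYPE PROTO PORT -> exit 0 if PORT/PROTO is listed under TYPE.
# Handles both single ports ("80,") and ranges ("10001-10010").
port_has_type() {
    seltype="$1"; proto="$2"; port="$3"
    printf '%s\n' "$SAMPLE_PORTS" | awk -v t="$seltype" -v p="$proto" -v port="$port" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip trailing comma
                if (v ~ /-/) {                    # range low-high
                    split(v, r, "-")
                    if (port+0 >= r[1]+0 && port+0 <= r[2]+0) found = 1
                } else if (v+0 == port+0) found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# plan_port TYPE PROTO PORT -> prints the commands needed so a confined
# service may bind PORT and the firewall lets traffic reach it.
plan_port() {
    if port_has_type "$1" "$2" "$3"; then
        echo "# $3/$2 already labelled $1, no semanage change needed"
    else
        echo "semanage port -a -t $1 -p $2 $3"
    fi
    echo "firewall-cmd --permanent --add-port=$3/$2"
    echo "firewall-cmd --reload"
}

plan_port http_port_t tcp 82
```

Run it first to review the planned commands; only the printed lines touch the system when you execute them.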
In all, it was a fun chapter to go through, and with a bit more practice I believe I'll do well on this portion. Hopefully today I will get more time than I have the past few days, as I have only been able to get through one chapter at a time. In some sense that was good, though, as I was able to spend more time on
Cheers,
Ivan Windon – RHCSA