On day 3 of my RHCA journey, I went over the topics of firewalld (standard and rich rules), masquerading, port forwarding, and SELinux. I like Linux security to begin with, so it was a fun chapter for me. Although I found a few areas I need to work on, nothing was too difficult, thanks to the man pages. One key thing to learn for any Red Hat exam is that you may not recall everything, so another good option is to learn WHERE you can find the needed information without using the Internet. This is where man pages come into play. Say you forget the syntax of a rich rule; you can run the following command:
# man firewalld.richlanguage
Then, looking toward the end in the examples section, you see a variety of options from which you could build your own rich rule with firewalld.
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
# firewall-cmd --reload
I liked the SELinux portion as well, as I am a big believer in using SELinux and always keeping it on. This chapter focused on SELinux port labelling. Usually, you'll need to tell SELinux about a custom port when running applications, such as web servers, on non-standard ports. With SELinux enforcing, the application would fail to start if it tries to listen on a port that is not labelled for its type. The easiest way to find this information is by using the following command:
# sealert -a /var/log/audit/audit.log
For issues with being denied access based on a non-standard port, sealert will give the reason why and provide the syntax to add it. You just need to know the SELinux port type to plug in. For httpd, it would be http_port_t. The command would then be:
# semanage port -a -t http_port_t -p tcp 82
The -a adds the new port, the -t is the type, in our case http_port_t, and the -p is the protocol (tcp or udp), followed by the port number required. Of course, don't forget to add the port to the firewall as well:
# firewall-cmd --add-port 82/tcp --permanent
# firewall-cmd --reload
After which you can restart the httpd service and all will be well.
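As an added example (not from the original post), here is a dry-run helper for the port step above: it parses a saved `semanage port -l` listing and decides whether the port needs `semanage port -a`, `semanage port -m` (the `-a` form fails with "already defined" when the port is already labelled with another type), or nothing, then prints the matching firewall-cmd lines without running anything. The listing embedded in it is a constructed excerpt in the layout that command prints.

```shell
#!/usr/bin/env bash
# Decide the semanage action for PORT/PROTO -> WANT_TYPE from a saved
# `semanage port -l` listing. Prints "add", "noop", or "modify <current_type>".
# Nothing is executed; this is a planning step you can run anywhere.
selinux_port_plan() {
    local listing="$1" port="$2" proto="$3" want="$4"
    awk -v port="$port" -v proto="$proto" -v want="$want" '
        $2 != proto { next }                 # skip header and other-protocol rows
        {
            # row layout: <type> <proto> <port>[, <port>|<lo>-<hi> ...]
            for (i = 3; i <= NF; i++) {
                p = $i; gsub(/,/, "", p)
                if (p ~ /-/) continue        # range rows (e.g. unreserved_port_t) do not block -a
                if (p + 0 == port + 0) { found = $1; break }
            }
            if (found != "") exit            # END still runs after exit
        }
        END {
            if (found == "")        print "add"
            else if (found == want) print "noop"
            else                    print "modify " found
        }' "$listing"
}

# Emit the commands an admin would run for the chosen plan, plus the
# matching firewalld opening, without running any of them.
selinux_port_commands() {
    local listing="$1" port="$2" proto="$3" want="$4" plan
    plan=$(selinux_port_plan "$listing" "$port" "$proto" "$want")
    case "$plan" in
        noop)    echo "# $proto/$port is already $want; nothing to do" ;;
        add)     echo "semanage port -a -t $want -p $proto $port" ;;
        modify*) echo "semanage port -m -t $want -p $proto $port  # was ${plan#modify }" ;;
    esac
    echo "firewall-cmd --permanent --add-port=$port/$proto"
    echo "firewall-cmd --reload"
}

# Constructed excerpt in the `semanage port -l` layout, so this runs offline.
SAMPLE_LISTING=$(mktemp)
cat >"$SAMPLE_LISTING" <<'EOF'
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ntp_port_t                     udp      123
unreserved_port_t              tcp      1024-32767, 61000-65535
EOF

selinux_port_commands "$SAMPLE_LISTING" 82 tcp http_port_t
```

On a real host, feed it `semanage port -l > listing.txt` and review the printed commands before running them.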
In all, it was a fun chapter to go through, and with a bit more practice I believe I'll do well on this portion. Hopefully today I will get more time than I have the past few days, as I have only been able to hit one chapter at a time; in some sense, though, it was good, as I was able to spend more time on a single topic. Be sure to check back tomorrow to see the next topic that I cover today.
Cheers,
Ivan Windon – RHCSA