Linux Unit 11

Prior to any administrative changes, which zone is the default zone?

Public zone

--get-default-zone

Query the current default zone

home

Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client pre-defined services

internal

Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client pre-defined services ( same as the home zone to start with.

block

Rejects all incoming traffic unless related to outgoing traffic

public

Rejects incoming traffic unless related to outgoing or matching the ssh or dhcpv6-client predefined services. The default zone for newly added newly added network interfaces.

dmz

Rejects incoming traffic unless related to outgoing or matching the ssh pre-defined service

external

Rejects incoming traffic unless related to outgoing or matching the ssh pre-defined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded to look like it originated from the IPv4 address of the outgoing network interface.

work

Rejects incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client or dhcpv6-client predefined services

--add-source=<CIDR>

Route all traffic coming from the IP address on network/netmask to the specified zone. If no -zone= option is provided, the default zone is used

semanage

SELinux Policy Management tool

ebtables

The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge.

Explain SELinux network port labeling. Why is this important to a Linux administrator?

a. Network traffic is also tightly enforced by the SELinux policy. One of the methods that SELinux uses for controlling network traffic is labeling network ports; for example, in the targeted policy, port 22/TCP has the label ssh_port_t associated with it. This can stop a rogue service from taking over ports otherwise used by other (legitimate) network services.

service definitions for firewalld

can be used to easily permit traffic for particular network services to pass through the firewall

firewalld

is a dynamic firewall manager, a front end to the nftables framework using the nft command.

xtables-nft-multi

to translate iptables objects directly into nftables rules and objects

--get-zones

List all available zones

--list-all

List all configured interfaces, sources, services, and ports for zone. If no -zone=option is provided, the default zone is used

List and explain the four configuration tools available in RHEL8/CentOS8 for configuring the firewall using firewalld.

- By directly editing configuration files in /etc/firewalld/ - The Web Console graphic tool - By using firewall-cmd from the command line - OR using the graphical firewall-config tool

Netfilter

A framework for network traffic operations such as packet filtering, network address translation and port translation

Nftables

A new filter and packet classification subsystem that has enhanced portion of netfilters code, but retaining the netfilter architecture such as networking stacks hooks, connection tracking system and the logging facility

trusted

Allow all incoming traffic

--add-service=<service>

Allow traffic to <SERVICE>. If no -zone= option is provided, the default zone will be used.

Iptables

Command to configure netfilter directly

drop

Drop all incoming traffic unless related to outgoing traffic (do not even respond with ICMP errors)

-reload

Drop the runtime configuration and apply the persistent configuration