Linux Unit 11
Prior to any administrative changes, which zone is the default zone?
Public zone
--get-default-zone
Query the current default zone
home
Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client pre-defined services
internal
Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client pre-defined services (the same as the home zone to start with).
block
Rejects all incoming traffic unless related to outgoing traffic
public
Rejects incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6-client pre-defined services. The default zone for newly added network interfaces.
dmz
Rejects incoming traffic unless related to outgoing or matching the ssh pre-defined service
external
Rejects incoming traffic unless related to outgoing or matching the ssh pre-defined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded to look like it originated from the IPv4 address of the outgoing network interface.
work
Rejects incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client or dhcpv6-client predefined services
--add-source=<CIDR>
Route all traffic coming from the given source IP address or network/netmask to the specified zone. If no --zone= option is provided, the default zone is used.
semanage
SELinux Policy Management tool
ebtables
The ebtables program is a filtering tool for a Linux-based bridging firewall. It enables transparent filtering of network traffic passing through a Linux bridge.
Explain SELinux network port labeling. Why is this important to a Linux administrator?
a. Network traffic is also tightly enforced by the SELinux policy. One of the methods that SELinux uses for controlling network traffic is labeling network ports; for example, in the targeted policy, port 22/TCP has the label ssh_port_t associated with it. This can stop a rogue service from taking over ports otherwise used by other (legitimate) network services.
service definitions for firewalld
can be used to easily permit traffic for particular network services to pass through the firewall
firewalld
is a dynamic firewall manager, a front end to the nftables framework using the nft command.
xtables-nft-multi
to translate iptables objects directly into nftables rules and objects
--get-zones
List all available zones
--list-all
List all configured interfaces, sources, services, and ports for a zone. If no --zone= option is provided, the default zone is used.
List and explain the four configuration tools available in RHEL8/CentOS8 for configuring the firewall using firewalld.
- By directly editing the configuration files in /etc/firewalld/
- The Web Console graphical tool
- By using firewall-cmd from the command line
- By using the graphical firewall-config tool
Netfilter
A framework for network traffic operations such as packet filtering, network address translation and port translation
Nftables
A newer packet filtering and classification subsystem that replaces part of the netfilter code while retaining the netfilter architecture, such as the networking stack hooks, the connection tracking system, and the logging facility.
trusted
Allow all incoming traffic
--add-service=<service>
Allow traffic to <SERVICE>. If no --zone= option is provided, the default zone will be used.
Iptables
Command to configure netfilter directly
drop
Drop all incoming traffic unless related to outgoing traffic (do not even respond with ICMP errors)
--reload
Drop the runtime configuration and apply the persistent configuration