What You Should Do After Starting Firewalld

Jiwen Young
3 min read · Dec 25, 2020

firewalld is a common tool for filtering the packets that flow through the network interfaces of a modern Linux system. It is really a front end to iptables or nftables. It is zone-based, that is, a bunch of rules are grouped into one zone, and they take effect on an interface as soon as that zone is applied to it.

By default, firewalld offers us 10 zones, as follows

block dmz drop external home internal nm-shared public trusted work

You can see the details of any zone with the following command (shown here for the home zone; replace it with the zone you want)

firewall-cmd --zone=home --list-all

In the output, the target attribute is the default behavior of this zone for packets that match none of its rules; its options are [ ACCEPT, REJECT, DROP, default ], and their names explain themselves well. Another important attribute is services, whose value is the group of services allowed in this zone. A service is in fact one or more combinations of port and protocol that will be allowed in this zone. These two attributes are what matter; for the others you can read the documentation to understand what they are designed for.

So, what should you do if you want to set up a server for a web service?

First, start your firewall and “enable” it, that is, allow it to start at boot.

systemctl restart firewalld
systemctl enable firewalld

Second, I will create my own zone; of course, you can modify one of the default zones instead if you like.

firewall-cmd --permanent --new-zone=myzone

--permanent makes this rule survive a restart of the firewall service; without it, the rule is only effective until you restart or stop the running firewall service. With --permanent, the rule will not be effective until you reload or restart the firewall service.

Third, write your own service and save it under /etc/firewalld/services. The service file is an XML file like the one below; firewalld takes the service name from the file name, so to use it as the web service later it must be saved as /etc/firewalld/services/web.xml.

<service>
  <short>Web</short>
  <description>Web Service Description</description>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="80"/>
</service>

What matters is the port tag, and it explains itself very well.

Fourth, set the default behavior of the zone to DROP and add our web service into it, and do not forget to add the ssh service to your zone to keep your server under your control: with a DROP target, anything not listed as a service is silently discarded, including your own ssh session.

firewall-cmd --zone=myzone --set-target=DROP --permanent
firewall-cmd --zone=myzone --add-service=web --permanent
firewall-cmd --zone=myzone --add-service=ssh --permanent

Finally, reload the firewall service and set our zone as the default zone, which is the zone applied to every interface that is not explicitly bound to another one.

firewall-cmd --reload
firewall-cmd --set-default-zone=myzone

And you can check the active zones and the attributes of our zone with the following commands; make sure ssh appears in the services line before you close your current session.

firewall-cmd --get-active-zones
firewall-cmd --zone=myzone --list-all
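As an added example that is not part of the original post, here are the five steps above (including the service file from the third step) collected into one reviewable POSIX shell script. It assumes the zone name myzone and the service name web used in the post, so the service file is written as web.xml in /etc/firewalld/services; when firewall-cmd is not installed, or DRY_RUN=1 is set, it only prints the firewall-cmd invocations and writes the XML to a temporary directory, so it can be checked before being run as root on the real server.

```shell
#!/bin/sh
# Added example, not the original post's code: the post's five steps as one
# idempotent script. Assumed names: zone "myzone", service "web" (firewalld
# derives the service name from the file name, so web.xml), and the
# standard firewalld paths. Without firewall-cmd, or with DRY_RUN=1, the
# firewall-cmd calls are printed instead of executed (dry run).
set -u

ZONE="${ZONE:-myzone}"
SERVICE="${SERVICE:-web}"
SERVICE_DIR="${SERVICE_DIR:-/etc/firewalld/services}"

# Decide how firewall-cmd is invoked: for real, or echoed for a dry run.
if [ "${DRY_RUN:-0}" = 1 ] || ! command -v firewall-cmd >/dev/null 2>&1; then
    DRY=1
    fw() { echo "firewall-cmd $*"; }
else
    DRY=0
    fw() { firewall-cmd "$@"; }
fi

# Step 3: the service definition, HTTP and HTTPS over TCP.
service_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Web</short>
  <description>HTTP and HTTPS for the web server</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
</service>
EOF
}

# Writes <dir>/<service>.xml with root-readable permissions and prints the path.
write_service_file() {
    dir="$1"
    mkdir -p "$dir"
    service_xml > "$dir/$SERVICE.xml"
    chmod 0644 "$dir/$SERVICE.xml"
    echo "$dir/$SERVICE.xml"
}

# Steps 2, 4 and 5. All --permanent changes are staged on disk and take
# effect together at --reload, so the zone is fully populated (DROP target,
# ssh and web allowed) before it becomes the default zone. --new-zone fails
# if the zone already exists, which is ignored so the script can be re-run.
apply_zone() {
    fw --permanent --new-zone="$ZONE" || true
    fw --permanent --zone="$ZONE" --set-target=DROP
    fw --permanent --zone="$ZONE" --add-service=ssh
    fw --permanent --zone="$ZONE" --add-service="$SERVICE"
    fw --reload
    fw --set-default-zone="$ZONE"
}

# Given the space-separated output of "firewall-cmd --zone=Z --list-services",
# succeeds only if ssh is among the allowed services (lockout check).
check_has_ssh() {
    case " $1 " in
        *" ssh "*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    if [ "$DRY" = 1 ]; then
        dir="$(mktemp -d)"   # never touch /etc in a dry run
    else
        dir="$SERVICE_DIR"
    fi
    echo "wrote $(write_service_file "$dir")"
    apply_zone
    if [ "$DRY" = 0 ]; then
        check_has_ssh "$(fw --zone="$ZONE" --list-services)" \
            || echo "WARNING: ssh is not allowed in $ZONE; fix it before logging out" >&2
    fi
}

main
```

Run it once with DRY_RUN=1 to read the exact firewall-cmd sequence it will issue, then as root without DRY_RUN on the server; the final check compares the live service list of the zone against ssh, since a zone with a DROP target and no ssh service cuts off the session that created it.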

Okay, this is all you have to do for a simple web server. More features like port forwarding will not be introduced here, since I just want to tell you what to do when you set up a new web server, or what to do after starting the firewalld service.

Jiwen Young

I am a China-based developer specialized in web development and web design.