firewalld is the default firewall on RHEL/CentOS and on distributions built from the same source code. But here's where things get a bit confusing. On RHEL/CentOS 7, firewalld is implemented differently from the way it is on RHEL/CentOS 8: on RHEL/CentOS 7 it uses the iptables engine as its backend, while on RHEL/CentOS 8 it uses nftables. Either way, you can't create rules with plain iptables or nftables commands, because firewalld stores its rules in an incompatible format.
A big advantage of firewalld is the fact that it's dynamically managed. That means that you can change the firewall configuration without restarting the firewall service, and without interrupting any existing connections to your server.
Installing firewalld
On RHEL-based distributions such as CentOS, Rocky Linux, AlmaLinux and Fedora, firewalld is installed by default because it is the system's default firewall.
You can verify the same using:
~]# rpm -qa | grep firewalld
firewalld-filesystem-1.0.0-4.el9.noarch
firewalld-1.0.0-4.el9.noarch
If it is not installed, you can search for this package in your available repository and install it:
~]# yum search firewalld
=========================== Name Exactly Matched: firewalld ============================
firewalld.noarch : A firewall daemon with D-Bus interface providing a dynamic firewall
========================== Name & Summary Matched: firewalld ===========================
firewalld-filesystem.noarch : Firewalld directory layout and rpm macros
============================== Summary Matched: firewalld ==============================
python3-firewall.noarch : Python3 bindings for firewalld
Now that you have the package name, go ahead and install it:
~]# yum install firewalld -y
OR
~]# dnf install firewalld -y
Check firewalld status
firewalld is managed via systemctl, so make sure the service is up and running:
systemctl status firewalld
If it is not running, you can start it using:
systemctl start firewalld
Make sure the service is in "enabled" state to auto start on reboot:
~]# systemctl is-enabled firewalld
enabled
If it is in the disabled state, you can enable it using:
systemctl enable firewalld
While firewalld uses standard text configuration files, you can also use the firewall-cmd command-line tool for most of the things you need to do. To check if firewalld is running:
~]# firewall-cmd --state
running
If firewalld were not active, the output would show not running.
Different configuration items under firewalld
firewalld manages three concepts in its configuration:
- Zones: A firewalld zone is a group of rules that can be activated all together and assigned to a network interface. It includes different services and rules but also settings that alter the behavior of network traffic filtering.
- Services: A firewalld service is a port or group of ports that must be configured together for a specific system service (hence the name) to work properly.
- Ports: A firewalld port includes a port number (for example, 80) and a type of traffic (for example, TCP) and can be used to manually enable network traffic to a custom system service.
Understanding Firewalld Zones
Firewalld makes firewall management easier by working with zones. A zone is a collection of rules that are applied to incoming packets matching a specific source address or network interface. Firewalld applies to incoming packets only by default, and no filtering happens on outgoing packets.
The use of zones is particularly important on servers that have multiple interfaces. On such servers, zones allow administrators to easily assign a specific set of rules. On servers that have just one network interface, you might very well do with just one zone, which is the default zone. Every packet that comes into a system is analyzed for its source address, and based on that source address, Firewalld analyzes whether or not the packet belongs to a specific zone. If not, the zone for the incoming network interface is used. If no specific zone is available, the packet is handled by the settings in the default zone.
Zone Name | Default Settings |
---|---|
block | Incoming network connections are rejected with an “icmp-host-prohibited” message. Only network connections that were initiated on this system are allowed. |
dmz | For use on computers in the demilitarized zone. Only selected incoming connections are accepted, and limited access to the internal network is allowed. |
drop | Any incoming packets are dropped and there is no reply. |
external | For use on external networks with masquerading (Network Address Translation [NAT]) enabled, used especially on routers. Only selected incoming connections are accepted. |
home | For use with home networks. Most computers on the same network are trusted, and only selected incoming connections are accepted. |
internal | For use in internal networks. Most computers on the same network are trusted, and only selected incoming connections are accepted. |
public | For use in public areas. Other computers in the same network are not trusted, and limited connections are accepted. This is the default zone for all newly created network interfaces. |
trusted | All network connections are accepted. |
work | For use in work areas. Most computers on the same network are trusted, and only selected incoming connections are accepted. |
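The zone lookup described above (source match first, then the zone bound to the incoming interface, then the default zone) and the zone target semantics explained later on this page (default and %%REJECT%% reject, ACCEPT accepts, DROP drops) can be modelled in a few lines. The following is an added example, not firewalld's own code: the zone table, the `block_subnet` ipset, the small `SERVICE_PORTS` subset and the test packets are all constructed for illustration, and the function names (`select_zone`, `verdict`, `decide`) are hypothetical.

```python
"""Model of how firewalld picks the zone for an incoming packet and what the
zone then does with it.  Added example, not firewalld's own code: the zone
tables, ipsets and packets below are constructed for illustration."""
import ipaddress

# Constructed zone configuration in the shape `firewall-cmd --list-all-zones`
# prints: sources may be CIDR networks or "ipset:<name>" references.
ZONES = {
    "public": {"target": "default", "interfaces": ["eth0"], "sources": [],
               "services": ["ssh", "dhcpv6-client", "cockpit"], "ports": []},
    "work": {"target": "default", "interfaces": ["eth1"], "sources": ["10.10.0.0/16"],
             "services": ["ssh", "http"], "ports": ["8080/tcp"]},
    "trusted": {"target": "ACCEPT", "interfaces": [], "sources": ["192.168.1.0/24"],
                "services": [], "ports": []},
    "drop": {"target": "DROP", "interfaces": [], "sources": ["ipset:block_subnet"],
             "services": [], "ports": []},
}
IPSETS = {"block_subnet": ["192.168.122.0/24", "203.0.113.0/24"]}  # constructed
DEFAULT_ZONE = "public"

# Ports behind the service names used above.  On a real host these come from
# the XML files under /usr/lib/firewalld/services; this is an assumed subset.
SERVICE_PORTS = {"ssh": ["22/tcp"], "http": ["80/tcp"], "cockpit": ["9090/tcp"],
                 "dhcpv6-client": ["546/udp"]}


def source_matches(src_ip, source, ipsets=IPSETS):
    """True if src_ip falls inside a zone source (a CIDR or an ipset:<name>)."""
    addr = ipaddress.ip_address(src_ip)
    if source.startswith("ipset:"):
        nets = ipsets.get(source[len("ipset:"):], [])
    else:
        nets = [source]
    # `addr in network` is False for a mismatched IP version, so v4/v6 mix safely.
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def select_zone(src_ip, iface, zones=ZONES, default_zone=DEFAULT_ZONE):
    """Zone lookup order described in the text: a source match wins, then the
    zone the incoming interface is bound to, finally the default zone."""
    for name, zone in zones.items():
        if any(source_matches(src_ip, s) for s in zone["sources"]):
            return name
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    return default_zone


def verdict(zone_name, dport, proto, zones=ZONES):
    """What the zone does with a new connection to dport/proto: explicitly
    allowed services and ports are accepted, anything else falls through to
    the zone target."""
    zone = zones[zone_name]
    wanted = f"{dport}/{proto}"
    allowed = set(zone["ports"])
    for svc in zone["services"]:
        allowed.update(SERVICE_PORTS.get(svc, []))
    if wanted in allowed:
        return "ACCEPT"
    return {"default": "REJECT", "%%REJECT%%": "REJECT",
            "ACCEPT": "ACCEPT", "DROP": "DROP"}[zone["target"]]


def decide(src_ip, iface, dport, proto):
    """Full path for one incoming packet: (zone, verdict)."""
    zone = select_zone(src_ip, iface)
    return zone, verdict(zone, dport, proto)


if __name__ == "__main__":
    for pkt in [("192.168.1.7", "eth0", 3306, "tcp"),    # trusted by source
                ("192.168.122.9", "eth1", 22, "tcp"),    # ipset entry -> drop zone
                ("10.10.4.2", "eth0", 8080, "tcp"),      # work by source, port opened
                ("8.8.8.8", "eth1", 443, "tcp"),         # work by interface, not opened
                ("8.8.8.8", "eth2", 22, "tcp")]:         # unbound interface -> default zone
        print(pkt, "->", decide(*pkt))
```

The point the model makes explicit is that a source match overrides the interface binding: a host listed in `block_subnet` lands in the drop zone even when it arrives on an interface bound to `work`, and an interface that is bound to no zone silently inherits whatever the default zone allows.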
Understanding Firewalld Services
The second key element while working with Firewalld is the service.
Note that a service in Firewalld is not the same as a service in Systemd; a Firewalld service specifies what exactly should be accepted as incoming and outgoing traffic in the firewall. It typically includes ports to be opened, as well as supporting kernel modules that should be loaded. In Firewalld, some default services are defined, which allows administrators to easily allow or deny access to specific ports on a server.
Behind each service is a configuration file that explains which UDP or TCP ports are involved and, if so required, which kernel modules must be loaded. To get a list of all services available on your computer, use the command firewall-cmd --get-services:
~]# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-controller-manager kube-scheduler kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd netbios-ns nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wireguard wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
Behind each service is an XML configuration file, and changes are easily made to these XML files. Default (RPM-installed) XML files are stored in /usr/lib/firewalld/services. Custom XML files can be added to the /etc/firewalld/services directory and will automatically be picked up after restarting the firewalld service.
Here are the sample contents of the ftp.xml service file:
~]# cat /usr/lib/firewalld/services/ftp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
  <port protocol="tcp" port="21"/>
  <helper name="ftp"/>
</service>
Create a new firewalld service
Let's say we want to install an Oracle database on our server. We must have port 1521 open, and it must be of the TCP type. Let's create the /etc/firewalld/services/oracledb.xml file with the following content:
~]# cat /etc/firewalld/services/oracledb.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OracleDB</short>
  <description>Oracle Database firewalld service. It allows connections to the Oracle Database service. You will need to deploy Oracle Database in this machine and enable it for this option to be useful.</description>
  <port protocol="tcp" port="1521"/>
</service>
We can enable it by using the following code:
~]# firewall-cmd --reload
success
~]# firewall-cmd --add-service oracledb
success
~]# firewall-cmd --list-services
cockpit dhcpv6-client oracledb ssh vnc-server
Now, it's ready to be used in the running configuration. We can add it to the permanent configuration like so:
~]# firewall-cmd --add-service oracledb --permanent
success
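A custom service file is only as good as its XML: a mistyped protocol or an out-of-range port makes firewalld refuse the file at reload time. The following added example (not part of firewalld; the parser and the helper names `parse_service`, `build_service_xml`, `to_port_args` are hypothetical) reads the ftp.xml and oracledb.xml shown above (descriptions abbreviated), checks the port and protocol attributes the way a pre-commit check would, and generates a new service file from a port list so the XML never has to be hand-typed. `BROKEN_XML` is a constructed bad file used to exercise the checks.

```python
"""Parse, validate and generate firewalld service definitions (the XML files
under /usr/lib/firewalld/services and /etc/firewalld/services).  Added
example, not part of firewalld."""
import xml.etree.ElementTree as ET

VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}

# The two service files shown on this page (descriptions abbreviated).
FTP_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>FTP is a protocol used for remote file transfer.</description>
  <port protocol="tcp" port="21"/>
  <helper name="ftp"/>
</service>"""

ORACLEDB_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OracleDB</short>
  <description>Oracle Database firewalld service.</description>
  <port protocol="tcp" port="1521"/>
</service>"""

# Constructed: a mistyped protocol and an out-of-range port.
BROKEN_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Broken</short>
  <port protocol="tpc" port="1521"/>
  <port protocol="udp" port="70000"/>
</service>"""


def parse_service(xml_text):
    """Return {"short": ..., "ports": [(port_spec, proto), ...], "helpers": [...]}.
    Raises ValueError for a definition firewalld would not accept."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError(f"root element must be <service>, got <{root.tag}>")
    ports = []
    for p in root.findall("port"):
        proto = p.get("protocol", "")
        spec = p.get("port", "")
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unknown protocol {proto!r}")
        # firewalld accepts a single port or a range such as "6000-6010"
        lo, _, hi = spec.partition("-")
        hi = hi or lo
        if not (lo.isdigit() and hi.isdigit() and 1 <= int(lo) <= int(hi) <= 65535):
            raise ValueError(f"bad port spec {spec!r}")
        ports.append((spec, proto))
    return {"short": root.findtext("short", default=""),
            "ports": ports,
            "helpers": [h.get("name") for h in root.findall("helper")]}


def to_port_args(service):
    """The equivalent `--add-port` values, handy for comparing a custom
    service file with what `firewall-cmd --list-ports` shows."""
    return [f"{port}/{proto}" for port, proto in service["ports"]]


def is_valid(xml_text):
    """True if the text parses and passes the checks above."""
    try:
        parse_service(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


def build_service_xml(short, description, ports):
    """Generate a service file like oracledb.xml above; ports is [(port, proto)]."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = short
    ET.SubElement(svc, "description").text = description
    for port, proto in ports:
        ET.SubElement(svc, "port", protocol=proto, port=str(port))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(svc, encoding="unicode")


if __name__ == "__main__":
    print(parse_service(FTP_XML))
    print(to_port_args(parse_service(ORACLEDB_XML)))
    print("broken file accepted?", is_valid(BROKEN_XML))
    print(build_service_xml("OracleDB", "Oracle Database firewalld service.", [(1521, "tcp")]))
```

Running `is_valid` over every file in /etc/firewalld/services before a `--reload` catches the kind of typo that otherwise only shows up as a reload error.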
Most commonly used firewall-cmd options
firewall-cmd Options | Explanation |
---|---|
--get-zones | Lists all available zones |
--get-default-zone | Shows the zone currently set as the default zone |
--set-default-zone=<ZONE> | Changes the default zone |
--get-services | Shows all available services |
--list-services | Shows services currently in use |
--add-service=<service-name> [--zone=<ZONE>] | Adds a service to the current default zone or the zone that is specified |
--remove-service=<service-name> | Removes a service from the configuration |
--list-all-zones | Shows configuration for all zones |
--add-port=<port/protocol> [--zone=<ZONE>] | Adds a port and protocol |
--remove-port=<port/protocol> [--zone=<ZONE>] | Removes a port from the configuration |
--add-interface=<INTERFACE> [--zone=<ZONE>] | Adds an interface to the default zone or a specific zone that is specified |
--remove-interface=<INTERFACE> [--zone=<ZONE>] | Removes an interface from a specific zone |
--add-source=<ipaddress/netmask> [--zone=<ZONE>] | Adds a source IP address or network to the default zone or the zone that is specified |
--remove-source=<ipaddress/netmask> [--zone=<ZONE>] | Removes an IP address from the configuration |
--permanent | Writes configuration to disk and not to runtime |
--reload | Reloads the on-disk configuration |
Basic firewall-cmd command examples
1. Difference between adding firewall rule with and without --permanent
You may have seen some people use the --permanent argument with every firewall rule, while others never use it. So what is the difference? Let's check with an example. We will add the vnc-server service to the firewall configuration without --permanent:
~]# firewall-cmd --add-service=vnc-server
success
~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh vnc-server
Next, restart the firewall service using systemctl restart firewalld and repeat firewall-cmd --list-services to check whether vnc-server is still present in our default zone:
~]# systemctl restart firewalld
~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh
Notice that the vnc-server service is no longer listed; the reason is that the previous command has added the service to the runtime configuration but not to the persistent configuration.
Add the vnc-server service again, but make it permanent this time, using the --permanent argument:
~]# firewall-cmd --add-service vnc-server --permanent
success
Verify whether vnc-server has been added to our default zone. You'll see that the vnc-server service is not listed: services added to the on-disk configuration are not added automatically to the runtime configuration.
~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh
We have to use --reload to load the on-disk configuration into the runtime configuration:
~]# firewall-cmd --reload
success
~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh vnc-server
So if you want to make a temporary runtime change, for example to verify an application flow without touching the permanent configuration, apply the rule without --permanent; otherwise it is recommended to use the --permanent flag for persistent changes. But make sure to reload the configuration after applying a firewall rule with the --permanent flag.
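The runtime/permanent split above is easy to model, and the model makes the two failure modes concrete: a rule added without --permanent disappears on restart, and a rule added with --permanent is not live until a reload. The following is an added example, not firewalld's own code; `FirewalldModel`, `walkthrough` and `unsaved_runtime_changes` are hypothetical names, and the service names are the ones used on this page. It also covers `--runtime-to-permanent`, which appears later on this page, and adds a drift check that reports rules present in only one of the two configurations.

```python
"""Toy model of firewalld's two configurations: the runtime set the kernel is
using now and the permanent (on-disk) set loaded at start or reload.  Added
example, not firewalld's own code."""


class FirewalldModel:
    def __init__(self, permanent):
        # At daemon start the runtime configuration is a copy of the on-disk one.
        self.permanent = set(permanent)
        self.runtime = set(permanent)

    def add_service(self, name, permanent=False):
        # `firewall-cmd --add-service NAME`             -> runtime only
        # `firewall-cmd --add-service NAME --permanent` -> on-disk only
        (self.permanent if permanent else self.runtime).add(name)

    def remove_service(self, name, permanent=False):
        (self.permanent if permanent else self.runtime).discard(name)

    def reload(self):
        # `firewall-cmd --reload`: the runtime set is replaced by the on-disk
        # set, so runtime-only rules vanish and saved rules become active.
        self.runtime = set(self.permanent)

    def restart(self):
        # `systemctl restart firewalld` has the same effect on the rule sets.
        self.reload()

    def runtime_to_permanent(self):
        # `firewall-cmd --runtime-to-permanent`: save exactly what is live now,
        # overwriting any permanent-only entries.
        self.permanent = set(self.runtime)

    def list_services(self):
        # `firewall-cmd --list-services` shows the runtime set.
        return sorted(self.runtime)


def walkthrough():
    """Replays the sequence from the text; returns the listing after each step."""
    fw = FirewalldModel({"cockpit", "dhcpv6-client", "ssh"})
    fw.add_service("vnc-server")                   # runtime only
    after_add = fw.list_services()
    fw.restart()                                   # runtime rule is gone
    after_restart = fw.list_services()
    fw.add_service("vnc-server", permanent=True)   # on disk, not yet active
    after_permanent_add = fw.list_services()
    fw.reload()                                    # now active
    after_reload = fw.list_services()
    return after_add, after_restart, after_permanent_add, after_reload


def unsaved_runtime_changes(fw):
    """Drift check worth running before a reload or reboot: rules that are live
    but would be lost, and saved rules that are not yet live.  On a real host
    the two sets come from `firewall-cmd --list-all` with and without --permanent."""
    return {"runtime_only": sorted(fw.runtime - fw.permanent),
            "permanent_only": sorted(fw.permanent - fw.runtime)}


if __name__ == "__main__":
    for step, listing in zip(("add", "restart", "add --permanent", "reload"), walkthrough()):
        print(f"{step:16} -> {' '.join(listing)}")
```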
2. Show firewall rules for all the available zones
Use the --list-all-zones argument to list all the available zones on the server along with the rules defined for each zone:
~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
...
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
3. Show firewall rules for specific zone
To show the firewall rules for a specific zone we use --list-all --zone=<zone_name>. For example, to list all the rules of the public zone:
firewall-cmd --list-all --zone=public
The output shows the features and what items are allowed through the firewall for that zone. The target feature defines the action for the zone:
- default: Rejects all packets not matching the zone rules, but sends an ICMP packet to the client indicating why.
- ACCEPT: Accepts packets not matching the zone rules.
- DROP: Drops packets not matching the zone rules.
- %%REJECT%%: Rejects all packets not matching the zone rules.
The sources, services, ports, and protocols features define the rule items that are either allowed or blocked, based on the target setting.
4. Get the list of available zones
To see which zones are available, use firewall-cmd --get-zones.
~]# firewall-cmd --get-zones
block dmz drop eth0 eth1 eth2 eth3 eth4 external home internal lo nm-shared public trusted work
5. Check your default zone
To check your default firewall zone, use the following command:
~]# firewall-cmd --get-default-zone
public
6. Change your default zone
If you need to utilize zones, you can choose the default zone and assign interfaces to specific zones as well. Firstly, assign a new default zone as follows:
firewall-cmd --set-default-zone=work
Here, we change the default zone to the work zone. In this way, all NICs that have not been explicitly assigned will participate in the work zone. The preceding command should report back with success.
7. Assign a zone to specific interface
We can also explicitly assign a zone to an interface. To add interface eth1 to the public zone:
firewall-cmd --zone=public --change-interface=eth1 --permanent
firewall-cmd --reload
8. Get the list of active zones
Use --get-active-zones to get the list of active zones along with the interfaces attached to each zone:
~]# firewall-cmd --get-active-zones
eth0
  interfaces: eth0
eth1
  interfaces: eth1
eth2
  interfaces: eth2
eth3
  interfaces: eth3
eth4
  interfaces: eth4
lo
  interfaces: lo
9. Create new zone and add an interface to this zone
Besides the default zones, you can create your own zones to help customize your server's network environment. The --new-zone option of the firewall-cmd command defines the zone name:
# firewall-cmd --permanent --new-zone=mytest
success
Before you can use the zone, you must tell firewalld to reload the configuration file so it knows about the new zone:
# firewall-cmd --reload
success
Then you can list the zones to see if the new zone exists:
# firewall-cmd --get-zones
block dmz drop external home internal mytest nm-shared public trusted work
Once you've created the zone, you can move a network interface to the zone using the --add-interface option:
# firewall-cmd --zone=mytest --add-interface=enp0s8
success
10. Check interface is mapped to which zone
You can check what zone a specific interface is currently in by using the --get-zone-of-interface option:
~]# firewall-cmd --get-zone-of-interface=enp0s8
public
11. Add a firewall rule to allow TCP port
Apply the following command to permanently allow TCP port 2020, followed by firewall-cmd --reload:
// Add a port to the default zone
~]# firewall-cmd --add-port=2020/tcp --permanent
success
~]# firewall-cmd --reload
success
~]# firewall-cmd --list-ports
22/tcp 80/tcp 443/tcp 2020/tcp 7878/tcp 162/udp
// Remove a port from the default zone
~]# firewall-cmd --remove-port=2020/tcp --permanent
success
~]# firewall-cmd --reload
success
~]# firewall-cmd --list-ports
22/tcp 80/tcp 443/tcp 7878/tcp 162/udp
12. Add or Remove a service from a specific zone
Let's try to add a service to and remove it from the public zone:
// Add a service to the public zone
~]# firewall-cmd --add-service http --zone=public --permanent
success
~]# firewall-cmd --reload
success
~]# firewall-cmd --list-services --zone=public
cockpit dhcpv6-client http ssh vnc-server
// Remove a service from the public zone
~]# firewall-cmd --remove-service http --zone=public --permanent
success
~]# firewall-cmd --reload
success
~]# firewall-cmd --list-services --zone=public
cockpit dhcpv6-client ssh vnc-server
13. Drop all INPUT and FORWARD packets only
We would like to specifically drop all input and forward packets only (unless explicitly permitted). On top of that, we want to permit all output packets by default.
firewall-cmd --zone=public --add-port=22/tcp --permanent
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -o ethX -j ACCEPT
firewall-cmd --set-default-zone=drop
This ensures that SSH is not blocked, so you can still log in after blocking everything else; the direct rule allows all outbound traffic; and setting the default zone to drop discards all other traffic. Note that port 22 is opened in the public zone, so it only covers interfaces explicitly bound to public: an interface that is not bound to any zone follows the default zone, which is now drop.
14. Log dropped packets to specified file location
In the firewalld configuration file, configure firewalld to log dropped packets.
vim /etc/firewalld/firewalld.conf
# LogDenied
# Add logging rules right before reject and drop rules in the INPUT, FORWARD
# and OUTPUT chains for the default rules and also final reject and drop rules
# in zones. Possible values are: all, unicast, broadcast, multicast and off.
# Default: off
LogDenied=all
Alternatively, you can set this by running the following command:
~]# firewall-cmd --set-log-denied=all
success
The supported values are: all, unicast, broadcast, multicast, or off.
By default this firewalld logging option logs the dropped packets to /var/log/messages. To change the logging location we need to configure rsyslog to capture the dropped-packet messages.
Create /etc/rsyslog.d/firewalld.conf with the following:
# log DROP and REJECT firewalld messages to /var/log/firewalld.log
:msg,contains,"_DROP" /var/log/firewalld.log
& stop
:msg,contains,"_REJECT" /var/log/firewalld.log
& stop
You can replace /var/log/firewalld.log above with any file path and name you want.
Restart rsyslog:
systemctl restart rsyslog.service
To verify that the configuration worked, check /var/log/firewalld.log; the file should contain DROP and REJECT logs. Also verify that no new DROP and REJECT messages are written to the /var/log/messages file.
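Once LogDenied is on and the messages land in their own file, the next question is what to do with them. The following added example (not part of firewalld or rsyslog) parses the kernel lines the same way the rsyslog filter above selects them (message contains `_DROP` or `_REJECT`), pulls the netfilter key=value fields out, recovers the zone from the log prefix and counts denied connections per source and destination port. The log lines in `SAMPLE_LOG` are constructed in the standard netfilter LOG format with prefixes modelled on the ones firewalld uses (`filter_IN_<zone>_REJECT`, `FINAL_REJECT`, `STATE_INVALID_DROP`); the function names are hypothetical.

```python
"""Parse and summarise the kernel messages firewalld emits when LogDenied is
on.  Added example, not part of firewalld or rsyslog; the log lines are
constructed in the netfilter LOG key=value format."""
import re
from collections import Counter

SAMPLE_LOG = """\
Mar  3 10:15:02 host kernel: filter_IN_public_REJECT: IN=eth0 OUT= MAC=08:00:27:05:a8:37:52:54:00:12:34:56:08:00 SRC=192.168.0.10 DST=192.168.0.171 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5123 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 host kernel: filter_IN_public_REJECT: IN=eth0 OUT= SRC=192.168.0.10 DST=192.168.0.171 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5124 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:09 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.171 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:10 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.171 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44001 DPT=22 WINDOW=1024 RES=0x04 ACK URGP=0
Mar  3 10:15:11 host sshd[2211]: Accepted publickey for admin from 192.168.0.20 port 50022 ssh2
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>\S+): (?P<fields>.*)$")
ZONE_RE = re.compile(r"filter_IN_(.+)_(REJECT|DROP)$")


def is_denied_message(line):
    """Same test the rsyslog filter on this page applies to the message."""
    return "_DROP" in line or "_REJECT" in line


def parse_denied(line):
    """Return the netfilter key=value fields plus prefix, action and zone, or
    None for lines that are not firewalld deny messages."""
    if not is_denied_message(line):
        return None
    m = LINE_RE.search(line)
    if not m:
        return None
    # Flag tokens such as DF, SYN or ACK carry no "=", so they are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    prefix = m.group("prefix")
    fields["prefix"] = prefix
    fields["action"] = "DROP" if prefix.endswith("_DROP") else "REJECT"
    # "filter_IN_public_REJECT" -> zone "public"; the final/invalid chains
    # are not tied to a zone, so zone is None for them.
    zone_m = ZONE_RE.match(prefix)
    fields["zone"] = zone_m.group(1) if zone_m else None
    return fields


def summarise(log_text):
    """Count denied connections per (source address, destination port/proto)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denied(line)
        if rec:
            target = f'{rec.get("DPT", "-")}/{rec.get("PROTO", "-").lower()}'
            counts[(rec["SRC"], target)] += 1
    return counts


def top_sources(log_text, n=3):
    """Sources with the most denied connections: the usual starting point for
    deciding whether an ipset entry or an upstream block is warranted."""
    per_src = Counter()
    for (src, _), count in summarise(log_text).items():
        per_src[src] += count
    return per_src.most_common(n)


if __name__ == "__main__":
    for (src, target), count in summarise(SAMPLE_LOG).items():
        print(f"{src:16} -> {target:10} denied {count}x")
    print("top sources:", top_sources(SAMPLE_LOG))
```

The zone field is what makes the summary actionable: a flood of `filter_IN_public_REJECT` entries for port 3389 from one internal host is a different conversation from `FINAL_REJECT` lines arriving from an address that no zone claims.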
15. Enable debugging in firewalld
You can enable debugging and raise the debug level in the firewalld sysconfig file:
# vim /etc/sysconfig/firewalld
FIREWALLD_ARGS=--debug=10
Then restart the firewalld service to enable debugging:
systemctl restart firewalld
Working with firewalld Rich Rules
1. Add comment to firewalld rule
There is no comment option for firewalld rich rules yet, but a direct rule can carry one via '-m comment --comment "description"':
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -m tcp -s 10.10.10.60 --dport=80 -j ACCEPT -m comment --comment "Accept ip 60"
It can be checked with the --direct --get-all-rules option, not with firewall-cmd --list-all:
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m tcp -s 10.10.10.60 --dport=80 -m comment --comment 'Accept ip 60' -j ACCEPT
2. Allow the echo requests in the drop zone
Use the following firewall command:
# firewall-cmd --permanent --zone=drop --add-rich-rule='rule icmp-type name="echo-request" accept'
success
You can read more at How to disable ICMP and ICMPv6 redirects in Linux and How to stop ICMP ping flood attack (DOS) on Linux
3. Add rich rule with firewall-cmd
The program also uses what it calls rich rules, which allow you to customize a rule to specify a specific object, such as a single IP address and a port or service:
# firewall-cmd --zone=mytest --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.70 port port=22 protocol=tcp reject'
success
# firewall-cmd --reload
success
This rich rule example rejects SSH packets (port 22) coming from a specific source address, 192.168.1.70. The command applies this rich rule to the mytest zone. You can then check if the rule was applied:
# firewall-cmd --zone=mytest --list-all
mytest
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports: 631/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.1.70" port port="22" protocol="tcp" reject
4. Firewalld rich rule to allow all incoming traffic
Execute the following commands to allow all incoming traffic:
// For IPv4 traffic
# firewall-cmd --zone=home --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" accept'
// For IPv6 traffic
# firewall-cmd --zone=home --add-rich-rule='rule family="ipv6" source address="::/0" accept'
// Make the changes permanent
# firewall-cmd --runtime-to-permanent
5. Create and use ipset with firewalld rich rule
First, create an ipset with the list of ip addresses:
# firewall-cmd --permanent --new-ipset=myipset --type=hash:ip
success
# firewall-cmd --permanent --ipset=myipset --add-entry=10.0.0.1
success
# firewall-cmd --permanent --ipset=myipset --add-entry=10.0.0.2
success
Then configure a firewalld rich rule to make use of the ipset for a particular tcp port:
# firewall-cmd --permanent --zone=work --add-rich-rule='rule source ipset=myipset port port=12345 protocol=tcp accept'
success
# firewall-cmd --reload
success
6. In firewalld, are rich rules or direct rules processed first?
You can see the order of rule processing with iptables -nvxL. firewalld is just a state machine for managing iptables rules (or nftables rules on RHEL 8). Direct rules appear in the chains with the _direct suffix, for example INPUT_direct and OUTPUT_direct.
By following the entry point of a default chain (e.g. INPUT or OUTPUT) you can follow the hierarchy like this:
INPUT
  INPUT_direct          // direct rules in here
  INPUT_ZONES
    IN_public
      IN_public_log
      IN_public_deny
      IN_public_allow   // firewalld services and rich rules in here
Advanced firewalld rules
1. Add rule for port forwarding
To forward an incoming port to another listening port and make it permanent:
# firewall-cmd --zone=<desired_zone> --add-forward-port=port=<incoming_port>:proto=<protocol>:toport=<destination_port> --permanent
# firewall-cmd --reload
The destination port must also be open for this to work:
# firewall-cmd --zone=<desired_zone> --add-port=<port>/<protocol> --permanent
# firewall-cmd --reload
Example: an incoming HTTP request arrives on port 80, but Apache is configured to listen on port 8080. We need to forward the incoming request to port 8080 in the public zone:
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
firewall-cmd --reload
2. Add firewall rule to block icmp packet to the certain IP
To block only ICMP packets to a certain host:
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type 8 -d xx.xx.xx.xx -j DROP
To block all the traffic destined to a certain host:
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 --dst xx.xx.xx.xx -j DROP
To get the list of direct rules:
~]# firewall-cmd --direct --get-all-rules
ipv4 filter OUTPUT 0 -p icmp --icmp-type 8 -d xx.xx.xxx.xx -j DROP
ipv4 filter OUTPUT 0 --dst xx.xx.xx.xx -j DROP
To remove this rule use --remove-rule:
firewall-cmd --direct --remove-rule ipv4 filter OUTPUT 0 --dst xx.xx.xx.xx -j DROP
Also Read: How to disable ICMP timestamp responses in Linux
3. Block ICMPv4 message type 17 (Address Mask Request) and 18 (Address Mask Reply)
Use the firewall direct rules to block the ICMPv4 message type 17 and 18:
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp --icmp-type address-mask-request -j DROP
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp --icmp-type address-mask-reply -j DROP
Reload the firewall rules:
# firewall-cmd --reload
Verify the configuration:
# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter INPUT 0 -p icmp --icmp-type address-mask-request -j DROP
ipv4 filter INPUT 0 -p icmp --icmp-type address-mask-reply -j DROP
4. Implement TCP Wrappers user/group match in firewall rules
User and group matching is implemented in iptables and firewalld direct rules with the owner extension, e.g.:
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -m owner --uid-owner USERNAME -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -m owner --gid-owner GROUPNAME -j ACCEPT
You can also use a numeric UID (e.g. 1000) or a range (e.g. 1000-9999).
5. Restrict access to a server from a specific sub-network
Users can set and control IP sets to restrict the access using firewalld. To add a new IP set:
# firewall-cmd --permanent --new-ipset=block_subnet --type=hash:net
To add an entry (192.168.122.0/24) to the block_subnet IP set:
# firewall-cmd --permanent --ipset=block_subnet --add-entry=192.168.122.0/24
To get the list of current entries in block_subnet IP set:
# firewall-cmd --permanent --ipset=block_subnet --get-entries
To add the block_subnet IP set as a source to the drop zone to drop all packets coming from all entries listed in the block_subnet IP set:
# firewall-cmd --permanent --zone=drop --add-source=ipset:block_subnet
To reload firewalld configuration to activate the changes:
# firewall-cmd --reload
To confirm that the IP set is attached as a source of the drop zone:
# firewall-cmd --info-zone=drop
...
sources: ipset:block_subnet
...
Using cockpit web interface to manage firewall
To use the RHEL 8 web administration interface, we must install it. The package and the service running it are both called cockpit. We can install it by running the following command:
dnf install cockpit -y
Next, enable and start the service:
~]# systemctl enable --now cockpit.socket
Created symlink /etc/systemd/system/sockets.target.wants/cockpit.socket → /usr/lib/systemd/system/cockpit.socket.
Cockpit uses a clever trick to save resources. The interface is stopped but a socket is enabled to listen on port 9090. When it receives a connection, cockpit is started. This way, it will only consume resources in your machine when it is in use.
Let's access cockpit by pointing a browser to the IP of the machine and port 9090:
~]# ip a
...
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:05:a8:37 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.171/24 brd 192.168.0.255 scope global dynamic noprefixroute enp0s8
valid_lft 6248sec preferred_lft 6248sec
inet6 fe80::a00:27ff:fe05:a837/64 scope link noprefixroute
valid_lft forever preferred_lft forever
...
In this case, https://192.168.0.171:9090. Let's log in as root with the password that was provided during installation:
Now, we can access the cockpit dashboard, which contains information about the system:
Now, let's go to Networking and then click on Firewall, as shown in the following screenshot:
At this point, we can click on Add Services in the public zone section to modify it and add one more service:
The steps to add the dns service to the public zone section of the firewall are simple:
- Click on Services.
- Filter the services by typing dns into the search box.
- Select the dns service with TCP:53 and UDP:53.
- Click on Add Services:
Once you've done this, the service will be added to the running and permanent configurations. It will be displayed on the public zone section of cockpit:
With this, we know how to make modifications to the firewall in RHEL8 using a web interface.
Manage firewall rule using firewall-config GUI
By default firewall-config may not be installed on your server, so you can install it manually using:
dnf -y install firewall-config
OR
yum -y install firewall-config
To access firewall-config you must connect to the graphical desktop of your RHEL server and execute the following command as the root user from the terminal:
~]# firewall-config &
This will open the firewall configuration GUI.
If all you need to do is open some firewall ports to allow access to selected services, that's very easy to do from the Firewall Configuration window. With the public zone selected, just click the services you want to open. The port allowing access to that service is opened immediately (when you select the Runtime configuration) and opened permanently (when you select the Permanent configuration).
Further Reading
How to configure firewalld in RHEL?