    Open Firewall Ports on CentOS 7 and RHEL 7

      stacksofplates @JaredBusch

      @JaredBusch said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

      CentOS 7 and RHEL 7 versions of Linux now use the firewall-cmd command to open firewall ports. In a default installation, we just need to add the "ports" that we need to the default zone and reload. In the example below we will do this for the two common web ports: 80 and 443. The default zone is "public" but can be set to anything, of course.

      firewall-cmd --zone=public --add-port=80/tcp --permanent
      firewall-cmd --zone=public --add-port=443/tcp --permanent
      firewall-cmd --reload
      

      If you forget to use --permanent then the change will not persist through a reload operation.

      I thought permanent, is to survive a reboot or service restart, not a reload.

      Correct. However it won't take effect until you do a reload or restart if you use --permanent.

      JaredBuschJ 1 Reply Last reply Reply Quote 2
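
The runtime versus `--permanent` distinction discussed above, as an added example that is not part of the original thread: firewalld keeps a runtime rule set and a permanent one, and a reload or restart replaces the runtime set with the permanent one. The function names and the sample port lists are constructed for illustration; the input format is the single space-separated line printed by `firewall-cmd --list-ports`.

```shell
#!/bin/sh
# Added example: report drift between firewalld's runtime and permanent
# port lists for one zone. All function names here are hypothetical.

# Split a space-separated list into sorted, unique lines.
to_lines() { printf '%s\n' "$1" | tr -s ' ' '\n' | sed '/^$/d' | sort -u; }

# Print entries of list $1 that are absent from list $2.
only_in() {
    a=$(to_lines "$1"); b=$(to_lines "$2")
    for e in $a; do
        printf '%s\n' "$b" | grep -Fxq -- "$e" || printf '%s\n' "$e"
    done
}

# $1 = runtime list, $2 = permanent list
runtime_only()   { only_in "$1" "$2"; }  # added without --permanent
permanent_only() { only_in "$2" "$1"; }  # added with --permanent, no reload yet

drift_report() {
    for p in $(runtime_only "$1" "$2"); do
        echo "RUNTIME-ONLY $p (discarded on reload, restart or reboot)"
    done
    for p in $(permanent_only "$1" "$2"); do
        echo "PERMANENT-ONLY $p (saved, but not active until reload)"
    done
}

# Constructed sample: 8080/tcp was opened without --permanent,
# 443/tcp was added with --permanent but no reload has happened yet.
SAMPLE_RUNTIME="80/tcp 8080/tcp"
SAMPLE_PERMANENT="80/tcp 443/tcp"
drift_report "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"

# On a live host the two lists come from:
#   firewall-cmd --zone=public --list-ports
#   firewall-cmd --permanent --zone=public --list-ports
# `firewall-cmd --runtime-to-permanent` saves the current runtime rules.
```
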
        JaredBusch @stacksofplates

        @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

        @JaredBusch said in Open Firewall Ports on CentOS 7 and RHEL 7:

        @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

        CentOS 7 and RHEL 7 versions of Linux now use the firewall-cmd command to open firewall ports. In a default installation, we just need to add the "ports" that we need to the default zone and reload. In the example below we will do this for the two common web ports: 80 and 443. The default zone is "public" but can be set to anything, of course.

        firewall-cmd --zone=public --add-port=80/tcp --permanent
        firewall-cmd --zone=public --add-port=443/tcp --permanent
        firewall-cmd --reload
        

        If you forget to use --permanent then the change will not persist through a reload operation.

        I thought permanent, is to survive a reboot or service restart, not a reload.

        Correct. However it won't take effect until you do a reload or restart if you use --permanent.

        Ok, at least I was not going crazy. @scottalanmiller's last sentence needs changed.

          scottalanmiller @JaredBusch

          @JaredBusch fixed

            coliver

            Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

              scottalanmiller @coliver

              @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

              Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

              XML I think.

                coliver @scottalanmiller

                @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

                @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

                XML I think.

                That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult.

                  stacksofplates @coliver

                  @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                  @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

                  @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                  Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

                  XML I think.

                  That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult.

                  Ya it's not bad at all. Here's the config from my Identity Management server. It's pretty similar to /etc/sysconfig/system-config-firewall on RHEL 6, just in zone specific XML files.

                  <zone>
                    <short>Public</short>
                    <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
                    <service name="http"/>
                    <service name="https"/>
                    <service name="ntp"/>
                    <service name="dhcpv6-client"/>
                    <service name="kerberos"/>
                    <service name="ldaps"/>
                    <service name="ssh"/>
                    <service name="dns"/>
                    <service name="ldap"/>
                  </zone>
                  
                    coliver @stacksofplates

                    @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

                    @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                    @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

                    @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                    Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

                    XML I think.

                    That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult.

                    Ya it's not bad at all. Here's the config from my Identity Management server. It's pretty similar to /etc/sysconfig/system-config-firewall on RHEL 6, just in zone specific XML files.

                    <zone>
                      <short>Public</short>
                      <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
                      <service name="http"/>
                      <service name="https"/>
                      <service name="ntp"/>
                      <service name="dhcpv6-client"/>
                      <service name="kerberos"/>
                      <service name="ldaps"/>
                      <service name="ssh"/>
                      <service name="dns"/>
                      <service name="ldap"/>
                    </zone>
                    

                    Those services are predefined right? You can also build your own services via the same process.

                      stacksofplates @coliver

                      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                      @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

                      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                      @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

                      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                      Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

                      XML I think.

                      That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult.

                      Ya it's not bad at all. Here's the config from my Identity Management server. It's pretty similar to /etc/sysconfig/system-config-firewall on RHEL 6, just in zone specific XML files.

                      <zone>
                        <short>Public</short>
                        <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
                        <service name="http"/>
                        <service name="https"/>
                        <service name="ntp"/>
                        <service name="dhcpv6-client"/>
                        <service name="kerberos"/>
                        <service name="ldaps"/>
                        <service name="ssh"/>
                        <service name="dns"/>
                        <service name="ldap"/>
                      </zone>
                      

                      Those services are predefined right? You can also build your own services via the same process.

                      Ya and you can define specific ports. I prob could have grabbed a better example.

                      coliverC 1 Reply Last reply Reply Quote 0
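
Because the zone XML files discussed above are what actually gets copied between servers, it helps to review what a file exposes before deploying it. The following is an added example, not part of the original thread: it lists the services and explicit ports in a zone file and flags any that are missing from an approved list. The function names, the sample zone file and the approved list are constructed, and the parser assumes one element per line, as in the zone file posted above.

```shell
#!/bin/sh
# Added example: audit a firewalld zone file against an approved list.
# Function names, sample file and policy are constructed for illustration.

# Print "service:NAME" and "port:PORT/PROTO", one per line, for FILE.
zone_exposure() {
    sed -n 's/.*<service[[:space:]][^>]*name="\([^"]*\)".*/service:\1/p' "$1"
    # <port> attributes may appear in either order, so read each separately.
    grep '<port[[:space:]]' "$1" | while IFS= read -r line; do
        port=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$line" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf 'port:%s/%s\n' "$port" "$proto"
    done
}

# Print entries of FILE ($1) that are not in the space-separated list $2.
# Matching is on whole entries, so "service:https" does not cover "service:http".
zone_unapproved() {
    zone_exposure "$1" | while IFS= read -r entry; do
        case " $2 " in
            *" $entry "*) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Constructed sample zone file (customised zones normally live in
# /etc/firewalld/zones/, for example public.xml).
SAMPLE_ZONE=$(mktemp)
trap 'rm -f "$SAMPLE_ZONE"' EXIT
cat > "$SAMPLE_ZONE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="http"/>
  <service name="https"/>
  <service name="ssh"/>
  <port protocol="tcp" port="8443"/>
</zone>
EOF

APPROVED="service:https service:ssh"   # constructed policy
zone_unapproved "$SAMPLE_ZONE" "$APPROVED"
```
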
                        coliver @stacksofplates

                        @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

                        @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                        @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

                        @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                        @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

                        @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

                        Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

                        XML I think.

                        That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult.

                        Ya it's not bad at all. Here's the config from my Identity Management server. It's pretty similar to /etc/sysconfig/system-config-firewall on RHEL 6, just in zone specific XML files.

                        <zone>
                          <short>Public</short>
                          <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
                          <service name="http"/>
                          <service name="https"/>
                          <service name="ntp"/>
                          <service name="dhcpv6-client"/>
                          <service name="kerberos"/>
                          <service name="ldaps"/>
                          <service name="ssh"/>
                          <service name="dns"/>
                          <service name="ldap"/>
                        </zone>
                        

                        Those services are predefined right? You can also build your own services via the same process.

                        Ya and you can define specific ports. I prob could have grabbed a better example.

                        No, I think I've got it just need to investigate actually setting these up.
