The goal is to protect the server against undesired access. The public services currently running are ssh and https; access to those two will be allowed and everything else blocked.
install firewalld service
- root# pacman -S firewalld
starting firewalld
- root# systemctl start firewalld
set the default zone and activate it
- root# firewall-cmd --get-active-zones
If no zones are listed, activate a zone by assigning a network interface to it (check your interfaces with ip a and choose the one used for public connections).
Activating a zone (replace <interface> with the interface chosen above; in the output further down it is eth0):
- root# firewall-cmd --zone public --change-interface <interface>
Check the default zone. For the server the default zone is public:
- root# firewall-cmd --get-default-zone
If no zone is listed, no default zone is enabled.
Set the default zone:
- root# firewall-cmd --set-default-zone public
current zone configuration
- root# firewall-cmd --list-all --zone public
  public
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
adding allowed services
We only need to add https to the services allowed on the server (ssh is already there):
- root# firewall-cmd --zone public --add-service https
- root# firewall-cmd --list-all --zone public
  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth0
    sources:
    services: dhcpv6-client https ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
final steps: test, then make the changes permanent
Before proceeding, test your services: confirm that ssh and https are still reachable, since the rules added so far exist only in the runtime configuration and are lost on reload.
Make the configuration permanent and reload the rules:
- root# firewall-cmd --runtime-to-permanent
- root# firewall-cmd --reload
Make sure the firewalld service is enabled so it starts at boot:
- root# systemctl enable firewalld
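The "test before making permanent" step above is easy to skip. As an added example (not part of the original notes), the script below checks a zone dump in the format printed by firewall-cmd --list-all --zone public against an allow-list: the zone must be active, bound to an interface, expose exactly the expected services, and open no extra ports or rich rules. The two sample dumps are constructed from the before/after output shown above; the helper names zone_field, zone_is_active and zone_check are my own.

```shell
#!/bin/sh
# Added example: verify a firewalld zone dump before running
# 'firewall-cmd --runtime-to-permanent'. Assumes the 'key: value' layout
# of 'firewall-cmd --list-all' as shown in the notes above.

# Constructed sample: zone state before an interface and https were added.
BEFORE_DUMP='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample: zone state after the steps in the notes.
AFTER_DUMP='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field DUMP KEY: print the value of the "  KEY: value" line (may be empty).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# zone_is_active DUMP: succeed when the first line ends in "(active)".
zone_is_active() {
    printf '%s\n' "$1" | head -n 1 | grep -q '(active)$'
}

# sorted_words "a c b" -> "a b c", so service lists compare order-independently.
sorted_words() {
    printf '%s' "$1" | tr ' ' '\n' | sort | tr '\n' ' ' | sed 's/ $//'
}

# zone_check DUMP EXPECTED_SERVICES: return 0 only when the zone is active,
# has an interface, exposes exactly EXPECTED_SERVICES, and opens no raw
# ports or rich rules. Each failing check is reported on stderr.
zone_check() {
    dump=$1
    rc=0
    zone_is_active "$dump" || { echo "zone is not active" >&2; rc=1; }
    [ -n "$(zone_field "$dump" interfaces)" ] || { echo "no interface bound" >&2; rc=1; }
    got=$(sorted_words "$(zone_field "$dump" services)")
    want=$(sorted_words "$2")
    [ "$got" = "$want" ] || { echo "services: got '$got', want '$want'" >&2; rc=1; }
    [ -z "$(zone_field "$dump" ports)" ] || { echo "unexpected open ports" >&2; rc=1; }
    [ -z "$(zone_field "$dump" 'rich rules')" ] || { echo "unexpected rich rules" >&2; rc=1; }
    return $rc
}

# Stand-alone demo on the constructed samples.
zone_check "$BEFORE_DUMP" "dhcpv6-client https ssh" || echo "before: not ready"
zone_check "$AFTER_DUMP" "dhcpv6-client https ssh" && echo "after: ok"

# On the real server (as root) gate the permanent save on the check:
#   zone_check "$(firewall-cmd --list-all --zone public)" "dhcpv6-client https ssh" \
#       && firewall-cmd --runtime-to-permanent && firewall-cmd --reload
```

The allow-list is passed in explicitly, so the same check catches a service or port that was opened for a test and forgotten, which is exactly what would otherwise be saved by --runtime-to-permanent.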