Bobcares

Setup Guide of Linode Firewalld

by | Nov 11, 2024

To know more about using firewalld on Linode, read our latest blog. Bobcares, as a part of our Linode Managed Services, offers solutions to every query that comes our way.

Overview
  1. Firewalld on Linode
  2. Why Firewalld?
  3. Installation of Firewalld on Linode
  4. Configuration of Firewalld on Linode
  5. Advanced Firewalld Features
  6. Using Firewalld with Linode Cloud Firewall
  7. Best Practices
  8. Security Practices
  9. Troubleshooting Common Issues
  10. Conclusion

Firewalld on Linode

Firewalld is a dynamic firewall manager that makes maintaining firewall rules on Linux servers easy and effective. It is the default on RHEL-based distributions (RHEL, CentOS Stream, AlmaLinux, and Rocky Linux), Fedora, and openSUSE Leap, and it is also packaged for Debian and Ubuntu.

Why Firewalld?

Firewalld is a front end for nftables (or iptables on older systems) that provides dynamic, simplified firewall management. Here’s why it’s a good fit for Linode servers:

  • Ease of Use: A zone and service model replaces hand-written iptables chains.
  • Enhanced Security: Controls which inbound traffic reaches the server, adding a layer of protection on the host itself.
  • Flexibility: Runtime rule changes take effect immediately and, unlike flushing an iptables ruleset, do not drop established connections.
  • Seamless Integration: Works alongside Linode Cloud Firewall, which filters at the network edge before traffic reaches the host.

Installation of Firewalld on Linode

Prerequisites

  • A Linode VPS running CentOS, Fedora, RHEL, or another RHEL-family distribution such as AlmaLinux or Rocky Linux.
  • Root or sudo access.

Installation Steps

1. Update Packages

sudo yum update -y # For CentOS 7/RHEL 7
sudo dnf update -y # For Fedora, RHEL 8+, AlmaLinux, Rocky Linux

2. Install Firewalld

sudo yum install firewalld -y # For CentOS 7/RHEL 7
sudo dnf install firewalld -y # For Fedora, RHEL 8+, AlmaLinux, Rocky Linux

3. Start and Enable Firewalld

sudo systemctl start firewalld
sudo systemctl enable firewalld

4. Verify Status

sudo systemctl status firewalld

Configuration of Firewalld on Linode

1. Understanding Zones

Firewalld assigns each interface (and, optionally, each source address) to a “zone,” and each zone carries its own trust level and set of allowed services. The zones you will meet most often:

Drop: Silently drops all incoming packets; only connections the server itself initiates are allowed.

Block: Like drop, but incoming packets are rejected with an ICMP host-prohibited message, so the client learns immediately that it was refused.

Public: For untrusted public networks, and the default zone on a fresh install. Out of the box it allows only ssh and dhcpv6-client (some images add cockpit or mdns), which is why enabling firewalld does not cut off your existing SSH session.

Home/Work: Trusted networks like home or workplace, where a few more services are allowed by default.

DMZ: For isolated servers in a Demilitarized Zone; only ssh is allowed in.

Trusted: Accepts all connections. Never bind a Linode’s public interface to it.

On a single-interface Linode, eth0 lands in the default zone, so the public zone is the one you will normally edit.

2. Common Commands

i. List Zones

sudo firewall-cmd --get-zones

ii. Set Default Zone

sudo firewall-cmd --set-default-zone=public

iii. View Active Zones (and the interfaces bound to each)

sudo firewall-cmd --get-active-zones

3. Managing Services and Ports

Changes made with --permanent are written to /etc/firewalld/ but do not take effect until --reload; changes made without it apply immediately but are lost at the next reload or reboot. The pattern below (permanent change, then reload) keeps the runtime and saved configuration in sync.

i. Allow HTTP and HTTPS Traffic

sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --reload

ii. Open a Custom Port (e.g., 8080)

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

iii. Remove a Service (e.g., SSH – use with caution)

If the service being removed is the one your own session arrived on, the --reload below disconnects you and leaves the server reachable only through the Linode Lish console. Open Lish first, and remove ssh only once a rich rule (see Advanced Firewalld Features) allows your own address.

sudo firewall-cmd --zone=public --remove-service=ssh --permanent
sudo firewall-cmd --reload

Advanced Firewalld Features

Rich Rules: Rich rules offer advanced control for fine-tuning security. They match on source address, service, port, and more, and can accept, reject, drop, or log what they match. Without --zone, a rich rule is added to the default zone.

Example: Allow SSH access from a specific IP:

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.4" service name="ssh" accept'
sudo firewall-cmd --reload

Note that this rule only adds an accept for 203.0.113.4. As long as the ssh service is still enabled in the zone, every other address is accepted too. To allow SSH only from that IP, also remove the ssh service from the zone (sudo firewall-cmd --zone=public --remove-service=ssh --permanent) before reloading, and make sure the address in the rule is the one you are connecting from.

Masquerading (NAT)

Enable masquerading only when the Linode acts as a gateway for other machines (for example, routing VPN clients out to the internet); firewalld enables IPv4 forwarding automatically when it is set. A plain web server does not need it, so leave it off there:

sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --reload

Using Firewalld with Linode Cloud Firewall

Linode Cloud Firewall offers an added security layer at the network level, filtering unwanted traffic before it reaches the server. Here’s how using both firewalls together can improve security:

  • Defense in Depth: Multiple firewalls add protection layers, making unauthorized access more challenging.
  • Improved Performance: Linode Cloud Firewall blocks traffic before it reaches the server, saving resources.
  • Enhanced Flexibility: Firewalld handles real-time changes, while Cloud Firewall manages broad, static rules.

Best Practices

  • Consistency: A port must be open in both layers to be reachable; when a service stops responding, check both.
  • Rule Order: Cloud Firewall filters at Linode’s network edge, so a packet must pass it before firewalld on the host ever sees it.
  • Testing: Test connections after configuring to confirm access for legitimate traffic, ideally from a second network and not only from the admin IP you allow-listed.

Security Practices

  • Use the Least Privilege Principle: Open only the necessary ports/services, and remove the defaults you do not use (dhcpv6-client, and cockpit on RHEL 9, are enabled in the public zone out of the box).
  • Stay Updated: Regularly update firewalld and system packages.
  • Monitor Traffic: Review logs and monitor traffic for any unusual activity; firewalld can log denied packets with --set-log-denied=all.
  • Backup Configuration: The saved configuration lives in /etc/firewalld/ (firewalld.conf plus the zones/ and policies/ directories); back up that directory so the ruleset can be restored on a rebuilt Linode.

Troubleshooting Common Issues

1. If we can’t connect to a service, check the firewalld rules first. Verify that the service or port is open in the zone bound to the interface:

sudo firewall-cmd --zone=public --list-all

Then confirm the Linode Cloud Firewall allows the service as well, and that the application is actually listening on the port.
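Reading --list-all by eye is how unexpected services survive, so here is the check as a script. This is an added example, not code from the Bobcares post: it parses the services: and ports: lines of a zone listing, answers whether a given service or port is allowed, and reports everything exposed beyond an allow-list you name. The listing embedded in sample_listing is constructed to resemble a stock RHEL 9 public zone with an extra 8080/tcp port; on a real Linode, zone_listing pipes in the live output of firewall-cmd instead.

```shell
#!/bin/sh
# Added example, not code from the Bobcares post: audit a zone listing from
# "firewall-cmd --zone=public --list-all" instead of trusting your eyes.

# Constructed sample of a stock RHEL 9 public zone plus one custom port.
sample_listing() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Return 0 if the listing on stdin allows $1, given as a service name ("http")
# or a port spec ("8080/tcp"); otherwise 1. Only the zone's own services: and
# ports: lines count, so something accepted via a rich rule reports as closed.
zone_allows() {
    awk -v want="$1" '
        /^  (services|ports):/ {
            for (i = 2; i <= NF; i++) if ($i == want) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Print every service or port in the listing on stdin that is not in the
# space-separated allow-list $1, one "services: NAME" / "ports: SPEC" per line.
# Return 1 if anything unexpected is exposed, 0 if the zone is clean.
unexpected_exposure() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^  (services|ports):/ {
            for (i = 2; i <= NF; i++) if (!($i in ok)) { print $1, $i; bad = 1 }
        }
        END { if (bad) exit 1 }'
}

# Read the live zone when firewall-cmd is available, else the sample above.
zone_listing() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        sudo firewall-cmd --zone="${1:-public}" --list-all
    else
        sample_listing
    fi
}

# Usage: zone_listing public | unexpected_exposure "http https ssh"
```

A zero exit from unexpected_exposure is the condition to script into a cron job or a post-deploy check; pair it with the same allow-list you enforce in Linode Cloud Firewall so the two layers cannot silently drift apart. If zone_allows says the port is open and the client still cannot connect, the remaining suspects are the Cloud Firewall and the application not listening.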

2. If firewalld is not starting, check its status:

sudo systemctl status firewalld

View its logs (a malformed zone or service XML file under /etc/firewalld/ is a common cause):

sudo journalctl -u firewalld -e


Conclusion

By following this guide, we’ll have a secure, flexible firewall setup on Linode, combining firewalld’s easy management with Linode’s Cloud Firewall for comprehensive protection and smooth performance.
