How to configure firewall and SELinux in CentOS 8
Firewall
A firewall monitors and controls incoming and outgoing network traffic according to a configured set of rules. CentOS, RHEL and Fedora all ship with one, provided by the firewalld
service, which is enabled by default on CentOS 8. You can check its status by running this command:
[root@localhost ~]# systemctl status firewalld
* firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
Active: active (running) since Tue 2019-10-29 22:14:39 EDT; 44min ago
Docs: man:firewalld(1)
Main PID: 705 (firewalld)
Tasks: 2 (limit: 4915)
CGroup: /system.slice/firewalld.service
└─705 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork
You can view the active rules (the default zone, public, is shown; on a fresh install only SSH and DHCPv6 client traffic is accepted) by issuing:
[root@localhost ~]# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
It is possible to disable this firewall. That is only defensible when the server is on an isolated local network you control and is not reachable from the internet; it is strongly discouraged for any internet-connected host, and even on a local network it is usually better to allow only the services the host needs than to switch the firewall off.
To disable it, run these commands:
# stop the service
[root@localhost ~]# systemctl stop firewalld
# disable the service
[root@localhost ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
To re-enable the firewall, run these commands:
# start the service
[root@localhost ~]# systemctl start firewalld
# enable the service
[root@localhost ~]# systemctl enable firewalld
SELinux
SELinux ("Security-Enhanced Linux") adds a layer of mandatory access control on top of the normal file permissions: a policy decides which process may access which files, directories, ports and so on. SELinux has two possible states, enabled and disabled. When it is disabled, only the ordinary Discretionary Access Control (DAC) permissions apply. When it is enabled, it runs in one of two modes, enforcing or permissive.
Enforcing mode means the policy is enforced: any access the policy does not allow is denied and logged. This is the default on a fresh CentOS 8 install.
Permissive mode means the policy is not enforced: nothing is denied, but every access that enforcing mode would have blocked is still logged as an AVC denial in the audit log. That makes it the right mode for troubleshooting or testing a policy change, but it provides no protection on its own.
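Permissive mode is only useful if you actually read what it logs. As an added example, not from the original article, the following script pulls the fields a triage needs out of AVC records of the kind written to /var/log/audit/audit.log. The two records are constructed for the demonstration (an httpd process making an outbound connection, and reading a file in a home directory), not captured from a real host; on a live system the same records come from ausearch -m AVC -ts recent, and audit2why explains each one.

```shell
#!/bin/sh
# Added example: triage SELinux AVC records. The records below are constructed
# for the demo. On a live CentOS 8 host run
#   ausearch -m AVC -ts recent              # raw records
#   ausearch -m AVC -ts recent | audit2why  # why each one was denied
# and feed each record line to avc_summary.

# Value of key=... in an AVC record ($1 = record, $2 = key). Quotes are
# stripped; prints nothing if the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# The permission(s) inside "{ ... }", e.g. name_connect.
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^} ]\)[[:space:]]*}.*/\1/p'
}

# The type component of a context: system_u:system_r:httpd_t:s0 -> httpd_t.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One line per record: which source domain tried what on which target type and
# object class, and whether the kernel only logged it (permissive=1) or blocked it.
avc_summary() {
    if [ "$(avc_field "$1" permissive)" = 1 ]; then
        verdict="logged only (permissive)"
    else
        verdict="blocked (enforcing)"
    fi
    printf '%s (%s): %s on %s/%s, %s\n' \
        "$(avc_field "$1" comm)" "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_permission "$1")" "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$verdict"
}

# Constructed sample records (timestamps, pids and inode number are made up).
AVC1='type=AVC msg=audit(1572400479.532:233): avc:  denied  { name_connect } for  pid=1182 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1'
AVC2='type=AVC msg=audit(1572400512.118:240): avc:  denied  { read } for  pid=1182 comm="httpd" name="index.html" dev="dm-0" ino=1234567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Offline demo: summarize both records.
for rec in "$AVC1" "$AVC2"; do
    avc_summary "$rec"
done
```

The permissive=1 field is the one to watch when you test in permissive mode: every record carrying it is an action that would have failed in enforcing mode, so a clean run means no such records, not merely no errors from the application.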
You can check the status of SELinux like this:
[root@localhost ~]# getenforce
Enforcing # This means SELinux is enabled and set to "Enforcing" mode
Again, relaxing or disabling SELinux on an internet-connected host is strongly discouraged (it is occasionally necessary, for example while diagnosing a policy problem). If you need to change the mode of the running system, setenforce switches between enforcing and permissive immediately; the change lasts only until the next reboot, and SELinux cannot be fully disabled at runtime, only set to permissive:
[root@localhost ~]# setenforce Enforcing # set SELinux to Enforcing mode (setenforce 1 is equivalent)
[root@localhost ~]# setenforce Permissive # set SELinux to Permissive mode (setenforce 0 is equivalent)
If you need to set the mode persistently, edit /etc/selinux/config; the value there is read at boot:
[root@localhost ~]# vi /etc/selinux/config
# press i to go into "insert mode"
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# CHANGE THE VALUE BELOW.
# Valid values: "enforcing" - SELinux is enabled and in enforcing mode
# "disabled" - SELinux is disabled.
# "permissive" - SELinux is in "permissive" mode - it will still log, but will not deny access.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# press Escape, then type :wq to save and exit
[root@localhost ~]# reboot # the new mode is applied at the next boot
If you are turning SELinux back on after it was disabled, files created while it was off carry no security labels, so create the empty file /.autorelabel before rebooting to have the whole file system relabeled during boot (this takes a while), and consider going to permissive first so any labeling problem is logged rather than blocking services.
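Editing the file by hand is error-prone: the comment block above the setting also contains the string SELINUX=, and a typo in the value leaves the machine without a valid mode. As an added example, not from the original article, the script below rewrites the setting programmatically, validates the value, and states what each transition requires (including the relabel when coming back from disabled). The helper names, the APPLY=1 and MODE switches, and the constructed copy of the stock config it is demonstrated on are this example's own.

```shell
#!/bin/sh
# Added example: set the persistent SELinux mode safely. Function names, the
# APPLY=1 / MODE switches and the demo config are this example's conventions.

# Print the active SELINUX= value from config file $1 (comment lines ignored).
config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite the SELINUX= line in file $2 to mode $1. Fails without touching the
# file on an invalid mode. Only the uncommented line changes; SELINUXTYPE= and
# the commented examples are left alone, and the file's mode bits are kept.
set_config_mode() {
    case "$1" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELinux mode: $1" >&2; return 1 ;;
    esac
    cp -p "$2" "$2.tmp" &&
    sed "s/^SELINUX=.*/SELINUX=$1/" "$2" > "$2.tmp" &&
    mv "$2.tmp" "$2"
}

# What a change from mode $1 to mode $2 requires before it is effective.
transition_note() {
    case "$1:$2" in
        enforcing:enforcing|permissive:permissive|disabled:disabled)
            echo "no change" ;;
        disabled:*)
            echo "relabel required: touch /.autorelabel, then reboot (permissive first is safer)" ;;
        *:disabled)
            echo "reboot required: SELinux cannot be disabled at runtime" ;;
        *)
            echo "takes effect at next boot; use setenforce for the running system" ;;
    esac
}

# Apply mode $1 to the live system (only when APPLY=1). Coming back from
# disabled, request a full relabel for the next boot.
apply_mode() {
    before=$(config_mode /etc/selinux/config)
    set_config_mode "$1" /etc/selinux/config || return 1
    if [ "$before" = disabled ] && [ "$1" != disabled ]; then
        touch /.autorelabel
    fi
    echo "$before -> $1: $(transition_note "$before" "$1")"
}

# Constructed copy of the stock CentOS 8 config, starting from disabled.
DEMO_CONFIG=$(mktemp)
cat > "$DEMO_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
EOF

if [ "${APPLY:-0}" = 1 ]; then
    apply_mode "${MODE:-enforcing}"
else
    # Offline demo: move the constructed config from disabled to permissive.
    before=$(config_mode "$DEMO_CONFIG")
    set_config_mode permissive "$DEMO_CONFIG"
    echo "$before -> $(config_mode "$DEMO_CONFIG"): $(transition_note "$before" permissive)"
fi
```

On a host, APPLY=1 MODE=enforcing sh setmode.sh edits the real file and, if SELinux had been disabled, schedules the relabel; the reboot itself is left to you so it can be done in a maintenance window. Check with getenforce after the reboot that the running mode matches the file.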