How to configure firewall and SELinux in CentOS 8
A firewall is a security system that monitors and controls all incoming and outgoing network traffic based on a set of security rules. CentOS, RHEL, and Fedora all ship with a firewall, provided by the firewalld service. It is enabled automatically in CentOS 8. You can check its status by running this command:
[root@<hostname> ~]# systemctl status firewalld
* firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr
   Active: active (running) since Tue 2019-10-29 22:14:39 EDT; 44min ago
     Docs: man:firewalld(1)
 Main PID: 705 (firewalld)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/firewalld.service
           └─705 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork
You can view its settings by issuing:
[root@<hostname> ~]# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
It's possible to disable this firewall. You can do this safely only if the server is on your local network and not connected to the internet. Disabling the firewall on a server that is connected to the internet is strongly discouraged.
To disable it, you can run these commands:
# stop the service
[root@<hostname> ~]# systemctl stop firewalld
# disable the service
[root@<hostname> ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
To re-enable the firewall, run these commands:
# start the service
[root@<hostname> ~]# systemctl start firewalld
# enable the service
[root@<hostname> ~]# systemctl enable firewalld
SELinux ("Security-Enhanced Linux") adds a layer of security to the system by deciding which process may access which files, directories, ports, and so on. SELinux has two possible states, "enabled" and "disabled". If SELinux is disabled, only Discretionary Access Control (DAC) rules apply. If it's enabled, SELinux can run in one of two modes: "Enforcing" or "Permissive".
Enforcing mode means SELinux policies are enforced: SELinux denies access based on the policy rules and permits only the interactions the policy allows. This is the default mode.
Permissive mode means SELinux policies are not enforced, and SELinux does not deny access but denials are still logged for things that would have been denied in enforcing mode. Permissive mode is the default during installation.
You can check the status of SELinux like this:
[root@<hostname> ~]# getenforce
Enforcing    # This means SELinux is enabled and set to "Enforcing" mode
Again, disabling SELinux on a machine connected to the internet is strongly discouraged (although it may be necessary in some cases), but if you're running on a local network or need to relax it for another reason, you can switch the mode temporarily, until the next reboot, like this. Note that setenforce only toggles between Enforcing and Permissive; it cannot fully disable SELinux, which requires the permanent config change described below:
[root@<hostname> ~]# setenforce Enforcing    # set SELinux to Enforcing mode
[root@<hostname> ~]# setenforce Permissive   # set SELinux to Permissive mode
If you need to permanently set the SELinux status, here is how to do that:
[root@<hostname> ~]# vi /etc/selinux/config
# press i to go into "insert mode"

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# CHANGE THE VALUE BELOW.
# Valid values: "enforcing"  - SELinux is enabled and in enforcing mode
#               "disabled"   - SELinux is disabled.
#               "permissive" - SELinux is in "permissive" mode - it will still log, but will not deny access.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

# press escape, then type :wq to save and exit
[root@<hostname> ~]# reboot now
# Reboot to have the changes take effect
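As an added example (not part of the original page), the helper script below checks the two settings covered above, the firewalld zone and the SELinux mode, from saved `firewall-cmd --list-all` output and an `/etc/selinux/config`-style file rather than live commands, so it runs anywhere. It handles the pitfall that the config file's comment lines also contain the words "enforcing" and "disabled", and it catches a `setenforce Permissive` that was never reverted by comparing the boot-time mode with the running one; the sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not part of the original page: audit helpers for the two
# settings covered here, fed from a config file and saved command output.

# Print the SELINUX= value from an /etc/selinux/config-style file. The
# comment lines there also contain "enforcing" and "disabled", so anchor
# on the uncommented key and keep the last assignment.
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Exit 0 when the boot-time mode in the config file matches the running
# mode ($2, the output of getenforce); catches a forgotten setenforce.
selinux_modes_agree() {
    configured=$(selinux_configured_mode "$1")
    running=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ "$configured" = "$running" ]
}

# Print the services allowed in a zone from saved firewall-cmd --list-all output.
firewalld_services() {
    sed -n 's/^[[:space:]]*services:[[:space:]]*//p' "$1"
}

# Exit 0 if $2 is among the zone's allowed services, 1 if not.
firewalld_service_open() {
    for s in $(firewalld_services "$1"); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# Constructed sample inputs mirroring the listings on this page.
SELINUX_CFG=$(mktemp)
cat > "$SELINUX_CFG" <<'EOF'
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
FW_OUT=$(mktemp)
printf 'public\n  target: default\n  services: ssh dhcpv6-client\n  ports:\n' > "$FW_OUT"

echo "configured SELinux mode: $(selinux_configured_mode "$SELINUX_CFG")"
selinux_modes_agree "$SELINUX_CFG" Permissive || echo "WARNING: running mode differs from config"
firewalld_service_open "$FW_OUT" http || echo "http not open: allow it with firewall-cmd --add-service=http rather than disabling the firewall"
```

On a real host, replace the constructed files with `/etc/selinux/config` and the saved output of `firewall-cmd --list-all`, and pass `$(getenforce)` as the running mode.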