Securing your server
Running servers is a constant challenge. A public facing device will be hammered by bots probing for a hole, so securing it is a high priority task.
Due to the immense popularity of using GNU/Linux for servers several firewalls have been developed over time.
Most users know of ufw and the graphical tool gufw which uses iptables to control inbound and outbound traffic.
Recently members of the forum have asked for application firewalls, arguing that controlling network traffic per application is a simpler concept for new users to understand and apply.
Traditionally, firewalls require knowledge of which port(s) a given service uses and the ability to write a rule that limits inbound traffic to that service, further restricted by network interface and the source addresses allowed.
This is a complex business: you have to have routes and priorities straight or you can get into serious connectivity problems and weird issues. Rulesets based on iptables require a reload to take effect, and large, complicated rulesets are hard to troubleshoot.
Due to my chat with @xabbu I have revised my perspective. Application firewalls are not just another word for the same thing, and they do not work quite the same way as e.g. ufw.
Firewalld is a newer breed of free and open source firewall. What the forum calls an application, firewalld calls a service: a service is merely a named definition of which port(s) and protocol(s) should be allowed, e.g. the http, ssh or smtp service.
When you configure the firewall you use zones to define where you are (which network you are connected to) and services to define what you allow in that zone.
Install firewalld
# pacman -Syu firewalld
When firewalld is enabled and started the default zone is public. In that zone the computer is visible (it answers ping) but only the services shipped in the zone definition are open; on a stock install that is ssh and dhcpv6-client, every other port is closed. Use the --list-all option to see exactly what a zone allows before trusting it.
Adding a specific service (application) is most easily done using the command line. A GUI is available if you install the dependencies for it.
Adding a service takes effect on the running firewall immediately, no reload of the service needed.
Simply add the service to the desired zone.
Example - adding http to public zone
# firewall-cmd --zone=public --add-service=http
success
It is important to realize that changes you make on the fly are runtime only and are lost at the next reload or reboot. To make a service available permanently you add the --permanent argument. Note the flip side: --permanent only writes the saved configuration and does not touch the running firewall until it is reloaded, so either run the command twice (with and without --permanent) or, once you have verified that the runtime rules work, copy them to the saved configuration with the --runtime-to-permanent option.
# firewall-cmd --permanent --zone=public --add-service=http
success
What if you want to add your own service definition?
Easy-peasy - look in the folder /usr/lib/firewalld/services and make a copy of an appropriate service definition. Put the copy in /etc/firewalld/services: files there take precedence over same-named files in /usr/lib/firewalld/services and are not overwritten by package upgrades.
Example - you want to run a ssh server on a non default port.
Copy the ssh.xml service definition to /etc/firewalld/services
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/my-ssh.xml
Edit the service definition
# nano /etc/firewalld/services/my-ssh.xml
Change the port to match your service and the short name (and the file name) to distinguish it from the original service. A service may list several <port> elements if your service needs more than one.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>My SSH service</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="30000"/>
</service>
Wait 5-10 seconds for firewalld to pick up the new file (or run firewall-cmd --reload, which also discards any runtime-only changes you have made), then activate it. If firewall-cmd reports INVALID_SERVICE, the file has not been picked up yet or contains an XML error; --get-services lists every service firewalld currently knows.
# firewall-cmd --zone=public --add-service=my-ssh
success
The same rule about --permanent applies. The public zone still allows the stock ssh service on port 22, so remove that only after a fresh login on the new port has succeeded, and keep your working session open while you do it; a runtime-only change can always be rolled back with a reload, which is another reason to verify at runtime before committing with --permanent. And that's it.
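The whole procedure above (write a service definition, let firewalld load it, open it in a zone at runtime, and only then make it permanent) as one script. This is an added example, not code from the original post or from the firewalld project; the service name my-ssh, the port 30000 and the public zone are taken from the post's example, and the SERVICE_DIR environment variable is an assumption of this script so the file can be generated in a scratch directory without root. It validates the name and port before writing the XML, because a stray character in either would produce an invalid service file.

```shell
#!/bin/sh
# Added example, not code from the original post: build a firewalld service
# definition for sshd on a non-default port and open it at runtime first.
# The name my-ssh, port 30000 and zone public are assumptions from the post.
set -eu

# Print a firewalld service XML for NAME (tcp) on PORT to stdout.
# Rejects names that could break the XML and ports outside 1-65535.
make_service_xml() {
    name=$1
    port=$2
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>SSH on TCP port $port (custom service definition).</description>
  <port protocol="tcp" port="$port"/>
</service>
EOF
}

# Write the definition into DIR (default: firewalld's local override directory,
# which takes precedence over /usr/lib/firewalld/services) and print its path.
install_service() {
    name=$1
    port=$2
    dir=${3:-/etc/firewalld/services}
    make_service_xml "$name" "$port" > "$dir/$name.xml"
    chmod 0644 "$dir/$name.xml"
    printf '%s\n' "$dir/$name.xml"
}

# Open the service in ZONE at runtime only. --reload makes firewalld read the
# new file (it also drops any earlier runtime-only changes, so it runs first).
# Promote to the saved config with --runtime-to-permanent only after a fresh
# ssh login on the new port succeeds, then remove the stock ssh service.
apply_runtime() {
    name=$1
    zone=${2:-public}
    firewall-cmd --reload
    firewall-cmd --zone="$zone" --add-service="$name"
    firewall-cmd --zone="$zone" --list-services
}

# Usage: sh my-ssh-service.sh my-ssh 30000 [zone]
# SERVICE_DIR (assumed by this script) points at a scratch directory for a dry run.
if [ "${1:-}" ]; then
    file=$(install_service "$1" "${2:?port required}" "${SERVICE_DIR:-/etc/firewalld/services}")
    echo "wrote $file"
    if command -v firewall-cmd >/dev/null 2>&1; then
        apply_runtime "$1" "${3:-public}"
    else
        echo "firewall-cmd not found; definition written but not applied" >&2
    fi
fi
```

The reload is deliberate: it is the one step that is guaranteed to load a new service file, and running it before the --add-service means nothing you add afterwards is lost. Keep the existing ssh session open while testing, and remove the stock ssh service from the zone only after a second login on port 30000 works.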
Firewalld is an extremely powerful and configurable firewall - it deserves much more attention than it gets.