Stories of compromised servers and data theft fill today's news. It isn't difficult for someone who has read an informative blog post to access a system via a misconfigured service, take advantage of a recently exposed vulnerability, or gain control using a stolen password. Any of the many internet services found on a typical Linux server could harbor a vulnerability that grants unauthorized access to the system.
Since it is an impossible task to harden a system at the application level against every possible threat, firewalls provide security by limiting access to a system. Firewalls filter incoming packets based on their source IP address, their destination port, and their protocol. This way, only a few IP/port/protocol combinations can interact with the system, and the rest cannot.
Linux firewalls are handled by netfilter, which is a kernel-level framework. For over a decade, iptables has provided the userland abstraction layer for netfilter. Iptables subjects packets to a gauntlet of rules where, if the IP/port/protocol combination of a rule matches the packet, that rule is applied, causing the packet to be accepted, rejected, or dropped.
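The first-match "gauntlet" just described is easy to get wrong when rule order changes, so here is a small simulation of it. This is an added example written for this article, not code from the authors or from iptables/firewalld; it models a single INPUT chain in plain Python rather than touching netfilter, and the rule set, the addresses and the packets are all constructed for illustration.

```python
"""Toy model of an iptables-style chain: rules are checked in order,
the first rule whose source/port/protocol match decides the packet,
and the chain's default policy applies when nothing matches."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address of the packet
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    target: str                 # "ACCEPT", "DROP" or "REJECT"
    src: Optional[str] = None   # source network in CIDR form; None matches any
    dport: Optional[int] = None  # destination port; None matches any
    proto: Optional[str] = None  # protocol; None matches any

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every criterion it specifies agrees with the packet."""
        if self.src is not None:
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
                return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def filter_packet(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule wins, else the policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed chain: SSH only from the private 10/8 range, HTTPS from anywhere,
# and an explicit REJECT for SSH from everything else. The default policy drops.
INPUT_CHAIN = [
    Rule("ACCEPT", src="10.0.0.0/8", dport=22, proto="tcp"),
    Rule("ACCEPT", dport=443, proto="tcp"),
    Rule("REJECT", dport=22, proto="tcp"),
]

# The same three rules with the REJECT placed first: the order change shadows the
# LAN exception, which is the classic mistake the first-match semantics invite.
MISORDERED_CHAIN = [INPUT_CHAIN[2], INPUT_CHAIN[0], INPUT_CHAIN[1]]

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLE_PACKETS = [
    Packet("10.1.2.3", 22, "tcp"),       # SSH from the LAN
    Packet("203.0.113.5", 22, "tcp"),    # SSH from the internet
    Packet("203.0.113.5", 443, "tcp"),   # HTTPS from the internet
    Packet("203.0.113.5", 3306, "tcp"),  # database port, no rule at all
]


def evaluate(chain: List[Rule]) -> dict:
    """Return the verdict for each sample packet under the given chain."""
    return {(p.src, p.dport, p.proto): filter_packet(chain, p) for p in SAMPLE_PACKETS}


if __name__ == "__main__":
    for label, chain in (("correct order", INPUT_CHAIN), ("misordered", MISORDERED_CHAIN)):
        print(label)
        for key, verdict in evaluate(chain).items():
            print("  %s:%d/%s -> %s" % (key[0], key[1], key[2], verdict))
```

Running it shows the LAN SSH packet accepted under the first chain and rejected under the misordered one, while the unmatched database packet falls through to the DROP policy in both cases. Real iptables chains add further match criteria and jumps between chains, but the first-match-wins evaluation is the same, and it is exactly the ordering burden that firewalld's zone model is designed to take off the administrator.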
Firewalld is a newer userland abstraction layer for netfilter. Unfortunately, its power and flexibility are underappreciated due to a lack of documentation describing multi-zone configurations. This article provides examples to remedy this situation.
Repository citation: Vance, Nathan R. and Polik, William F., "Understanding Firewalld in Multi-Zone Configurations" (2016). Faculty Publications. Paper 1436.
Published in: Linux Journal, Issue 269, September 1, 2016, pages 80-93. Copyright © 2016 Belltown Media, Inc., Houston, Texas.