Lmst

Managing firewall rules is a crucial security task on Linux systems. In #Debian 13, depending on the server configuration, different firewall tools can be installed. The most common are #UFW, #iptables, or #firewalld. You must first check if your firewall is active and what rules are in place. Also, make sure that network ports are open or blocked.🔥

Continue reading:👇
https://greenwebpage.com/community/how-to-check-firewall-status-on-debian-13/

#UFW #IPTables #Firewalld #FirewallStatus #Debian13 #LinuxAdministration #GreenWebpage

next #firewalld oddity; you can't use 'firewall-cmd' when firewalld is stopped (like configuring a rootfs not yet booted), but it has got 'firewall-offline-cmd' that lets you do it - except the options are sometimes different; e.g.
firewall-cmd --zone=external --remove-service ssh --permanent
becomes
firewall-offline-cmd --zone=external --remove-service-from-zone=ssh

(Which is odd anyway because --permanent works on the xml files, so feels like it should work offline)

A thread dumping some (non-obvious?) notes about #firewalld - I think I've got it doing what I want, but it's been a bit of a fight, and I made a bunch of wrong turns.

It's a layer on top of nftables or iptables; is XML based but you can just drive it from a command line tool firewall-cmd and avoid the XML.
It's main idea is a graph of 'zones' where a 'zone' represents 1 or more NICs. The 'zones' are linked via 'policies' saying what can flow between them.

https://firewalld.org/documentation/concepts.html

1/n 🧵

I think #firewalld is slowly doing what I want - I asked on their irc channel and after a bit 'erig' came back and helped me; I'm going to post some summaries of the things which confused me - because it took me quite a while and really needed those hints, the docs just weren't enough for me.

OK, firewalld is actually annoying me now - I thought I had a simple setup working to start with; masquerade to outside world [all tested in a VM] but no; it's not masquerading trusted->external even though the external zone has masquerade set. The packets are just dropping through unchanged.
And I've spent a long time playing with 'policy' but they aren't doing what I want. Hmph. Any #firewalld people?

@MsDropbear42 @Foxboron I’ve found the #cockpit webui to be the best interface for managing #firewalld. It converts it into the best Linux firewall imho.

@Foxboron@chaos.social

firewalld confuses & terrifies me.

gufw holds my hand & comforts me.

"writing nftables rules" is a skill i shall never possess even if i exist another 42 years.

I installed & use gufw in my primary pooter's ArchLinux, SparkyLinux boots that have existed for many years, & in said pooter's newest boot, KDELinux, i was greatly relieved to find #gufw already part of the furniture.

when i use #Fedora & #openSUSE distros, their use of #firewalld simply intimidates me... it presumes far too much innate user knowledge than i have.

#DropbearPooterising #Linux #LinuxWomen #FOSS #ArchLinux #KDEPlasma #SparkyLinux #KDELinux :archlinux: :kde: :plasma:

Firewalld è un sistema di gestione del firewall moderno e dinamico, progettato per semplificare la configurazione della sicurezza su Linux. #Firewalld #Software #Linux

https://www.linuxeasy.org/firewalld-su-linux-sicurezza-dinamica-e-semplificata-per-tutti/?utm_source=mastodon&utm_medium=jetpack_social

🚀CentOS 10 includes a firewall management tool called firewalld. This tool provides network security through the control of incoming and outgoing traffic. CentOS’s firewalld service makes it easy to manage network security on Linux servers. You may need to disable your firewall in some situations, such as when troubleshooting a network issue, installing a web app, or testing connectivity.🔥

https://greenwebpage.com/community/disable-firewall-on-centos-10/

#DisableFirewall #Firewalld #Security #CentOS10 #LinuxAdministration

2/2
#firewalld añade funcionalidades como zonas de seguridad y una API, que facilitan la administración, pero como backend usa nftables o iptables.

👉 Conclusión: cualquier firewall que utilices en #Linux en la actualidad, seguramente por debajo esté escribiendo reglas de #iptables o #nftables.

✨ Sabiendo configurar estos backends directamente puede ayudarte a entender y solucionar muchos problemas! 🙂

#gnu #linux #learning #educacion #softwarelibre #opensource #freesoftware #sysadmin #devops

I just had one of the most perplexing problems that I had ever seen with #firewalld on #AlmaLinux. It took me a while to reach that conclusion. Here is how it began: I have a WireGuard tunnel between a VPS and my home server. The VPS basically gives me a static public IP address.

To make a long story short, I could not figure out why pings and ssh attempts from the VPS to my home server failed yet all the other services were working just fine…..yeah, real head scratcher. Finally, I turned off both firewalls and pings were working from both machines. Mkay!? Then I turned on the firewall on the side of the WieGuard in my home and did a ping from the VPS side and it worked. Ah ha! The problem seemed to be the firewall on the VPS side.

But it was strange that the firewall was strangely blocking outgoing SSH and outgoing ICMP over the WireGuard tunnel only. Eventually, I gave up. I just turned off firewalls, nukes its confit files, and started over. Problem solved !

Benefits:
Working ssh
Working ping

[Перевод] Linux Open Port: пошаговое руководство по управлению портами фаервола

Открытый порт — это не «дырка в фаерволе», а процесс, который слушает сокет. В материале разбираемся, где заканчивается приложение и начинается сетевой фильтр: как корректно отличать listening от доступности снаружи, чем проверять (ss, lsof, nmap), и как на практике управлять правилами в nftables, firewalld и UFW. Поговорим о well-known портах и CAP_NET_BIND_SERVICE, типовых политиках (allow/deny), логировании и безопасной последовательности действий, чтобы не уронить прод. Текст для системных администраторов и DevOps/SRE, которым нужна понятная и проверяемая методика без мифов и магии.

https://habr.com/ru/companies/otus/articles/947750/

#linux #открытый_порт #фаервол_Linux #слушающий_сокет #iptables #firewalld #nftables

@hongster
Nice post,

here is a detailed #FirewallD #cheatsheet from #NixGems

https://gitlab.com/DeaDSouL/NixGems

A FirewallD cheatsheet from NixGems file

Continuing to find little issues with server upgrades from Debian 12 Bookwork to Debian 13 Trixie. Todays adventure involved discovering the new firewalld config NftablesTableOwner=yes. This locks firewalld created nftables rule sets to be owned exclusively by firewalld. Meaning my custom fail2ban action couldn't interact directly with the firewall. Changing that setting to no fixed the issue. But not until after I wasted some some time looking for non-existant nft command option changes.

#debian #debian13 #firewalld #fail2ban