Initial Settings : Firewall2021/04/28 |
|
Configure Firewall and SELinux.
|
|
| [1] | It's possible to see FireWall Service Status like follows. (enabled by default) |
|
[root@localhost ~]# systemctl status firewalld
* firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor>
Active: active (running) since Wed 2021-04-27 19:14:58 JST; 3min 53s ago
Docs: man:firewalld(1)
Main PID: 680 (firewalld)
Tasks: 2 (limit: 4664)
Memory: 37.0M
CPU: 693ms
CGroup: /system.slice/firewalld.service
+-- 680 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
# [Active: active (running) ***] means firewalld is running now |
| [2] |
If you use FireWall service, it needs to modify FireWall settings manually because incoming requests for services are mostly not allowed by default.
Refer to here for basic Firewall operation and settins (CentOS Stream 8). Configuration examples of Fedora 34 on this site are based on the environment Firewalld service is always enabled. |
| [3] | If you don't need FireWall service because of some reasons like that some FireWall Machines are running in your Local Netowrk or others, it's possbile to stop and disable FireWall service on Fedora server like follows. |
|
# disable service [root@localhost ~]# systemctl disable firewalld Removed /etc/systemd/system/multi-user.target.wants/firewalld.service. Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service. |
|
Initial Settings : SELinux
|
| [4] | It's possible to show current SELinux (Security-Enhanced Linux) Status like follows. (enabled by default) |
|
[root@localhost ~]# getenforce
Enforcing # SELinux is enabled
|
| [5] |
If you enable SELinux, there are cases to modify SELinux policy manually because sometimets SELinux stop applications.
Refer to here for basic SELinux operation and settins (CentOS Stream 8). Configuration examples of Fedora 34 on this site are based on the environment SELinux is always Enforcing. |
| [6] | If you don't need SELinux feature because of some reasons like that your server is running only in Local safety Network or others, it's possbile to disable SELinux like follows. |
|
[root@localhost ~]#
vi /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # See also: # https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/#getting-started-with-selinux-selinux-states-and-modes # # NOTE: In earlier Fedora kernel builds, SELINUX=disabled would also # fully disable SELinux during boot. If you need a system with SELinux # fully disabled instead of SELinux running with no policy loaded, you # need to pass selinux=0 to the kernel command line. You can use grubby # to persistently set the bootloader to boot with selinux=0: # # grubby --update-kernel ALL --args selinux=0 # # To revert back to SELinux enabled: # # grubby --update-kernel ALL --remove-args selinux # # change the value below # enforcing ⇒ enabled # disabled ⇒ disabled # permissive ⇒ enabled but only loging, not deny accesses SELINUX=disabled # SELINUXTYPE= can take one of these three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted # restart computer to apply changes [root@localhost ~]# |
| Sponsored Link |