Scribd Logo
Upload

Welcome to Scribd!

  • Firewalld Lab&Exercise

    Uploaded by

    4thingyan
    50 views6 pages
    This document provides instructions for configuring firewall rules and SELinux settings to allow access to multiple web servers. The user is asked to log in to a server and configure the firewall and SELinux to allow ports 80/TCP, 1001/TCP, and 22/TCP. The user then tests access to the web servers from a workstation and verifies the configuration is retained after a reboot.

    Original Description:

    Firewalld-Lab&Exercise

    Original Title

    Firewalld-Lab&Exercise

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides instructions for configuring firewall rules and SELinux settings to allow access to multiple web servers. The user is asked to log in to a server and configure the firewall and SELinux to allow ports 80/TCP, 1001/TCP, and 22/TCP. The user then tests access to the web servers from a workstation and verifies the configuration is retained after a reboot.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    50 views6 pages

    Firewalld Lab&Exercise

    Uploaded by

    4thingyan
    This document provides instructions for configuring firewall rules and SELinux settings to allow access to multiple web servers. The user is asked to log in to a server and configure the firewall and SELinux to allow ports 80/TCP, 1001/TCP, and 22/TCP. The user then tests access to the web servers from a workstation and verifies the configuration is retained after a reboot.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 6

    Chapter 15 | Managing Network Security

    Guided Exercise

    Managing Server Firewalls


    In this exercise, you will control access to system services by adjusting system firewall rules
    with firewalld.

    Outcomes
    You should be able to configure firewall rules to control access to services.

    Before You Begin


    Log in as the student user on workstation using student as the password.

    From workstation, run the lab netsecurity-firewalls start command. The


    command runs a start script to determine whether the servera host is reachable on the
    network.

    [student@workstation ~]$ lab netsecurity-firewalls start

    1. From workstation, use SSH to log in to servera as student user. The systems are
    configured to use SSH keys for authentication, so a password is not required.

    [student@workstation ~]$ ssh student@servera


    ...output omitted...
    [student@servera ~]$

    2. On the servera system, ensure that both httpd and mod_ssl packages are installed. These
    packages provide the Apache web server you will protect with a firewall, and the necessary
    extensions for the web server to serve content over SSL.

    [student@servera ~]$ sudo yum install httpd mod_ssl


    [sudo] password for student: student
    ...output omitted...
    Is this ok [y/N]: y
    ...output omitted...
    Complete!

    3. As the student user on servera, create the /var/www/html/index.html file. Add


    one line of text that reads: I am servera.

    [student@servera ~]$ sudo bash -c \


    "echo 'I am servera.' > /var/www/html/index.html"

    4. Start and enable the httpd service on your servera system.

    534 RH199-RHEL8.2-en-1-20200928
    Chapter 15 | Managing Network Security

    [student@servera ~]$ sudo systemctl enable --now httpd


    Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service → /usr/
    lib/systemd/system/httpd.service.

    5. Exit from servera.

    [student@servera ~]$ exit


    logout
    Connection to servera closed.
    [student@workstation ~]$

    6. From workstation, attempt to access your web server on servera using both the
    cleartext port 80/TCP and the SSL encapsulated port 443/TCP. Both attempts should fail.

    6.1. This command should fail:

    [student@workstation ~]$ curl http://servera.lab.example.com


    curl: (7) Failed to connect to servera.lab.example.com port 80: No route to host

    6.2. This command should also fail:

    [student@workstation ~]$ curl -k https://servera.lab.example.com


    curl: (7) Failed to connect to servera.lab.example.com port 443: No route to host

    7. Log in to servera as the student user.

    [student@workstation ~]$ ssh student@servera


    ...output omitted...
    [student@servera ~]$

    8. On servera, make sure that the nftables service is masked and the firewalld service
    is enabled and running.

    8.1. Determine whether the status of the nftables service is masked.

    [student@servera ~]$ sudo systemctl status nftables


    [sudo] password for student: student
    ● nftables.service - Netfilter Tables
    Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor
    preset: disabled)
    Active: inactive (dead)
    Docs: man:nft(8)

    The results show that nftables is disabled and inactive but not masked. Run the
    following command to mask the service.

    [student@servera ~]$ sudo systemctl mask nftables


    Created symlink /etc/systemd/system/nftables.service → /dev/null.

    8.2. Verify that the status of the nftables service is masked.

    RH199-RHEL8.2-en-1-20200928 535
    Chapter 15 | Managing Network Security

    [student@servera ~]$ sudo systemctl status nftables


    ● nftables.service
    Loaded: masked (Reason: Unit nftables.service is masked.)
    Active: inactive (dead)

    8.3. Verify that the status of the firewalld service is enabled and running.

    [student@servera ~]$ sudo systemctl status firewalld


    ● firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor
    preset: enabled)
    Active: active (running) since Wed 2019-05-22 15:36:02 CDT; 5min ago
    Docs: man:firewalld(1)
    Main PID: 703 (firewalld)
    Tasks: 2 (limit: 11405)
    Memory: 29.8M
    CGroup: /system.slice/firewalld.service
    └─703 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --
    nopid

    May 22 15:36:01 servera.lab.example.com systemd[1]: Starting firewalld - dynamic


    firewall daemon...
    May 22 15:36:02 servera.lab.example.com systemd[1]: Started firewalld - dynamic
    firewall daemon.

    8.4. Exit from servera.

    [student@servera ~]$ exit


    logout
    Connection to servera closed.
    [student@workstation ~]$

    9. From workstation, open Firefox and log in to the Web Console running on servera to
    add the httpd service to the public network zone.

    9.1. Open Firefox and browse to https://servera.lab.example.com:9090 to


    access the Web Console. Accept the self-signed certificate used by servera by
    adding an exception.

    9.2. Select the check box next to Reuse my password for privileged tasks to ensure
    administrative privileges.
    Log in as student user with student as the password.

    9.3. Click Networking in the left navigation bar.

    9.4. Click the Firewall link in main Networking page.

    9.5. Click the Add Services... button located in the upper right side of the Firewall page.

    9.6. In the Add Services user interface, scroll down or use Filter Services to locate and
    select the check box next to the Secure WWW (HTTPS) service.

    536 RH199-RHEL8.2-en-1-20200928
    Chapter 15 | Managing Network Security

    9.7. Click the Add Services button located at the lower right side of the Add Services
    user interface.

    10. Return to a terminal on workstation and verify your work by attempting to view the web
    server contents of servera.

    10.1. This command should fail:

    [student@workstation ~]$ curl http://servera.lab.example.com


    curl: (7) Failed to connect to servera.lab.example.com port 80: No route to host

    10.2. This command should succeed:

    [student@workstation ~]$ curl -k https://servera.lab.example.com


    I am servera.

    Note
    If you use Firefox to connect to the web server, it will prompt for verification of the
    host certificate if it successfully gets past the firewall.

    Finish
    On workstation, run the lab netsecurity-firewalls finish script to complete this
    exercise.

    [student@workstation ~]$ lab netsecurity-firewalls finish

    This concludes the guided exercise.

    RH199-RHEL8.2-en-1-20200928 537
    Chapter 15 | Managing Network Security

    Lab

    Managing Network Security


    Performance Checklist
    In this lab, you will configure firewall and SELinux settings to allow access to multiple web
    servers running on serverb.

    Outcomes
    You should be able to configure firewall and SELinux settings on a web server host.

    Before You Begin


    Log in as the student user on workstation using student as the password.

    From workstation, run the lab netsecurity-review start command. The


    command runs a start script to determine whether the serverb host is reachable on the
    network.

    [student@workstation ~]$ lab netsecurity-review start

    Your company has decided to run a new web app. This application listens on ports 80/TCP and
    1001/TCP. Port 22/TCP for ssh access must also be available. All changes you make should
    persist across a reboot.

    If prompted by sudo, use student as the password.

    Important: The graphical interface used in the Red Hat Online Learning environment needs
    port 5900/TCP to remain available as well. This port is also known under the service name vnc-
    server. If you accidentally lock yourself out from your serverb, you can either attempt to
    recover by using ssh to your serverb machine from your workstation machine, or reset your
    serverb machine. If you elect to reset your serverb machine, you must run the setup scripts for
    this lab again. The configuration on your machines already includes a custom zone called ROL that
    opens these ports.
    1. From workstation, test access to the default web server at http://
    serverb.lab.example.com and to the virtual host at http://
    serverb.lab.example.com:1001.
    2. Log in to serverb to determine what is preventing access to the web servers.
    3. Configure SELinux to allow the httpd service to listen on port 1001/TCP.
    4. From workstation, test access to the default web server at http://
    serverb.lab.example.com and to the virtual host at http://
    serverb.lab.example.com:1001.
    5. Log in to serverb to determine whether the correct ports are assigned to the firewall.
    6. Add port 1001/TCP to the permanent configuration for the public network zone. Confirm
    your configuration.

    538 RH199-RHEL8.2-en-1-20200928
    Chapter 15 | Managing Network Security

    7. From workstation, confirm that the default web server at serverb.lab.example.com


    returns SERVER B and the virtual host at serverb.lab.example.com:1001 returns
    VHOST 1.

    Evaluation
    On workstation, run the lab netsecurity-review grade command to confirm success of
    this lab exercise.

    [student@workstation ~]$ lab netsecurity-review grade

    Finish
    On workstation, run the lab netsecurity-review finish script to complete this
    exercise.

    [student@workstation ~]$ lab netsecurity-review finish

    This concludes the lab.

    RH199-RHEL8.2-en-1-20200928 539

    You might also like