RHEL Installation & Firewall Flashcards
What is the program for installing RHEL?
anaconda
How do you generate the kickstart file
1) Use the form at access.redhat.com/labs/kickstartconfig
2) Install a RHEL and collect the anaconda-ks.cfg file in root home
How do you validate an anaconda file
ksvalidator filename.cfg
Install ksvalidator
dnf install pykickstart
How do you install virtualization on RHEL?
dnf group install “Virtualization Host”
How do you install cockit?
dnf install -y cockpit-machines
systemctl enable --now cockpit
What is the firewall solution on rhel 9?
firewalld
Determine default firewalld zone
firewall-cmd --get-default-zone
Display config of the current active zone
firewalld-cmd --list-all
Add http service to current zone
firewall-cmd –add-service http
Where are the standard stock zone files stored?
/usr/lib/firewalld/zones
Add http service to current zone permanently
firewall-cmd –add-service http –permanent
Write all the rules that are in memory to permanent
firewall-cmd --runtime-to-permanent
Display config of the firewall zone called block
firewall-cmd --list-all --zone block
Add a source to a zone
firewall-cmd --add-source 172.160.10.30 --zone block --permanent
if a packet does not have a match for a zone, how is it handled?
It is handled by the default zone
What are elements of a zone
target
interfaces
ports
sources
forward
protocols
source-ports
services
rich rules
forward ports
How do I cause firewalld to consider a new service i just created
firewall-cmd --reload
remove a service from the current zone
firewall-cmd –remove-service http –permanent
Find out which interfaces and ports are associated with sshd process
netstat -plnt | grep sshd
You changed sshd to use port 23 but it doesn’t work. why?
it does not have the appropriate selinux context.
Find the port section of the sshd daemon in selinux db?
semalance port -l | grep ssh
ssh is mapped to port 22, telnet is mapped to port 23. how do you get ssh to use port 23?
you do a port context modification so that ssh uses port 23 instead of port 22
Change ssh port context to use port 23 instead of port 22
semanage port -m -t ssh_port_t -p tcp 23
You want to run apache on port 82. what do you do?
1) Change config to use port 82
2) Start the server
3) Check status: systemctl status httpd
4) Notice error: could not bind bind to address 0.0.0.0:82
5) Check logs: sealert -a /var/log/audit/audit.log
6) Execute recommendation:
semanage port -a -t http_port_t -p tcp 82
7) firewall-cmd –add-port 82/tcp –permanent
Find example of config in semanage db that uses http protocol
semanage port -l | grep http
Open port 82 for apache in firewalld
firewall-cmd --add-port 82/tcp --permanent
Where do you get RHEL binaries from
access.redhat.com
What is a kickstart file
a file that allows anakonda to install rhel in a non-interactive way
How do you secure the grub?
in kickstart file, supply a GRUB password
After installation, where can i find the configuration that was used to install rhel?
/root/anakonda-ks.cfg
How do you manage your vms on rhel
use virt cmd line tool or the web console
How do you validate that you have all the prerequisites to run vms
virt-host-validate
Provision a virtual machine
virt-install
netfilter
framework for network traffic operations such as packet filtering, network address translation, and port translation
nftables
1) replacement for iptables
2) packet classification framework
3) uses netfilter for rules enforcement
Advantages of nftables
1) Usability
2) Efficient rule set
3) iptables required a rule for each protocol, but nftables rules can apply to both IPv4 and IPv6 simultaneously
4) iptables required using different tools, such as iptables, ip6tables, arptables, and ebtables, for each protocol
Firewalld mapping process
source IP -> network Interface -> default zone
runtime vs permanent vs reload
1) if you run a cmd with –runtime, you must run –permanent later
2) if you run it with –permanent, you must run –reload
