Sec. 36 Firewalls

Question 1

firewalls are used to _______ ______ ________ and _________ access to your systems and local ________.

Answer 1

firewalls are used to control both incoming and outgoing access to your systems and local network.

Question 2

Packets are made up of what the items?

Answer 2

Header , footer , payload

Question 3

What information does the header and footer contain?

Answer 3

• destination - source addresses - type of packing it is - which protocol it obeys - and other meta data

Question 4

Almost all firewalls are based on _______ ________?

Answer 4

Packet Filtering .

Question 5

Packet filtering intercepts packets at one more stages in the network transmission , including ___________, ___________, _____________, and ___________.

Answer 5

application, transport, network, and datalink.

Question 6

Firewalls establish rules by which each packet may be :

Answer 6

• accepted or rejected based on content, addresses -mangled in some way -redirected to another address -inspected for security reasons.

Question 7

What are the two main utilities of the firewalld package?

Answer 7

1. firewall-cmd 2. firewall-config.

Question 8

where are the configuration files for firewalld located? which one should the system admin use?

Answer 8

1. /etc/firewalld, /usr/lib/firewalld 2. /etc/fireealld. why ? because the /etc/firewalld will override the other file rules.

Question 9

firewalld is the _________ __________ ________.

Answer 9

Dynamic firewall manager

Question 10

firewalld utilizes ________/______ zones.

Answer 10

network/firewall zones.

Question 11

firewalld also separates _______ and _________ changes to configuration files .

Answer 11

runtime , permanent(persistent)

Question 12

what is the command line tool for firewalld?

Answer 12

1. firewall-cmd.

Question 13

if i would like help with the firewall-cmd command what could i type in the command line?

Answer 13

$ firewall-cmd –help

Question 14

it is an error to run both _______ and _________ at the same time.

Answer 14

firewalld and iptables

Question 15

using the cmd line how would i enable and start the firewalld service?

Answer 15

to enable : - $ sudo systemctl enable/disable to start: -& sudo systemctl start/stop

Question 16

using the cmd line what are two ways that i could see the status of firewalld ?

Answer 16

1. $ sudo systemctl status firewalld 2. $ sudo firewall-cmd –state

Question 17

firewalld works with ______.

Answer 17

zones .

Question 18

what does the zone: drop do w.r.t. firewalld ?

Answer 18

Zone: Drop - all incoming packets are dropped with no reply. only outgoing connections are permitted.

Question 19

What does the zone: block do w.r.t. firewalld?

Answer 19

Zone: Block – all incoming connections are rejected. The only permitted connections are those from within the system

Question 20

Define the Zone : Public w.r.t. firewalls

Answer 20

Zone: Public – Do not trust any computers on the network; only certain consciously selected incoming connections are permitted.

Question 21

Define the zone: external w.r.t firewalls

Answer 21

Zone: External – used when masquerading is being used. such as in routers. Trust levels are the same as public.

Question 22

Define the zone: dmz w.r.t firewalls

Answer 22

Zone: dmz (Demilitarized Zone) – used when access to some (but not all) services are allowed to the public. only particular incoming connections are allowed.

Question 23

what is the zone: work w.r.t firewalls ?

Answer 23

Zone: work –trust (but not completely) connected nodes to be harmful. Only certain incoming connections are allowed.

Question 24

define the zone: home wrt firewalls ?

Answer 24

Zone: Home – you mostly trust the other network nodes, but still select which incoming connections are allowed.

Question 25

define the zone : trusted wrt firewalls

Answer 25

Zone: trusted – all network nodes are allowed.

Question 26

Information: ———————– on system installation, most , if not all Linux distributions , will select the public zone as default for all interfaces.

Answer 26

Information: ——————————— the differences between some of the zones we mentioned are not obvious, and we do not need to go into that much detail here. but note that one should not use more open zone than is nesseary.

Question 27

what does the command $ sudo firewall-cmd –get-default-zone return?

Answer 27

the default zone.

Question 28

to obtain a list of zones that are in use i can run the following command $ sudo firewall-cmd –get-active-zones .

Answer 28

if i would like to list all available zones i can run the command $ sudo firewall-cmd –get-zones

Question 29

if i would like to obtain the list of the zones being used w.r.t firewalls. what command could I use

Answer 29

Command: >>> $ sudo firewall-cmd –get-active-zones

Question 30

What command could i run if i want to list all available zones?

Answer 30

Command: >>> % sudo firewall-cmd –get-zones

Question 31

Information: ——————————————- if i would like to find out which zone is associated with a particular interface I could run the command. >>>$ sudo firewall-cmd –get-zone-of-interface= eno1 return >>> public. –where the eno1 is the interface in question. – the zone of eno1 is public .

Answer 31

Information: ————————————- if I would like to change the zone of a particular interface permanently I would run the following command: >>$ sudo firewall-cmd –permanent –zone=inteatrnal –change-interface=eno1. return >>> success – where the interface in question is en01 – the zone it was changed to was internal .

Question 32

How would I find out what zone was associated with the interface eno1?

Answer 32

Command: >>>$ sudo firewall-cmd –get-zone-of-interface=eno1.

Question 33

Information: ——————————- controlling firewalld is done through the firewall-cmd program. More detailed information can be obtained with: >>>$ man firewalld-cmd

Answer 33

Education: ——————————– Any zone can be bound not just to a network interface, but also to particular network addresses. A packet is associated with a zone if: – It comes from a source address already bound to the zone;or it not –it comes from an interface bound to the zone. Any packet not fitting the above criteria is assigned to the default zone(i.e. usually public.)

Question 34

A packet is associated with a zone if ….? any packet not fitting the answer to the above question is assigned to what zone?

Answer 34

1. a. it comes from a source address already bound to the zone. ; or if not. b. it comes from an interface bound to a zone. 2. default zone ( usually public)

Question 35

Education: ——————————————— To assign a source to a zone (permanetly): >>>& sudo firewall-cmd –permanent –zone=trusted –add-source=192.168.1.0/24 # this says anyone with the ip address of 192.168.1.x will be added to the trusted zone.

Answer 35

Education: —————————————– I can list the sources bound to a zone with: >>>$ sudo firewall-cmd –permanent –zone=trusted –list-sources # if I were to leave out the –permanent option the change would only last as long as the runtime of the computer.

Question 36

How would I assign a source to a zone(permanently)?

Answer 36

>>> $ sudo firewall-cmd –permanent –zone=trusted –add-source=198.168.1.0/24

Question 37

If I would like to see all the available services connected to firewalld what command can I use?

Answer 37

>>>$ sudo firewall-cmd –get-services # this command will show me all services available.

Question 38

what command could I use to see the services currently accessible in a particular zone?

Answer 38

>>> $ sudo firewall-cmd –list-services –zone=public # Will return the services accessible in the public zone.

Question 39

If I would like to add a service to a zone, what command could I use?

Answer 39

• $ sudo firewall-cmd –permanent –zone=home –add-service=dhcp
• $ sudo firewall-cmd –reload # the last command will make the change effective from the first command.

Question 40

If I would like to add a new services to firewalld what configuration file would I update?

Answer 40

/etc/firewalld/services

Question 41

If I would like to add a port to the zone home, how would i use the firewall-cmd program?

Answer 41

>>> $ sudo firewall-cmd –zone=home –add-port=21/tcp

Question 42

If would would like to ascertain what a certain port corresponds to what file could I look up?

Answer 42

/etc/services

Question 43

how would I use the firewall-cmd program to list what ports are associated with the zone home?

Answer 43

>>> $ sudo firewall-cmd –zone=home –list-ports

Question 44

how would I show my current ip address ?

Answer 44

>>> $ ip addr show [put device name here] or >>> ifconfig [put device name here]

Question 45

how would I a look up the default route?

Answer 45

>>> $ ip route or >>> $ route -n

Question 46

what command would i use to copy a file?

Answer 46

command : cp

Question 47

what is firewall-cmd?

Answer 47

firewall-cmd is the command line client of the firewalld daemon

Question 48

firewall-cmd acts as an _________ to manage runtime and permanent configuration

Answer 48

interface

Question 49

can firewall-cmd make permanent changes ?

Answer 49

yes

Question 50

firewall-cmd –state ; what does this do?

Answer 50

checks whether the firewall daemon is active

-returns 0 if its active

Question 51

what is the purpose of the following comand : firewall-cmd –reload

Answer 51

reloads firewall rules and keep state information -permanent config will become runtime conf.

Question 52

what is the purpose of the following command: firewall-cmd –runtime-to-permanent runtim

Answer 52

saves runtime config and makes it permanent

Question 53

what is the purpose of the following command : firewall-cmd –check-config

Answer 53

runs checks on permanent configuration.

Question 54

what is the purpose of the following command : firewall-cmd –get-log-denied

Answer 54

prints the log denied settings

Question 55

what is the purpose of the following command : firewall-cmd –permanentq

Answer 55

can be used to set options permanently

*changes will be effective after restart /reload

Question 56

what is the purpose of the following command : firewall-cmd –get-default-zone

Answer 56

prints default zone for connections and interfaces

Question 57

what is the purpose of the following command: firewall-cmd –set-default-zone=zone

Answer 57

set default zone for connections and interfaces . where no zone is selected.