Linux Firewall

Linux Security

Note: A firewall isn't the only thing that can prevent a connection. For example, an ssh connection to a Linux VirtualBox virtual machine also depends on the VM's network mode (see the VirtualBox section at the end of this page).

Identify Firewall

You are likely using ufw or firewalld. Try these commands...

systemctl status firewalld

systemctl status ufw

firewalld

Check

firewall-cmd --version                              # Which version of firewalld is installed

firewall-cmd --state                                # Is it running?

firewall-cmd --zone=public --list-ports             # Which ports are open now (runtime config)?

firewall-cmd --permanent --zone=public --list-ports # Which ports will be open after a reboot (permanent config)?

firewall-cmd --list-all-zones                       # Full configuration of every zone, including services and ports

firewall-cmd --get-active-zones                     # Zones currently bound to an interface or source

firewall-cmd --get-default-zone                     # Zone used for interfaces that have no explicit zone

firewall-cmd --get-services                         # All service definitions firewalld knows about (the option is plural; --get-service is not accepted)

firewall-cmd --get-services --permanent             # Same, from the permanent config

firewall-cmd --runtime-to-permanent                 # Overwrite the permanent config with the active runtime config

Adding Ports

Depending on your active zone, some ports may already be allowed by default through a service, and those will not show up when you list-ports. For example, on Oracle Linux 9.5, the public zone looks like this (in the output from firewall-cmd --list-all-zones)...

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

This means that, although port 22 is not listed by --list-ports (the ports: line is empty), ssh connections are still allowed because the ssh service is in the zone's services: line.
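The point above (a port can be allowed through a service without appearing in --list-ports) as an added example, not code from the page: a small POSIX shell check that parses a zone listing in the format shown above and reports whether a port is open directly, via a service, or not at all. The zone text is a constructed copy of the sample on this page, and the service-to-port table is an assumption covering only the services mentioned here.

```shell
# Constructed sample: the "public" zone as printed by `firewall-cmd --list-all-zones`
# on this page. The ports: line is empty even though ssh is allowed (as a service).
SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Assumed service -> port table covering only the services this page mentions.
# On a real host the authoritative mapping is the XML under /usr/lib/firewalld/services/.
service_ports() {
  case "$1" in
    ssh)     echo "22/tcp" ;;
    cockpit) echo "9090/tcp" ;;
    *)       echo "" ;;
  esac
}

# zone_field ZONE_TEXT NAME: print the value after "  NAME:" (e.g. ports or services).
zone_field() {
  printf '%s\n' "$1" | awk -v f="$2" -F':' '$1 == ("  " f) { sub(/^ */, "", $2); print $2 }'
}

# port_allowed ZONE_TEXT PORT/PROTO: prints "port" when listed under ports:,
# "service:<name>" when covered by an enabled service, else "blocked" (exit status 1).
port_allowed() {
  for p in $(zone_field "$1" ports); do
    if [ "$p" = "$2" ]; then echo "port"; return 0; fi
  done
  for s in $(zone_field "$1" services); do
    for p in $(service_ports "$s"); do
      if [ "$p" = "$2" ]; then echo "service:$s"; return 0; fi
    done
  done
  echo "blocked"; return 1
}

# A second constructed zone: the same listing after `--add-port=1521/tcp`.
ZONE_WITH_1521=$(printf '%s\n' "$SAMPLE_ZONE" | sed 's/^  ports:.*/  ports: 1521\/tcp/')
port_allowed "$SAMPLE_ZONE" 22/tcp        # service:ssh
port_allowed "$ZONE_WITH_1521" 1521/tcp   # port
```

On a live host, feed the function the output of `firewall-cmd --zone=public --list-all` instead of the constructed text.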

firewall-cmd --permanent --zone=public --list-ports

If you want to be able to connect via ssh you should see this in the output of the above command...

22/tcp

If you don't see it, do this to add it (runtime only; the rule is lost at the next reboot)...

firewall-cmd --zone=public --add-port=22/tcp

If you want the change to still be there after a reboot (this writes the permanent config, which does not affect the running firewall until a reload or reboot)...

firewall-cmd --permanent --zone=public --add-port=22/tcp

For Oracle database access

For Oracle database access you will need commands similar to this...

firewall-cmd --zone=public --add-port=1521/tcp               # Assumes listener is running on port 1521

firewall-cmd --zone=public --permanent --add-port=1521/tcp   # Assumes listener is running on port 1521

For MySQL database access

firewall-cmd --zone=public --add-port=3306/tcp               # Assumes MySQL is running on port 3306 (runtime only)

firewall-cmd --zone=public --permanent --add-port=3306/tcp   # To enable the default MySQL port after a reboot

firewall-cmd --zone=public --permanent --add-port=33060/tcp  # To enable the default X-Protocol (object store) port

firewall-cmd --zone=public --permanent --add-port=33061/tcp  # To enable the group replication (InnoDB cluster) port

firewall-cmd --reload                                        # Make the permanent changes active now (without restart)

UFW

Check

sudo ufw status

Enable

If status shows as "inactive" you can enable the firewall using the command below...

Until you enable the firewall, none of the allow rules you have entered take effect, even though the commands have been accepted.

sudo ufw enable

Once enabled, the firewall should remain enabled even across restarts.

Adding Ports

sudo ufw allow ssh

sudo ufw allow 22/tcp

sudo ufw allow from 9.9.9.9 to any port 22      # Where 9.9.9.9 is a valid IP Address

sudo ufw allow from 9.9.9.9/9 to any port 22    # Where 9.9.9.9/9 is a valid CIDR block


Limiting Ports

Deny connections from an IP address that has attempted to initiate 6 or more connections...

sudo ufw limit ssh

sudo ufw limit 22/tcp

Removing Rules

sudo ufw status numbered

sudo ufw delete 1

VirtualBox

Open VirtualBox Manager, select your target VM, open up the Settings → Network and select "Bridge Networking" instead of "NAT".

Even if you have opened Firewall ports, if you have not made this change you will not be able to connect to your virtual host from any other host on your network.
