On day 3 of my RHCA Journey, I went over the topics of firewalld (standard, and rich rules), masquerading, port forwarding, and SELinux. I like Linux security to begin with, so it was a fun chapter for me. As usual though I found a few areas of which I need to work upon, but nothing too difficult, because of man pages. One key thing learn for any Red Hat exam is to understand you may not recall everything, so another good option is to learn WHERE you can find the needed information without using the Internet. This is where man pages come into play. For instnace lets say you forget the syntax of a rich rule, you can run the following command:

# man firewalld.richlanguage

Then looking toward the end in the example section you see a variety of options in which you could build your own rich rule with firewalld.

# firewall-cmd –permament –add-rich-rule ‘rule family=”ipv4″ source address=”″ service name=”tftp” log prefix=”tftp” level=”info” limit value=”1/m” accept’

# firewall-cmd –reload

I liked the SELinux portion as well, as I am a big believer in using SELinux and always keeping it on. In this chapter, it focused on SELinux on port security. Usually, you’ll need to use SELinux to add a custom port when running applications, such as web servers, on non-standard ports. If this is the case, with SELinux running, httpd would fail to load if it is listening in on a non-standard port. The easiest way to find this information is by using the following command:

# sealert -a /var/log/audit/audit.log

For issues with being denied access based on a non-standard port, sealert will give the reason why, and provide the syntax to add it. You just need to know the SELinux port type to plug in. For http, it would be http_port_t. The command then would be to do:

# semanage -a -t http_port_t -p tcp 82

The -a is to add the new port, the -t is the type, in our case http_port_t, and the -p is the port, where you pick if it’s tcp or udp and the port number required. Of course don’t forget to add the port in the firewall as well:

# firewall-cmd –add-port 82/tcp –permanent

# firewall-cmd –reload

After which you can restart the httpd service and all will be well.

In all, it was a fun chapter to go through, and with a bit more practice I believe I’ll do well on this portion. Hopefully today I will get more time than I have the past few days. As I have only been able to hit one chapter at a time, however in some sense it was good, as I was able to spend more time on each single topic. Be sure and check back tomorrow to see the next topic that I will cover today.


Ivan Windon – RHCSA

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.