A firewall or a packet filter, in general, is a network security system that prevents all network communications except those connections that are explicitly allowed. Network firewalls filter traffic between networks and host-based firewalls filter incoming and outgoing traffic on a host machine.
For the following example, keep in mind that by default, no traffic is allowed to pass a firewall. The client in Image1 is not allowed to send a request to the web server until an exception is added to the firewall rule set.
Allow incoming HTTP/HTTPS traffic
In our example, we have a web server running on our host, but no one can access this webserver because a network firewall and a host-based firewall are filtering all incoming traffic. Let's change that now.
Because we are root on our web server, we can configure the host-based firewall by ourselves. If you are running RHEL or CentOS, you can allow HTTP and HTTPS traffic to pass the host-based firewall with the following commands:
$ sudo firewall-cmd --add-service=http
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent
For more information on how to use the firewall-cmd command see the firewall-cmd(1) documentation:
RHEL 7 -- Using Firewalls
RHEL 8 -- Using and configuring firewalls
For the network firewall, we have to ask our network security administrator kindly to add an exception to the firewall ruleset.
We are lucky and get an exception for our client in Image1 to access our web server. Table 1 shows a simple example of a rule set, allowing our client to access the ports 80 (HTTP) and 443 (HTTPS) on our web server and forbids all other traffic.
How to troubleshoot firewall issues
Sometimes you think that everything has been configured on all related firewalls to allow access to a particular service, but the clients are still not able to connect to it. Here is what I do in such a situation.
First, I'll check the webserver to confirm whether the service is running or whether it has stopped for some reason. I do so by running the following commands on my webserver:
$ sudo systemctl is-active nginx.service
active
$ ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
Now I know that my web server is running and listening on the expected ports. Next, I'll check the host-based firewall to see whether both ports/services are allowed or not.
$ sudo firewall-cmd --list-services
dhcpv6-client http https ssh
If either HTTP or HTTPS was missing here, I would know that I have forgotten something, and the host-based firewall is blocking the client requests. The next step would be to try to access the webserver from a host on the same subnet. This way, I could confirm whether there is still some problem with my host or not. When everything is fine, it's time to probe the network firewall.
For this, I send a request from my client to my webserver and take note of the timestamp, source IP address, destination IP address, and destination port of my request. With this information, I kindly ask my network security administrator to check the logs of the network firewall for any access denied entries. Maybe the guy just forgot to commit the new rule to the running config.
That makes up the following troubleshooting order:
- Check that service is up and running
- Check that the host is listening on the appropriate ports
- Check the host-based firewall for allowed services and ports
- Check whether service is accessible from a host on the same subnet
- Try to connect to service from another network host and make a note of timestamp and IP addresses and ports that are involved.
- Ask you network security administrator kindly to check the logs of the network firewall(s)
Wrapping up
The list of steps above should help you diagnose firewall configurations that are preventing connectivity. Remember that the host-based firewalls protect the server and the network firewalls separate network segments.
[ Want more for your network? Download a free ebook on network automation with Ansible. ]
About the author
Jörg has been a Sysadmin for over ten years now. His fields of operation include Virtualization (VMware), Linux System Administration and Automation (RHEL), Firewalling (Forcepoint), and Loadbalancing (F5). He is a member of the Red Hat Accelerators Community and author of his personal blog at https://www.my-it-brain.de.
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit