Firewalls
Overview
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined rules. Firewalls can operate at different layers of the network stack — packet-filtering firewalls work at Layer 3/4 (IP addresses and ports), while application-level firewalls (like Web Application Firewalls) inspect Layer 7 traffic.
In a typical server setup, there are often multiple layers of firewall protection: the cloud provider's security groups (external firewall), the host's own firewall (e.g., firewalld on CentOS), and potentially application-level firewalls like ModSecurity. Each layer serves a different purpose and provides defense in depth.
How It Works
Layers of Firewall Protection
Modern server deployments typically involve at least two firewall layers, each controlled independently:
1. Cloud / External Firewall (Security Groups)
Cloud providers (AWS, ETAIS, OpenStack, etc.) provide security groups — sets of rules that control inbound and outbound traffic at the virtual network level, outside the VM. Security groups act as the first line of defense and are configured through the cloud provider's interface, not from within the server.
Key characteristics:
- Rules are defined per port, protocol (TCP/UDP), direction (ingress/egress), and source CIDR
- Applied at the hypervisor level — traffic is filtered before it reaches the VM
- Even if the host firewall is misconfigured, security groups still protect the VM
- Multiple security groups can be attached to a single VM
- Changes take effect without restarting the VM
Example: To allow SSH access, you create a security group rule allowing TCP port 22 ingress from your network.
2. Host Firewall (firewalld / iptables)
The host firewall runs inside the VM and provides a second layer of filtering. On RHEL/CentOS systems, firewalld is the default firewall management tool (which manages nftables or iptables rules underneath).
Host firewalls use the concept of zones to group network interfaces and define trust levels. The default zone for servers is typically public, which blocks all incoming traffic except explicitly allowed services.
Traffic must pass both the external security group and the host firewall to reach a service. This means you need to open ports in both places.
3. Application-Level Firewalls (WAF)
Web Application Firewalls (WAFs) like ModSecurity operate at Layer 7 (HTTP) and inspect the content of requests, not just ports and IPs. They can:
- Block SQL injection and cross-site scripting (XSS) attempts
- Enforce request size limits
- Filter based on URL patterns, headers, or request bodies
- Log suspicious activity for forensic analysis
WAFs are typically deployed as modules within the web server (e.g., mod_security in Apache).
How Packet Filtering Works
When a network packet arrives at a firewall, it is evaluated against an ordered list of rules. Each rule specifies:
- Source/Destination IP — where the traffic comes from and where it's going
- Protocol — TCP, UDP, ICMP, etc.
- Port — the destination port number (e.g., 22 for SSH, 80 for HTTP)
- Action — ACCEPT, DROP (silently discard), or REJECT (discard with error response)
Rules are evaluated top-down. The first matching rule determines the action. If no rule matches, a default policy applies (typically DROP for incoming traffic).
Stateful vs Stateless Firewalls
Stateful firewalls (like firewalld) track the state of network connections. Once an outgoing connection is established, return traffic is automatically allowed without needing an explicit rule. This is the standard for modern host firewalls.
Stateless firewalls evaluate each packet independently, so they require explicit rules for both directions of traffic. Cloud security groups, by contrast, are typically stateful, like modern host firewalls.
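The following Python model is an added illustration, not code from this page or from firewalld itself. It implements the first-match evaluation with a default policy described under "How Packet Filtering Works" as a stateless filter, then wraps it in a minimal connection-tracking table to show why a stateful filter accepts the reply to an outgoing DNS query while a stateless one drops it. The rule set, the host address 10.0.0.5, and the other sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    action: str                 # "ACCEPT", "DROP" or "REJECT"
    proto: str = "any"          # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"      # source CIDR
    dst: str = "0.0.0.0/0"      # destination CIDR
    dport: Optional[int] = None # destination port, None means any


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every field it constrains agrees with the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))


def stateless_filter(rules: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """Rules are evaluated top-down; the first match decides, else the default policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


class StatefulFilter:
    """Same rule evaluation, plus a connection table so return traffic is allowed."""

    def __init__(self, rules: List[Rule], default: str = "DROP"):
        self.rules = rules
        self.default = default
        # 5-tuples (src, sport, dst, dport, proto) of accepted connections
        self.conntrack: Set[Tuple[str, int, str, int, str]] = set()

    def evaluate(self, pkt: Packet) -> str:
        # Reply to a tracked connection: the reversed 5-tuple is already known
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.conntrack:
            return "ACCEPT"
        action = stateless_filter(self.rules, pkt, self.default)
        if action == "ACCEPT":
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action


def demo() -> dict:
    # Constructed host firewall for a server at 10.0.0.5 (hypothetical addresses)
    rules = [
        Rule("ACCEPT", proto="tcp", src="10.0.0.0/24", dport=22),  # SSH from the office network
        Rule("ACCEPT", src="10.0.0.5/32"),                         # anything the server originates
    ]
    sf = StatefulFilter(rules)
    results = {}
    results["ssh_office"] = sf.evaluate(Packet("10.0.0.7", "10.0.0.5", "tcp", 51000, 22))
    results["ssh_internet"] = sf.evaluate(Packet("203.0.113.9", "10.0.0.5", "tcp", 51000, 22))
    query = Packet("10.0.0.5", "198.51.100.53", "udp", 40000, 53)   # outgoing DNS query
    reply = Packet("198.51.100.53", "10.0.0.5", "udp", 53, 40000)   # the resolver's answer
    results["dns_query"] = sf.evaluate(query)
    results["dns_reply_stateful"] = sf.evaluate(reply)               # allowed via conntrack
    results["dns_reply_stateless"] = stateless_filter(rules, reply)  # no rule matches: default DROP
    return results


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:22s} {action}")
```

The stateless evaluation drops the DNS reply because no rule names the resolver as a source; the stateful filter accepts it because the server's own outgoing query was recorded. This is exactly the return-traffic case that lets firewalld get by with ingress rules only.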
Key Terminology
- Ingress: Inbound traffic — connections initiated from outside toward your server.
- Egress: Outbound traffic — connections initiated from your server toward the outside.
- CIDR: Classless Inter-Domain Routing notation for IP ranges (e.g., `10.0.0.0/24` means all IPs from 10.0.0.0 to 10.0.0.255). `0.0.0.0/0` means "any IP".
- Zone: In firewalld, a zone groups network interfaces and defines the level of trust. Common zones: `public` (default, restrictive), `trusted` (allow all), `drop` (drop all).
- Service: In firewalld, a named definition mapping a service name to its port(s) and protocol (e.g., `ssh` = TCP/22, `http` = TCP/80).
- Security Group: A cloud-level firewall rule set that controls traffic to/from VMs at the hypervisor level.
- Defense in Depth: The practice of using multiple layers of security controls so that if one layer fails, others still protect the system.
Why It Matters
As a system administrator, you will:
- Open ports for every new service you deploy (in both cloud security groups and host firewall)
- Restrict access to sensitive services (e.g., SSH, databases) to specific IP ranges
- Use defense in depth to ensure no single misconfiguration exposes your server
- Debug connectivity issues by checking firewall rules at each layer
- Deploy WAFs to protect web applications from common attacks
Common Pitfalls
- Forgetting to open ports in both layers — opening a port in firewalld but not in the cloud security group (or vice versa) means traffic still can't reach the service.
- Opening too many ports — every open port is an attack surface. Only open what's needed.
- Using `0.0.0.0/0` for sensitive services — allowing SSH from anywhere invites brute-force attacks. Restrict to your network.
- Not reloading after changes — firewalld requires `firewall-cmd --reload` for permanent rules to take effect.
- Confusing `--permanent` with runtime — without `--permanent`, firewalld rules are lost on reboot. With `--permanent` only, rules don't apply until reload.
- Locking yourself out — removing the SSH security group or firewall rule while connected remotely means you lose access. Always keep SSH open.
- Ignoring egress rules — while less common, restricting outbound traffic prevents compromised servers from communicating with attackers.
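To make the two-layer and `--permanent`/runtime pitfalls concrete, here is an added Python model (not code from this page, from firewalld, or from any cloud provider) that traces a connection through a stateful security group and then through a firewalld zone's runtime rule set, reporting which layer stops it. The `SecurityGroup` and `FirewalldZone` classes, the small `SERVICES` table, and the addresses are constructed for the example; `add_service`, `reload` and `reboot` mirror the effect of `firewall-cmd --add-service`, `firewall-cmd --reload` and a restart, but run entirely in memory.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed subset of firewalld's built-in service definitions: name -> (proto, port)
SERVICES: Dict[str, Tuple[str, int]] = {
    "ssh": ("tcp", 22),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
}


class SecurityGroup:
    """Cloud-level ingress rules; stateful, so replies need no matching egress rule."""

    def __init__(self) -> None:
        self.ingress: List[Tuple[str, int, int, str]] = []  # (proto, port_min, port_max, cidr)

    def allow(self, proto: str, port_min: int, port_max: int, cidr: str) -> None:
        self.ingress.append((proto, port_min, port_max, cidr))

    def permits(self, src_ip: str, proto: str, port: int) -> bool:
        src = ipaddress.ip_address(src_ip)
        return any(p == proto and lo <= port <= hi and src in ipaddress.ip_network(cidr)
                   for p, lo, hi, cidr in self.ingress)


class FirewalldZone:
    """Models the runtime vs. permanent split of one firewalld zone (e.g. public)."""

    def __init__(self) -> None:
        self.runtime: Set[Tuple[str, int]] = set()    # what the kernel enforces right now
        self.permanent: Set[Tuple[str, int]] = set()  # what is saved on disk

    def add_service(self, name: str, permanent: bool = False) -> None:
        # firewall-cmd [--permanent] --add-service=NAME
        target = self.permanent if permanent else self.runtime
        target.add(SERVICES[name])

    def add_port(self, proto: str, port: int, permanent: bool = False) -> None:
        # firewall-cmd [--permanent] --add-port=PORT/PROTO
        target = self.permanent if permanent else self.runtime
        target.add((proto, port))

    def reload(self) -> None:
        # firewall-cmd --reload: runtime configuration is rebuilt from the permanent one
        self.runtime = set(self.permanent)

    def reboot(self) -> None:
        # After a restart only the permanent configuration survives
        self.runtime = set(self.permanent)

    def permits(self, proto: str, port: int) -> bool:
        return (proto, port) in self.runtime


def reachability(sg: SecurityGroup, zone: FirewalldZone, src_ip: str, proto: str, port: int) -> str:
    """Check each layer in the order traffic crosses it and name the first one that blocks."""
    if not sg.permits(src_ip, proto, port):
        return "blocked by security group"
    if not zone.permits(proto, port):
        return "blocked by host firewall"
    return "reachable"


def demo() -> Dict[str, str]:
    sg = SecurityGroup()
    sg.allow("tcp", 22, 22, "10.0.0.0/24")   # SSH only from the office network (constructed)
    sg.allow("tcp", 80, 80, "0.0.0.0/0")     # HTTP from anywhere
    zone = FirewalldZone()
    zone.add_service("ssh", permanent=True)
    zone.reload()

    steps: Dict[str, str] = {}
    steps["ssh_office"] = reachability(sg, zone, "10.0.0.7", "tcp", 22)
    steps["ssh_internet"] = reachability(sg, zone, "203.0.113.9", "tcp", 22)
    steps["http_before"] = reachability(sg, zone, "203.0.113.9", "tcp", 80)
    zone.add_service("http")                          # runtime only, no --permanent
    steps["http_runtime"] = reachability(sg, zone, "203.0.113.9", "tcp", 80)
    zone.reboot()                                     # runtime change is gone
    steps["http_after_reboot"] = reachability(sg, zone, "203.0.113.9", "tcp", 80)
    zone.add_service("http", permanent=True)          # saved, but not yet active
    steps["http_permanent_no_reload"] = reachability(sg, zone, "203.0.113.9", "tcp", 80)
    zone.reload()
    steps["http_after_reload"] = reachability(sg, zone, "203.0.113.9", "tcp", 80)
    return steps


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:26s} {verdict}")
```

When debugging "the port is open but nothing connects", the order of checks in `reachability` is the order to check on a real system: the cloud rules first (the packet never reaches the VM otherwise), then `firewall-cmd --list-all` for the runtime view and `firewall-cmd --permanent --list-all` for the saved one.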
Further Reading
Related Documentation
- Technologies: firewalld, Apache HTTPD
- SOPs: Firewall Management
- Concepts: Networking Models, Web Application Security