I have Clear Linux Live Server installed on remote dedicated server hardware (5,000 km away), not a VPS or shared hosting etc. I access the unit remotely via ssh on port 4200.
Firewall document says “Clear Linux OS does not impose a firewall policy out of the box. All traffic is allowed inbound and all traffic is allowed outbound.”
https://docs.01.org/clearlinux/latest/guides/network/firewall.html
I have nginx-mainline web server, php 7.4.2, mariadb, redis native etc.
Ports listening now are:
nmap -n -Pn -sT -sU -p- 23.123.12.123
Host is up (0.000042s latency).
Not shown: 131066 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
3306/tcp open mysql
4200/tcp open vrml-multi-use
Before the website goes public I'll need to install and configure a firewall.
I'm familiar with ufw and its configuration rules are very simple, but it is not available on Clear Linux.
The Clear Linux firewall software available lists:
iptables
ipset
firewalld
Configuration rule sets for firewalld look to be the least obtuse of the options. I've never configured a firewall like this before, and I'm very much cautioned by the warning on the Firewall document page:
Warning
Changing firewall configuration can cause abrupt network disconnection. If this happens on a remote host, local recovery may be required.
Be sure to test your firewall configuration before committing it permanently to ensure your system will remain accessible remotely, if required.
I want to make sure I receive safe accurate configuration advice to avoid locking myself out of my ssh session to the server preventing further access.
Some examples on the web show adding a service, some show adding a port, and some show adding both service and port (without explanation).
As I will be ssh'd into the remote machine, if I follow exactly the details on installing and using firewalld on Clear Linux in the document, is there a risk it can kill my ssh session and lock me out?
Will the rules below suffice:
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=4200/tcp
firewall-cmd --reload
Step 4 firewalld:
Enable the firewalld service so that the firewalld daemon is automatically started and rules applied at boot from the /etc/firewalld/* file:
sudo systemctl enable --now firewalld.service
Can I assume running this command creates a config file in that location, or does it just enable the service and the user needs to manually create the config file?
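Added example, not code from the original post or from the Clear Linux documentation: a dry-run planner that prints a lockout-safe firewalld rollout for a host whose sshd listens on a non-default port, in the order a practitioner would actually run it. Two facts it relies on: a firewalld "service" is just a named bundle of ports (http is 80/tcp, https is 443/tcp, ssh is 22/tcp), so `--add-service=http` and `--add-port=80/tcp` open the same thing and only one is needed; and the stock public zone only allows the ssh service, i.e. 22/tcp, so the moment firewalld loads a rule set that does not list 4200/tcp, new connections to the admin port are refused. Anything not listed (3306/tcp here) stays closed, which is what you want for a database. Assumptions not stated in the post: the active zone is "public" and `firewall-offline-cmd` (shipped with firewalld) is present, which lets the permanent config be written before the daemon is ever started.

```shell
#!/bin/sh
# Added example; not code from the original post or from the Clear Linux docs.
# Dry-run planner for a lockout-safe firewalld rollout on a remote host whose
# sshd listens on a non-default port. It only PRINTS firewall commands in a
# safe order, and refuses to print a plan that does not open the admin port.
# Assumptions (not stated in the post): the active zone is "public", and
# firewall-offline-cmd (part of the firewalld package) is installed.

ZONE="${ZONE:-public}"

# list_has WORD LIST: 0 if the space-separated LIST contains WORD.
list_has() {
  case " $2 " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# plan_rules SSH_PORT "SERVICES" "PORTS": print the rollout, or fail with
# exit status 1 and print nothing to stdout if SSH_PORT/tcp is absent.
# Reason for the guard: the stock public zone allows only the "ssh" service,
# which is 22/tcp, so a rule set without SSH_PORT/tcp blocks every NEW
# connection to the admin port the moment firewalld loads it.
plan_rules() {
  ssh_port="$1"; services="$2"; ports="$3"
  if ! list_has "${ssh_port}/tcp" "$ports"; then
    echo "refusing plan: ${ssh_port}/tcp is not in the port list" >&2
    return 1
  fi

  echo "# 1. Write the permanent zone config BEFORE firewalld is started."
  echo "#    firewall-offline-cmd edits the permanent config with no daemon running,"
  echo "#    so the admin port is already allowed when the first rule set is loaded."
  for s in $services; do
    echo "sudo firewall-offline-cmd --zone=$ZONE --add-service=$s"
  done
  for p in $ports; do
    echo "sudo firewall-offline-cmd --zone=$ZONE --add-port=$p"
  done
  # The "ssh" service is 22/tcp; it only widens exposure when sshd is elsewhere.
  if [ "$ssh_port" != 22 ]; then
    echo "sudo firewall-offline-cmd --zone=$ZONE --remove-service=ssh"
  fi

  echo "# 2. Enable and start the daemon; it loads the config written in step 1."
  echo "sudo systemctl enable --now firewalld.service"

  echo "# 3. Verify from the CURRENT session, then open a second ssh session"
  echo "#    and keep the first one open until the second one works."
  echo "sudo firewall-cmd --get-active-zones"
  echo "sudo firewall-cmd --zone=$ZONE --list-all"
  echo "sudo firewall-cmd --zone=$ZONE --query-port=${ssh_port}/tcp"

  echo "# 4. Later changes: try them in the runtime config with a timeout first;"
  echo "#    if the session survives, persist the runtime state. If it does not,"
  echo "#    the rule disappears by itself when the timeout expires."
  echo "#    sudo firewall-cmd --zone=$ZONE --add-port=<port>/tcp --timeout=300"
  echo "#    sudo firewall-cmd --runtime-to-permanent"
}

# Usage: sh plan.sh --demo   (prints the plan for the ports in the post;
# services already cover 80 and 443, so only the admin port is listed as a port)
if [ "${1:-}" = "--demo" ]; then
  plan_rules 4200 "http https" "4200/tcp"
fi
```

Run it with `--demo`, read the printed commands, and paste them into the remote session in that order; the point of the offline step is that there is no window in which firewalld is running with a rule set that lacks 4200/tcp. Step 3 is the check the documentation's warning is asking for: confirm the port is in the active zone and that a fresh connection succeeds before you trust the first session to stay up.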