# Networking 

- Configure Networking and Hostname Resolution Statically or Dynamically
  - `/etc/sysconfig/network-scripts/` contains config files for network interfaces on the system
  - `systemctl status NetworkManager.service`
  - `ss -plunt` to view listening services
- Implement Packet Filtering
  - Zones:
    - public = the default zone for new network interfaces
    - trusted = allow all incoming traffic
    - internal
    - home
    - work
    - dmz
    - external
    - block
    - drop
  - firewalld implements packet filtering in Red Hat distributions
    - firewalld stores zone rules in two locations:
      - /usr/lib/firewalld/zones = contains default rules
      - /etc/firewalld/zones = contains user defined rules
    - NICs go into zones, and rules are applied to zones
    - The default zone is public; all incoming connections are blocked by default
    - To get the default zone:
      - `firewall-cmd --get-default-zone`
    - To change the default zone:
      - `firewall-cmd --set-default-zone=<zone name>`
        - Example: `firewall-cmd --set-default-zone=public`
    - To see the current firewall rules:
      - `firewall-cmd --list-all`
    - Services are friendly names for adding firewall rules. The services in this example are allowed inbound:
      ```
      [root@centos01 sysctl.d]# firewall-cmd --list-all
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: eth0
        sources:
        services: cockpit dhcpv6-client http https ssh
        ports:
        protocols:
        forward: no
        masquerade: no
        forward-ports:
        source-ports:
        icmp-blocks:
        rich rules:
      ```
      - To get more info about a service, run:
        - `firewall-cmd --info-service=<service name>`
          - Example: `firewall-cmd --info-service=cockpit`
    - To allow traffic for Apache:
      - `firewall-cmd --add-service=http` OR `firewall-cmd --add-port=80/tcp`, NOT BOTH!
    - To disallow traffic for Apache:
      - `firewall-cmd --remove-service=http` OR `firewall-cmd --remove-port=80/tcp`
    - To allow traffic from a trusted zone (like a subnet):
      - `firewall-cmd --add-source=192.169.1.0/24 --zone=trusted`
    - Rules are not permanent unless you use this command:
      - `firewall-cmd --runtime-to-permanent`
      - <b>`--runtime-to-permanent` does not appear in the help for `firewall-cmd`</b>
  - Statically Route Traffic
    - To add a static route to a subnet via the gateway 10.11.12.100:
      - `ip route add 192.168.1.0/24 via 10.11.12.100`
    - To add a default gateway:
      - `ip route add default via 10.0.0.100`
    - Routes added via the `ip` command are temporary. To make them permanent:
      - `sudo nmcli connection modify eth1 +ipv4.routes "192.168.0.0/24 172.28.128.100"`
      - `sudo nmcli device reapply eth1`
  - Sync time using other network peers
    - `timedatectl` can be used to check if the time is synced
    - `timedatectl` can also be used to set the default time zone
      - `timedatectl set-timezone America/Indiana/Indianapolis`
    - `timedatectl` can use NTP as a time source if `chronyd` is installed:
      - `timedatectl set-ntp true`
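
The firewalld notes above say that rules are not permanent until `firewall-cmd --runtime-to-permanent` is run, and that Apache should be opened as a service or as a port, not both. The script below is an added example (not part of the original notes) that checks both points by comparing a runtime listing with a permanent one; the function names and the sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example: list firewalld entries that exist only at runtime.
# Live capture: firewall-cmd --list-all > runtime.txt
#               firewall-cmd --permanent --list-all > permanent.txt
export LC_ALL=C   # stable ordering for sort/comm

# fw_entries FILE: print "key value" per service/port/source entry.
fw_entries() {
    awk '$1 == "services:" || $1 == "ports:" || $1 == "sources:" {
             key = $1; sub(/:$/, "", key)
             for (i = 2; i <= NF; i++) print key, $i
         }' "$1" | sort -u
}

# fw_drift RUNTIME PERMANENT: entries present at runtime but not permanent.
fw_drift() {
    rt=$(mktemp); pm=$(mktemp)
    fw_entries "$1" > "$rt"; fw_entries "$2" > "$pm"
    comm -23 "$rt" "$pm"
    rm -f "$rt" "$pm"
}

# fw_overlap FILE: report http opened as both a service and port 80/tcp.
fw_overlap() {
    e=$(fw_entries "$1")
    if printf '%s\n' "$e" | grep -qx 'services http' &&
       printf '%s\n' "$e" | grep -qx 'ports 80/tcp'; then
        echo "http and 80/tcp both present"
    fi
}

# Constructed sample listings (not captured from a real host).
d=$(mktemp -d)
cat > "$d/runtime.txt" <<'EOF'
public (active)
  sources:
  services: cockpit dhcpv6-client http https ssh
  ports: 80/tcp
  source-ports:
EOF
cat > "$d/permanent.txt" <<'EOF'
public
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
EOF
echo "Runtime-only entries:"
fw_drift "$d/runtime.txt" "$d/permanent.txt"
fw_overlap "$d/runtime.txt"
```

Any line printed by `fw_drift` is a rule that will disappear on `firewall-cmd --reload` or reboot unless it is saved with `firewall-cmd --runtime-to-permanent`.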


- Commands:
```
ip
nmtui
nmcli

ss
netstat

firewall-cmd
ip

timedatectl
```