66 changes: 40 additions & 26 deletions docs/guides/security/firewalld-beginners.md
@@ -1,18 +1,19 @@
---
title: firewalld for Beginners
author: Ezequiel Bruni
contributors:
contributors: Steven Spencer
update: 16-Feb-2022
---

# `firewalld` for Beginners

## Introduction

A long time ago, I was a little newbie computer user who heard that having a firewall was *supposed* to be super good. It would let me decide what got in, and what got out of my computer, right? But it mostly seemed to stop my video games from accessing the internet; I was *not* a happy camper.
A long time ago, I was a little newbie computer user who heard that having a firewall was *supposed* to be super good. It would let me decide what got in, and what got out of my computer, right? But it mostly seemed to stop my video games from accessing the internet; I was *not* a happy camper.

Of course, if you're here, you probably have a better idea what a firewall is and what it does than I did. But if your firewall experience amounts to telling Windows Defender that yes, for the love of all that is holy, your new app is allowed to use the internet, don't worry. It says "for Beginners" up top; I've got you.

In other words, my fellow nerds should be aware that there'll be a lot of explanations incoming.
In other words, my fellow nerds should be aware that there will be a lot of explanations incoming.

So let's talk about what we're here for. `firewalld` is the default firewall app packaged with Rocky Linux, and it's designed to be pretty simple to use. You just need to know a little bit about how firewalls work, and not be afraid to use the command line.

@@ -29,15 +30,15 @@ This is *not* intended to be a complete or exhaustive guide.

Well... there *are* graphical firewall configuration options. On the desktop, there's `firewall-config` which can be installed from the repos, and on servers you can [install Cockpit](https://linoxide.com/install-cockpit-on-almalinux-or-rocky-linux/) to help you manage firewalls and a whole bunch of other stuff. **However, I'll be teaching you the command-line way to do things in this tutorial for a couple of reasons:**

1. If you're running a server, you'll be using the command line for most of this stuff anyway. Lots of tutorials and guides for Rocky server stuff will give command line instructions for firewall management, and it's best that you understand those instructions, rather than just copying and pasting whatever you see.
1. If you're running a server, you'll be using the command line for most of this stuff anyway. Lots of tutorials and guides for Rocky server will give command line instructions for firewall management, and it's best that you understand those instructions, rather than just copying and pasting whatever you see.
2. Understanding how the `firewalld` commands work might help you better grasp how the firewall software works. You can take the same principles you learn here, and have a better idea what you're doing if you do decide to use a graphical interface in the future.

## Prerequisites and Assumptions
You'll need:

* A Rocky Linux machine of any kind, local or remote, physical or virtual
* Access to the terminal, and a willingess to use it
* You need root access, or at least the ability to use `sudo` on your user account. For simpliicity's sake, I'm assuming all commands are bing run as root.
* Access to the terminal, and a willingness to use it
* You need root access, or at least the ability to use `sudo` on your user account. For simplicity's sake, I'm assuming all commands are being run as root.
* A basic understanding of SSH wouldn't hurt for managing remote machines.

## Basic Usage
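Review bot: dropping "stuff" from the end of the first numbered item leaves "guides for Rocky server" without a noun; "guides for Rocky Linux servers" reads correctly. While this paragraph is being touched, the Cockpit link points at a third-party tutorial (linoxide.com); a link inside the Rocky documentation would age better if one exists.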
@@ -70,7 +71,7 @@ And to give the service a hard restart:
systemctl restart firewalld
```

### Basic `firewalld` configuration and managment commands
### Basic `firewalld` configuration and management commands

`firewalld` is configured with the `firewall-cmd` command. You can, for example, check the status of `firewalld` with:

@@ -111,7 +112,7 @@ public (active)

### Saving your changes

!!! Warning Seriously, read this next bit.
!!! Warning "Warning: Seriously, read this next bit."

By default, all changes to `firewalld`'s configuration are temporary. If you restart the whole `firewalld` service, or restart your machine, none of your changes to the firewall will be saved unless you do one of two very specific things.

@@ -133,24 +134,31 @@ firewall-cmd --permanent [the rest of your command]

Before anything else, I need to explain zones. Zones are a feature that basically allow you to define different sets of rules for different situations. Zones are a huge part of `firewalld` so it pays to understand how they work.

If your machine has multiple ways to connect to different networks (eg. ethernet and wifi), you can decide that one connection is more trusted than other. You might set your ethernet connection to the "trusted" zone if it's only connected to a local network that you built, and put the wifi (which might be connected to the internet) in the "public" zone with more stringent restrictions.
If your machine has multiple ways to connect to different networks (eg. Ethernet and WiFi), you can decide that one connection is more trusted than the other. You might set your Ethernet connection to the "trusted" zone if it's only connected to a local network that you built, and put the WiFi (which might be connected to the internet) in the "public" zone with more stringent restrictions.

!!! Note
A network interface (ethernet, wifi, or what-have-you) can *only* be assigned to one zone at a time. If you're running `firewalld` on a remote server or VPS, and it doesn't come with extra network interfaces (physical or virtual) then you can only have one zone that's actually active and doing anything at a time.

A network interface (Ethernet, WiFi, or what-have-you) can *only* be assigned to one zone at a time. If you're running `firewalld` on a remote server or VPS, and it doesn't come with extra network interfaces (physical or virtual) then you can only have one zone that's actually active and doing anything at a time.

That zone should be the "public" zone, if you're running a web server.

Default zones include the following (I've taken this explanation from [DigitalOcean's guide to `firewalld`](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-8), which you should also read):

> **drop:** The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.

> **block:** Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.

> **public:** Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.

> **internal:** The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.

> **dmz:** Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.

> **work:** Used for work machines. Trust most of the computers in the network. A few more services might be allowed.

> **home:** A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.

> **trusted:** Trust all of the machines in the network. The most open of the available options and should be used sparingly.

Okay, so some of those explanations get complicated, but Honestly? The average beginner can get by with understanding "trusted", "home", and "public", and when to use which.
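Review bot: the `external` zone entry (the line beginning "external: External networks") is still missing the `> **external:**` prefix and the blank line that every other zone in this list now gets, so in Markdown it renders as a lazy continuation of the `public` blockquote rather than as its own entry; give it the same `> **external:** ...` form and a blank line before it. Also, "but Honestly?" in the closing paragraph has a stray capital H.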
@@ -169,7 +177,7 @@ To see which zones are active and doing things, run:
firewall-cmd --get-active-zones
```

!!! Note Some of this might have been done for you.
!!! Note "Note: Some of this might have been done for you."

If you're running Rocky Linux on a VPS, it's probable that a basic configuration has been set up for you. Specifically, you should be able to access the server via SSH, and the network interface will already have been added to the "public" zone.

@@ -206,19 +214,19 @@ firewall-cmd --get-zones

## Managing Ports

For the uninitiated, ports (in this context) are just virtual endpoints where computers connect to each other so they can send information back and forth. Think of them like physical ethernet or USB ports on your computer, but invisible, and you can have up to 65,535 of them all going at once.
For the uninitiated, ports (in this context) are just virtual endpoints where computers connect to each other so they can send information back and forth. Think of them like physical Ethernet or USB ports on your computer, but invisible, and you can have up to 65,535 of them all going at once.

I wouldn't, but you can.

Every port is defined by a number, and some ports are reserved for specific services, and kinds of information. If you've ever worked with web servers to build a website, for example, you may be familiar with port 80, and port 443. Those ports allow for the transmission of web page data.
Every port is defined by a number, and some ports are reserved for specific services, and kinds of information. If you've ever worked with web servers to build a website, for example, you may be familiar with port 80, and port 443. Those ports allow for the transmission of web page data.

Specifically, port 80 allows for transferring data via the Hypertext Transfer Protocol (HTTP), and port 443 is reserved for Hypertext Transfer Protocol Secure (HTTPS) data. *

Port 22 is reserved for the Secure Shell protocol (SSH) which lets you log into and manage other machines via the command line (see [our short guide](ssh_public_private_keys.md) on the suject).A brand new remote server might only allow connections over port 22 for SSH, and nothing else.

Other examples include FTP (ports 20 and 21), SSH (port 22), and so many more. You can aslo set custom ports to be used by new apps you might install, that don't already have a standard number.
Other examples include FTP (ports 20 and 21), SSH (port 22), and so many more. You can also set custom ports to be used by new apps you might install, that don't already have a standard number.

!!! Note You shouldn't use ports for everything.
!!! Note "Note: You shouldn't use ports for everything."

For things like SSH, HTTP/S, FTP, and more, it's actually recommended to add them to your firewall zone as *services*, and not as port numbers. I'll show you how that works below. That said, you still need to know how to open ports manually.
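Review bot: several typos survive in the unchanged lines of this hunk, which is exactly what this PR fixes elsewhere: "on the suject).A brand new" needs "subject" and a space after the full stop; the trailing " *" after the HTTPS sentence is a footnote marker with no footnote; and "SSH (port 22)" is listed again in the "Other examples include FTP ..." line immediately after the paragraph devoted to SSH. Minor: there are 65,536 port numbers (0 through 65535) for each of TCP and UDP, so "up to 65,535 of them" slightly undercounts.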

@@ -240,7 +248,9 @@ To add a port to your firewall zone (thus opening it for use), just run this com
firewall-cmd --zone=public --add-port=9001/tcp
```

!!! Note About that `/tcp` bit...
!!! Note

About that `/tcp` bit:

That `/tcp` bit at the end tells the firewall that connections will be coming in over the Transfer Control Protocol, which is what you'll be using for most server-and-home-related stuff.
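Review bot: "Transfer Control Protocol" in the unchanged body line is wrong; TCP is the Transmission Control Protocol. On style, this hunk switches to a bare `!!! Note` with the title moved into the body, whereas the earlier hunks in this PR keep a quoted custom title (`!!! Note "Note: ..."`); pick one convention for the whole file.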

@@ -263,13 +273,15 @@ This is the preferred way to open up the ports for these common services, and a
* SSH: For controlling remote machines and moving files bacck and forth the new way
* Samba: For sharing files with Windows machines

!!! Warning Never remove the SSH service from a remote server's firewall!
!!! Warning

**Never remove the SSH service from a remote server's firewall!**

Remember, SSH is what you use to log in to your server. Unless you have another way to access the physical server, or its shell (ie via. a control panel provided by the host), removing the SSH service will lock you out permanently.

You'll either need to contact support to get your access back, or reinstall the OS entirely.

## Service management commands
## Service management commands

To see a list of all available service services that you could potentially add to your firewall, run:
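Review bot: two more leftovers in the unchanged lines here: "moving files bacck and forth" and "a list of all available service services" (doubled word). "(ie via. a control panel" should read "(i.e. via a control panel". The `## Service management commands` heading appears to change only in trailing whitespace; fine, but worth confirming it is intentional.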

@@ -295,13 +307,13 @@ To remove/close a service on your firewall, just change one word again:
firewall-cmd --zone=public --remove-service=http
```

!!! Note You can add your own services.
!!! Note "Note: You can add your own services"

And customize the heck out of them, too. However, that's a topic that gets kind of complex. Get famailiar with `firewalld` first, and go from there.
And customize the heck out of them, too. However, that's a topic that gets kind of complex. Get familiar with `firewalld` first, and go from there.

## Restricting Access

Let's say you have a server, and you just don't want to make it public. if you want to define just who is allowed to access it via SSH, or view some private web pages/apps, you can do that.
Let's say you have a server, and you just don't want to make it public. if you want to define just who is allowed to access it via SSH, or view some private web pages/apps, you can do that.

There are a couple of methods to accomplish this. First, for a more locked-down server, you can pick one of the more restrictive zones, and add the SSH service to it as shown above, and then whitelist your own public IP address like so:
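Review bot: the edited "Let's say you have a server" line still starts its second sentence with a lowercase "if you want to define"; capitalize it since the line is already being touched.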

@@ -317,7 +329,7 @@ firewall-cmd --permanent --add-source=192.168.1.0/24 [< insert your IP here]

Again, just change `--add-source` to `--remove-source` in order to reverse the process.

However, if you're managing a remote server with a website on it that needs to be public, and still only want to open up SSH for one IP address or a small range of them, it gets a little more complicated. Remember, you can't have two sets of rules (the zones) working on the same network interface.
However, if you're managing a remote server with a website on it that needs to be public, and still only want to open up SSH for one IP address or a small range of them, it gets a little more complicated. Remember, you can't have two sets of rules (the zones) working on the same network interface.

In this case, you'll need a "rich rule", and it would look something like this:
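Review bot: the `--add-source` example in this hunk's context line has two problems. It carries no `--zone=`, so the source is added to the default zone (normally `public`) rather than the restrictive zone the preceding paragraph told the reader to pick; add `--zone=...` in the same form the rest of the guide uses. And `[< insert your IP here]` after the CIDR would be handed to `firewall-cmd` as extra arguments if copied literally; put the placeholder inside the option, e.g. `--add-source=<your-ip>/32`. The sentence "you can't have two sets of rules (the zones) working on the same network interface" also overstates the restriction: binding a source to a zone with `--add-source`, which this same section just did, makes that zone active for traffic from that source while the interface stays in `public`, so the rich rule is one option rather than the only one.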

@@ -329,7 +341,9 @@ Once the rich rule is in place, *don't* make the rules permanent yet. First, rem

If you get locked out, restart the server (most VPS control panels have an option for this) and try again.

!!! Warning These techniques only work if you have a static IP address.
!!! Warning

These techniques only work if you have a static IP address.

If you're stuck with an internet service provider that changes your IP address every time your modem reboots, don't use these rules (at least not for SSH) until you have a fix for that. You'll lock yourself out of your server
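Review bot: the last body line of the static-IP warning, "You'll lock yourself out of your server", is missing its full stop. It would also help to say explicitly that the "restart the server ... and try again" recovery a few lines up only works because the rich rule was added at runtime and not with `--permanent`, since that is the reason the earlier sentence tells the reader not to make the rules permanent yet.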

@@ -347,6 +361,6 @@ For you fans of `iptables` (if you've gotten this far...), [we have a guide](fir

## Conclusion

And that is `firewalld` in as few words as I could manage while still explaining all the basics. Take it slow, experiment carefully, and don't make any rules permamnent until you're sure they work.
And that is `firewalld` in as few words as I could manage while still explaining all the basics. Take it slow, experiment carefully, and don't make any rules permanent until you're sure they work.

And, you know, have fun. Once you have the basics down, actually setting up a decent, workable firewall can take 5-10 minutes.
And, you know, have fun. Once you have the basics down, actually setting up a decent, workable firewall can take 5-10 minutes.