Initial Settings : Firewall
Configure Firewall and SELinux
[root@onlinebrands ~]# systemctl status firewalld
* firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor p>
Active: active (running) since Fri 2021-02-18 19:46:07 JST; 12min ago
Docs: man:firewalld(1)
Main PID: 921 (firewalld)
Tasks: 2 (limit: 49464)
Memory: 33.7M
CGroup: /system.slice/firewalld.service
+- 921 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork ->
# [Active: active (running) ***] means firewalld is running now
If you use the firewalld service, you need to modify the firewall settings manually, because incoming requests for most services are not allowed by default. Refer to here for basic Firewall operation and settings. The CentOS Stream 8 configuration examples on this site assume an environment where the firewalld service is always enabled.
If you don't need the firewall service, for example because dedicated firewall machines are running in your local network, it's possible to stop and disable it on the CentOS Stream server as follows.
# stop service
[root@onlinebrands ~]# systemctl stop firewalld
# disable service
[root@onlinebrands ~]# systemctl disable firewalld
Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Initial Settings : SELinux
[root@onlinebrands ~]# getenforce
Enforcing # SELinux is enabled
If you enable SELinux, there are cases where you need to modify SELinux policies manually, because SELinux sometimes stops applications. Refer to here for basic SELinux operation and settings. The CentOS Stream 8 configuration examples on this site assume an environment where SELinux is always Enforcing.
If you don't need SELinux, for example because your server runs only in a safe local network, it's possible to disable it as follows.
[root@onlinebrands ~]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# change the value below
# enforcing ⇒ enabled
# disabled ⇒ disabled
# permissive ⇒ enabled, but only logs and does not deny access
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# restart computer to apply setting
[root@onlinebrands ~]# reboot
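A check worth running between the edit and the reboot above, as an added example that is not part of the original page: it reads the uncommented SELINUX= and SELINUXTYPE= lines and confirms each holds one of the values listed in the file's own comments. The function names selinux_cfg_value and check_selinux_config are hypothetical, and the sample file is constructed; on a real host pass /etc/selinux/config instead.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check an SELinux config
# file after editing it and before rebooting.

# Print the value of the last uncommented "KEY=value" line for key $1 in file $2.
selinux_cfg_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 when SELINUX and SELINUXTYPE both hold documented values, else 1.
check_selinux_config() {
    cfg=$1
    rc=0
    mode=$(selinux_cfg_value SELINUX "$cfg")
    ptype=$(selinux_cfg_value SELINUXTYPE "$cfg")
    case $mode in
        enforcing|permissive|disabled) echo "SELINUX=$mode" ;;
        *) echo "invalid SELINUX value: '$mode'"; rc=1 ;;
    esac
    case $ptype in
        targeted|minimum|mls) echo "SELINUXTYPE=$ptype" ;;
        *) echo "invalid SELINUXTYPE value: '$ptype'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample input mirroring the file shown above (assumption: on a
# real host you would pass /etc/selinux/config instead).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values:
# disabled - No SELinux policy is loaded.
SELINUX=disabled
SELINUXTYPE=targeted
EOF

if check_selinux_config "$sample"; then
    # getenforce reports the running mode, which differs from the file until reboot.
    if command -v getenforce >/dev/null 2>&1; then
        echo "running mode: $(getenforce)"
    fi
fi
rm -f "$sample"
```

Commented lines such as "# disabled ⇒ disabled" are ignored, so only the effective setting is validated.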