Firewall Configuration

Linux

Audience
Public
Product
FlashBlade
FlashArray
Technology Integrations
Linux
Source Type
Documentation
Important: If the firewall is disabled skip this section.

firewalld Best Practices

Why firewalld:

  • Default in RHEL 8/9
  • Dynamic firewall management
  • Zone-based configuration
  • Integration with NetworkManager

Check firewalld status:

sudo systemctl status firewalld
sudo firewall-cmd --state

Option 1: Trusted Zone (Recommended for Dedicated Storage Networks)

For dedicated storage networks, disable firewall filtering on storage interfaces to eliminate CPU overhead from packet inspection. This is important for high-throughput iSCSI storage.

Why disable filtering on storage interfaces:

  • CPU overhead: Firewall packet inspection adds latency and consumes CPU cycles
  • Performance impact: At high IOPS, filtering overhead becomes significant
  • Network isolation: Dedicated storage VLANs provide security at the network layer
  • Simplicity: No port rules to maintain for storage traffic
# Add storage interfaces to trusted zone (no packet filtering)
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f1

# Reload
sudo firewall-cmd --reload

# Verify
sudo firewall-cmd --zone=trusted --list-all

Option 2: Port Filtering (For Shared or Non-Isolated Networks)

Use port filtering only when storage interfaces share a network with other traffic or when additional host-level security is required by policy.

Warning:

Performance Note: Port filtering adds CPU overhead for every packet. For production storage with high IOPS requirements, use Option 1 with network-level isolation instead.

Allow iSCSI traffic:

# Add iSCSI service (port 3260)
sudo firewall-cmd --permanent --add-service=iscsi-target

# Or add port directly
sudo firewall-cmd --permanent --add-port=3260/tcp

# Reload firewall
sudo firewall-cmd --reload

# Verify
sudo firewall-cmd --list-all

Dedicated storage zone with port filtering:

# Create storage zone
sudo firewall-cmd --permanent --new-zone=storage

# Add storage interfaces to zone
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f1

# Allow iSCSI in storage zone
sudo firewall-cmd --permanent --zone=storage --add-port=3260/tcp

# Set target to DROP (deny by default except allowed ports)
sudo firewall-cmd --permanent --zone=storage --set-target=DROP

# Reload
sudo firewall-cmd --reload

# Verify
sudo firewall-cmd --zone=storage --list-all

Rich Rules for Advanced Control

Restrict iSCSI to specific source IPs:

# Allow iSCSI only from storage array
sudo firewall-cmd --permanent --add-rich-rule='
  rule family="ipv4"
  source address="10.100.1.10"
  port protocol="tcp" port="3260" accept'

sudo firewall-cmd --permanent --add-rich-rule='
  rule family="ipv4"
  source address="10.100.2.10"
  port protocol="tcp" port="3260" accept'

sudo firewall-cmd --reload