firewalld Best Practices
Why firewalld:
- Default in RHEL 8/9
- Dynamic firewall management
- Zone-based configuration
- Integration with NetworkManager
Check firewalld status:
sudo systemctl status firewalld
sudo firewall-cmd --state
Option 1: Trusted Zone (Recommended for Dedicated Storage Networks)
For dedicated storage networks, disable firewall filtering on storage interfaces to eliminate CPU overhead from packet inspection. This is important for high-throughput iSCSI storage.
Why disable filtering on storage interfaces:
- CPU overhead: Firewall packet inspection adds latency and consumes CPU cycles
- Performance impact: At high IOPS, filtering overhead becomes significant
- Network isolation: Dedicated storage VLANs provide security at the network layer
- Simplicity: No port rules to maintain for storage traffic
# Add storage interfaces to trusted zone (no packet filtering)
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f1
# Reload
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --zone=trusted --list-all
Option 2: Port Filtering (For Shared or Non-Isolated Networks)
Use port filtering only when storage interfaces share a network with other traffic or when additional host-level security is required by policy.
Performance Note: Port filtering adds CPU overhead for every packet. For production storage with high IOPS requirements, use Option 1 with network-level isolation instead.
Allow iSCSI traffic:
# Add iSCSI service (port 3260)
sudo firewall-cmd --permanent --add-service=iscsi-target
# Or add port directly
sudo firewall-cmd --permanent --add-port=3260/tcp
# Reload firewall
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --list-all
Dedicated storage zone with port filtering:
# Create storage zone
sudo firewall-cmd --permanent --new-zone=storage
# Add storage interfaces to zone
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f1
# Allow iSCSI in storage zone
sudo firewall-cmd --permanent --zone=storage --add-port=3260/tcp
# Set target to DROP (deny by default except allowed ports)
sudo firewall-cmd --permanent --zone=storage --set-target=DROP
# Reload
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --zone=storage --list-all
Rich Rules for Advanced Control
Restrict iSCSI to specific source IPs:
# Allow iSCSI only from storage array
sudo firewall-cmd --permanent --add-rich-rule='
rule family="ipv4"
source address="10.100.1.10"
port protocol="tcp" port="3260" accept'
sudo firewall-cmd --permanent --add-rich-rule='
rule family="ipv4"
source address="10.100.2.10"
port protocol="tcp" port="3260" accept'
sudo firewall-cmd --reload