FirewallD Best Practices
Why FirewallD:
- Default in RHEL 8/9
- Dynamic firewall management
- Zone-based configuration
- Integration with NetworkManager
Check firewall status:
sudo firewall-cmd --state
sudo firewall-cmd --list-all
Storage Network Firewall Rules
Option 1: Trusted Zone (Recommended for Dedicated Storage Networks)
For dedicated storage networks, disable firewall filtering on storage interfaces to eliminate CPU overhead from packet inspection. This is critical for high-throughput NVMe-TCP storage.
# Add storage interfaces to trusted zone (no packet filtering)
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f1
# Reload
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --zone=trusted --list-all
Why disable filtering on storage interfaces:
- CPU overhead: Firewall packet inspection adds latency and consumes CPU cycles
- Performance impact: At high IOPS (millions with NVMe-TCP), filtering overhead becomes significant
- Network isolation: Dedicated storage VLANs provide security at the network layer
- Simplicity: No port rules to maintain for storage traffic
Option 2: Custom Zone with Port Filtering (For Shared Networks)
Use port filtering only when storage interfaces share a network with other traffic or when additional host-level security is required by policy.
Performance Note: Port filtering adds CPU overhead for every packet. For production storage with high IOPS requirements, use Option 1 with network-level isolation instead.
# Create custom storage zone
sudo firewall-cmd --permanent --new-zone=storage
# Port 4420 = Data port (connections)
# Port 8009 = Discovery port (optional, for nvme discover)
sudo firewall-cmd --permanent --zone=storage --add-port=4420/tcp
sudo firewall-cmd --permanent --zone=storage --add-port=8009/tcp
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f1
# Set target to DROP (deny by default)
sudo firewall-cmd --permanent --zone=storage --set-target=DROP
# Reload
sudo firewall-cmd --reload
Rich Rules for Advanced Filtering
# Allow NVMe-TCP only from specific subnet
sudo firewall-cmd --permanent --zone=storage --add-rich-rule='
rule family="ipv4"
source address="10.100.1.0/24"
port protocol="tcp" port="4420" accept'
sudo firewall-cmd --permanent --zone=storage --add-rich-rule='
rule family="ipv4"
source address="10.100.1.0/24"
port protocol="tcp" port="8009" accept'
# Log dropped packets
sudo firewall-cmd --permanent --zone=storage --add-rich-rule='
rule family="ipv4"
log prefix="STORAGE-DROP: " level="warning"
drop'
# Reload
sudo firewall-cmd --reload