Hitachi Energy
Firewalld Setup
The following script is required for the firewall daemon (firewalld). It relies on the “nem.xml” service definition described above (see Firewall Settings) and has to be executed to apply the firewall rules:
#!/bin/bash
# Activate / Start firewalld service
systemctl enable firewalld
systemctl start firewalld
# Apply firewalld rules for the NEM Core Services
firewall-cmd --zone=public --add-service=nem
# Make it persistent
firewall-cmd --zone=public --permanent --add-service=nem
# Exclude the FOX51x network, e.g. eth1, from filtering (avoids problems with the FTP protocol).
# Note: without NetworkManager managing eth1 this is a runtime-only change; repeat it with --permanent
# so the interface assignment survives a reload.
firewall-cmd --zone=trusted --change-interface=eth1
 
If FOX61x network communication cannot be separated from FOX51x network communication, the FTP protocol should be allowed in the firewall settings. For that purpose the script should be extended with the following lines.
Add a rich rule for a group of FOX51x running on a specific network (example):
 
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.2.0/24 accept'
firewall-cmd --reload
 
Add a rich rule for a list of FOX51x; specify each FOX51x IP address individually (example):
 
firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.2.230/32 accept'
firewall-cmd --reload
 
Add a rule to allow the FTP service for FOX51x. This command ensures that firewalld applies the correct FTP connection tracking (the ftp helper) and is notified when a new server port is opened via the command channel:
 
firewall-cmd --permanent --add-service=ftp --zone=public
firewall-cmd --reload
 
To apply the firewall rules, reload the firewall configuration via the command
firewall-cmd --reload
 
Enable the netfilter conntrack helper kernel parameter by executing the following command (using sudo as shown). The file in /etc/sysctl.d is read at boot, so the setting takes effect with the restart described below:
 
echo "net.netfilter.nf_conntrack_helper = 1" | sudo tee /etc/sysctl.d/90-conntrack_helper.conf
 
After this configuration has been applied, the NMS server must be restarted.
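The following audit script is an added example and not part of the Hitachi Energy documentation. It checks, after the restart, that the public zone contains the nem and ftp services and an accept rich rule for every FOX51x source (the sources listed in FOX51X_SOURCES are constructed sample values), and that nf_conntrack_helper reads 1. The listing is read from stdin so it can be fed from `firewall-cmd --zone=public --list-all` or from a saved copy.

```shell
#!/bin/bash
# Audit helper for the NEM firewalld setup (added example, not Hitachi Energy code).
# Expected state assumed here: services "nem" and "ftp" in the public zone, one
# accept rich rule per FOX51x source, and nf_conntrack_helper = 1.
FOX51X_SOURCES="192.168.2.0/24 192.168.2.230/32"   # constructed sample values

# Print the firewall-cmd command that adds an accept rich rule for each source.
# Only plain IPv4 CIDR strings are accepted, so nothing else can end up in the rule text.
emit_rich_rules() {
  local src
  for src in $FOX51X_SOURCES; do
    if ! printf '%s\n' "$src" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
      echo "skip: '$src' is not an IPv4 CIDR" >&2
      continue
    fi
    echo "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=$src accept'"
  done
}

# Read the output of `firewall-cmd --zone=public --list-all` on stdin and report
# every expected entry that is absent. Returns 0 only when nothing is missing.
# firewalld lists rich rules with quoted values (source address="..."), not in the
# form they were typed, so the check matches the quoted form.
check_public_zone() {
  local listing missing=0 svc src
  listing=$(cat)
  for svc in nem ftp; do
    if ! printf '%s\n' "$listing" | grep -Eq "^ *services:( [^ ]+)* $svc"'( |$)'; then
      echo "missing service in public zone: $svc"
      missing=1
    fi
  done
  for src in $FOX51X_SOURCES; do
    if ! printf '%s\n' "$listing" | grep -Fq "source address=\"$src\" accept"; then
      echo "missing rich rule for FOX51x source: $src"
      missing=1
    fi
  done
  return $missing
}

# Returns 0 when nf_conntrack_helper is enabled; the optional path argument lets
# the check run against a file instead of /proc.
check_conntrack_helper() {
  local f=${1:-/proc/sys/net/netfilter/nf_conntrack_helper}
  [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = 1 ]
}
```

On the NMS host, source the file and run `firewall-cmd --zone=public --list-all | check_public_zone && check_conntrack_helper`; a non-zero exit status means a step of the setup above did not take effect.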