Lab 03 — firewalld and systemd Services
Target: rhcsa-node2 (server) · Time: 25 minutes · Reboot required: yes
Scenario
The server is moving to production. You need firewalld zones cleanly configured, services tightened down, and a custom systemd unit that fires a maintenance script daily.
Tasks
- Ensure firewalld is enabled and running. Make `public` the default zone.
- In zone `public`: open SSH (already there), HTTPS (443/tcp), and a custom port `9100/tcp` for node_exporter.
- Create a NEW zone called `internal`. Bind interface eth0 to it ONLY if you have a second interface — otherwise just create the zone. Add services `http` and `nfs` to `internal`.
- Block ICMP echo-request in `public` zone (so the node doesn't reply to pings).
- Install httpd. **Do not start it.** Disable httpd from auto-starting.
- Install vsftpd. Mask the vsftpd service (stronger than disable: a masked unit cannot be started, manually or as a dependency, until it is unmasked).
- Write a script `/usr/local/sbin/daily-maintenance.sh` (any non-empty content, mode 0755).
- Create systemd unit `/etc/systemd/system/daily-maintenance.service` that runs the script as oneshot.
- Create systemd timer `/etc/systemd/system/daily-maintenance.timer` that fires the service daily at 03:30, persistent across reboots.
- Enable + start the timer.
Reboot. Re-run grader.
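One way to lay down the maintenance script, the oneshot service and the 03:30 timer from the last four tasks, as an added example that is not part of the original lab or its grader. The function name `write_maintenance_units`, its root-prefix argument (for a dry run in a scratch directory) and the script body are assumptions of this example.

```bash
# Added example: writes the lab's script, service and timer beneath a root prefix.
# $1 is an assumption of this example: "" targets the live system, a temp dir gives a dry run.
write_maintenance_units() {
    root="${1:-}"
    unit_dir="$root/etc/systemd/system"
    script="$root/usr/local/sbin/daily-maintenance.sh"
    mkdir -p "$unit_dir" "$(dirname "$script")" || return 1

    # Constructed placeholder body; the lab accepts any non-empty content.
    cat > "$script" <<'EOF'
#!/bin/bash
logger -t daily-maintenance "maintenance run at $(date -Is)"
EOF
    chmod 0755 "$script"

    # Type=oneshot: systemd waits for the script to exit and records its status.
    # No [Install] section: the timer is what gets enabled, not the service.
    cat > "$unit_dir/daily-maintenance.service" <<'EOF'
[Unit]
Description=Daily maintenance script

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/daily-maintenance.sh
EOF

    # A timer activates the service with the same base name by default.
    # Persistent=true stores the last trigger time on disk, so a 03:30 run
    # missed while the node was off fires once after the next boot.
    cat > "$unit_dir/daily-maintenance.timer" <<'EOF'
[Unit]
Description=Run daily-maintenance.service every day at 03:30

[Timer]
OnCalendar=*-*-* 03:30:00
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# On the lab node, as root:
#   write_maintenance_units ""
#   systemctl daemon-reload
#   systemctl enable --now daily-maintenance.timer
#   systemctl list-timers daily-maintenance.timer   # next run should show 03:30
```

Surviving the reboot comes from `enable` (the symlink under `timers.target.wants`), while `Persistent=true` only covers runs missed during downtime; the lab's timer needs both.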
Grading
~/labs/lab03-firewall-services/grader.sh