Firewall & Security
74 articles
Configure fail2ban
Install the fail2ban package via `dnf` and enable the service to start automatically on boot.
Configure firewalld
Firewalld is Fedora's default firewall manager, using zones and services to control which network traffic is allowed in and out of your system.
Configure SELinux on Fedora
Fedora runs SELinux in enforcing mode by default, and the recommended way to configure it is to adjust booleans, file contexts, and policies rather than disabling it.
Enable Automatic Security Updates on Fedora
Fedora's dnf-automatic tool can download and apply security updates on a schedule, keeping your system protected without manual intervention.
Fedora Installation Fails with UEFI Secure Boot: How to Fix
Disable Secure Boot in your BIOS/UEFI settings to resolve Fedora installation failures caused by unsigned drivers.
firewalld vs iptables vs nftables: Which Should You Use on Fedora?
On Fedora, firewalld is the right choice for most users — it is the default, actively maintained frontend that uses nftables under the hood, while direct iptables use is discouraged.
Fix SELinux denials
Fix SELinux denials by generating and loading a custom policy module using ausearch and audit2allow.
How to Allow a Service Through the Firewall on Fedora
To allow a service through the firewall on Fedora, use `firewall-cmd` to add the predefined service name to the active zone and make the change permanent.
How to Allow Specific IP Ranges Through the Firewall on Fedora
Allow specific IP ranges through the Fedora firewall using firewall-cmd rich rules.
How to Audit System Security with OpenSCAP on Fedora
Install OpenSCAP and run the XCCDF evaluation command against the SCAP Security Guide to generate a security audit report on Fedora.
How to Back Up LUKS Encrypted Partition Headers on Fedora
Back up LUKS headers on Fedora using cryptsetup luksHeaderBackup to prevent data loss from header corruption.
How to Block an IP Address with firewalld on Fedora
Block a specific IP address on Fedora by adding a rich rule to firewalld and reloading the service.
How to Check Open Ports and Active Connections on Fedora
Use `ss` for the fastest, most modern view of open ports and active connections, or `netstat` if you need legacy compatibility.
How to Check SELinux Status and Mode on Fedora
Use getenforce and sestatus commands to check SELinux mode and status on Fedora.
How to Close or Block a Port in the Firewall on Fedora
Block a port on Fedora by removing the service or port rule from the firewall and reloading the configuration.
How to Configure AIDE (File Integrity Monitoring) on Fedora
Install AIDE, initialize the database, and enable the systemd timer to monitor file integrity on Fedora.
How to Configure Fail2Ban on Fedora to Prevent Brute Force Attacks
Install Fail2Ban on Fedora, enable the SSH jail in jail.local, and start the service to block brute force attacks.
How to Configure Fail2Ban to Protect SSH on Fedora
Install Fail2Ban on Fedora, configure the SSH jail in /etc/fail2ban/jail.d/ssh.conf, and enable the service to block brute-force attacks.
How to Configure firewalld Using firewall-cmd on Fedora
firewall-cmd is the primary command-line tool for managing firewalld on Fedora, letting you add services, open ports, and manage zones with permanent or runtime rules.
How to Configure firewalld Using the GNOME Firewall GUI
Configure firewalld via the GNOME GUI by launching the app, toggling the service, and editing zones or ports in the interface.
How to Configure Git SSH Keys and GPG Signing on Fedora
Generate SSH and GPG keys on Fedora and configure Git to use them for authentication and commit signing.
How to Configure Rich Rules in firewalld on Fedora
Configure firewalld Rich Rules using the firewall-cmd --add-rich-rule command to define complex traffic filtering policies.
How to Configure SELinux for Database Servers on Fedora
Enable the container_use_devices SELinux boolean to allow database containers to access host devices and data volumes on Fedora.
How to Configure SELinux for Web Servers on Fedora
Enable container device access on Fedora by setting the container_use_devices SELinux boolean to true.
How to Confine a Custom Application with SELinux on Fedora
You can write a custom SELinux policy module on Fedora to confine a home-grown application, restricting what files, sockets, and capabilities it can access.
How to Create Custom SELinux Policy Modules on Fedora
Create a custom SELinux policy module by writing rules in a .te file, compiling it with checkmodule, packaging it with semodule_package, and loading it with semodule.
How to Dual Boot Fedora and Windows 10 with Secure Boot Enabled
You can dual boot Fedora and Windows 10 with Secure Boot enabled by shrinking your Windows partition to create unallocated space, then installing Fedora's bootloader (shim) which is signed by Microsoft and recognized by your firmware.
How to Enable and Configure Automatic Security Updates on Fedora
Install dnf-automatic and enable its timer to get automatic security updates on Fedora.
How to Enable Secure Boot on Fedora and Sign Kernel Modules
Enable Secure Boot in BIOS, generate a MOK key with mokutil, and sign kernel modules using kmodsign to allow them to load on Fedora.
How to Enable, Start, and Stop firewalld on Fedora
Enable, start, and stop the firewalld service on Fedora using systemctl commands to manage network security.
How to Fix "firewalld Is Not Running" Error on Fedora
Enable and start the `firewalld` service immediately using `systemctl`, then verify the firewall is active and the default zone is configured correctly.
How to Fix "Package Does Not Match Intended Download" GPG Check Error
Fix the GPG check error by importing the correct distribution key and refreshing the package cache.
How to Fix SELinux Blocking a Web Server (Apache/Nginx) on Fedora
Fix SELinux blocking Apache or Nginx on Fedora by enabling the httpd_can_network_connect boolean with setsebool.
How to Fix SELinux Blocking Samba File Sharing on Fedora
Fix SELinux blocking Samba on Fedora by enabling the samba_enable_home_dirs boolean and restoring file contexts.
How to Fix SELinux Blocking SSH on a Non-Standard Port on Fedora
Fix SELinux blocking SSH on a non-standard port by adding the port to the ssh_port_t type using semanage.
How to Fix "SELinux Is Preventing..." Errors on Fedora
Fix SELinux device access errors on Fedora by enabling the container_use_devices boolean with setsebool.
How to Import RPM GPG Keys on Fedora
You import RPM GPG keys on Fedora by using `rpm --import` with the key file or by adding a repository that automatically handles key retrieval via `dnf`.
How to Install and Configure a Firewall on Fedora
Fedora ships with firewalld as its default firewall; install it if missing, then use firewall-cmd to open ports and manage zones for your network interfaces.
How to Install Fedora with Full Disk Encryption (LUKS)
Enable LUKS full disk encryption on Fedora by checking the 'Encrypt' box in the Installation Destination screen during setup.
How to List All Firewall Rules and Open Ports on Fedora
Use `firewall-cmd --list-all` to view every active zone's configuration, including open ports, services, and forwarding rules, or run `firewall-cmd --list-all-zones` to see a summary of all zones at once.
How to Log Dropped Packets with firewalld on Fedora
Enable firewalld dropped packet logging by setting log-dropped to yes and reloading the firewall.
How to Manage SELinux File Contexts on Fedora (semanage, restorecon)
Define persistent SELinux labels with semanage fcontext and apply them using restorecon to fix permission issues on Fedora.
How to Manage SSL/TLS Certificates on Fedora
Fedora provides system-wide tools for managing SSL/TLS certificates, including the update-ca-trust command and the ca-certificates package for adding or removing trusted certificate authorities.
How to Open a Port in the Firewall on Fedora
Open a specific port on Fedora's firewall permanently using firewall-cmd and reload the service to apply the rule immediately.
How to Permanently Disable SELinux on Fedora (And Why You Shouldn't)
You can permanently disable SELinux on Fedora by setting SELINUX=disabled in /etc/selinux/config and rebooting, but doing so removes a critical layer of security and is almost never the right fix.
How to Read and Understand SELinux Audit Logs on Fedora
Use ausearch and audit2why to find SELinux denials and generate a policy to fix them.
How to Relabel the Entire Filesystem for SELinux on Fedora
To relabel the entire filesystem for SELinux on Fedora, you must create a special marker file named `.autorelabel` in the root directory and then reboot the system.
How to Scan for Rootkits and Malware on Fedora (rkhunter, chkrootkit, ClamAV)
Install rkhunter, chkrootkit, and ClamAV on Fedora to scan for rootkits and malware using DNF and standard CLI commands.
How to Set SELinux Booleans to Allow Specific Behaviors on Fedora
Use setsebool and getsebool on Fedora to view and change SELinux booleans, enabling specific system behaviors without weakening the overall security policy.
How to Set Up Automatic Certificate Renewal with Certbot on Fedora
Enable the certbot.timer systemd unit on Fedora to automatically renew SSL certificates before they expire.
How to Set Up DNS over HTTPS (DoH) or DNS over TLS (DoT) on Fedora
Configure DNS over HTTPS or TLS on Fedora using resolvectl to set encrypted DNS providers for your network interface.
How to Set Up Full Disk Encryption After Installation on Fedora
Full disk encryption cannot be added after Fedora installation and requires a fresh OS install to configure.
How to Set Up HTTPS with Let's Encrypt and Certbot on Fedora
Install Certbot via DNF and run the standalone command to generate a free Let's Encrypt certificate for your Fedora server.
How to Set Up Port Forwarding with firewalld on Fedora
Open a specific port on Fedora's firewalld using firewall-cmd to allow external access to containerized services.
How to Sign RPM Packages with GPG Keys
Generate a GPG key pair, import the public key into the RPM database, and use rpmsign to sign the package file.
How to Temporarily Set SELinux to Permissive Mode on Fedora
To temporarily set SELinux to permissive mode on Fedora, run `setenforce 0` as root, which allows the system to log violations without enforcing them until the next reboot.
How to Troubleshoot Connection Issues Caused by firewalld on Fedora
Identify and fix firewalld-related connection problems on Fedora by checking active rules, zones, and logs, then adding the appropriate service or port exceptions.
How to Use audit2why and audit2allow to Troubleshoot SELinux Denials
Use audit2why to get a plain-English explanation of an SELinux denial and audit2allow to generate and load a custom policy module that permits the blocked action.
How to Use aureport and ausearch for System Auditing on Fedora
Use ausearch to query SELinux logs and aureport to generate summaries for system auditing on Fedora.
How to Use Firewall and SELinux Together for Defense in Depth on Fedora
Fedora ships with both firewalld and SELinux enabled by default — using them together gives you network-level and process-level protection that significantly reduces your attack surface.
How to Use Firewall Zones on Fedora (Trusted, Public, Home, etc.)
Fedora's firewalld organizes network interfaces into zones with different trust levels, letting you control which traffic is allowed with a single tool.
How to Use GPG Encryption on Fedora for Files and Email
Fedora ships with GnuPG pre-installed, allowing you to generate keys, encrypt and sign files, and secure email through a few straightforward commands.
How to Use LUKS Disk Encryption on Fedora
Configure LUKS disk encryption on Fedora by adding a Luks object with device and keyFile details to the Ignition storage configuration.
How to Use nftables Directly for Advanced Firewall Rules on Fedora
Use nft commands to create tables and chains in the inet family for advanced firewall rules on Fedora.
How to Use setroubleshoot and sealert to Fix SELinux Issues on Fedora
Use sealert to analyze audit logs and get clear instructions for fixing SELinux access denials on Fedora.
How to Verify Fedora ISO Checksum and GPG Signature Before Installing
Verify Fedora ISO integrity by matching the SHA256 checksum and validating the GPG signature before installation.
Install Fedora with Disk Encryption
Fedora's installer (Anaconda) supports full-disk encryption via LUKS during installation, protecting your data if the device is lost or stolen.
SELinux Context Types You Should Know on Fedora
Understanding the most common SELinux context types on Fedora helps you diagnose access-denied errors and apply correct labels without disabling enforcement.
SELinux explained for beginners
SELinux is a mandatory access control system built into the Linux kernel that enforces strict rules about which processes can access which files and resources, and Fedora ships with it enabled and set to Enforcing by default.
SELinux Modes Explained: Enforcing, Permissive, and Disabled
SELinux modes (Enforcing, Permissive, Disabled) control whether security violations are blocked, logged, or ignored, managed via getenforce and setenforce commands.
SELinux Troubleshooting Flowchart: Diagnosing Permission Denials
When SELinux blocks something on Fedora, a clear diagnostic sequence — checking audit logs, using audit2why, and applying targeted fixes — gets you unblocked without disabling SELinux entirely.
Set up firewall rules
Fedora uses firewalld to manage firewall rules, letting you open ports and services with the firewall-cmd tool.
Understanding firewalld on Fedora: Zones, Services, and Rules
firewalld is Fedora's default firewall manager, using zones to group network interfaces and services to define which traffic is allowed through each zone.
What Is SELinux and Why Does Fedora Enable It by Default?
SELinux is a mandatory access control system Fedora enables by default to enforce strict security policies and limit process permissions.