Month: February 2020

openssl – part 1

1) Generate an RSA key with 2048 bits.

$ openssl genrsa -out server.key 2048

2) Create a self-signed X.509 certificate from that key (for development purposes and …)

$ openssl req -x509 -new -nodes -key server.key -sha256 -days 365 -out server.pem

3) Create a PKCS12 key store from the private key and the certificate (-name sets the friendly name of the entry inside the store; you will be prompted for an export password that protects the private key)

$ openssl pkcs12 -export -name server.cer -in server.pem -inkey server.key -out server.p12

openssl – part 2

Usually when you get an SSL certificate from a CA, you receive several certificate files, which can be confusing.

They mostly contain:

  1. CA (the root Certificate Authority certificate)
  2. Trusted Chain (an intermediate CA certificate)
  3. Organizer (a second chain certificate)
  4. domain cer (your main certificate file with your domain name on it)
  5. domain private key (the private key you created when you were requesting the SSL certificate; it was never sent to the CA and should never leave your server)

If you want to combine all of these certificates into a so-called certificate bundle or store, first concatenate the chain files (chain 1, "Trusted Chain", and chain 2, "Organizer") with the ROOT certificate authority (CA) file. The bundle holds only public certificates, and for the verify step below the order inside it does not matter.

$ cat chain1 chain2 root > bundle.cer

Then you can verify that your domain certificate chains up to the bundle (the option is spelled -CAfile):

$ openssl verify -verbose -purpose sslserver -CAfile bundle.cer domain.cer

Keep in mind that every certificate in -CAfile is treated as a trust anchor, so this confirms that the files you were given link together into a valid chain for a TLS server, not that anyone else trusts those intermediates.

Now create a key store (PKCS12) from the domain certificate, the private key and the bundle. The subcommand name is lowercase and the chain goes in with -certfile:

$ openssl pkcs12 -export -out domain.pfx -inkey private.key -in domain.cer -certfile bundle.cer
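The steps of part 1 and part 2 only make sense together when you can run them against a real chain, so here is an added example (not code from the original post) that builds a throw-away root -> intermediate -> leaf chain with openssl and then performs the bundle, verify and PKCS12 steps, plus two checks the steps above leave out: verifying with only the root trusted and the intermediate passed as untrusted, and confirming that the private key actually matches the certificate. File names (root.*, inter.*, domain.*, bundle.cer, domain.pfx), the subjects, example.com and the export password are made-up values for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build a throw-away root -> intermediate -> leaf
# chain with openssl so the bundle, verify and PKCS12 steps of parts 1 and 2 can be run end
# to end and checked. File names, subjects and the export password are made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS="${P12PASS:-changeit}"   # demo password; use a real secret (e.g. -passout file:...) in practice

# Minimal req config so the commands do not depend on the system openssl.cnf.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:example.com
EOF
}

# Part 1 (key + self-signed cert) for the root, then an intermediate and a leaf signed down the chain.
make_test_chain() {
  cd "$WORK"; write_req_config
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key root.key -sha256 -days 365 \
      -config req.cnf -subj "/CN=Demo Root CA" -out root.cer
  openssl genrsa -out inter.key 2048 2>/dev/null
  openssl req -new -key inter.key -config req.cnf -subj "/CN=Demo Intermediate CA" -out inter.csr
  openssl x509 -req -in inter.csr -CA root.cer -CAkey root.key -CAcreateserial -days 365 -sha256 \
      -extfile req.cnf -extensions v3_ca -out inter.cer 2>/dev/null
  openssl genrsa -out private.key 2048 2>/dev/null
  openssl req -new -key private.key -config req.cnf -subj "/CN=example.com" -out domain.csr
  openssl x509 -req -in domain.csr -CA inter.cer -CAkey inter.key -CAcreateserial -days 365 -sha256 \
      -extfile req.cnf -extensions v3_leaf -out domain.cer 2>/dev/null
}

# Part 2: bundle intermediate + root, verify the leaf, and check that the key matches the cert.
verify_chain() {
  cd "$WORK"
  cat inter.cer root.cer > bundle.cer
  # Every cert in -CAfile is a trust anchor, so the first form passes as long as the files link up.
  # Trusting only the root and handing the intermediate over with -untrusted is what a TLS
  # client really does, so check that form as well.
  openssl verify -purpose sslserver -CAfile bundle.cer domain.cer >/dev/null
  openssl verify -purpose sslserver -CAfile root.cer -untrusted inter.cer domain.cer >/dev/null
  # The public key inside the certificate must be the one derived from the private key.
  cert_pub=$(openssl x509 -in domain.cer -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in private.key -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Export leaf + key + chain into one PKCS12 store, then read back how many certificates it holds.
build_p12() {
  cd "$WORK"
  openssl pkcs12 -export -name example.com -in domain.cer -inkey private.key \
      -certfile bundle.cer -passout "pass:$P12PASS" -out domain.pfx
  openssl pkcs12 -in domain.pfx -nokeys -passin "pass:$P12PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone usage: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
  make_test_chain && verify_chain && echo "chain OK; certificates in domain.pfx: $(build_p12)"
fi
```

The read-back at the end should report three certificates (leaf, intermediate, root); if it reports one, the -certfile argument was dropped and the server will present an incomplete chain.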

firewalld – firewall-cmd

Red Hat and CentOS distributions use firewalld as the base firewall manager; firewall-cmd is its command-line client.

First, check whether the firewall is running:

$ firewall-cmd --state

firewalld keeps two configurations: the runtime configuration, which is what is being enforced right now and is lost on reload or reboot, and the permanent configuration, which is stored on disk and loaded at startup. By default firewall-cmd only changes the runtime configuration; add the --permanent switch to change the stored configuration instead, and run firewall-cmd --reload afterwards to make the stored configuration active. Some operations, such as creating a new zone, require this switch (see below).

firewalld groups traffic into zones. Each zone can be bound to several sources (IP addresses or networks) or to network interfaces, and the rules of a zone apply to traffic arriving from them.

you can get list of zones by:

$ firewall-cmd --get-zones

you can get the default zone by:

$ firewall-cmd --get-default-zone

You can also check which zones are active, i.e. bound to at least one interface or source. This is very helpful when you have several zones and want to know which of them actually see traffic:

$ firewall-cmd --get-active-zones

Creating a new zone.

Remember that you have to add the --permanent switch: zones can only be created in the permanent configuration, and the new zone shows up in the runtime configuration after firewall-cmd --reload.

$ firewall-cmd --permanent --new-zone=my-custom-zone


You can bind any network interface of the host to a zone.

you can get list of interfaces with:

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:99:88:55 brd ff:ff:ff:ff:ff:ff

and add it to the zone:

$ firewall-cmd --zone=public --add-interface=eno1


You can add several IP addresses or networks to a zone as sources (an address or a CIDR block), like this:

$ firewall-cmd --zone=company --add-source=
# or
$ firewall-cmd --zone=another-zone --add-source=


You can add a port to a zone so that any request arriving from that zone's sources or interfaces sees the port open:

$ firewall-cmd --zone=mongo-server --add-port=23070/tcp


You can decide which services are reachable through a given zone. Services are presets that map a name to one or more ports and protocols, so you don't need to remember the port number for that service.

For example, to allow access to your MySQL server you only have to add the mysql service to the zone instead of port 3306 itself. This is especially good when you list several zones and read them by eye: you immediately see which zone allows what service, instead of stopping to think what that port number was for.

$ firewall-cmd --zone=company --add-service=mysql

or add several services at once:

$ firewall-cmd --zone=company --add-service=mysql --add-service=ssh


If there is no predefined service for your port, or you are using an unusual port number, you can add it by port number.

And don't forget, you have to specify the protocol:

$ firewall-cmd --zone=company --add-port=1234/tcp

Without --zone the rule goes into the default zone:

$ firewall-cmd --add-port=1234/tcp --add-port=4321/udp
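Putting the zone, source, service and port commands above together, here is an added example (not from the original post) that creates one zone in the permanent configuration, populates it, reloads once so the runtime firewall picks it up, and then checks what the zone exposes by parsing the output of firewall-cmd --list-all. The zone name, source network, services and port are made-up values; the FW variable is an assumption of this script that lets you dry-run it by printing the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post: create and populate one firewalld zone in the
# permanent configuration, activate it with a reload, and check what the runtime zone exposes.
# The zone name, source network, services and port are made-up values for the demonstration.
set -eu

# firewall-cmd needs root. Set FW="echo firewall-cmd" to dry-run and only print the commands.
FW="${FW:-firewall-cmd}"

# apply_zone ZONE "SOURCE ..." "SERVICE ..." "PORT/PROTO ..."
# New zones only exist in --permanent, and --permanent changes are invisible to the running
# firewall until --reload. Doing every change with --permanent and reloading once at the end
# avoids the classic mistake of runtime-only rules that vanish at the next reload or reboot.
apply_zone() {
  zone=$1; sources=$2; services=$3; ports=$4
  $FW --permanent --new-zone="$zone" 2>/dev/null || echo "zone $zone exists, reusing it" >&2
  for s in $sources;  do $FW --permanent --zone="$zone" --add-source="$s";  done
  for s in $services; do $FW --permanent --zone="$zone" --add-service="$s"; done
  for p in $ports;    do $FW --permanent --zone="$zone" --add-port="$p";    done
  $FW --reload
}

# listing_allows NAME
# Reads `firewall-cmd --zone=ZONE --list-all` output on stdin and succeeds if NAME appears
# in the zone's "services:" or "ports:" line (e.g. "mysql" or "1234/tcp").
listing_allows() {
  awk -v want="$1" '
    /^ *(services|ports):/ { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Stand-alone usage: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_zone company "10.20.0.0/24" "mysql ssh" "1234/tcp"
  $FW --zone=company --list-all | listing_allows mysql && echo "company zone exposes mysql"
fi
```

Run it once with FW="echo firewall-cmd" to review the exact commands before they touch a production host; the --list-all check at the end is the one to keep in a deployment script, since it reads back what the running firewall actually enforces rather than what you asked for.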

UFW – Uncomplicated FireWall

It's very easy to work with ufw.

Say we want to allow a port from everywhere:
ufw allow 22/tcp

and allow everything from a certain IP address:
ufw allow from
ufw allow from

A certain port from a certain IP. In the grammar of the ufw man page, ADDRESS is the IP address or network you are allowing, and the port you are opening goes after "to any port":
ufw allow from ADDRESS to any port 8888

You can even set the protocol in there:
ufw allow from ADDRESS to any port 8888 proto tcp

Be careful with "from ADDRESS port 8888": that matches the client's source port, not the port on your server, so it would let that address reach any port as long as it connects from port 8888.

The destination can also be given as an address instead of "any". A complete rule names both ends, each with its own port:
ufw allow proto tcp from ADDRESS port 8888 to ADDRESS port 8888
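As an added example (not from the original post), here is a small baseline ufw policy for a host that runs SSH and one application port, written as a script so the rules can be previewed before they are applied. It applies the "to any port" form explained above, uses ufw's limit action for SSH, and restricts the application port to an admin network. The network, the port and the UFW variable used for dry-running are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original post: a baseline ufw policy for a host that runs SSH
# and one application port. The admin network and the app port are made-up values.
set -eu

# ufw needs root. Set UFW="echo ufw" to print the commands instead of running them.
UFW="${UFW:-ufw}"

# allow_from_net NETWORK PORT PROTO
# The port being opened belongs after "to any port". In ufw's grammar, "from ADDRESS port PORT"
# matches the client's *source* port, which is almost never what you mean and would leave every
# destination port on the host open to that address.
allow_from_net() {
  $UFW allow from "$1" to any port "$2" proto "$3"
}

# baseline_policy ADMIN_NET APP_PORT
# Deny everything inbound, allow outbound, rate-limit SSH (ufw's limit action denies an address
# that attempted 6 or more connections in the last 30 seconds) and expose the app only to ADMIN_NET.
baseline_policy() {
  admin_net=$1; app_port=$2
  $UFW default deny incoming
  $UFW default allow outgoing
  $UFW limit 22/tcp
  allow_from_net "$admin_net" "$app_port" tcp
  $UFW --force enable        # --force skips the "may disrupt existing ssh connections" prompt
}

# Stand-alone usage: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  baseline_policy "10.20.0.0/24" 8888
  $UFW status numbered
fi
```

Because "default deny incoming" is applied before the allow rules and ufw is enabled only at the very end, an interrupted run never leaves the host with the firewall enabled but SSH blocked; review the output of a dry run with UFW="echo ufw" before applying it over an SSH session.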