A Linux administrator is hardening a newly deployed web server. The security policy dictates that all unencrypted HTTP traffic must be blocked, and only HTTPS traffic should be allowed. The firewalld service is active, and the 'public' zone is configured to allow both the http and https services. Which of the following commands is the most appropriate and direct way to enforce this policy permanently?
The correct command is `sudo firewall-cmd --permanent --zone=public --remove-service=http`. This command is the most direct and appropriate way to block the unencrypted web traffic. It targets the specific service (`http`) that is allowing the unwanted traffic and uses the `--permanent` flag to ensure the change persists after a reboot. The option without `--permanent` would only apply to the runtime configuration and would be lost on reboot. Using `--remove-port=80/tcp` would also block the traffic, but since the scenario specifies that the http service is enabled, removing the service is a cleaner and more direct administrative action. The rich rule to reject the service is unnecessarily complex; the simpler and more effective solution is to remove the rule that allows the service in the first place.
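The following is an added example, not part of the original question: a shell function that applies the answer's command, reloads firewalld so the running firewall matches the saved configuration (`--permanent` edits only the saved configuration), and then confirms the result in both. The function name `enforce_https_only` and the `FWCMD` override variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original page.
# FWCMD is an assumed override so the function can be pointed at a stub.
FWCMD="${FWCMD:-firewall-cmd}"

# Usage (as root): enforce_https_only public
# Returns 0 when http is absent and https is present in BOTH the permanent
# and the runtime configuration of the zone; 1 on command failure,
# 2 if http is still allowed, 3 if https is missing.
# Note: this checks the service entries only, not explicit port or rich rules.
enforce_https_only() {
    zone="${1:-public}"

    # Remove http from the saved config only if it is listed there,
    # so the function is safe to re-run.
    if $FWCMD --permanent --zone="$zone" --query-service=http >/dev/null 2>&1; then
        $FWCMD --permanent --zone="$zone" --remove-service=http >/dev/null || return 1
    fi

    # --permanent changes only the saved config; reload so the running
    # firewall picks it up now instead of at the next restart.
    $FWCMD --reload >/dev/null || return 1

    # Verify both views: "--permanent" is the saved config, "" is runtime.
    for scope in "--permanent" ""; do
        if $FWCMD $scope --zone="$zone" --query-service=http >/dev/null 2>&1; then
            echo "http still allowed in zone $zone (${scope:-runtime})" >&2
            return 2
        fi
        if ! $FWCMD $scope --zone="$zone" --query-service=https >/dev/null 2>&1; then
            echo "https missing from zone $zone (${scope:-runtime})" >&2
            return 3
        fi
    done
    return 0
}
```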