Wise people learn when they can; fools learn when they must - Arthur Wellesley

Sunday, 15 July 2018

LINUX-28 FIREWALLD (RHEL7) -P1

FIREWALLD AND ITS SIGNIFICANCE
Well, what is this FIREWALLD?

It is packet filtering based on the kernel's “Netfilter” module, the same framework iptables drives.

Wait... wait, we already did that via iptables. Then what is this, and why?

iptables still exists in RHEL 7, but it is silent, meaning it is not the default firewall option; the default option is firewalld.

The thing to remember is to use only one of them at a time; no need to show off. Both programs write to the same netfilter rule set, so running both just means each keeps overwriting the other's rules. Just disable and mask whichever service is not supposed to be in use.

Firewalld is a firewall service daemon which is dynamic in nature.

Hmmm Dynamic!!

What is this Dynamic firewall?

One where you can create, change and delete rules without restarting the firewall daemon, so established connections are not dropped while the rule set changes (an iptables service restart flushes and reloads everything).

It is also claimed that firewalld is much easier to configure and manage compared to iptables.

Let’s check it,

* Firewalld is based on the concept of Zones and Services, compared to Chains and Rules in iptables.

* A zone is a collection of rules applied to incoming packets. A packet is assigned to a zone based on its source address or the interface it arrived on, and is then matched against the services defined in that zone.

* Firewalld by default applies rules only to incoming packets; there are no rules for outgoing packets.

First we have to identify which "zone" is suitable for the requirement, then assign an "interface" (or a source) to that zone, then add the needed "services" to the selected zone.


DAEMON:

firewalld is the firewall daemon. It provides a dynamically managed firewall with support for “zones” to assign a level of trust to a network and its associated connections, interfaces or sources.

TARGETS:

When a zone processes a packet but no rule explicitly handles it, the target of the zone determines the behavior:

ACCEPT: Accept the packet.

REJECT: Reject the packet; the remote host is informed (via an ICMP message) that the port is not accessible.

DROP: Drop the packet without any reply. The sender simply sees a timeout; this is the usual choice on public networks.

default: No explicit action of its own; the packet falls through to firewalld's built-in handling, which for unmatched incoming packets behaves like REJECT.



ZONES:

Zones are predefined sets of rules, meaning incoming traffic is split into separate zones according to the requirement. A zone is fed by network interfaces and/or source addresses. A connection can only be part of one zone, but a zone can be used for many network connections.

Let's check the meaning of the available zones.

[root@rhel7-server ~]# ls -ltr /usr/lib/firewalld/zones
total 36
-rw-r-----. 1 root root 342 Feb 28  2014 work.xml
-rw-r-----. 1 root root 162 Feb 28  2014 trusted.xml
-rw-r-----. 1 root root 315 Feb 28  2014 public.xml
-rw-r-----. 1 root root 415 Feb 28  2014 internal.xml
-rw-r-----. 1 root root 400 Feb 28  2014 home.xml
-rw-r-----. 1 root root 304 Feb 28  2014 external.xml
-rw-r-----. 1 root root 291 Feb 28  2014 drop.xml
-rw-r-----. 1 root root 293 Feb 28  2014 dmz.xml
-rw-r-----. 1 root root 299 Feb 28  2014 block.xml

drop
No warning or notification, just drop everything that comes in. Only outgoing connections (and the replies to them) are allowed.

Default action=DROP
Enabled services=NO
Outgoing Connections=Allowed
Incoming Connections=Dropped

block
Here I will again reject everything, but now I am generous and will notify the sender
with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within this system are possible.

Default action=REJECT
Enabled services=NO
Outgoing Connections=Allowed
Incoming Connections=Rejected with "icmp_host_prohibited" msg

public
I don’t trust anyone, I will allow only those whom I know well.

Enabled services=ssh, dhcpv6-client
Outgoing Connections=Allowed

Incoming Connections=ssh, dhcpv6-client

external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

Enabled services=ssh
Outgoing Connections=Allowed and masqueraded to the IP of the outgoing network interface.
Incoming Connections=ssh

dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

Default action=None (default)
Enabled services=ssh
Outgoing Connections=Allowed
Incoming Connections=ssh

work
For use in work areas. You mostly trust the other computers on networks. Only selected incoming connections are accepted.

Enabled services=ssh, dhcpv6-client
Outgoing Connections=Allowed
Incoming Connections=ssh, dhcpv6-client


home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

Enabled services=ssh, dhcpv6-client, mdns, samba-client
Outgoing Connections=Allowed
Incoming Connections=ssh, dhcpv6-client, mdns, samba-client

internal
For use on internal networks. You mostly trust the other computers on the networks. Only selected incoming connections are accepted.

Enabled services=ssh, dhcpv6-client, mdns, samba-client
Outgoing Connections=Allowed
Incoming Connections=ssh, dhcpv6-client, mdns, samba-client

trusted
All network connections are accepted.

Default action=ACCEPT
Enabled services=all
Outgoing Connections=Allowed
Incoming Connections=Allowed

[root@rhel7-server ~]# cd /usr/lib/firewalld/zones/
[root@rhel7-server zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

[root@rhel7-server zones]# cat drop.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
</zone>


SERVICES:

Somewhere above we learned that “Firewalld is based on the concept of Zones and Services”.
Now we have a manageable idea about zones, but what are “services”?

Though we have the options of source and interface, both only sort packets into zones; neither a source nor an interface decides whether a packet is filtered or allowed. To filter packets, we need services to be defined in the zone.

Listing all available services,

[root@rhel7-server zones]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https


[root@rhel7-server services]# ls /usr/lib/firewalld/services
amanda-client.xml      http.xml         libvirt.xml  pmwebapis.xml     ssh.xml
bacula-client.xml      imaps.xml        mdns.xml     pmwebapi.xml      telnet.xml
bacula.xml             ipp-client.xml   mountd.xml   pop3s.xml         tftp-client.xml
dhcpv6-client.xml      ipp.xml          ms-wbt.xml   postgresql.xml    tftp.xml
dhcpv6.xml             ipsec.xml        mysql.xml    proxy-dhcp.xml    transmission-client.xml
dhcp.xml               kerberos.xml     nfs.xml      radius.xml        vnc-server.xml
dns.xml                kpasswd.xml      ntp.xml      rpc-bind.xml      wbem-https.xml
ftp.xml                ldaps.xml        openvpn.xml  samba-client.xml
high-availability.xml  ldap.xml         pmcd.xml     samba.xml
https.xml              libvirt-tls.xml  pmproxy.xml  smtp.xml


In firewalld terms, a service is a list of port and/or protocol entries, optionally extended with netfilter helper modules (loaded automatically when the service is enabled) and with IPv4 and IPv6 destination addresses.
The use of predefined services makes it easier for the user to enable and disable access to a service, instead of remembering port numbers.


FILES:

[root@rhel7-server ~]# ls /usr/lib/firewalld/
icmptypes  services  zones

[root@rhel7-server ~]# ls /etc/firewalld/
firewalld.conf  firewalld.conf.old  icmptypes  lockdown-whitelist.xml  services  zones


/usr/lib/firewalld/
The directory where firewalld's stock configuration files are stored; it contains the default and fallback configuration provided by firewalld for icmptypes, services and zones. Files here should not be edited, since package updates overwrite them.


/etc/firewalld/
Stores changes made by us, meaning rules customized by the user for zones/services are stored here, and these files always take precedence over the default configuration files. A file in /etc/firewalld/zones/ or /etc/firewalld/services/ overrides the file of the same name under /usr/lib/firewalld/.

The main configuration file is /etc/firewalld/firewalld.conf; it provides the base configuration for firewalld (for example the DefaultZone setting). If it is absent, or if /etc/firewalld is missing entirely, firewalld's internal defaults are used.
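The overlay rule just described (a file in /etc/firewalld overrides the stock copy in /usr/lib/firewalld) and the zone XML format shown under ZONES can be checked with the small script below. It is an added example, not part of the original post and not firewalld's own code: it builds a throwaway copy of both directory trees with constructed zone files (a stock-style public.xml and drop.xml, plus a customised public.xml in the /etc tree that adds http), then resolves the file firewalld would actually load and extracts the zone's target and enabled services. The function names make_sandbox, zone_file, zone_target and zone_services are my own, and the sandbox path is a temporary directory, not the real /usr/lib and /etc trees.

```shell
# Added example (not from the post): model firewalld's two config trees with
# constructed zone XML files and resolve the effective zone definition the
# way firewalld does: /etc/firewalld overrides /usr/lib/firewalld.

# make_sandbox: create a temp root holding both trees; prints the root path
make_sandbox() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/lib/firewalld/zones" "$root/etc/firewalld/zones"
  # Constructed copies of the stock public.xml and drop.xml (no target in
  # public.xml means the "default" target)
  cat > "$root/usr/lib/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Constructed sample of the stock public zone.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
  cat > "$root/usr/lib/firewalld/zones/drop.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
</zone>
EOF
  # A customised public zone in /etc, as a --permanent --add-service=http
  # would produce; this copy must win over the stock one
  cat > "$root/etc/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
</zone>
EOF
  printf '%s\n' "$root"
}

# zone_file ROOT ZONE: print the path firewalld would load for ZONE
zone_file() {
  if [ -f "$1/etc/firewalld/zones/$2.xml" ]; then
    printf '%s\n' "$1/etc/firewalld/zones/$2.xml"
  elif [ -f "$1/usr/lib/firewalld/zones/$2.xml" ]; then
    printf '%s\n' "$1/usr/lib/firewalld/zones/$2.xml"
  else
    return 1   # unknown zone
  fi
}

# zone_target ROOT ZONE: the zone's target attribute, or "default" if absent
zone_target() {
  f=$(zone_file "$1" "$2") || return 1
  t=$(sed -n 's/.*<zone[^>]*target="\([^"]*\)".*/\1/p' "$f")
  printf '%s\n' "${t:-default}"
}

# zone_services ROOT ZONE: enabled services, sorted, space separated
zone_services() {
  f=$(zone_file "$1" "$2") || return 1
  sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$f" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demo over the constructed trees
R=$(make_sandbox)
for z in public drop; do
  printf '%s: file=%s target=%s services=[%s]\n' \
    "$z" "$(zone_file "$R" "$z")" "$(zone_target "$R" "$z")" "$(zone_services "$R" "$z")"
done
rm -rf "$R"
```

Running it shows public resolved from the /etc tree with http present and the default target, while drop still comes from /usr/lib with target DROP and no services; the same grep-style parsing can be pointed at the real trees to audit which zone files on a host have been customised.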

FIREWALLD RULES CONFIGURATION STATE:

The configuration state can be either runtime (immediate) or permanent.

Runtime/Immediate:
Runtime changes are applied immediately and are in effect as soon as you hit Enter, but they do not survive a stop/restart/reload of the firewalld service or a system reboot. A firewalld reload replaces the runtime configuration with the permanent configuration.

Example:

Here ftp is added and then the firewalld service is restarted; the rule is gone because it was only runtime.

[root@rhel7-server ~]# firewall-cmd --zone=work --add-service=ftp
success
[root@rhel7-server ~]# firewall-cmd --zone=work --list-services
dhcpv6-client ftp ipp-client ssh
[root@rhel7-server ~]# systemctl restart firewalld
[root@rhel7-server ~]# firewall-cmd --zone=work --list-services
dhcpv6-client ipp-client ssh


Permanent:
The permanent configuration is stored in configuration files and is loaded, becoming the new runtime configuration, with every machine boot or service reload/restart.

Rules can be added as permanent by using the --permanent flag with firewall-cmd. Note the flip side: a --permanent change alone does not touch the running firewall; it becomes active only after a reload (firewall-cmd --reload) or a restart, as the example below shows.

Example:
[root@rhel7-server ~]# firewall-cmd --permanent --zone=work --add-service=ftp
success
[root@rhel7-server ~]# firewall-cmd --zone=work --list-services
dhcpv6-client ipp-client ssh
[root@rhel7-server ~]# systemctl restart firewalld
[root@rhel7-server ~]# firewall-cmd --zone=work --list-services
dhcpv6-client ftp ipp-client ssh
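A check a practitioner wants after the two examples above: which services exist only in the runtime configuration (and will disappear at the next reload or restart) and which exist only in the permanent configuration (and are not active yet). This is an added example, not from the post or from firewalld: list_diff and report_drift are my own helpers that work on two space-separated service lists so they can be exercised offline, and check_zone_drift is the assumed wrapper that feeds them real firewall-cmd --list-services output when the command is available. The demo at the bottom uses the service lists from the post's own runtime example.

```shell
# Added example (not from the post): spot drift between firewalld's runtime
# and permanent configuration for a zone. Runtime-only services vanish at
# the next reload/restart; permanent-only services are not active yet.

# list_diff A B: items of space-separated list A that are not in list B
list_diff() {
  out=""
  for item in $1; do
    case " $2 " in
      *" $item "*) ;;                   # present in both lists
      *) out="${out:+$out }$item" ;;    # only in A
    esac
  done
  printf '%s\n' "$out"
}

# report_drift ZONE RUNTIME_LIST PERMANENT_LIST
# Prints what differs and returns 1 if there is any drift, 0 otherwise, so
# it can be used from monitoring or as a sanity check before a reload.
report_drift() {
  zone=$1
  lost=$(list_diff "$2" "$3")       # runtime-only: gone after reload
  pending=$(list_diff "$3" "$2")    # permanent-only: not yet active
  if [ -n "$lost" ]; then
    printf 'zone %s: runtime-only, lost on reload: %s\n' "$zone" "$lost"
  fi
  if [ -n "$pending" ]; then
    printf 'zone %s: permanent-only, active after reload: %s\n' "$zone" "$pending"
  fi
  [ -z "$lost$pending" ]
}

# check_zone_drift ZONE: assumed real-world wrapper; needs firewall-cmd and
# root privileges, which is why the demo below does not depend on it.
check_zone_drift() {
  rt=$(firewall-cmd --zone="$1" --list-services)
  pm=$(firewall-cmd --permanent --zone="$1" --list-services)
  report_drift "$1" "$rt" "$pm"
}

# Demo with the service lists from the post's runtime example: ftp was
# added without --permanent, so it shows up as runtime-only.
report_drift work "dhcpv6-client ftp ipp-client ssh" "dhcpv6-client ipp-client ssh" \
  || echo "work zone has drift: make the intended rules permanent before reloading"

# On a real RHEL 7 host, compare the live zone instead
if command -v firewall-cmd >/dev/null 2>&1; then
  check_zone_drift work || true
fi
```

The demo prints that ftp is runtime-only for the work zone; run check_zone_drift for each zone from firewall-cmd --get-zones before a planned reload to be sure nothing that is currently allowing traffic is about to be dropped.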
