Using Zones in Firewalld to Block Outbound Access

yildizabdullah
Posts: 13
Joined: 2023/09/08 16:00:39

Using Zones in Firewalld to Block Outbound Access

Post by yildizabdullah » 2023/09/08 16:03:26

I want to provide limited access to a machine which runs CentOS Linux release 7.9.2009.

For this purpose, I changed the default zone to a new zone called custom and applied a configuration as follows:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
  <port protocol="tcp" port="5901"/>
  <port protocol="tcp" port="5902"/>
  <port protocol="tcp" port="5903"/>
  <rule family="ipv4">
    <source address="192.168.2.15"/>
    <drop/>
  </rule>
</zone>

With this configuration, users still have access to the other computers or the web. Is it also possible to block such connections in Firewalld?

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Using Zones in Firewalld to Block Outbound Access

Post by jlehtone » 2023/09/08 17:48:39

FirewallD is primarily about inbound traffic. You can see all the rules it has loaded into the kernel with:

iptables -S
iptables -t nat -S
iptables -t mangle -S

FirewallD does have rich rules and direct rules for things that it does not support natively.
However, if you know what you are doing, then iptables.service or nftables.service is better than firewalld.service.

yildizabdullah
Posts: 13
Joined: 2023/09/08 16:00:39

Re: Using Zones in Firewalld to Block Outbound Access

Post by yildizabdullah » 2023/09/10 01:54:55

Thank you for your support.

I use iptables in CentOS 6 to block outbound traffic. I thought firewalld takes over iptables in CentOS 7. Can I use iptables and firewalld together in CentOS 7?

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Using Zones in Firewalld to Block Outbound Access

Post by jlehtone » 2023/09/10 09:57:35

The active rules are in the kernel's memory.
That memory ("netfilter" and/or "nf-tables" subsystems) is modified with a tool ('iptables', or 'nft' for nf-tables).
A service does use a tool to load a ruleset (from a file) into the kernel at boot (and later).

The three services (firewalld, nftables, and iptables) are mutually exclusive.

For iptables.service we did create the desired ruleset in the kernel with the tool iptables, and then stored that ruleset to a file.

The FirewallD is more a front-end, a UI, that we "talk to", and it does use the iptables tool as its back-end.
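
As an added example (not code from the thread), the egress policy the first post asks about, rendered both as the firewalld direct rules mentioned above and as the ruleset file that iptables.service loads. The permitted destinations (192.168.2.1 for DNS, 192.168.2.0/24 for SSH) are assumptions; the INPUT rules mirror the custom zone from the first post.

```shell
#!/bin/bash
# Added example, not code from the thread. One egress (OUTPUT) policy is rendered
# two ways: as firewalld "direct" rules (firewalld stays the front-end) and as an
# /etc/sysconfig/iptables file for iptables.service. Allowed destinations
# (192.168.2.1 for DNS, 192.168.2.0/24 for SSH) are assumptions.
set -eu

# Egress rules as "priority args", evaluated in order. The final DROP makes
# OUTPUT default-deny; the LOG rule before it records what was blocked.
egress_rules() {
    cat <<'EOF'
0 -o lo -j ACCEPT
1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
2 -d 192.168.2.1 -p udp --dport 53 -j ACCEPT
3 -d 192.168.2.0/24 -p tcp --dport 22 -j ACCEPT
8 -j LOG --log-prefix EGRESS-DROP: --log-level 4
9 -j DROP
EOF
}

# Variant 1: firewalld. Zone XML only shapes INPUT; OUTPUT is reached through
# --direct, which passes the arguments to the iptables back-end unchanged.
render_firewalld_direct() {
    egress_rules | while read -r prio args; do
        echo "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT $prio $args"
    done
    echo "firewall-cmd --reload"
}

# Variant 2: iptables.service. The ruleset is written in iptables-restore format:
# load it with "iptables-restore < file", persist it with "service iptables save".
# INPUT mirrors the custom zone from the thread (ssh, 5901-5903, drop 192.168.2.15).
render_iptables_service() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.2.15 -j DROP
-A INPUT -p tcp -m multiport --dports 22,5901:5903 -j ACCEPT
EOF
    egress_rules | while read -r _prio args; do
        case "$args" in *"-j DROP") continue ;; esac   # the chain policy already drops
        echo "-A OUTPUT $args"
    done
    echo 'COMMIT'
}
```

Run `render_firewalld_direct` to get the commands to type on a firewalld host, or `render_iptables_service > /etc/sysconfig/iptables` on a host that has switched to iptables.service; the LOG rule makes blocked egress visible in the kernel log.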

yildizabdullah
Posts: 13
Joined: 2023/09/08 16:00:39

Re: Using Zones in Firewalld to Block Outbound Access

Post by yildizabdullah » 2023/09/10 13:16:43

I see. Thank you. I installed iptables and now I can control the traffic.

yildizabdullah
Posts: 13
Joined: 2023/09/08 16:00:39

Re: Using Zones in Firewalld to Block Outbound Access

Post by yildizabdullah » 2023/09/11 13:20:47

I noticed that after installing iptables.service,

firewall-cmd --get-default-zone

returns

FirewallD is not running

Is it an expected thing?

TrevorH
Site Admin
Posts: 33224
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Using Zones in Firewalld to Block Outbound Access

Post by TrevorH » 2023/09/11 14:17:36

You should not have firewall* installed at all if you are using iptables.

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Using Zones in Firewalld to Block Outbound Access

Post by jlehtone » 2023/09/11 15:58:44

The postinstall script of package 'iptables-services' does do some "systemctl preset".
I'd guess that those "presets" change what services can run.
(Plain "yum install" does not stop firewalld; I guess the effect would show on next restart.)


One can enforce that an installed service cannot run by masking it:
systemctl mask firewalld.service

(It is possible to start a disabled service, but the mask blocks even that.)

yildizabdullah
Posts: 13
Joined: 2023/09/08 16:00:39

Re: Using Zones in Firewalld to Block Outbound Access

Post by yildizabdullah » 2023/09/12 13:37:59

jlehtone wrote:
2023/09/11 15:58:44
The postinstall script of package 'iptables-services' does do some "systemctl preset".
I'd guess that those "presets" change what services can run.
(Plain "yum install" does not stop firewalld; I guess the effect would show on next restart.)

One can enforce that an installed service cannot run by masking it:
systemctl mask firewalld.service

(It is possible to start a disabled service, but the mask blocks even that.)

I haven't restarted the system after 'yum install' nor run 'systemctl mask firewalld.service'.

Is there any side effect of leaving the state of the firewalld.service as it is?

jlehtone
Posts: 4532
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Using Zones in Firewalld to Block Outbound Access

Post by jlehtone » 2023/09/13 14:45:36

yildizabdullah wrote:
2023/09/12 13:37:59
Is there any side effect of leaving the state of the firewalld.service as it is?

Do show output of systemctl status firewalld

A masked service points to /dev/null and cannot possibly start. A merely disabled service -- not masked -- could be started by some other process.
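
As an added example, not code from the thread: an audit of the three services the thread calls mutually exclusive, which flags a firewall service that is only disabled rather than masked, the distinction drawn in the reply above. The SYSTEMCTL variable is an assumption of this script, added so the logic can be exercised without systemd.

```shell
#!/bin/bash
# Added example, not code from the thread. Audits the three mutually exclusive
# firewall services: exactly one should be active and the other two masked,
# since a merely disabled service can still be started by another process.
# SYSTEMCTL can be pointed at a stub so the logic runs without systemd.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# Print "name enabled-state active-state" per service. systemctl exits non-zero
# for disabled/masked units while still printing the state, hence "|| true".
firewall_service_states() {
    local svc enabled active
    for svc in firewalld nftables iptables; do
        enabled=$("$SYSTEMCTL" is-enabled "$svc.service" 2>/dev/null || true)
        active=$("$SYSTEMCTL" is-active "$svc.service" 2>/dev/null || true)
        echo "$svc ${enabled:-absent} ${active:-inactive}"
    done
}

# Returns 0 when exactly one service is active and every other installed one is
# masked; prints one finding per service either way.
audit_firewall_services() {
    local svc enabled active active_count=0 problems=0
    while read -r svc enabled active; do
        if [ "$active" = "active" ]; then
            active_count=$((active_count + 1))
            echo "ACTIVE   $svc.service (enabled=$enabled)"
        elif [ "$enabled" = "masked" ] || [ "$enabled" = "absent" ]; then
            echo "OK       $svc.service is $enabled"
        else
            echo "WARNING  $svc.service is $enabled but not masked; run: systemctl mask $svc.service"
            problems=$((problems + 1))
        fi
    done <<EOF
$(firewall_service_states)
EOF
    if [ "$active_count" -ne 1 ]; then
        echo "WARNING  $active_count firewall services active, expected exactly 1"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

On the host in the thread (iptables.service enabled, firewalld installed but not masked) the audit exits non-zero and names firewalld.service as the unit to mask.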
