Firewalld block outbound or egress traffic?

yaplej
Posts: 7
Joined: 2014/10/13 14:21:19

Firewalld block outbound or egress traffic?

Post by yaplej » 2014/10/13 14:35:50

Hello all,

I have been going round with a new CentOS 7 install and trying to harden it. First on my list is to block all inbound and outbound connections (allowing only existing/related through). Then I add an explicit allow NEW for each connection I want to permit. This worked great with iptables, but with this new firewalld thing I cannot find a very good example of how to achieve the same thing.

Here is a sample of what I am trying to do, pulled out of iptables.

Code:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow some basics: ICMP and loopback in. (The original had "-l lo"; the
# interface match option is -i.)
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Loopback out must be allowed too: the first packet of any local connection is
# NEW in OUTPUT and would otherwise hit the DROP policy.
-A OUTPUT -o lo -j ACCEPT
# Allow existing connections in both directions.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new inbound SSH.
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# Allow new outbound DNS to 8.8.8.8 and 8.8.4.4 only. (The original had
# "-p upd" on the second rule, which iptables rejects; the protocol is udp.)
-A OUTPUT -m state --state NEW -p tcp -d 8.8.8.8 --dport 53 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
-A OUTPUT -m state --state NEW -p tcp -d 8.8.4.4 --dport 53 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp -d 8.8.4.4 --dport 53 -j ACCEPT
# iptables-restore needs COMMIT to close the table.
COMMIT
I cannot seem to find anywhere showing how to do this with firewalld.
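The firewalld equivalent of the OUTPUT rules in the post above, as an added example that is not from the thread and not firewalld project code. firewalld zones and rich rules only filter incoming traffic, so egress filtering on CentOS 7 has to go through the direct interface, which passes arguments straight to iptables. firewalld puts its OUTPUT_direct chain at the top of the OUTPUT chain, so a trailing DROP there takes effect before the chain's ACCEPT policy; direct rules are evaluated in ascending priority. Assumptions: a CentOS 7 host with firewalld and the `firewall-cmd` binary; the variable `FIREWALL_CMD` and the functions `fw`, `apply_egress_policy` and `count_rules` are names chosen for this script; the LOG rule is an addition for troubleshooting and was not in the post.

```shell
#!/bin/sh
# Default-deny egress with firewalld direct rules (example code, not from the
# original post). Reproduces the OUTPUT chain: loopback and ESTABLISHED/RELATED
# allowed, explicit NEW allows for DNS to 8.8.8.8 and 8.8.4.4, everything else
# dropped. Inbound stays with the zone config (e.g. --add-service=ssh).
#
# FIREWALL_CMD defaults to the real binary; set it to "echo" for a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Resolvers allowed for new outbound DNS connections (from the post).
DNS_SERVERS="8.8.8.8 8.8.4.4"

# Add one permanent direct rule to the ipv4 filter OUTPUT chain.
# Usage: fw <priority> <iptables arguments...>
fw() {
    "$FIREWALL_CMD" --permanent --direct --add-rule ipv4 filter OUTPUT "$@"
}

apply_egress_policy() {
    # Priority 0: loopback and reply traffic for existing connections.
    fw 0 -o lo -j ACCEPT
    fw 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Priority 10: explicit NEW allows, one per resolver and protocol.
    for ip in $DNS_SERVERS; do
        for proto in udp tcp; do
            fw 10 -m state --state NEW -p "$proto" -d "$ip" --dport 53 -j ACCEPT
        done
    done

    # Priority 100: log, then drop, anything not matched above. The LOG rule is
    # an addition here so that /var/log/messages shows what the policy breaks.
    fw 100 -j LOG --log-prefix "egress-drop: "
    fw 100 -j DROP

    # Load the permanent configuration into the running firewall.
    "$FIREWALL_CMD" --reload
}

# Number of --add-rule invocations the policy emits (dry run, for checking).
count_rules() {
    (FIREWALL_CMD=echo; apply_egress_policy) | grep -c -- '--add-rule'
}

case "${1:-}" in
    --dry-run) (FIREWALL_CMD=echo; apply_egress_policy) ;;
    --apply)   apply_egress_policy ;;
esac
```

Run it with `--dry-run` first to see the exact `firewall-cmd` lines, then `--apply` as root. Afterwards `firewall-cmd --direct --get-all-rules` lists what firewalld stored and `iptables -S OUTPUT_direct` shows the resulting chain; the two priority-100 rules must be the last two entries. Note that with this in place anything not explicitly allowed, including yum, NTP and outbound SSH, will fail until you add a matching NEW rule for it.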

stevemowbray
Posts: 519
Joined: 2012/06/26 14:20:47

Re: Firewalld block outbound or egress traffic?

Post by stevemowbray » 2014/10/14 09:12:24

If you are comfortable with iptables I would suggest you just disable firewalld and use iptables.

yaplej
Posts: 7
Joined: 2014/10/13 14:21:19

Re: Firewalld block outbound or egress traffic?

Post by yaplej » 2014/10/14 13:18:27

Sure, iptables is pretty easy, but I figured I should give the new system an attempt before switching back to the old reliable way of doing it. I mean, RH would never push users to something new that's not been totally hashed out and tested... right? ;)
