I have been going round with a new CentOS 7 install and trying to harden it. First on my list is blocking all inbound and outbound connections (allowing only existing/related through). Then I add an explicit allow NEW for each connection I want to permit. This worked great with iptables, but with this new firewalld thing I cannot find a very good example of how to achieve the same thing.
Here is a sample of what I am trying to do, pulled out of iptables.
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#Allow some basics.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#Allow existing.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow SSH.
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
#Allow DNS.
-A OUTPUT -m state --state NEW -p tcp -d 8.8.8.8 --dport 53 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
-A OUTPUT -m state --state NEW -p tcp -d 8.8.4.4 --dport 53 -j ACCEPT
-A OUTPUT -m state --state NEW -p udp -d 8.8.4.4 --dport 53 -j ACCEPT
COMMIT
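Added example (not from the post above and not firewalld's own documentation): one way to express the same default-drop policy with firewall-cmd on CentOS 7. The inbound side uses the built-in "drop" zone; the outbound side has to go through firewalld "direct" rules, because firewalld does not manage the OUTPUT chain itself. It assumes the interface is eth0, that the commands run as root, and it only prints the commands unless FIREWALLD_APPLY=1 is set.

```shell
#!/bin/sh
# Replicate the iptables policy from the post using firewalld.
# Assumptions: interface eth0 (override with IFACE=...), the two resolvers
# from the post, root privileges. Dry run (echo only) unless FIREWALLD_APPLY=1.
IFACE="${IFACE:-eth0}"
RESOLVERS="8.8.8.8 8.8.4.4"

run() {
    if [ "${FIREWALLD_APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Inbound: the "drop" zone discards unsolicited traffic. firewalld's base
# rules already accept lo and ESTABLISHED,RELATED on INPUT, so only the
# explicit NEW allows (SSH, ICMP) are needed here.
input_rules() {
    run firewall-cmd --permanent --zone=drop --change-interface="$IFACE"
    run firewall-cmd --set-default-zone=drop
    run firewall-cmd --permanent --zone=drop --add-service=ssh
    run firewall-cmd --permanent --zone=drop --add-rich-rule='rule protocol value="icmp" accept'
}

# Outbound: direct rules land in OUTPUT_direct, which OUTPUT jumps to first.
# A lower priority number sorts earlier; the final DROP at priority 100
# stands in for the ":OUTPUT DROP" policy, which firewalld leaves at ACCEPT.
output_rules() {
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for r in $RESOLVERS; do
        for proto in tcp udp; do
            run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p "$proto" -d "$r" --dport 53 -m conntrack --ctstate NEW -j ACCEPT
        done
    done
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 100 -j DROP
}

apply_policy() {
    input_rules
    output_rules
    run firewall-cmd --reload
}

apply_policy
```

After a real run, check the resulting chains with `iptables -S INPUT` and `iptables -S OUTPUT_direct` rather than trusting the firewall-cmd output alone; apply the outbound DROP from a console session, since a mistake in the direct rules cuts off SSH replies only if ESTABLISHED,RELATED is missing, but cuts off everything else immediately.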