firewalld - DNS/SSH issues

Support for security such as Firewalls and securing linux
fishface
Posts: 27
Joined: 2016/08/02 15:47:42

firewalld - DNS/SSH issues

Post by fishface » 2017/11/20 15:51:57

I have a host with a single interface, and all that is required is for a small set of IPs to log in via SSH, and to serve DNS queries; this host runs a local BIND config. I have the same configuration (BIND etc.) running on CentOS 6 using iptables without issue. What I'm trying to do is migrate from 6 to 7 and, of course, firewalld.

For SSH I have rich rules and it works fine; I had to use rich rules due to the small subset of IPs being used. I then added dns to the services, but it doesn't work: when I tail the named xfer-in log, no records are being transferred (the original CentOS 6 server gets the zone transfers immediately). However, if I disable firewalld on the new CentOS 7 host the transfer does work, so it is obviously a firewalld issue, or more exactly, me not doing something.

Below is the zone listing; I cannot see where I'm going wrong.

Code:

[root@host1 ~]# firewall-cmd --list-all-zones
Custom0Internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources: 
  services: dns
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="10.1.250.137" service name="ssh" accept
	rule family="ipv4" source address="10.1.202.14" service name="ssh" accept
	rule family="ipv4" source address="10.100.0.134" service name="ssh" accept
	rule family="ipv4" source address="10.100.0.67" service name="ssh" accept
	rule family="ipv4" source address="10.1.250.151" service name="ssh" accept
	rule family="ipv4" source address="10.1.250.162" service name="ssh" accept
	rule family="ipv4" source address="204.99.50.100" service name="ssh" accept

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld - DNS/SSH issues

Post by TrevorH » 2017/11/20 15:58:52

You can also yum remove firewall\* and yum install iptables-services and revert to the old style, tried and tested (and working!) iptables.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

fishface
Posts: 27
Joined: 2016/08/02 15:47:42

Re: firewalld - DNS/SSH issues

Post by fishface » 2017/11/20 16:18:51

:D. I have considered that, and I may do it; I always seem to be butting into problems with firewalld. But I thought I really need to get to know firewalld, as there is a strong chance that Red Hat will eventually force it upon us, as that is their plan in the long run.

I have a very nice iptables ruleset that works great, very locked down and as tight as a "duck's whats-it": the default policy is to drop everything in and out, and then let in just what we need. This also complies with the Tenable security audits, which look for a DROP policy.

Our IT Security recently ran their latest templates for RHEL 7/CentOS 7 and all the RHEL 7 and CentOS 7 boxes failed because the Tenable script cannot correctly interpret firewalld-built iptables! :x

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld - DNS/SSH issues

Post by TrevorH » 2017/11/20 16:23:25

IMO firewalld is a solution in search of a problem. It appears to be a mouse designed by committee. It doesn't ever seem to solve the problems it set out to solve. Any firewall that sets up nearly 500 lines of iptables rules to allow only connections on port 22 needs to die in fire.

fishface
Posts: 27
Joined: 2016/08/02 15:47:42

Re: firewalld - DNS/SSH issues

Post by fishface » 2017/11/21 14:47:15

I gave up with firewalld for now, and I had it all working within a few minutes using traditional iptables.

Also, with firewalld, I ran into issues using ipset; I know there were bugs reported in April with firewalld and ipset. All of this is leaving a nasty taste in my mouth, but hey, I'm told this is progress!
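As an added example that is not part of the thread, the script below reads the kind of `firewall-cmd --list-all` listing posted in the first message, answers the question the listing leaves open (which source can reach which port, and why), and renders the same policy as the flat, DROP-policy iptables ruleset that the later posts describe and that an audit script can read without following firewalld's generated chains. Two facts it relies on: firewalld's `dns` service definition opens 53/tcp and 53/udp, so `services: dns` admits inbound zone transfers as well as queries, and a zone whose target is `default` rejects anything no service, port or rich rule accepts. The service table and the trimmed sample listing are the script's own assumptions; the addresses in it come from the posted zone.

```python
"""Audit a firewalld zone listing and render it as an explicit iptables policy.
Added example for this thread, not code from the posts or from firewalld. The
service table is copied by hand from the dns.xml and ssh.xml that firewalld
ships (an assumption); the sample listing is the zone posted above, trimmed."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

SERVICE_PORTS = {                        # assumption: mirrors firewalld's service XMLs
    "dns": [("tcp", 53), ("udp", 53)],   # zone transfers (AXFR/IXFR) run over tcp/53
    "ssh": [("tcp", 22)],
}
# Only the "source address + service" form of rich rule used in the thread.
RICH_RE = re.compile(r'rule family="(ipv4|ipv6)" source address="([^"]+)" '
                     r'service name="(\w+)" (accept|reject|drop)')

LISTING = """\
Custom0Internal (active)
  target: default
  interfaces: ens192
  services: dns
  ports:
  rich rules:
\trule family="ipv4" source address="10.1.250.137" service name="ssh" accept
\trule family="ipv4" source address="10.1.202.14" service name="ssh" accept
\trule family="ipv4" source address="204.99.50.100" service name="ssh" accept
"""  # constructed sample: three of the seven rich rules from the posted listing

@dataclass
class Zone:
    name: str
    target: str = "default"
    interfaces: list = field(default_factory=list)
    services: list = field(default_factory=list)
    ports: list = field(default_factory=list)   # (proto, port) open to any source
    rich: list = field(default_factory=list)    # (network, proto, port, action)

def parse_zones(listing):
    """Parse `firewall-cmd --list-all[-zones]` output; an unindented line opens a zone."""
    zones = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            zones.append(Zone(name=line.split()[0]))
            continue
        zone = zones[-1]                       # IndexError if attributes precede a header
        if line.startswith("rule "):
            m = RICH_RE.fullmatch(line)
            if not m or m[3] not in SERVICE_PORTS:
                raise ValueError(f"unsupported rich rule: {line}")
            net = ip_network(m[2], strict=False)
            zone.rich += [(net, p, pt, m[4]) for p, pt in SERVICE_PORTS[m[3]]]
            continue
        key, _, value = line.partition(":")
        if key == "target":
            zone.target = value.strip()
        elif key == "interfaces":
            zone.interfaces = value.split()
        elif key == "services":
            zone.services = value.split()
            if set(zone.services) - SERVICE_PORTS.keys():
                raise ValueError(f"service not in SERVICE_PORTS: {zone.services}")
        elif key == "ports":                   # items look like "8053/tcp"
            zone.ports = [(i.split("/")[1], int(i.split("/")[0])) for i in value.split()]
    return zones

def admits(zone, proto, port, src):
    """Does a packet from `src` reach proto/port? Returns (decision, reason).
    Follows firewalld's chain order: a rich drop/reject wins, then any accept
    (rich rule, service, port), then the zone target; "default" rejects the rest."""
    src = ip_address(src)
    for net, p, pt, action in zone.rich:
        if (p, pt) == (proto, port) and src in net:
            return action == "accept", f"rich rule {action} from {net}"
    for svc in zone.services:
        if (proto, port) in SERVICE_PORTS[svc]:
            return True, f"service {svc}"
    if (proto, port) in zone.ports:
        return True, f"port {port}/{proto}"
    return zone.target == "ACCEPT", f"zone target {zone.target}"

def render_iptables(zone):
    """The same zone as a flat iptables-restore ruleset with DROP policies: the
    shape `iptables -S` prints and an audit script can read without firewalld's chains."""
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT DROP [0:0]",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
             "-A OUTPUT -o lo -j ACCEPT",
             "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for net, proto, port, action in sorted(zone.rich, key=lambda r: r[3] == "accept"):
        lines.append(f"-A INPUT -s {net} -p {proto} --dport {port} -j {action.upper()}")  # denies first
    for proto, port in [pp for s in zone.services for pp in SERVICE_PORTS[s]] + zone.ports:
        lines.append(f"-A INPUT -p {proto} --dport {port} -j ACCEPT")
    # A secondary pulls zone transfers itself (named's xfer-in), so with OUTPUT DROP
    # it needs outbound 53 to its masters; add other outbound needs the same way.
    lines += ["-A OUTPUT -p udp --dport 53 -j ACCEPT",
              "-A OUTPUT -p tcp --dport 53 -j ACCEPT", "COMMIT"]
    return "\n".join(lines)
```

Run it against `firewall-cmd --list-all-zones` output and `parse_zones` returns one `Zone` per unindented header, so the script reads a single-zone `--list-all` listing the same way. One check worth making before trusting any listing: `firewall-cmd --list-all` shows the runtime configuration, and rules added with `--permanent` are not live until `firewall-cmd --reload`, so comparing the listing with `iptables -S` on the same host shows what is actually loaded.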
