Proper configuration of FirewallD

Support for security such as Firewalls and securing linux
HigH_HawK
Posts: 6
Joined: 2018/08/30 09:18:22

Proper configuration of FirewallD

Post by HigH_HawK » 2018/08/30 09:41:12

Hi community

I am currently setting up a small storage server and need to add some security to it via the firewall. Before I set this up, I created a little concept to make it easier for me to understand in the future, but I seem to misunderstand the zone configuration of FirewallD and need some help with it. (I read the man page as well as so many websites I found via Google, but it just does not want to go into my head.)

What do I want to do?
I have two NICs and one VNIC (VLAN) on my machine. NIC1 is supposed to deal with external connections from specific source IPs only; NIC2 and the VNIC (VLAN) should only be accessible within the network via a VRack.

I want to drop every connection coming from the outside, apart from the ones coming from my sources.

What have I done so far?
I set up two zones, "public" (NIC1) and "internal" (NIC2 and VNIC), going by their names. I set the target of the "public" zone to drop and added two source IPs because I thought that if people try to connect to the public IP and are not coming from one of the sources, they should get a connection refused, meaning being dropped. For some reason, when I log in to my server, I still get the message that there were xx failed attempts, and when I check the /var/log/secure log file, I can see that people tried to connect via ssh with different usernames.

What am I doing wrong?

This is how my zones look (I changed the IPs and the port for security reasons):

"public"

public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: NIC1
  sources: 123.45.678.9/32 9.876.54.321/32
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule protocol value="icmp" accept
"internal"

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: NIC2 VNIC (VLAN)
  sources:
  services: ssh
  ports: 1234/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

HigH_HawK
Posts: 6
Joined: 2018/08/30 09:18:22

Re: Proper configuration of FirewallD

Post by HigH_HawK » 2018/09/03 14:33:11

Hi community,

Is there no one who could help me out here? I'm grateful for any help I can get in this matter.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Proper configuration of FirewallD

Post by TrevorH » 2018/09/03 14:39:32

This sort of thing is easy with iptables-services.

Can you tell I hate firewalld?

HigH_HawK
Posts: 6
Joined: 2018/08/30 09:18:22

Re: Proper configuration of FirewallD

Post by HigH_HawK » 2018/09/03 16:02:50

I kind of agree with you after fiddling around with this firewalld for quite some time now. The funny thing is that I had my rules set up in iptables and only noticed that firewalld was still active after my colleague had done a --reload and all my rules were gone. So I had to stick with firewalld, since they don't want to change the firewall software in the production system.

If someone else has had any luck, or maybe could explain the zone setup a little, that would be awesome. If not, I will have to plan a downtime to set up iptables-services and add all my required rules.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Proper configuration of FirewallD

Post by hunter86_bg » 2018/09/03 16:40:54

sources: 123.45.678.9/32 9.876.54.321/32
I hope this is not actually allowed by firewalld, but a typo when you wrote it in the forum.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Proper configuration of FirewallD

Post by hunter86_bg » 2018/09/03 16:46:08

services: ssh
This one allows ssh on public.
If you want to drop everything, there is a specific 'drop' zone.
If you want to keep the public zone, run:

firewall-cmd --zone public --remove-service=ssh --permanent && firewall-cmd --reload
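
The point in this reply is worth making checkable. In firewalld the `sources:` list of a zone does not filter the traffic arriving on the zone's interfaces: zone selection happens per packet by source address first and by ingress interface second, so listing sources only routes traffic *from* those addresses into the zone as well, and every service or port on an interface-bound zone stays reachable from any address on that interface. The script below is an added example, not code from the thread or from firewalld; it reads the output of `firewall-cmd --zone=Z --list-all` and flags that pattern. The embedded dump is constructed to mirror the one in the question, with RFC 5737 documentation addresses as placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits one zone's
# `firewall-cmd --zone=Z --list-all` dump for services/ports that are open
# zone-wide while the zone also lists "sources:", i.e. where the sources were
# probably meant as an allow-list but do not restrict anything.
set -eu

# Reads one zone's --list-all dump on stdin and prints a finding per
# zone-wide service or port when the zone has both interfaces and sources.
audit_zone() {
    awk '
        NR == 1          { zone   = $1 }
        /^  target:/     { target = $2 }
        /^  interfaces:/ { ifs    = substr($0, index($0, ":") + 2) }
        /^  sources:/    { srcs   = substr($0, index($0, ":") + 2) }
        /^  services:/   { svcs   = substr($0, index($0, ":") + 2) }
        /^  ports:/      { ports  = substr($0, index($0, ":") + 2) }
        END {
            # No interface or no sources: the sources list is not being
            # misread as a filter, nothing to flag.
            if (ifs == "" || srcs == "") exit 0
            n = split(svcs " " ports, items, " ")
            for (i = 1; i <= n; i++)
                printf "%s (target %s): %s is open to every address on %s, not only to sources %s\n",
                       zone, target, items[i], ifs, srcs
        }'
}

# Constructed sample: the public zone from the question, placeholder addresses.
SAMPLE_DUMP='public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: NIC1
  sources: 192.0.2.10/32 198.51.100.20/32
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule protocol value="icmp" accept'

audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | audit_zone
}

# Usage:
#   sh audit_zone.sh                                       # audits the sample
#   firewall-cmd --zone=public --list-all | sh audit_zone.sh live
if [ "${1:-sample}" = "live" ]; then
    audit_zone
else
    audit_sample
fi
```

On the sample this prints one finding for `ssh`; once the service is dropped from the zone and replaced by per-source rich rules, the `services:` line is empty and the audit is silent. Rich rules are not inspected on purpose: a rule with `source address=` is exactly the construct that does carry an allow-list.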

HigH_HawK
Posts: 6
Joined: 2018/08/30 09:18:22

Re: Proper configuration of FirewallD

Post by HigH_HawK » 2018/09/04 07:28:19

hunter86_bg wrote:
2018/09/03 16:40:54
sources: 123.45.678.9/32 9.876.54.321/32
I hope this is not actually allowed by firewalld, but a typo when you wrote it in the forum.
Hi, I'm not sure what you mean?
hunter86_bg wrote:
2018/09/03 16:46:08
services: ssh
This one allows ssh on public.
If you want to drop everything, there is a specific 'drop' zone.
If you want to keep the public zone, run:

firewall-cmd --zone public --remove-service=ssh --permanent && firewall-cmd --reload
I know that, but that's the issue: I need to be able to access the server via SSH, and if I remove the service I won't be able to connect to the server anymore, unless the sources work properly.

I did have a look at the "drop" zone but as I said, I can't really get my head around it.

Do I add all NICs to the "drop" zone, make it the default, and just use public and internal as shown above?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Proper configuration of FirewallD

Post by hunter86_bg » 2018/09/04 12:32:24

Hi, I'm not sure what you mean?
sources: 123.45.678.9/32 9.876.54.321/32

There are rich rules, so you can allow ssh from a specific IP (range).
Also, firewalld has a '--timeout' option that can be used for testing.
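
Putting this reply into practice: the script below is an added example, not code from the thread or from firewalld. It keeps the permanent `DROP` target the question already has, adds one rich rule per admin address, and only then removes the zone-wide ssh service, doing all of it at runtime first. `--timeout` is the right tool for rules you add, but the step that can lock you out here is a removal, which `--timeout` does not cover; the rollback used instead is a delayed `--reload`, which discards runtime changes and restores the permanent config (the same effect the colleague in this thread triggered by accident). Assumptions: the zone is named `public`, `FWCMD`, `ADMIN_SOURCES` and `ROLLBACK_SECS` are the script's own variables, and the admin addresses are RFC 5737 documentation addresses standing in for the real ones.

```shell
#!/bin/sh
# Added example, not code from the thread. Locks ssh on the "public" zone to
# a list of admin source addresses with rich rules, applied at runtime first
# with an automatic rollback so a typo cannot lock you out for good.
set -eu

FWCMD="${FWCMD:-firewall-cmd}"                        # FWCMD=echo gives a dry run
ZONE="${ZONE:-public}"
ADMIN_SOURCES="${ADMIN_SOURCES:-192.0.2.10 198.51.100.20}"   # placeholders (RFC 5737)
ROLLBACK_SECS="${ROLLBACK_SECS:-300}"

# Rich rule accepting ssh from one IPv4 host. firewall-cmd must receive the
# whole rule as a single argument, hence the quoting in apply_runtime.
ssh_rich_rule() {
    printf 'rule family="ipv4" source address="%s/32" service name="ssh" accept' "$1"
}

# Refuse to continue unless the permanent zone target is DROP: without it,
# removing the ssh service would not drop ssh, it would leave it to the
# zone's default target. (--set-target is a --permanent-only operation.)
check_target() {
    target=$($FWCMD --permanent --zone="$ZONE" --get-target)
    [ "$target" = "DROP" ] || { echo "zone $ZONE target is $target, expected DROP" >&2; return 1; }
}

# Runtime-only change. Order matters: the per-source allow rules must exist
# before the blanket ssh service, which the sources: list never restricted,
# is taken away.
apply_runtime() {
    for ip in $ADMIN_SOURCES; do
        $FWCMD --zone="$ZONE" --add-rich-rule="$(ssh_rich_rule "$ip")"
    done
    $FWCMD --zone="$ZONE" --remove-service=ssh
}

# Rollback: runtime changes vanish on --reload, so a delayed reload restores
# the permanent config, which still carries the ssh service. Output is
# redirected so the command substitution in the caller does not wait on it.
arm_rollback() {
    ( sleep "$ROLLBACK_SECS" && $FWCMD --reload ) >/dev/null 2>&1 &
    echo "$!"
}

# Usage: sudo sh lock_ssh.sh apply
# Within ROLLBACK_SECS, open a new ssh session from an allowed address and
# confirm that one from a non-allowed address is dropped. If both behave,
# cancel the rollback and persist the runtime state:
#   kill <pid> && firewall-cmd --runtime-to-permanent
if [ "${1:-}" = "apply" ]; then
    check_target
    apply_runtime
    pid=$(arm_rollback)
    echo "rollback armed (pid $pid): runtime config reverts in ${ROLLBACK_SECS}s"
    echo "to keep it: kill $pid && $FWCMD --runtime-to-permanent"
fi
```

Run it with `FWCMD=echo sh lock_ssh.sh apply` first to see the exact firewall-cmd invocations without touching the firewall. The rules are `family="ipv4"` only; with target `DROP` that means ssh over IPv6 on this zone stays dropped, which is the intended outcome unless an admin address is a v6 one.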

HigH_HawK
Posts: 6
Joined: 2018/08/30 09:18:22

Re: Proper configuration of FirewallD

Post by HigH_HawK » 2018/09/04 13:51:56

hunter86_bg wrote:
2018/09/04 12:32:24
sources: 123.45.678.9/32 9.876.54.321/32
There are rich rules, so you can allow ssh from a specific IP (range).
Also, firewalld has a '--timeout' option that can be used for testing.
This was just to show that this is an IP address. I could have written xx.xx.xx.xx; sorry for the confusion.

I did remove the "ssh" service and added two more rich rules to allow ssh from two source IP addresses. It looks like this now:

public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: NIC1
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule protocol value="icmp" accept
	rule family="ipv4" source address="xx.xx.xx.xx/32" service name="ssh" accept
	rule family="ipv4" source address="xx.xx.xx.xx/32" service name="ssh" accept
The target of this zone is still "DROP", which should do what I need, or am I mistaken?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Proper configuration of FirewallD

Post by hunter86_bg » 2018/09/04 17:29:38

It should, but it's safer to test from an IP that is not defined in the rich rules.
And don't forget the

firewall-cmd --reload
