understanding firewalld custom zone

Support for security such as Firewalls and securing linux

understanding firewalld custom zone

Post by ron7000 » 2019/05/15 20:55:02

Reading the RHEL security guide (and the web) for working with the firewall in RHEL/CentOS 7.6 ...
  • Everything should be done with the firewall-cmd command... mostly. I found the system-config-firewall GUI, which only works if the firewall is NOT running, and the firewall-config GUI, which only works IF the firewall is running. I am not a fan of either GUI.
  • I see under /lib/firewalld/zones/ the XML files for public, internal, work... all those zones you could choose from if using the GUI. The contents of public.xml are just

    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>Public</short>
      <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
      <service name="ssh"/>
      <service name="dhcpv6-client"/>
    </zone>
    
  • For a given zone, is everything contained in this zone.xml file? By that I mean, if my zone = public and I do the correct syntax of firewall-cmd --permanent add port 5500 tcp/udp so TigerVNC works (because using the GUI it only adds port 5900 for vncserver), would this entry then get written to /lib/firewalld/zones/public.xml? If not, then where?
  • I found firewall-cmd --permanent --new-zone=ron and that creates /etc/firewalld/zones/ron.xml. I like being able to create my own zone explicitly so I know what I would have... I want to have ssh, samba, port 5500 tcp/udp along with 5900-5910 tcp plus some miscellaneous TCP port numbers for license servers I have running. Would all that then show up in the /etc/firewalld/zones/ron.xml file? If not, then where?
Where is it specified that SSH is port 22 tcp when it does <service name="ssh"/> in the XML file?

I want to create a custom zone that will be applied to eth0 the only network connection to the server and be active/enabled whenever the computer boots. I want to know and easily be able to see exactly what ports are allowed. How would this be done?


Re: understanding firewalld custom zone

Post by ron7000 » 2019/05/15 21:03:34

OK, so I found /lib/firewalld/services/ssh.xml with contents of

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
along with however many .xml files mapping all the service names to port numbers.


Re: understanding firewalld custom zone

Post by ron7000 » 2019/05/15 21:43:17

So far, what I think I know...
  1. /etc/firewalld/firewalld.conf has DefaultZone=public. Edit this file and change the default zone to whatever.xml. In doing so, does that whatever.xml file need to be present in /etc/firewalld/zones?
  2. In my custom /etc/firewalld/zones/myzone.xml, can I have everything just listed in this one file? Or does it need to reference service names that are XML files under /lib/firewalld/services/ or /etc/firewalld/services? Which location takes precedence? I assume /etc/firewalld/services/, since by default it is an empty folder.
  3. Can I cut out lines in the service files and just put them in /etc/firewalld/zones/myzone.xml? For example, samba.xml has

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>Samba</short>
      <description>This option allows you to access and participate in Windows file and printer sharing networks. You need the samba package installed for this option to be useful.</description>
      <port protocol="udp" port="137"/>
      <port protocol="udp" port="138"/>
      <port protocol="tcp" port="139"/>
      <port protocol="tcp" port="445"/>
      <module name="nf_conntrack_netbios_ns"/>
    </service>
    
    Can I just cut out

      <port protocol="udp" port="137"/>
      <port protocol="udp" port="138"/>
      <port protocol="tcp" port="139"/>
      <port protocol="tcp" port="445"/>
    
    and do that for every port I want to allow? With the firewall, does it simply boil down to what port/tcp and port/udp is specified to be allowed through?


Re: understanding firewalld custom zone

Post by aks » 2019/05/16 17:29:02

> everything should be done with the firewall-cmd command.

Largely, yes. You can actually go around and edit the files, but things can get in the way, like umask, SE or even a new version of CentOS.

> /lib/firewalld/zones/

That's where the default ones are.

> for a given zone, is everything contained in this zone.xml file

That's my understanding.

> get written to /lib/firewalld/zones/public.xml? If not then where?

No, to /etc/firewalld/..... The idea is to keep the "default" and the "custom" separate.

> Would all that then show up in the /etc/firewalld/zones/ron.xml file

That's my understanding.

> Where is it specified that SSH is port 22tcp when it does <service name="ssh"/> in the xml file?

/etc/services (and friends).

> /etc/firewalld/firewalld.conf has DefaultZone=public. Edit this file and change default zone to whatever.xml. In doing so, that whatever.xml file needs to be present in /etc/firewalld/zones

At the moment. You're better off going through "supported" interfaces, like using:
firewall-cmd --set-default-zone=ron

> In my custom /etc/firewalld/zones/myzone.xml can I have everything just listed in this one file?

Yes.

> Or does it need to reference service names that are xml files under /lib/firewalld/services/ or /etc/firewalld/services

If you say port, it means port (not service to port mapping). If you say service, it *may* have to look it up in the services.

> Can I just cut out

Well, it's XML, so you probably need to confirm the XML schema, but in principle, yes.


Re: understanding firewalld custom zone

Post by jlehtone » 2019/05/17 07:28:35

Documentation. Yes, you can create a zone that has port udp/7531 open, but a casual reader (like you a year later) can't see why. The alternative is that the zone includes a service and in the definition (and name) of that (custom) service you describe what the udp/7531 is for.

Similarly, if the zone has multiple ports open, that does not tell whether they are related or not. When the zone has services, you can find out that one service uses three ports, but the other just one. If you want to later disable access to Samba, do you prefer to remember all bits in zone config that belong to Samba, or would you rather remove one service entry from the zone?

Yes, you can flatten configuration to one monolith file, but I see no gains in that. Quite contrary.
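A small audit script, added here as an example (it is not from the thread and not part of firewalld), that answers the first post's question of seeing exactly which ports a zone allows and illustrates jlehtone's point: it reads a constructed copy of zone and service XML, resolves each <service name="..."/> the way firewalld does (a file in /etc/firewalld/services/ overrides the same name in /lib/firewalld/services/), expands port ranges, and lists ports opened with no service behind them. The in-memory "lib"/"etc" trees, the VNC override and the zone "ron" are all constructed for the example; on a real host the files live under /lib/firewalld and /etc/firewalld.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the two firewalld trees: "lib" = /lib/firewalld (package
# defaults), "etc" = /etc/firewalld (local overrides). A service file present in
# etc/services/ wins over the same-named one in lib/services/, as firewalld does.
# The etc/ vnc-server.xml override and the zone "ron" are constructed for this example.
SAMPLE_TREE = {
    "lib/services/ssh.xml": '<service><port protocol="tcp" port="22"/></service>',
    "lib/services/samba.xml": '<service><port protocol="udp" port="137"/><port protocol="udp" port="138"/>'
        '<port protocol="tcp" port="139"/><port protocol="tcp" port="445"/></service>',
    "lib/services/vnc-server.xml": '<service><port protocol="tcp" port="5900-5903"/></service>',
    "etc/services/vnc-server.xml": '<service><short>VNC (encrypted)</short><port protocol="tcp" port="5500"/>'
        '<port protocol="udp" port="5500"/><port protocol="tcp" port="5900-5910"/></service>',
    "etc/zones/ron.xml": '<zone><interface name="eth0"/><service name="ssh"/><service name="samba"/>'
        '<service name="vnc-server"/><port protocol="tcp" port="27000-27009"/></zone>',
}

def load_service(name, tree=SAMPLE_TREE):
    """Find a service definition, preferring the etc/ copy over the lib/ default."""
    for root in ("etc", "lib"):
        if f"{root}/services/{name}.xml" in tree:
            return root, ET.fromstring(tree[f"{root}/services/{name}.xml"])
    raise KeyError(f"service {name!r} is defined in neither etc/ nor lib/")

def expand(spec):
    """'5900-5910' -> 5900..5910 inclusive; '22' -> just 22."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def allowed_ports(zone, tree=SAMPLE_TREE):
    """Map every (protocol, port) the zone accepts to where that rule came from."""
    z = ET.fromstring(tree[f"etc/zones/{zone}.xml"])
    allowed = {}
    for p in z.findall("port"):          # ports opened directly in the zone, no service name
        for n in expand(p.get("port")):
            allowed[(p.get("protocol"), n)] = f"zone:{zone}"
    for s in z.findall("service"):       # ports pulled in through a service definition
        root, svc = load_service(s.get("name"), tree)
        for p in svc.findall("port"):
            for n in expand(p.get("port")):
                allowed.setdefault((p.get("protocol"), n), f"{root}:{s.get('name')}")
    return allowed

def bare_ports(allowed):
    """Ports with no service behind them: open, but nothing in the config says why."""
    return sorted(k for k, origin in allowed.items() if origin.startswith("zone:"))

if __name__ == "__main__":
    for (proto, port), origin in sorted(allowed_ports("ron").items()):
        print(f"{proto}/{port:<6} {origin}")
```

Pointing the same logic at the real directories only needs the dictionary replaced by file reads; the precedence and range handling stay the same.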


Re: understanding firewalld custom zone

Post by ron7000 » 2019/05/20 15:08:05

Thanks, I see your point about flattening configuration to one monolith file.

I need a simple firewall setup, where I want
  • SSH and Samba open all the time
  • usually VNC open all the time, using paid-for VNC encryption software that needs specific ports
  • sometimes NFS will be used to share a folder between like servers on a LAN {work setting}
  • the network being a LAN, everything has a static IP, so no DHCP {possibility of doing DHCP}
  • specific ports depending on what FlexLM licensing is being served.
I was thinking that having to reference only one file would be easier, because my firewall requirements are simple, and in that one custom zone file you would see primarily port numbers with a description for each.
