Firewalld : A New Interface to Your Netfilter Stack

1
firewalld:firewalld:
A New Interface to Your NetfilterA New Interface to Your Netfilter
StackStack
Training Department,Advance Information & Communication TechnologyTraining Department,Advance Information & Communication Technology
Research,Sharif UniversityResearch,Sharif University
December 2017December 2017
Mahmoud Shiri VaraminiMahmoud Shiri Varamini
shirivaramini@gmail.comshirivaramini@gmail.com

Agenda
• First off:Why do we need this?First off:Why do we need this?
• firewalld is dynamic firewallfirewalld is dynamic firewall
• ReferenceReference
• QuestionsQuestions

3
First Off:First Off:
Why Do We Need This?Why Do We Need This?

Configuring Default State
●
How do you set the default state for the firewall?
Manually edit /etc/sysconfig/iptables
iptables-save > /etc/sysconfig/iptables
Depending on /etc/sysconfig/iptables-config
service iptables save
●
Write a custom script?
●
How do you manipulate the default state with a shell script?
●
What if the current firewall state is not what you want for the default?

Ports and Addresses

IPv6 has been coming “any day now” since 1998
Or was it 2004, or was it 2012, or .....
●
Whenever it shows up, do we, as systems admins, care?
If I want ssh accessible, do I care if it is IPv4 or IPv6?
If I do care, do I know I care?
If I open port 80, should I have to sort out IPv4 or IPv6 addresses?
●
You can use iptables or ip6tables but they are a bit different.

So What Is The State?
●
How would you check to see if the running state is the default state?
●
How would you check to see if a given port is open?
●
How would you make sure your IPv4 and IPv6 rules match?

firewalld's purpose is to solve these
problems!!!!

8
Firewalld is Dynamic FirewallFirewalld is Dynamic Firewall

Netfilter and firewalld concepts
●
The Linux kernel includes a powerful network filtering subsystem. Netfilter
subsystem allows kernel modules to inspect every packet traversing the
system.
●
Incoming , outgoing, or forwarded network packet can be inspected, modified,
dropped, or rejected in a programmatic way, before reaching components in
user space.

lnteracting with Netfilter
●
It is theoretically possible for system administrators to write their own kernel
modules to interact with netfilter, this is typically not done.
In Red Hat Enterprise Linux 6 releases, iptables was the main method of
interacting with the kernel netfilter subsystem.
●
iptables command is:
Low-level tool
Can be challenging to correctly manage firewalls
Only adjusts IPv4 firewall rules. Other utilities,such as ip6tables for IPv6 and
ebtables for software bridges

lntroducing Firewalld
●
In Red Hat Enterprise Linux 7 a new method of interacting with netfilter has
been introduced: firewalld.
●
firewalld is a system daemon that:
Can configure and monitor the system firewall rules
Applications can talk to firewalld to request ports to be opened using the Dbus
messaging system
Both covers IPv4, IPv6, and potentially ebtables settings is installed from the
firewalld package. This package is part of a base install , but not part of a
minimal install
Simplifies firewall management by classifying all network traffic into zones.

lntroducing Firewalld
●
Every packet that comes into the system will first be checked for its source
address. lf that source address is tied to a specific zone, the rules for that zone
will be parsed. lf the source address is not tied to a zone, the zone for the
incoming network interface will be used.
●
lf the network interface is not associated with a zone for some reason, th e
default zone will be Used. The public zone is used by default, but this can be
changed by a system administrator.

Pre-defined Zones
Zone name Default configuration
trusted Allow all incoming traffic.
home Reject incoming traffic unless related to outgoing traffic or matching
the ssh, mdns, ipp - client, samba - client , o r dhcpv6 - client
pre-defined services.
internal Reject incoming traffic unless re lated to outgoing traffic or matching
the ssh, mdns, ipp - client , samba - client , or dhcpv6 - client
pre-defined services (same as the home zone to start with).
work Reject incoming traffic unless related to outgoing traffic or matching
the ssh, ip-client , or dhcpv6-client pre-defined services.
public Reject incoming traffic unless related to outgoing traffic or matching
the ssh or dhcpv6-client pre-defined services. The default zone for
newly-added network interfaces.

Pre-defined Zones
For a list of all available pre-defined zones and their intended uses, consult the
firewalld zones(5) manual page.
Zone name Default configuration
external Reject incoming traffic unless related to outgoing traffic or matching
the ssh p re-defined service. Outgoing IPv4 traffic forwarded through
this zone is masqueraded to look like it originated from the IPv4
address of the outgoing network interface.
dmz Reject incoming traffic unless re lated to outgoing traffic or matching
the ssh pre-defined service.
block Reject all incoming traffic unless re lated to outgoing traffic.
drop Drop all in coming traffic unless related to outgoing traffic (do not even
respond with ICMP errors).

Configure Firewall Settings
●
There are three main ways for system administrators to interact with firewalld:
By directly editing configuration files in /etc/firewalld/
By using the graphical firewall-config tool
By using firewall-cmd from the command line
●
Apart from the regular zones and services syntax that firewalld offers,
administrators have two other options for adding firewall rules: direct rules and
rich rules.

Rich Rules Concepts
●
Firewalld rich rules give administrators an expressive language in which to
express custom firewall rules that are not covered by the basic firewalld syntax;
for example, to only allow connections to a service from a single IP address,
instead of a IP addresses routed through a zone.
●
Rich rules can be used to express basic allowed any rules, but can a l so be
used to configure logging, both to syslog and auditd, as wel l as port forwards,
masq uerading, a n d rate l i m iting.

Rich Rules Examples
●
firewall -cmd --permanent --zone=classroom --add --rich-rule= 'rule
family=ipv4 source address=192.168.0.11/32 reject '
Reject all traffic from the IP address 192.168.0.11 in the classroom zone.When
using source or destination with an address option, the family= option of rule
must be set to either ipv4 or ipv6.
●
firewall -cmd --permanent --zone=vnc --add -rich-rule=' rule family=ipv4
source address=192.168.1.0/24 port port=7900-7905 protocol=tcp accept'
Accept all TCP packets on ports 7900, up to and including port 7905, in the vnc
zone for the 192.168.1.0/24 subnet.

Rich Rules Examples
firewall-cmd --add-rich-rule= ' rule service name=ftp limit value=2/m
accept '
Allow two new connections to ftp per minute in the default zone.Note that this
change is only made in the runtime configuration.
firewall -cmd --permanent --add-rich-rule=' rule protocol value=esp drop'
Drop all incoming IPsec esp protocol packets from anywhere in the default zone.

Logging With Rich Rules
●
When debugging, or monitoring, a firewall , it can be useful to have a log of
accepted or rejected connections. firewalld can accomplish this in two ways:
by logging to syslog, or by sending messages to the kernel audit subsystem,
managed by auditd.
●
In both cases, logging can be rate limited. Rate limiting ensures that system log
files do not fill up with messages at a rate such that the system cannot keep up,
or fills all its disk space.

Logging With Rich Rules
The basic syntax for logging to syslog using rich rules is:
log [ prefix= " <PREFIX TEXT> " [ level=<LOGLEVEL> ] [ limit value="
<RATE/DURATION>"]
Where <LOGLEVEL> is one of emerg ,alert ,crit ,error,warning ,notice ,info ,or
debug.
<DURATION> can be one of s for seconds ,m for minutes ,h for hours, or d for
days. For example ,limit value=3/m will limit the log messages to a maximum of
three per minute.
The basic syntax for logging to the audit subsystem is:
audit [ limit value= "<RATE/DURATION>" ]
Rate limiting is configured in the same way as for syslog logging.

Logging Examples
firewall-cmd --permanent --zone=work --add-rich-rule= ' rule service
name="ssh" log prefix="ssh" level="notice" limit value="3/m" accept
Accept new connections to ssh from the work zone, log new connections to
syslog at the notice level , and with a maximum of three message per minute.
firewalld.richlanguage(5), firewall-cmd(1), and firewalld.direct(5) man pages.

Setting a Persistent Rule
Persistent rules are not activated automatically.You must reload the daemon
config
systemctl reload firewalld
firewall-cmd --reload
Let's enable apache access in the permanent rules:
firewall-cmd --permanent --zone=public –add-service=http
firewall-cmd --permanent --zone=public --add-service=https
Let's enable mysql access in the permanent rules:
firewall-cmd --permanent --zone=public –add-service=mysql
Let's enable port 8000/tcp in the permanent rules:
firewall-cmd --permanent --zone=public –add-port=8000/tcp
Firewall-cmd acts on your “default” zone if you omit the --zone=

Setting a Temporary Rule
Temporary rules are not saved but they are active RIGHT NOW.
Let's enable apache access in the temporary rules:
firewall-cmd --zone=public –add-service=http
firewall-cmd --zone=public --add-service=https
Let's enable mysql access in the temporary rules:
firewall-cmd --zone=public –add-service=mysql
Let's enable port 8000/tcp in the permanent rules:
firewall-cmd --zone=public –add-port=8000/tcp
Firewall-cmd acts on your “default” zone if you omit the --zone=

Note How I Didn't Set IP
Information?
FirewallD is IPv4 and IPv6 aware.
Unless you specify an IP stack, it assumes you mean IPv4 and IPv6
You don't have to directly manage the IPv6 space unless you actually want to

Using Zones To Simplify Rules
You can make your own zone or use the provided Ones
firewall-cmd --permanent --new-zone=example
Let's make the example zone meet the following rules:
All hosts in 192.168.20.0/24 can see my NFSv4 shares, access my iscsi luns,
and use my apache server. No one else can.
firewall-cmd --permanent –zone=example --add-source=192.168.20.0/24
firewall-cmd --permanent --zone=example --add-service=nfs --add-
service=iscsi --add-service=http --add-service=https
firewall-cmd --reload

But my rules are “messy”!
It is OK!
Sometimes the simple looking rules are too simple looking:
Allow new IPv4 and IPv6 connections for service ftp and log 1 per minute using
the audit subsystem.
firewall-cmd --zone=example --add-rich-rule='rule service name="ftp" audit
limit value="1/m" accept'
Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol
tcp to 1::2:3:4:7 on port 4012
firewall-cmd --add-rich-rule='rule family="ipv6" source
address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012"
protocol="tcp" port="4011"'

Reading The Status
To get the running status
firewall-cmd --list-all-zones
Or
firewall-cmd --zone=example --list-all
Just the information on this zone Or you could try:
firewall-cmd --zone=example --list-services

For More Information
firewalld comes with a very extensive set of manpages.
firewall-cmd (1) - firewalld command line client
firewall-config (1) - firewalld GUI configuration tool
firewall-offline-cmd (1) - firewalld offline command line client
sfirewalld (1) - Dynamic Firewall Manager
firewalld.conf (5) - firewalld configuration file
firewalld.dbus (5) - firewalld D-Bus interface description
firewalld.direct (5) - firewalld direct configuration file
firewalld.icmptype (5) - firewalld icmptype configuration files
firewalld.lockdown-whitelist (5) - firewalld lockdown whitelist configuration file
firewalld.richlanguage (5) - Rich Language Documentation
firewalld.service (5) - firewalld service configuration files
firewalld.zone (5) - firewalld zone configuration files
firewalld.zones (5) - firewalld zones

Firewalld : A New Interface to Your Netfilter Stack

More Related Content

What's hot (20)

Similar to Firewalld : A New Interface to Your Netfilter Stack (20)

Recently uploaded (20)

Firewalld : A New Interface to Your Netfilter Stack

Editor's Notes