Difference between revisions of "RHEL Firewalld Notes"
Jump to navigation
Jump to search
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
| Line 1: | Line 1: | ||
==Purpose== | ==Purpose== | ||
General notes to self on firewalld configurations. Most of the time my servers are simple enough that I do not need to make changes to zones and what not. | General notes to self on firewalld configurations. Most of the time my servers are simple enough that I do not need to make changes to zones and what not. | ||
| + | ==Create Groups== | ||
| + | <ref>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld</ref>Easier to manage groups than to create a bunch of individual rules. | ||
| + | <pre> | ||
| + | sudo firewall-cmd --permanent --new-ipset=sftp_group --type=hash:net | ||
| + | sudo firewall-cmd --permanent --ipset=sftp_group --add-entry=xxx.xxx.xxx.xxx | ||
| + | sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source ipset=sftp_group service name=ssh accept' | ||
| + | </pre> | ||
==Rich Rules== | ==Rich Rules== | ||
From my notes working with Amazon Linux 2. The following will allow http/s from all, drop ssh from all, but allow ssh from a subnet and IP that I source from.<ref>https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/</ref> | From my notes working with Amazon Linux 2. The following will allow http/s from all, drop ssh from all, but allow ssh from a subnet and IP that I source from.<ref>https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/</ref> | ||
Revision as of 08:47, 18 October 2019
Contents
Purpose
General notes to self on firewalld configurations. Most of the time my servers are simple enough that I do not need to make changes to zones and what not.
Create Groups
[1]Easier to manage groups than to create a bunch of individual rules.
sudo firewall-cmd --permanent --new-ipset=sftp_group --type=hash:net sudo firewall-cmd --permanent --ipset=sftp_group --add-entry=xxx.xxx.xxx.xxx sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source ipset=sftp_group service name=ssh accept'
Rich Rules
From my notes working with Amazon Linux 2. The following will allow http/s from all, drop ssh from all, but allow ssh from a subnet and IP that I source from.[2]
sudo systemctl start firewalld sudo systemctl enable firewalld sudo firewall-cmd --permanent --add-service=http sudo firewall-cmd --permanent --add-service=https sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.0/24 service name=ssh accept' sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.xxx service name=ssh accept' sudo firewall-cmd --permanent --remove-service=ssh sudo firewall-cmd --reload
Here is an example of allowing a specific port, in this case I wanted nxfilter to receive netflow data from a specific host.
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port=2055 protocol=udp source address=xxx.xxx.xxx.xxx accept'
Zones
firewall-cmd --permanent --zone=dmz --change-interface=eth0 firewall-cmd --permanent --zone=dmz --remove-service=ssh firewall-cmd --permanent --zone=dmz --add-service=http firewall-cmd --permanent --zone=dmz --add-source=xxx.xxx.xxx.xxx firewall-cmd --reload
- ↑ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld
- ↑ https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/
- ↑ https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
- ↑ https://serverfault.com/questions/798051/firewalld-allow-connections-only-from-certain-ip-addresses
