Difference between revisions of "RHEL Firewalld Notes"

From Michael's Information Zone
Jump to navigation Jump to search
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
 
==Purpose==
 
==Purpose==
 
General notes to self on firewalld configurations. Most of the time my servers are simple enough that I do not need to make changes to zones and what not.
 
General notes to self on firewalld configurations. Most of the time my servers are simple enough that I do not need to make changes to zones and what not.
 +
==Create Groups==
 +
<ref>https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld</ref>Easier to manage groups than to create a bunch of individual rules.
 +
<pre>
 +
sudo firewall-cmd --permanent --new-ipset=sftp_group --type=hash:net
 +
sudo firewall-cmd --permanent --ipset=sftp_group --add-entry=xxx.xxx.xxx.xxx
 +
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source ipset=sftp_group service name=ssh accept'
 +
</pre>
 
==Rich Rules==
 
==Rich Rules==
 
From my notes working with Amazon Linux 2. The following will allow http/s from all, drop ssh from all, but allow ssh from a subnet and IP that I source from.<ref>https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/</ref>
 
From my notes working with Amazon Linux 2. The following will allow http/s from all, drop ssh from all, but allow ssh from a subnet and IP that I source from.<ref>https://www.rootusers.com/how-to-use-firewalld-rich-rules-and-zones-for-filtering-and-nat/</ref>
Line 26: Line 33:
 
firewall-cmd --permanent --zone=dmz --add-source=xxx.xxx.xxx.xxx
 
firewall-cmd --permanent --zone=dmz --add-source=xxx.xxx.xxx.xxx
 
firewall-cmd --reload
 
firewall-cmd --reload
 +
</pre>
 +
==Block All ICMP on the Public Zone==
 +
<pre>
 +
firewall-cmd --zone=public --add-icmp-block={address-unreachable,bad-header,beyond-scope,communication-prohibited,destination-unreachable,echo-reply,echo-request,failed-policy,fragmentation-needed,host-precedence-violation,host-prohibited,host-redirect,host-unknown,host-unreachable,ip-header-bad,neighbour-advertisement,neighbour-solicitation,network-prohibited,network-redirect,network-unknown,network-unreachable,no-route,packet-too-big,parameter-problem,port-unreachable,precedence-cutoff,protocol-unreachable,redirect,reject-route,required-option-missing,router-advertisement,router-solicitation,source-quench,source-route-failed,time-exceeded,timestamp-reply,timestamp-request,tos-host-redirect,tos-host-unreachable,tos-network-redirect,tos-network-unreachable,ttl-zero-during-reassembly,ttl-zero-during-transit,unknown-header-type,unknown-option}
 
</pre>
 
</pre>

Latest revision as of 16:54, 20 March 2022

Purpose

General notes to self on firewalld configurations. Most of the time my servers are simple enough that I do not need to make changes to zones and what not.

Create Groups

[1]Easier to manage groups than to create a bunch of individual rules.

sudo firewall-cmd --permanent --new-ipset=sftp_group --type=hash:net
sudo firewall-cmd --permanent --ipset=sftp_group --add-entry=xxx.xxx.xxx.xxx
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source ipset=sftp_group service name=ssh accept'

Rich Rules

From my notes working with Amazon Linux 2. The following will allow http/s from all, drop ssh from all, but allow ssh from a subnet and IP that I source from.[2]

sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.0/24 service name=ssh accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=xxx.xxx.xxx.xxx service name=ssh accept'
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

Here is an example of allowing a specific port, in this case I wanted nxfilter to receive netflow data from a specific host.

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port=2055 protocol=udp source address=xxx.xxx.xxx.xxx accept'

Zones

[3][4]

firewall-cmd --permanent --zone=dmz --change-interface=eth0
firewall-cmd --permanent --zone=dmz --remove-service=ssh
firewall-cmd --permanent --zone=dmz --add-service=http
firewall-cmd --permanent --zone=dmz --add-source=xxx.xxx.xxx.xxx
firewall-cmd --reload

Block All ICMP on the Public Zone

firewall-cmd --zone=public --add-icmp-block={address-unreachable,bad-header,beyond-scope,communication-prohibited,destination-unreachable,echo-reply,echo-request,failed-policy,fragmentation-needed,host-precedence-violation,host-prohibited,host-redirect,host-unknown,host-unreachable,ip-header-bad,neighbour-advertisement,neighbour-solicitation,network-prohibited,network-redirect,network-unknown,network-unreachable,no-route,packet-too-big,parameter-problem,port-unreachable,precedence-cutoff,protocol-unreachable,redirect,reject-route,required-option-missing,router-advertisement,router-solicitation,source-quench,source-route-failed,time-exceeded,timestamp-reply,timestamp-request,tos-host-redirect,tos-host-unreachable,tos-network-redirect,tos-network-unreachable,ttl-zero-during-reassembly,ttl-zero-during-transit,unknown-header-type,unknown-option}