====== firewalld ======

Suggested exercises. Some are bare suggestions with no explanation at all 8-)

==== change default zone ====

----

==== add/remove a service from a zone ====

----

==== create/delete a new service ====

----

==== configure a zone to reject/drop a service ====

The first command changes only the runtime configuration (gone at the next ''--reload'' or restart); the second, with ''--permanent'', changes only the saved configuration in ''/etc/firewalld/zones/trusted.xml'' and is not enforced until a reload. Doing both keeps the two in sync; ''firewall-cmd --runtime-to-permanent'' is the alternative when you have already tested a set of runtime changes.

<code>
# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
</code>

----

==== remove service reject/drop from a zone ====

<code>
# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject'
success
# cat /etc/firewalld/zones/trusted.xml
</code>

----

==== reject/drop an ip address ====

The two iperf3 runs from the blocked client show the difference between the actions: with ''drop'' the packets are silently discarded and the client waits until its own timer expires ("Connection timed out"); with ''reject'' firewalld answers with an ICMP port-unreachable, which the client's TCP stack reports immediately as "Connection refused". ''reject'' is friendlier to legitimate clients but tells a prober that a filter is in place; ''drop'' costs a scanner time at the price of hanging connections for everyone it matches.

<code>
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent
success
# cat /etc/firewalld/zones/trusted.xml

$ iperf3 -c virtone.hmib.infn.it
iperf3: error - unable to connect to server: Connection timed out

# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'
success

# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent
success
# cat /etc/firewalld/zones/trusted.xml

$ iperf3 -c virtone.hmib.infn.it
iperf3: error - unable to connect to server: Connection refused

# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'
success
</code>

----

==== create an ipset ====

----

==== reject/drop globally a single ip address; defining a global black list ====

<code>
# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
# firewall-cmd --new-ipset=whitelist --type=hash:ip --family=inet
usage: see firewall-cmd man page
Option can be used only with --permanent.
# firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --family=inet
success
# firewall-cmd --permanent --info-ipset=blacklist
blacklist
  type: hash:ip
  options: family=inet
  entries:
# firewall-cmd --permanent --ipset=blacklist --add-entry=192.168.100.70
success
# firewall-cmd --permanent --info-ipset=blacklist
blacklist
  type: hash:ip
  options: family=inet
  entries: 192.168.100.70
</code>

Watch out for ipsets with ''--permanent'': an ipset can only be created in the permanent configuration, and at this point the entry above exists only in the saved configuration. The running firewall has no ''blacklist'' set at all until ''firewall-cmd --reload''; conversely, entries added later at runtime only (''--ipset=blacklist --add-entry=...'' without ''--permanent'') are discarded by that same reload.

A direct rule makes the blacklist global: direct rules go into the ''INPUT_direct'' chain, which firewalld consults before any zone chain, so the match applies regardless of the zone an interface or source belongs to. Direct rules are ordered by their priority number (lowest first), so mind where the REJECT lands: here it sits after the priority-1 ACCEPT for 193.206.156.10, and that host would still reach port 5202 even if it were in the set.

<code>
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m set --match-set blacklist src -j REJECT
success
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT
# firewall-cmd --reload
success
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
ipv4 filter INPUT 2 -m set --match-set blacklist src -j REJECT
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT
# iptables -t filter -L INPUT_direct
Chain INPUT_direct (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
ACCEPT     tcp  --  ssire.mib.infn.it    anywhere             tcp dpt:targus-getdata2
REJECT     all  --  anywhere             anywhere             match-set blacklist src reject-with icmp-port-unreachable
</code>

----

==== defining a blacklist binding an ipset as a source to a zone ====

The cleaner alternative to a direct rule is to bind the ipset as a source of the built-in ''block'' zone, whose target is ''%%REJECT%%''. firewalld assigns a packet to a zone by source before it looks at the interface, so an address in the set is rejected no matter which interface it arrives on. Note that both commands below lack ''--permanent'': the source binding and the entry are runtime only and disappear at the next reload.

<code>
# firewall-cmd --zone=block --add-source=ipset:blacklist
success
# firewall-cmd --info-zone=block
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources: ipset:blacklist
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# firewall-cmd --ipset=blacklist --add-entry=192.168.100.70
success
# firewall-cmd --info-ipset=blacklist
blacklist
  type: hash:ip
  options: family=inet
  entries: 192.168.100.70
# firewall-cmd --get-active-zones
trusted
  interfaces: em2
work
  interfaces: em1
netperf
  sources: 212.189.204.0/24
block
  sources: ipset:blacklist
mgmt
  sources: 193.206.156.10/32 193.206.156.143/32 212.189.204.240/28
</code>

----

==== reject/drop globally a network ====

----

==== define a network global black list ====

----

==== create a firewall configuration ====

requirements

  * a management zone with access restricted to a few hosts
  * a zone providing auth services (ldap, kerberos) to a list of hosts/networks
  * a public zone providing http/https services
  * a global blacklist

----

==== create a masquerading firewall ====

----

==== blacklist a port (or a host) in the trusted zone ====

----
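The ipset sessions above show the pitfall of maintaining a blacklist both at runtime and with ''--permanent'': the two copies drift apart and only a reload reconciles them, in the permanent copy's favour. The following script is an added example, not code from the original page: it parses the ''firewall-cmd [--permanent] --info-ipset=NAME'' listing format shown above and reports each address that exists on one side only, together with what will happen to it. The two sample listings and the addresses 10.20.30.40 and 192.0.2.9 are constructed for the demonstration; ''audit_ipset'' is the same check against a live host.

```shell
#!/bin/sh
# Added example, not part of the original page: check a firewalld ipset for
# divergence between its runtime and its permanent entries. Entries added with
# --permanent are not enforced until `firewall-cmd --reload`, and entries added
# at runtime only are discarded by that same reload, so a blacklist maintained
# both ways can silently differ from what the kernel actually has.
# The parser reads the `firewall-cmd [--permanent] --info-ipset=NAME` listing
# format; the two sample listings below are constructed.

# Print the entries of an --info-ipset listing (read from stdin), one per line.
ipset_entries() {
    sed -n 's/^[[:space:]]*entries:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# ipset_diff RUNTIME_LIST PERMANENT_LIST
# Both arguments are whitespace-separated address lists; prints one line per
# divergence with its operational consequence, sorted for stable output.
ipset_diff() {
    awk -v rt="$1" -v pm="$2" 'BEGIN {
        n = split(rt, r, "[ \t\n]+"); for (i = 1; i <= n; i++) if (r[i] != "") R[r[i]] = 1
        m = split(pm, p, "[ \t\n]+"); for (i = 1; i <= m; i++) if (p[i] != "") P[p[i]] = 1
        for (a in R) if (!(a in P)) print "runtime-only   " a "  (lost on firewall-cmd --reload)"
        for (a in P) if (!(a in R)) print "permanent-only " a "  (not enforced until firewall-cmd --reload)"
    }' | sort
}

# On a real host: compare the live set with the saved one (needs firewalld).
audit_ipset() {
    ipset_diff "$(firewall-cmd --info-ipset="$1" | ipset_entries)" \
               "$(firewall-cmd --permanent --info-ipset="$1" | ipset_entries)"
}

# Constructed sample: 10.20.30.40 was added with --ipset=blacklist --add-entry
# (runtime only); 192.0.2.9 was added with --permanent and no reload followed.
RUNTIME_INFO='blacklist
  type: hash:ip
  options: family=inet
  entries: 192.168.100.70 10.20.30.40'
PERMANENT_INFO='blacklist
  type: hash:ip
  options: family=inet
  entries: 192.168.100.70 192.0.2.9'

# Run the comparison on the constructed sample.
demo() {
    ipset_diff "$(printf '%s\n' "$RUNTIME_INFO" | ipset_entries)" \
               "$(printf '%s\n' "$PERMANENT_INFO" | ipset_entries)"
}

demo
```

Run it as-is to see the two divergences in the sample; on a firewalld host call ''audit_ipset blacklist'' (as root) instead. An empty result means runtime and permanent agree; a ''runtime-only'' line is the entry that a routine ''--reload'' will silently remove from the blacklist.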
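For the "create a firewall configuration" exercise, here is one way to meet the four stated requirements with the zone and ipset mechanisms used earlier on this page. It is an added example, not the page's own solution: the zone names ''mgmt'' and ''auth'', the ipset name, the admin hosts and the auth client networks (documentation ranges) are assumptions to replace with your own. Every ''firewall-cmd'' option used is one firewalld ships; without ''FIREWALLD_APPLY=1'' the commands are only printed, so the plan can be reviewed on any machine.

```shell
#!/bin/sh
# Added example for the "create a firewall configuration" exercise; not part of
# the original page. Emits (or, with FIREWALLD_APPLY=1, runs) the permanent
# firewall-cmd sequence for: a restricted management zone, an auth zone for
# listed clients, a public http/https zone and a global blacklist.
# Zone names, ipset name and the address ranges below are assumptions.

MGMT_HOSTS="${MGMT_HOSTS:-192.0.2.10/32 192.0.2.11/32}"         # assumed admin hosts
AUTH_CLIENTS="${AUTH_CLIENTS:-198.51.100.0/24 203.0.113.5/32}"  # assumed ldap/kerberos clients
BLACKLIST_SET="${BLACKLIST_SET:-blacklist}"

# Wrapper: every change is permanent; printed unless FIREWALLD_APPLY=1.
fw() {
    if [ "${FIREWALLD_APPLY:-0}" = "1" ]; then
        firewall-cmd --permanent "$@"
    else
        printf 'firewall-cmd --permanent %s\n' "$*"
    fi
}

build_firewall() {
    # 1. management zone: ssh only, and only from the listed hosts.
    #    Unquoted expansion is intentional: the variable is a word list.
    fw --new-zone=mgmt
    fw --zone=mgmt --add-service=ssh
    for h in $MGMT_HOSTS; do fw --zone=mgmt --add-source="$h"; done

    # 2. auth zone: ldap/ldaps/kerberos for the listed hosts and networks
    fw --new-zone=auth
    for s in ldap ldaps kerberos; do fw --zone=auth --add-service="$s"; done
    for n in $AUTH_CLIENTS; do fw --zone=auth --add-source="$n"; done

    # 3. public zone: web only. ssh is removed here because it is reachable
    #    through mgmt; dhcpv6-client is a default that a server rarely needs.
    fw --zone=public --add-service=http
    fw --zone=public --add-service=https
    fw --zone=public --remove-service=ssh
    fw --zone=public --remove-service=dhcpv6-client

    # 4. global blacklist: a hash:net ipset (single hosts go in as /32) bound
    #    as a source to the built-in block zone, which rejects everything from
    #    a matching address whatever interface it arrived on.
    fw --new-ipset="$BLACKLIST_SET" --type=hash:net --family=inet
    fw --zone=block --add-source="ipset:$BLACKLIST_SET"
}

build_firewall
```

After applying, run ''firewall-cmd --reload'' so the permanent configuration becomes the running one, check ''firewall-cmd --get-active-zones'' and, if the default zone is not already ''public'', set it with ''firewall-cmd --set-default-zone=public'' (no ''--permanent''; that option changes both). Populate the blacklist with ''firewall-cmd --permanent --ipset=blacklist --add-entry=ADDR'' followed by a reload, or add the entry both at runtime and permanently, as the sessions above do.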