====== firewalld ======
Suggested exercises. Some are bare suggestions, with no explanation at all 8-)
==== change default zone ====
----
==== add/remove a service from a zone ====
----
==== create/delete a new service ====
----
==== configure a zone to reject/drop a service ====
# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
----
==== remove service reject/drop from a zone ====
# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject'
success
# cat /etc/firewalld/zones/trusted.xml
----
==== reject/drop an ip address ====
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
$ iperf3 -c virtone.hmib.infn.it
iperf3: error - unable to connect to server: Connection timed out
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
$ iperf3 -c virtone.hmib.infn.it
iperf3: error - unable to connect to server: Connection refused
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'
success
(note: compare the two iperf3 errors above - a drop rule makes the client wait until it times out, a reject rule answers immediately with "Connection refused")
----
==== create an ipset ====
----
==== reject/drop a single ip address globally; defining a global black list ====
# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
# firewall-cmd --new-ipset=whitelist --type=hash:ip --family=inet
usage: see firewall-cmd man page
Option can be used only with --permanent.
# firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --family=inet
success
# firewall-cmd --permanent --info-ipset=blacklist
blacklist
type: hash:ip
options: family=inet
entries:
# firewall-cmd --permanent --ipset=blacklist --add-entry=192.168.100.70
success
# firewall-cmd --permanent --info-ipset=blacklist
#### watch out for ipsets with --permanent: --permanent changes only take effect after a reload (see --reload below)
blacklist
type: hash:ip
options: family=inet
entries: 192.168.100.70
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m set --match-set blacklist src -j REJECT
success
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT
# firewall-cmd --reload
success
# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
ipv4 filter INPUT 2 -m set --match-set blacklist src -j REJECT
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT
# iptables -t filter -L INPUT_direct
Chain INPUT_direct (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
ACCEPT tcp -- ssire.mib.infn.it anywhere tcp dpt:targus-getdata2
REJECT all -- anywhere anywhere match-set blacklist src reject-with icmp-port-unreachable
----
==== defining a blacklist binding an ipset as a source to a zone ====
# firewall-cmd --zone=block --add-source=ipset:blacklist
success
# firewall-cmd --info-zone=block
block (active)
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources: ipset:blacklist
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --ipset=blacklist --add-entry=192.168.100.70
success
# firewall-cmd --info-ipset=blacklist
blacklist
type: hash:ip
options: family=inet
entries: 192.168.100.70
# firewall-cmd --get-active-zones
trusted
interfaces: em2
work
interfaces: em1
netperf
sources: 212.189.204.0/24
block
sources: ipset:blacklist
mgmt
sources: 193.206.156.10/32 193.206.156.143/32 212.189.204.240/28
----
==== reject/drop a network globally ====
----
==== define a network global black list ====
----
==== create a firewall configuration ====
Requirements:
* a management zone with access restricted to a few hosts
* a zone providing auth services (ldap, kerberos) to a list of hosts/networks
* a public zone providing http/https services
* a global blacklist
----
==== create a masquerading firewall ====
----
==== blacklist a port (or a host) in the trusted zone ====
----