
firewalld

Suggested exercises. Some of them are bare suggestions, with no explanation at all 8-)

change default zone


add/remove a service from a zone


create/delete a new service


configure a zone to reject/drop a service

# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule service name="iperf3" reject' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule>
    <service name="iperf3"/>
    <reject/>
  </rule>
</zone>

remove service reject/drop from a zone

# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule service name="iperf3" reject'
success
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
</zone>

reject/drop an ip address

# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="192.168.100.70"/>
    <drop/>
  </rule>
</zone>
$ iperf3 -c  virtone.hmib.infn.it 
iperf3: error - unable to connect to server: Connection timed out
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" drop'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'
success
# firewall-cmd --zone=trusted --add-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent
success
# cat /etc/firewalld/zones/trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <rule family="ipv4">
    <source address="192.168.100.70"/>
    <reject/>
  </rule>
</zone>
$ iperf3 -c  virtone.hmib.infn.it 
iperf3: error - unable to connect to server: Connection refused
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject' --permanent
success
# firewall-cmd --zone=trusted --remove-rich-rule='rule family="ipv4" source address="192.168.100.70" reject'
success

create an ipset


reject/drop a single IP address globally; defining a global blacklist

# firewall-cmd --get-ipset-types 
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
# firewall-cmd --new-ipset=whitelist --type=hash:ip --family=inet
usage: see firewall-cmd man page
Option can be used only with --permanent.
# firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --family=inet
success
# firewall-cmd --permanent --info-ipset=blacklist
blacklist
  type: hash:ip
  options: family=inet
  entries: 
# firewall-cmd --permanent --ipset=blacklist --add-entry=192.168.100.70
success
# firewall-cmd --permanent --info-ipset=blacklist

#### occhio alle ipset con il permanent… (watch out for ipsets with --permanent: entries and direct rules added with --permanent are written to the permanent configuration only and become active after --reload, as the --direct --get-all-rules output below shows)

blacklist
  type: hash:ip
  options: family=inet
  entries: 192.168.100.70
# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m set --match-set blacklist src -j REJECT
success
# firewall-cmd  --direct --get-all-rules
ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT
# firewall-cmd --reload
success
# firewall-cmd  --direct --get-all-rules
ipv4 filter INPUT 1 -m tcp -p tcp --source 193.206.156.10/32 --dport 5202 -j ACCEPT
ipv4 filter INPUT 2 -m set --match-set blacklist src -j REJECT
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv6 filter INPUT 1 -m tcp -p tcp --source 2001:760:4211::100 --dport 5201 -j ACCEPT
# iptables -t filter -L INPUT_direct
Chain INPUT_direct (1 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             multiport dports ssh match-set fail2ban-sshd src reject-with icmp-port-unreachable
ACCEPT     tcp  --  ssire.mib.infn.it    anywhere             tcp dpt:targus-getdata2
REJECT     all  --  anywhere             anywhere             match-set blacklist src reject-with icmp-port-unreachable

defining a blacklist by binding an ipset as a source of a zone

# firewall-cmd --zone=block --add-source=ipset:blacklist 
success

# firewall-cmd --info-zone=block
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: ipset:blacklist
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

# firewall-cmd --ipset=blacklist --add-entry=192.168.100.70
success

# firewall-cmd --info-ipset=blacklist
blacklist
  type: hash:ip
  options: family=inet
  entries: 192.168.100.70

# firewall-cmd --get-active-zones 
trusted
  interfaces: em2
work
  interfaces: em1
netperf
  sources: 212.189.204.0/24
block
  sources: ipset:blacklist
mgmt
  sources: 193.206.156.10/32 193.206.156.143/32 212.189.204.240/28

reject/drop a network globally


define a network global black list


create a firewall configuration

requirements

  • a management zone with access restricted to a few hosts
  • a zone providing auth services (ldap, kerberos) to a list of hosts/networks
  • a public zone providing http/https services
  • a global blacklist

create a masquerading firewall


blacklist a port (or a host) in the trusted zone

