Objectives
- Understand what firewalls are and why they are useful
- Know the tools used to control the firewall
- Be familiar with firewalld and the firewall-cmd program
- Know how to work with zones, sources, services and ports
What is a Firewall
A firewall is a program that monitors and controls data packets for both incoming and outgoing network connections, allowing or denying communication according to a given configuration.
Firewalls can be either hardware- or software-based, and are found in network routers as well as on individual computers.
Early firewalls (from the 1980s) were packet-based filters, which allow or deny individual packets.
Newer firewalls also consider the connection state of the communication: whether a packet belongs to an already established connection, opens a new one, or belongs to neither. DoS attacks can bombard this kind of firewall in order to overwhelm it.
The third generation of firewalls are application layer firewalls, which are aware of the kind of application and protocol the connection is using. They can block anything that is not part of the normal flow.
Firewall configuration tools
In order to configure our firewalls we can use either
- Low level tools
  - iptables
  - firewall-cmd
  - ufw
- Graphical interfaces
  - system-config-firewall
  - firewall-config
  - gufw
  - yast
Firewalld
Firewalld is a dynamic firewall manager that uses network/firewall zones, which define different levels of trust for network interfaces or connections. It supports both the IPv4 and IPv6 protocols.
It keeps runtime and persistent configurations separate.
The configuration files are kept under
/etc/firewalld
and
/usr/lib/firewalld
The configuration under /etc/firewalld overrides the configuration under /usr/lib/firewalld.
Firewalld is a replacement for iptables; both tools must not run at the same time!
To see more information about firewalld
$ firewall-cmd --help
Service Status
Enable disable firewall
$ sudo systemctl [enable/disable] firewalld
Start - Stop firewall
$ sudo systemctl [start/stop] firewalld
Firewall status
$ sudo systemctl status firewalld
or
$ sudo firewall-cmd --state
Turn on IP forwarding
$ sudo sysctl net.ipv4.ip_forward=1
or, as root
# echo 1 > /proc/sys/net/ipv4/ip_forward
Making the change persistent
Add this line to file /etc/sysctl.conf
net.ipv4.ip_forward=1
Then reboot or type
$ sudo sysctl -p
Zones
- drop
  - All incoming packets are dropped with no reply. Only outgoing connections are permitted
- block
  - All incoming network connections are rejected. Only connections initiated from within the system are permitted
- public
  - Do not trust other computers on the network; only specifically allowed incoming connections are permitted
- external
  - Used when masquerading is in use, such as on routers. The trust level is the same as in public
- dmz
  - Demilitarized zone, used when access to some services is to be allowed to the public. Only particular incoming connections are allowed
- work
  - Connected nodes are trusted not to be harmful. Only certain incoming connections are allowed
- home
  - You mostly trust the other network nodes, but still select which incoming connections are allowed
- internal
  - Similar to the work zone
- trusted
  - All network connections are allowed
Zone Management
Get default zone
$ sudo firewall-cmd --get-default-zone
Obtain a list of zones currently being used
$ sudo firewall-cmd --get-active-zones
List all available zones
$ sudo firewall-cmd --get-zones
To change the default zone to trusted and then change it back
$ sudo firewall-cmd --set-default-zone=trusted
$ sudo firewall-cmd --set-default-zone=public
To assign an interface temporarily to a particular zone
$ sudo firewall-cmd --zone=internal --change-interface=eno1
To do so permanently
$ sudo firewall-cmd --permanent --zone=internal --change-interface=eno1
To get the zone associated with a particular interface
$ sudo firewall-cmd --get-zone-of-interface=eno1
To get all the details about a particular zone
$ sudo firewall-cmd --zone=public --list-all
Source Management
A packet is associated with a zone if
- it comes from a source address already bound to the zone
- it comes from an interface bound to the zone
Any packet not fitting the above criteria is assigned to the default zone (usually public)
To assign a source to a zone (permanently)
$ sudo firewall-cmd --permanent --zone=trusted --add-source=192.168.1.0/24
This means that any host with an IP address of the form 192.168.1.x is placed in the trusted zone
We can use the --remove-source option to unbind a source, or --change-source to change the zone assigned to a particular source
To list the sources bound to a zone
$ sudo firewall-cmd --permanent --zone=trusted --list-sources
If we do not use the --permanent option the changes are only temporary
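The zone selection rule above (source binding first, then interface binding, otherwise the default zone), as an added example that is not part of the original notes: a POSIX shell script that mimics how firewalld picks the zone for an incoming packet. The bindings, addresses and interface names are constructed for the example and are not read from a running firewalld; in_cidr also rejects an IPv4 prefix longer than /32 as invalid.

```shell
#!/bin/sh
# Added example: mimics the firewalld zone-selection rule from the notes.
# A source binding wins over an interface binding; anything else goes to
# the default zone. All bindings below are constructed for the example,
# not read from a live firewalld (compare firewall-cmd --list-sources and
# firewall-cmd --get-zone-of-interface on a real system).
SOURCE_BINDINGS="trusted=192.168.1.0/24 dmz=10.0.0.0/8"   # zone=cidr
IFACE_BINDINGS="internal=eno1 external=eth1"              # zone=interface
DEFAULT_ZONE=public

# ip_to_int A.B.C.D -> prints the 32-bit value; returns 1 if malformed
ip_to_int() {
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/PREFIX -> succeeds if IP lies inside the network;
# a prefix outside 0..32 (e.g. /34) is not valid for IPv4 and fails
in_cidr() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# zone_for_packet SRC_IP IFACE -> prints the zone the packet lands in
zone_for_packet() {
    for b in $SOURCE_BINDINGS; do           # 1. source address match
        if in_cidr "$1" "${b#*=}"; then echo "${b%%=*}"; return 0; fi
    done
    for b in $IFACE_BINDINGS; do            # 2. interface match
        if [ "${b#*=}" = "$2" ]; then echo "${b%%=*}"; return 0; fi
    done
    echo "$DEFAULT_ZONE"                    # 3. neither: default zone
}

# usage: same interface, different sources, different zones
zone_for_packet 192.168.1.7 eno1   # trusted (source wins over interface)
zone_for_packet 172.16.0.1 eno1    # internal (interface binding)
zone_for_packet 8.8.8.8 eth0       # public (default zone)
```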
Service and Port Management
To see all services available
$ sudo firewall-cmd --get-services
Or to see those currently accessible in a particular zone
$ sudo firewall-cmd --list-services --zone=public
To add a service to a zone
$ sudo firewall-cmd --permanent --zone=home --add-service=dhcp
$ sudo firewall-cmd --reload
The reload command is needed to make the change effective. It is also possible to add new services by editing the files in
/etc/firewalld/services
Port management is very similar to service management
$ sudo firewall-cmd --zone=home --add-port=21/tcp
$ sudo firewall-cmd --zone=home --list-ports
We can also look up the port number of a service in /etc/services
$ grep "21/tcp" /etc/services