ICMP block via firewall-config
by Mark Sobell
Working on my writeup, I do not understand how firewall-config implements
ICMP blocks.
How would I use firewall-config to implement the same rule as the following
command implements?
# firewall-cmd --permanent --add-icmp-block=echo-request
Thanks!
Mark
10 years, 6 months
Review?
by Mark Sobell
I am writing a brief introduction to firewalld for my next book. Anyone on
the list interested in reviewing and commenting on the writeup? Thanks!
Mark
10 years, 6 months
New to firewalld
by John Griffiths
I thought I had the idea of how to add an IP to be dropped, like in iptables,
but after some further reading I am not sure.
I add IPs to iptables that I find are trying to hack into or abuse the
system by using a script to examine log files and compile a list of IPs
and add them to iptables. Of course that requires a restart of iptables
for the new rules to take effect.
I thought I could add the IPs to the DROP zone as sources. That
apparently is not what I should do. That leaves me with what I should do
and whether it can be done.
I have over 8000 host IPs that I drop using:
-A INPUT -s 222.221.2.210 -j DROP
-A INPUT -s 222.221.12.13 -j DROP
-A INPUT -s 222.221.12.104 -j DROP
-A INPUT -s 222.221.88.88 -j DROP
How do I drop connections to hosts that have abused the privilege of
connecting to a service?
I was using
for i in $(grep DROP iptables | awk '{print $4}' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4)
do
    firewall-cmd --permanent --zone=drop --add-source=${i}/32
done
That is extremely slow by the way since two files are written for each
add. Took a long time to add 8000+ records. It would be nice to have a
batch mode to do multiple inserts.
The public zone is still default. The network interface is in zone home
and my VPN connection is in zone work.
Any guidance is greatly appreciated.
John
10 years, 7 months
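One way to do the batch load the post asks for, as an added example that is not part of the original thread: later firewalld releases (0.4 and up) can hold the whole drop list in one ipset, so the drop zone gets a single source and the permanent configuration is written once, not once per address. The iptables rule text embedded below is constructed sample input standing in for the post's "grep DROP iptables" output; the ipset name "blocklist" and the /tmp path are assumptions. The parser also rejects malformed addresses so that a garbled log line cannot end up in the firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): load a large iptables-style
# drop list into firewalld as ONE ipset instead of one --add-source per
# address. Requires a firewalld release with ipset support (0.4 and later).
# The rules below are constructed sample input standing in for the
# "grep DROP iptables" output of the post.

SAMPLE_RULES='-A INPUT -s 222.221.2.210 -j DROP
-A INPUT -s 222.221.12.13 -j DROP
-A INPUT -s 222.221.12.104 -j DROP
-A INPUT -s 222.221.88.88 -j DROP
-A INPUT -s 222.221.2.210/32 -j DROP
-A INPUT -s 192.168.0.0/16 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -s 999.1.1.1 -j DROP'

# Print the source of every "-s <addr> -j DROP" rule, one per line: a /32
# suffix is dropped, other prefixes are kept (the ipset is hash:net), and
# anything that is not a valid IPv4 address/network is discarded so a
# corrupt log line cannot reach the firewall. Output is sorted and unique.
extract_drop_sources() {
    printf '%s\n' "$1" | awk '
        function valid_net(s,    a, o, n, i) {
            n = split(s, a, "/")
            if (n > 2) return 0
            if (n == 2 && (a[2] !~ /^[0-9]+$/ || a[2] + 0 > 32)) return 0
            if (split(a[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        $1 == "-A" && /-j DROP/ {
            src = ""
            for (i = 1; i < NF; i++) if ($i == "-s") src = $(i + 1)
            sub(/\/32$/, "", src)
            if (src != "" && valid_net(src)) print src
        }' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq
}

# Emit the firewalld commands that install the list: create the set, load
# every entry from the file in a single permanent write, bind the set to
# the drop zone, and activate. Printed, not executed, so the plan can be
# reviewed first; feed the output to "sudo sh" to apply it.
firewalld_blocklist_plan() {
    listfile=$1
    cat <<EOF
firewall-cmd --permanent --new-ipset=blocklist --type=hash:net
firewall-cmd --permanent --ipset=blocklist --add-entries-from-file=$listfile
firewall-cmd --permanent --zone=drop --add-source=ipset:blocklist
firewall-cmd --reload
EOF
}

# Usage: "sh thisscript run" writes the list and prints the plan.
if [ "${1:-}" = "run" ]; then
    extract_drop_sources "$SAMPLE_RULES" > /tmp/blocklist.txt
    firewalld_blocklist_plan /tmp/blocklist.txt
fi
```

After the reload, `firewall-cmd --ipset=blocklist --get-entries` lists what is actually loaded, and later additions are single `firewall-cmd --ipset=blocklist --add-entry=ADDR` calls (with `--permanent` when they should survive a reload); the set itself stays bound to the drop zone, so there is no longer one source per address in the zone file.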
Re: Firewalld D-BUS documentation
by Jiri Popelka
On 08/16/2013 11:34 AM, Victor Rafael Escobar Olmos wrote:
> Recently I've been reading firewalld manpages as well as many other online
> resources documented by it (fedora's wiki, etc).
>
> When I try to browse the D-BUS interface I can't find any specific
> information anywhere, even if it's directly referenced from other manpages.
> For example in my local fedora installation when I type man firewalld.dbus
> it produces no results and the same for the online man pages which have
> broken links; example:
> http://linuxmanpages.net/manpages/fedora19/man5/firewalld.dbus.5.html
>
> Is it somewhere documentation about this API or at least the real API?
There's no D-Bus interface documentation at the moment, but you can use
# gdbus introspect --system --dest org.fedoraproject.FirewallD1 \
    --object-path /org/fedoraproject/FirewallD1
to see interfaces and properties.
--
Jiri
10 years, 7 months
RE: nm-connection-editor, firewalld, VPN and zones
by Matthieu Codron
After more tests, it appears that the zone is partially applied:
$ nmcli -f NAME,DEVICES,ZONE con status
NAME  DEVICES  ZONE
WIFI  wlp3s0   home
VPN   wlp3s0   work
but
$ firewall-cmd --get-active-zones
home
interfaces: wlp3s0
when port 9000 is open in zone work only, telnet on port 9000 from the
other side of the vpn answers "no route to host"
when port 9000 is open in zone home only, telnet on port 9000 from the
other side of the vpn answers "no route to host"
when port 9000 is open in zone public (which is the default zone) only,
telnet on port 9000 from the other side of the vpn is ok
as if the VPN was in fact in the default zone…
10 years, 7 months
nm-connection-editor, firewalld, VPN and zones
by Matthieu Codron
Hi,
I'm using Fedora Core 19, with Gnome.
I'd like to add my professional VPN to the "Work" zone.
I've edited the VPN connection in question with nm-connection-editor and
updated the zone to match Work.
So the configuration is now as follows :
* I'm connected to the internet using a Wifi connection.
* This Wifi connection is in "Home" zone
* this is confirmed by
$ ifconfig
[…]
wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet X.X.X.X netmask 255.255.255.0 broadcast X.X.X.X
[…]
$ firewall-cmd --get-active-zones
home
interfaces: wlp3s0
* I then start my vpn connection
* This connection is not made part of the "Work" zone
$ ifconfig
[…]
wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet X.X.X.X netmask 255.255.255.0 broadcast X.X.X.X
[…]
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet X.X.X.X netmask 255.255.255.255 destination X.X.X.X
[…]
$ firewall-cmd --get-active-zones
home
interfaces: wlp3s0
Is there a way I can link this VPN with the "Work" zone?
Note: I tried adding the tun0 interface to zone "Work" in the firewall
configuration, but then all VPN connections are linked with this zone,
whereas when I am at work, I want my personal VPN to be linked with the
"Home" zone…
Thanks for your help
Matthieu
10 years, 7 months
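The per-VPN zone assignment the note above asks for, as an added example that is not part of the original thread. The first thing to check is the connection's own zone property (`nmcli con mod "Work VPN" connection.zone work` is the command-line equivalent of what nm-connection-editor sets); the script below is a fallback for when that setting does not reach the tunnel interface. It is a NetworkManager dispatcher script: NetworkManager runs every executable in /etc/NetworkManager/dispatcher.d with the interface and action as arguments and exports CONNECTION_ID and, for vpn-up, VPN_IP_IFACE (tun0 in the post). Binding by connection name means two VPNs that both come up as tun0 can land in different zones. The connection names, the zone choices and the file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): a NetworkManager dispatcher
# script that binds a VPN's tunnel interface to a firewalld zone chosen by
# connection name, so the work VPN lands in "work" and a personal VPN in
# "home" even though both come up as tun0. It is a fallback for the
# connection's own zone setting, not a replacement for it. Install as
# /etc/NetworkManager/dispatcher.d/90-vpn-zone, owned by root, mode 0755.
# The connection names and zone choices below are assumptions.

# Map an NM connection name (CONNECTION_ID) to a firewalld zone. An empty
# result means "leave it alone": the interface stays in the default zone.
zone_for_connection() {
    case "$1" in
        "Work VPN")     echo work ;;
        "Personal VPN") echo home ;;
        *)              echo "" ;;
    esac
}

# Handle one dispatcher event. NetworkManager passes the interface and the
# action as $1 and $2 and exports CONNECTION_ID; for vpn-up it also exports
# VPN_IP_IFACE, the tunnel interface. The binding is made in the runtime
# configuration only (no --permanent), so it is gone after a reload or
# reboot and never pins tun0 to one zone for every VPN. FIREWALL_CMD can
# be overridden (e.g. with "echo") to dry-run the logic without root.
handle_dispatch() {
    action=$2
    fwcmd=${FIREWALL_CMD:-firewall-cmd}
    case "$action" in
        vpn-up)
            zone=$(zone_for_connection "${CONNECTION_ID:-}")
            [ -n "$zone" ] && [ -n "${VPN_IP_IFACE:-}" ] || return 0
            "$fwcmd" --zone="$zone" --change-interface="$VPN_IP_IFACE"
            ;;
    esac
}

# Only act when invoked by NetworkManager with a VPN event.
case "${2:-}" in
    vpn-up) handle_dispatch "$@" ;;
esac
```

After the VPN comes up, `firewall-cmd --get-zone-of-interface=tun0` (or `--get-active-zones`) shows whether the binding took; if it still reports the default zone, the dispatcher did not run or CONNECTION_ID did not match one of the names in the table.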