how to block incoming and outgoing connections with IP?
by Patrick Hinkley
Given an IP address, how can I prevent any connection both to and from that IP? If there are multiple methods, please describe the pros and cons of each.
I've found a lot of contradictory and confusing information about this online and in the documentation.
Thanks for any help!
8 years, 7 months
Getting started with firewalld puppet module
by Robin Bowes
Hi,
I quite like the look of the firewalld puppet module and plan to give it a
whirl on a couple of CentOS 7 boxes.
What I'd find really useful would be an example puppet manifest that uses
the module to replicate the default, out-of-the-box CentOS firewall
settings. I could then take that and modify it as required.
Any chance?
R.
9 years, 3 months
Setup Nat loopback under firewall-cmd
by Игорь Шевченко
Hello, can you help me set up NAT loopback with firewall-cmd?
The network works fine, but a local PC could not connect to the web server over the
external interface.
Firewall settings:
# firewall-cmd --zone=external --list-all
external (active)
  interfaces: eth0
  sources:
  services: ssh
  ports:
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.1.6
  icmp-blocks:
  rich rules:

# firewall-cmd --zone=internal --list-all
internal (default, active)
  interfaces: eth1
  sources:
  services: dhcp dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
The network layout is in the picture in the attachment.
--
Regards, Igor Shevchenko.
mailto://valens254@gmail.com
9 years, 3 months
re Switching from raw iptables to firewalld
by Williamson Grant
For simple ports etc. I am using service XML files.
For our previous iptables rules, I am using /etc/firewalld/direct.xml;
check out man firewalld.direct.
9 years, 3 months
firewalld-0.3.13
by Jiri Popelka
Hi all,
almost 2 months after previous release, lo and behold, 0.3.13
https://fedorahosted.org/released/firewalld/firewalld-0.3.13.tar.bz2
sha1sum: afc1ba1f386bdf7c4a6d651c32aea129329ecdf6
This is mainly a bug-fix release, nothing big.
Changelog
firewalld:
- ipXtables: use -w or -w2 if supported (RHBZ#1151067)
- DROP INVALID packets (RHBZ#1169837)
- don't use ipv6header for protocol matching. (RHBZ#1065565)
- remove passthroughs in reverse order (RHBZ#1167100)
- fix config.service.removeDestination() (RHBZ#1164584)
firewall-config:
- fix typo in menu
- fix crash when removing zone
configuration:
- new services: tinc, vdsm, mosh, iscsi-target, rsyncd
- ship and install XML Schema files. (#8)
updated man pages:
- firewalld.dbus, firewalld.direct, firewalld, firewall-cmd
Enjoy
--
Jiri
9 years, 3 months
Switching from raw iptables to firewalld
by Jason Frisvold
Greetings,
I'm working on setting up a shiny new CentOS 7.0 box and trying to wrap
my head around firewalld. Generally speaking, firewalld is pretty
straightforward for simple allow/deny, but I can't figure out how to
handle the more complex rules I've been using. I'm hoping someone can
point me in the right direction.
For starters, how do I create a simple spoofing filter? For my current
firewalls, I check source and destination addresses, rejecting anything
that isn't valid. For instance, reject anything sourced from RFC-1918
space that isn't in use in the network, reject anything destined for
broadcast addresses, multicast, etc.
Next up, checking flags. Is this possible with firewalld? Part of my
source address checking includes checks for invalid flags. For
instance, TCP stealth scan checking :
# All of the bits are clear
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state
# Both SYN and FIN are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
# Both SYN and RST are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
# Both FIN and RST are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
# FIN bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state
# PSH bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state
# URG bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j log-tcp-state
And finally, ordering. I currently use individual chains for
organization of rulesets. Management chains cover all of the rules
allowing management tools access to the server, chains for source and
destination checks, and a special chain for dropping known
spammer/attacker IPs. Again, it doesn't appear that firewalld handles
this yet. Am I missing something?
I'd like to use firewalld if that's the intended standard, but I don't
want to compromise the ruleset I've built to do so. Can firewalld
handle what I want to throw at it, or should I stick with iptables for now?
Thanks,
--
---------------------------
Jason 'XenoPhage' Frisvold
xenophage(a)godshell.com
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
9 years, 3 months
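The reply above points at /etc/firewalld/direct.xml for carrying over raw iptables rules, and Jason's post lists the TCP-flag checks he wants to keep. The following script, an added example that is not code from either post or from the firewalld project, turns those seven checks into the direct.xml layout documented in firewalld.direct(5) (user chains declared with <chain>, raw iptables arguments carried in <rule> elements with a priority) and also prints the equivalent runtime `firewall-cmd --direct --add-chain/--add-rule` invocations. Assumptions: the body of the log-tcp-state chain (a rate-limited LOG followed by DROP, with a constructed log prefix) is not shown in the post and is supplied here; the jump from INPUT into tcp-state-flags relies on firewalld placing direct rules for built-in chains in its INPUT_direct helper chain, which is evaluated before the zone rules.

```python
"""Render Jason's TCP-flag sanity checks as a firewalld direct.xml file.

Added example, not code from the mailing list or the firewalld project.
Layout follows firewalld.direct(5): <chain> declares a user chain,
<rule> carries raw iptables arguments for a chain, ordered by priority.
"""
import xml.etree.ElementTree as ET

# (comment, iptables arguments) taken from the post, minus the
# "$IPTABLES -A tcp-state-flags" prefix that direct rules do not carry.
TCP_FLAG_CHECKS = [
    ("All of the bits are clear", "-p tcp --tcp-flags ALL NONE"),
    ("Both SYN and FIN are set", "-p tcp --tcp-flags SYN,FIN SYN,FIN"),
    ("Both SYN and RST are set", "-p tcp --tcp-flags SYN,RST SYN,RST"),
    ("Both FIN and RST are set", "-p tcp --tcp-flags FIN,RST FIN,RST"),
    ("FIN bit set, but no ACK", "-p tcp --tcp-flags ACK,FIN FIN"),
    ("PSH bit set, but no ACK", "-p tcp --tcp-flags ACK,PSH PSH"),
    ("URG bit set, but no ACK", "-p tcp --tcp-flags ACK,URG URG"),
]

CHECK_CHAIN = "tcp-state-flags"
LOG_CHAIN = "log-tcp-state"

# ASSUMPTION: the post does not show log-tcp-state; here it logs a
# rate-limited sample with a constructed prefix and then drops.
LOG_CHAIN_RULES = [
    '-m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "tcp-state-flags: "',
    "-j DROP",
]


def build_direct_rules():
    """Return (chains, rules); each rule is (chain, priority, iptables args)."""
    chains = [CHECK_CHAIN, LOG_CHAIN]
    rules = []
    for prio, (_comment, args) in enumerate(TCP_FLAG_CHECKS):
        rules.append((CHECK_CHAIN, prio, f"{args} -j {LOG_CHAIN}"))
    for prio, args in enumerate(LOG_CHAIN_RULES):
        rules.append((LOG_CHAIN, prio, args))
    # Direct rules for the built-in INPUT chain land in firewalld's
    # INPUT_direct helper chain, which runs before the zone chains.
    rules.append(("INPUT", 0, f"-p tcp -j {CHECK_CHAIN}"))
    return chains, rules


def render_direct_xml(ipv="ipv4", table="filter"):
    """Produce the text of /etc/firewalld/direct.xml for these rules."""
    chains, rules = build_direct_rules()
    root = ET.Element("direct")
    for name in chains:
        ET.SubElement(root, "chain", ipv=ipv, table=table, chain=name)
    for chain, prio, args in rules:
        el = ET.SubElement(root, "rule", ipv=ipv, table=table,
                           chain=chain, priority=str(prio))
        el.text = args
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def render_firewall_cmd(ipv="ipv4", table="filter"):
    """Equivalent runtime firewall-cmd --direct invocations, as strings."""
    chains, rules = build_direct_rules()
    cmds = [f"firewall-cmd --direct --add-chain {ipv} {table} {c}" for c in chains]
    cmds += [f"firewall-cmd --direct --add-rule {ipv} {table} {chain} {prio} {args}"
             for chain, prio, args in rules]
    return cmds


def summarize_direct_xml(text):
    """Parse a direct.xml document and count <rule> elements per chain."""
    root = ET.fromstring(text)
    counts = {}
    for rule in root.findall("rule"):
        counts[rule.get("chain")] = counts.get(rule.get("chain"), 0) + 1
    return counts


if __name__ == "__main__":
    print(render_direct_xml())
    print("\n".join(render_firewall_cmd()))
```

Writing the rendered document to /etc/firewalld/direct.xml and running `firewall-cmd --reload` makes the chains permanent; the printed `firewall-cmd --direct` lines apply the same rules to the running firewall without touching the file. Keeping the user chain names identical to the iptables script (tcp-state-flags, log-tcp-state) means `iptables -L tcp-state-flags -nv` still shows per-rule hit counters for checking that the filter is actually seeing traffic.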