On 10/13/2014 03:47 PM, Jiri Popelka wrote:
On 10/07/2014 04:35 PM, Jan Lieskovsky wrote:
> Hello folks,
>
> we develop security guidance / compliance related tools and content
> for Red Hat Enterprise Linux. Recently within the effort to port old(er)
> iptables sections from Red Hat Enterprise Linux 6 to Red Hat Enterprise
> Linux 7 we encountered the following firewalld related question.
>
> Please have a look at sample guidance document at: [1]
> https://jlieskov.fedorapeople.org/rhel6-guide.html
>
> In the section "2.5.7. iptables and ip6tables", under rule:
> "2.5.7.2.a. Set Default iptables Policy for Incoming Packets" there's
> the following requirement:
>
> <quote>
> To set the default policy to DROP (instead of ACCEPT) for the
> built-in INPUT chain which processes incoming packets, add or
> correct the following line in /etc/sysconfig/iptables:
>
> :INPUT DROP [0:0]
> </quote>
>
> The question is how to ensure the iptables rule of the exact meaning
> is applied on the system by using firewalld related tools? In other
> words is there a way via firewalld tools how to change default policy
> type from "ACCEPT" to e.g. "DROP" for some particular filter chain
> (e.g. "INPUT")? [*]
No, there's no such way, it's wired to "ACCEPT" internally.
But I have two ideas on how to solve this.
Either hard-wire the policy of filter/INPUT to "DROP" - this shouldn't
change anything as all 'remaining' packets are matched with
-A INPUT -j REJECT --reject-with icmp-host-prohibited
With this in mind I think that recommending users to set the default policy
to DROP doesn't make much sense because all 'remaining' packets are
rejected anyway (with the '-A INPUT -j REJECT'), i.e. no packet gets to
the point of the DROP policy being applied to it.
Actually in firewalld we already have a very simple way of applying a
restrictive policy, it's called the 'drop' zone.
If you set firewalld's default zone to 'drop' all new (i.e. not
initiated by this machine) incoming/forwarding traffic will be dropped
by default, which is IMHO exactly what that 'security guide' wants to
achieve.
One can do that either by setting
'DefaultZone=drop' in /etc/firewalld/firewalld.conf
and restarting firewalld.
Or with
$ firewall-cmd --set-default-zone=drop
which will apply the change immediately and also permanently.
--
Jiri
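The permanent variant Jiri describes (DefaultZone=drop in /etc/firewalld/firewalld.conf) is what a compliance scanner for the RHEL 7 port of the guide would have to check and remediate. The following is an added example, not code from the thread or from firewalld: a small POSIX sh helper that reads the DefaultZone key from a firewalld.conf-style file, reports whether it is 'drop', and rewrites the setting in place. It assumes only the KEY=value layout of firewalld.conf and that an absent key means firewalld's stock default zone, 'public'; the sample configuration it works on is constructed inline so the script runs offline without firewalld installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compliance helpers for the
# 'DefaultZone=drop' setting in a firewalld.conf-style file.
# Assumption: KEY=value lines, one per line, as in /etc/firewalld/firewalld.conf.

# Print the effective DefaultZone from the given conf file.
# An absent key means firewalld's built-in default, which is 'public'.
firewalld_default_zone() {
    zone=$(sed -n 's/^DefaultZone=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$zone" ]; then
        printf '%s\n' "$zone"
    else
        printf 'public\n'
    fi
}

# Exit 0 if the configured default zone is 'drop', 1 otherwise.
# This is the check a scanner would run for the "default policy DROP" rule.
check_default_zone_is_drop() {
    [ "$(firewalld_default_zone "$1")" = "drop" ]
}

# Remediation: set DefaultZone=drop, replacing an existing key or appending
# one if it is missing. Uses a temp file instead of 'sed -i' for portability.
# firewalld must be restarted afterwards for the file change to take effect.
set_default_zone_drop() {
    conf="$1"
    if grep -q '^DefaultZone=' "$conf"; then
        sed 's/^DefaultZone=.*/DefaultZone=drop/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'DefaultZone=drop\n' >> "$conf"
    fi
}

# Constructed sample: a conf file with the stock 'public' default zone.
# Prints the path of the temp file it creates.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# firewalld config file (constructed sample)
DefaultZone=public
Lockdown=no
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: check, remediate, re-check.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_conf)
    printf 'before: DefaultZone=%s\n' "$(firewalld_default_zone "$sample")"
    check_default_zone_is_drop "$sample" && echo "compliant" || echo "NOT compliant"
    set_default_zone_drop "$sample"
    printf 'after:  DefaultZone=%s\n' "$(firewalld_default_zone "$sample")"
    check_default_zone_is_drop "$sample" && echo "compliant" || echo "NOT compliant"
    rm -f "$sample"
fi
```

Run it as `sh script.sh --demo` to see the check fail on the stock file and pass after remediation. On a live system the runtime state should be compared as well, since `firewall-cmd --set-default-zone=drop` changes both runtime and permanent configuration while a hand edit of the file only takes effect after a restart; `firewall-cmd --get-default-zone` reports the runtime value.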