On Tue, Nov 06, 2018 at 10:49:28PM +0100, Hans-Peter Jansen wrote:
On Dienstag, 6. November 2018 19:24:09 Hans-Peter Jansen wrote:
On Samstag, 27. Oktober 2018 20:29:54 Oleg Cherkasov wrote:
On 27.10.2018 18:07, Kenneth Porter wrote:
--On Saturday, October 27, 2018 4:19 PM +0200 Hans-Peter Jansen hpj@urpla.net wrote:
This might be interesting to be used within a fail2ban procedure later on.
While at it, what is the best practice to limit access to such a port like 15060/udp to a couple of sources?
Use an ipset rule. It's easy to add and remove lots of IP addresses without changing the firewall. fail2ban can also use ipsets within firewalld. I suggest asking on the fail2ban mailing list to see if someone has a suitable jail definition.
Honestly I did not know firewalld has support for ipset. If so then ipset indeed the better way to handle malicious IPs. Here is the brief tutorial from firewalld:
Thank you, Kenneth and Oleg, for your hints.
Unfortunately, I still haven't figured out, how to limit a certain service to a couple of source addresses, namely I would like to accept connections on 15060/udp from internal and selected external sources only: e.g. 172.16.123.0/24 and 213.167.161.0/26. It might be possible with ipsets, but no example shows, how to use that as a white list with the destination port requirement.
I think, I got it:
$ firewall-cmd --permanent --new-zone=voip $ firewall-cmd --permanent --zone=voip --add-source=172.16.123.0/24 $ firewall-cmd --permanent --zone=voip --add-source=213.167.161.0/26 $ firewall-cmd --permanent --zone=voip --add-source=213.167.162.0/26 $ firewall-cmd --permanent --zone=voip --add-port=15060/udp $ firewall-cmd --permanent --zone=voip --add-port=10000-10099/udp $ firewall-cmd --zone=voip --permanent --list-all voip (active) target: default icmp-block-inversion: no interfaces: sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26 services: ports: 15060/udp 10000-10099/udp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
What I still not grok is the relationship between the different zones, and how overlapping and non-overlapping rules are handled?!?
Overlapping zones by sources is undefined. You should avoid creating zones with overlapping "sources".
Interfaces may only be bound to a _single_ zone.
Because: $ firewall-cmd --get-active-zones voip ...
but I'm still able to use ssh, although it is defined in zone "external"
The incoming connection is probably falling through to the "default" (external) zone. You can avoid this by setting the policy (--set-target) of the "voip" to something like "reject" or "drop".
If you're SSHing from an IP _not_ in the sources list for the "voip" zone, then it makes sense that SSH is allowed (no other zone matches).
$ firewall-cmd --zone=external --permanent --list-all external target: default icmp-block-inversion: no interfaces: sources: services: http ports: 4559/tcp 22/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: address-unreachable bad-header beyond-scope communication- prohibited destination-unreachable echo-reply failed-policy fragmentation- needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad network-prohibited network-redirect network- unknown network-unreachable no-route packet-too-big parameter-problem port- unreachable precedence-cutoff protocol-unreachable reject-route required- option-missing source-route-failed time-exceeded timestamp-reply timestamp- request tos-host-redirect tos-host-unreachable tos-network-redirect tos- network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option rich rules:
I can disable/enable nginx: $ firewall-cmd --zone=external --remove-service=http $ firewall-cmd --zone=external --add-service=http
but a command like: $ firewall-cmd --remove-service=http You're performing an operation over default zone ('external'), but your connections/interfaces are in zone 'voip' (see --get-active-zones) You most likely need to use --zone=voip option.
success
After a reboot, things clear up (a bit):
$ firewall-cmd --get-active-zones external interfaces: eth0 voip sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26
but how does firewalld knows, which zones are active? In case of voip, this is controlled from the sources okay, but in case of external, the interface isn't defined in the zone, nor in the interface script (no NetworkManager).
To rephrase my question: what triggers the activeness?
There are various ways a zone becomes active: - The zone is the default zone - The zone has "sources" - If an interface is managed by NetworkManager and assigned to the zone and is "up" and has an IP address - If an interface is NOT managed by NetworkManager, but is added to the zone
Sorry for these dump questions, but I really try to make up some consistent idea of the inner logical connections, that appear to be important to me, in order to avoid to have applied rules at the wrong places (zones), or, even badder, doesn't have them applied at all!
So, please bear with me, Pete