On 10/07/2014 04:35 PM, Jan Lieskovsky wrote:
Hello folks,
we develop security guidance / compliance related tools and content
for Red Hat Enterprise Linux. Recently within the effort to port old(er)
iptables sections from Red Hat Enterprise Linux 6 to Red Hat Enterprise
Linux 7 we encountered the following firewalld related question.
Please have a look at sample guidance document at:
[1]
https://jlieskov.fedorapeople.org/rhel6-guide.html
In the section "2.5.7. iptables and ip6tables", under rule:
"2.5.7.2.a. Set Default iptables Policy for Incoming Packets" there's
the following requirement:
<quote>
To set the default policy to DROP (instead of ACCEPT) for the
built-in INPUT chain which processes incoming packets, add or
correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
</quote>
The question is how to ensure that an iptables rule of exactly this meaning
is applied on the system using firewalld-related tools. In other
words, is there a way via firewalld tools to change the default policy
type from "ACCEPT" to e.g. "DROP" for some particular filter chain
(e.g. "INPUT")? [*]
No, there's no such way; it's wired to "ACCEPT" internally.
But I have two ideas on how to solve this.
Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't
change anything as all 'remaining' packets are matched with
-A INPUT -j REJECT --reject-with icmp-host-prohibited
anyway.
Or add "policy" support to the 'direct' interface. Something like
$ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb } table chain target
which would run 'iptables -t table -P chain target'
Thomas, ideas/objections?
--
Jiri
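The practical question in the thread is how a compliance check can tell whether packets that reach the end of the filter INPUT chain are actually blocked, either by the ":INPUT DROP" policy the RHEL 6 guidance asks for or by the trailing "-A INPUT -j REJECT ..." rule that Jiri notes firewalld's ruleset ends with. The following shell script is an added example written for this post; it is not code from the thread, from the guidance document or from firewalld. It parses the iptables-save / /etc/sysconfig/iptables format and reports which of the two mechanisms (if any) is in effect. The three sample rulesets embedded in it are constructed for illustration and are simplified relative to what firewalld really installs.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalld: audit a saved
# iptables ruleset (iptables-save / /etc/sysconfig/iptables format) for the
# question raised above, i.e. whether packets reaching the end of the filter
# INPUT chain are blocked, either by a DROP default policy or by a trailing
# REJECT rule as in firewalld's own ruleset.

# Print the default policy of CHAIN in the filter table, or UNKNOWN.
# Usage: chain_policy CHAIN < ruleset
chain_policy() {
    awk -v chain="$1" '
        /^\*/ { table = substr($0, 2) }                  # *filter, *nat, ...
        table == "filter" && $1 == (":" chain) { print $2; found = 1; exit }
        END { if (!found) print "UNKNOWN" }
    '
}

# Succeed (exit 0) when the last rule appended to filter INPUT jumps to REJECT.
# Usage: input_has_final_reject < ruleset
input_has_final_reject() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "INPUT" { last = $0 }
        END { if (last ~ / -j REJECT( |$)/) exit 0; exit 1 }
    '
}

# Combine the two checks. Exit 0 when unmatched incoming packets are blocked
# (DROP policy, or ACCEPT policy with a final REJECT), 1 when they are accepted.
# Usage: audit_input < ruleset
audit_input() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | chain_policy INPUT)
    if [ "$policy" = "DROP" ]; then
        echo "INPUT policy DROP: unmatched packets are dropped"
        return 0
    fi
    if printf '%s\n' "$rules" | input_has_final_reject; then
        echo "INPUT policy $policy, but the chain ends in REJECT: unmatched packets are rejected"
        return 0
    fi
    echo "INPUT policy $policy and no final REJECT: unmatched packets are ACCEPTED"
    return 1
}

# Constructed sample rulesets (not captured from a real host).
# 1. The shape of firewalld's default filter table: ACCEPT policy, REJECT tail.
SAMPLE_FIREWALLD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# 2. What the RHEL 6 guidance asks for: DROP policy on INPUT.
SAMPLE_HARDENED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

# 3. The case the guidance is meant to catch: ACCEPT policy and no catch-all.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Stand-alone demo; on a live host use: iptables-save | audit_input
for sample in "$SAMPLE_FIREWALLD" "$SAMPLE_HARDENED" "$SAMPLE_OPEN"; do
    printf '%s\n' "$sample" | audit_input || true
done
```

On a running system the input would come from `iptables-save` (or, on RHEL 6, from /etc/sysconfig/iptables). The script only reads the saved format and never changes the ruleset; it separates the two conditions on purpose, because a scanner written to look only for the literal ":INPUT DROP [0:0]" line would flag a firewalld host as non-compliant even though, as the thread points out, the trailing REJECT rule already handles every packet that would otherwise fall through to the ACCEPT policy.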