Hello folks,
I participate in developing SCAP content: [1] http://scap.nist.gov/
within the SCAP Security Guide project: [2] https://fedorahosted.org/scap-security-guide/
Within that [2] project we develop security compliance guidance for Red Hat products (content for RHEL-6, RHEL-7 and Fedora already exists; content for products like OpenStack, RHEVM3 and JBossEAP5 still needs care).
In the process of identifying which parts of the existing RHEL-6 content would require modification when porting it to RHEL-7, we identified firewalld as one of the components that might require our attention.
FWIW, regarding firewall configuration, the system administrator's situation changed slightly between RHEL-6 and RHEL-7. At the very least, in RHEL-6 there was the system-config-firewall tool, while in RHEL-7 the firewall can be managed in two ways (not counting direct iptables command usage):
* via system-config-firewall, or
* via firewalld.
From the very introductory article: [3] http://www.oracle-base.com/articles/linux/linux-firewall-firewalld.php
each of these (system-config-firewall & firewalld) constitutes a different approach to the system's firewall administration / management. Starting from different config files (/etc/sysconfig/iptables and /etc/sysconfig/ip6tables for s-c-f vs the XML-based configuration files in /usr/lib/firewalld/services -- the service XML templates -- and the actually honoured configuration present in /etc/firewalld/services), through the concept of zones, firewalld introduces a different view of the system's firewall administration / management.
Consider the use case:
-----------------------
What we have now are iptables rules defined in the form accepted / generated by s-c-f (for RHEL-6). But when checking a RHEL-7 system for security compliance wrt firewall settings, we will also need to check whether the newly added config location (/etc/firewalld/services) contains the corresponding rules expressed in the form accepted / expected by firewalld.
I have searched the firewalld manual pages more deeply and noticed that the firewalld package provides firewall-offline-cmd for cases like this (when the firewalld service isn't running) to migrate older s-c-f rules to the newer firewalld syntax.
I actually moved further and tried the firewall-offline-cmd --direct --add-rule case.
Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the following form (for simplicity):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
then the corresponding firewall-offline-cmd syntax, as I understood it from reading the manual pages, is as follows:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Execution of this command succeeded & the appropriate /etc/firewalld/direct.xml entry was created.
I wanted to ask about the priority parameter ("0" in the above example) -- is it a way to specify the "order / place" at which the rule would be added in the XML file? IOW, would using 0 again a second time mean the second rule is inserted before the already existing rule (i.e. the behaviour of the iptables -I option), while using priority 1 would append it instead at the end of the INPUT chain of the filter table (i.e. the behaviour would correspond to the iptables -A option)?
Another question -- I also noticed that firewalld provides the concept of a "richlanguage", which (at least as I understood it) allows the administrator to define rules in an iptables-like syntax. Since it's not mentioned in the manual page, does richlanguage support the concept of "match extensions", e.g.:
-m iprange | -m limit | -m state | -m time | -m account ..
as known / supported by iptables? If yes, what would be the syntax for formulating these in richlanguage? To mention some examples, suppose the following two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
Is there a way to express them via firewalld's richlanguage constructs, or would the use of firewall-offline-cmd --direct --add-rule be necessary?
Is it possible to state in general which kinds of former iptables rules can be expressed via richlanguage & which kinds require the use of the firewall-offline-cmd tool?
Thank you in advance for your time & reply.
Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Technologies Team
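The following is an added example, not part of Jan's message and not code from the SCAP Security Guide or firewalld projects. It is a small Python classifier for the migration case the message describes: for each RHEL-6 style `-A CHAIN ...` rule it builds the `firewall-offline-cmd --direct --add-rule` command (assigning increasing priorities, since firewall-cmd(1) documents priority 0 as "on top of the chain", higher values further down, and the order of rules sharing one priority as not fixed), and emits a rich rule only when the rule uses constructs the rich language is known to cover (`source`/`destination address`, `port port="N" protocol="tcp|udp"` including `N-M` ranges, `protocol value`, and `limit value="rate"` after the action). The set of match modules it accepts is a deliberately conservative assumption of this example, not firewalld's own mapping; anything outside it (iprange, time, `--limit-burst`, `--icmp-type`, ...) is reported as needing a direct rule. The sample iptables lines are constructed for the example. It only produces command strings and never talks to firewalld.

```python
"""Added example: classify RHEL-6 style iptables rules for a firewalld
migration.  For each '-A CHAIN ...' line it builds the equivalent
firewall-offline-cmd --direct --add-rule command and, when the rule only
uses constructs the rich language covers, a rich rule as well.  It only
produces command strings; nothing here talks to firewalld.  The accepted
match set below is a conservative assumption of this example, not
firewalld's own mapping."""
import shlex

# Match modules this translator knows how to map (assumption).
KNOWN_MODULES = {"tcp", "udp", "state", "conntrack", "limit"}
TARGETS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def _tokens(rule):
    """Split RULE into (chain, remaining iptables arguments)."""
    toks = shlex.split(rule)
    if toks[:1] == ["iptables"]:      # accept 'iptables -A ...' lines too
        toks = toks[1:]
    if toks[:1] != ["-A"]:
        raise ValueError("only -A rules are handled: %r" % rule)
    return toks[1], toks[2:]


def to_direct(rule, priority=0, family="ipv4", table="filter"):
    """firewall-offline-cmd --direct form of RULE.  firewalld orders direct
    rules by priority: 0 puts a rule on top of the chain, larger values place
    it further down, and rules sharing a priority have no fixed order, so a
    migration keeps the original order by giving successive rules increasing
    priorities instead of reusing 0."""
    chain, args = _tokens(rule)
    return "firewall-offline-cmd --direct --add-rule %s %s %s %d %s" % (
        family, table, chain, priority, " ".join(shlex.quote(a) for a in args))


def to_rich(rule, family="ipv4"):
    """Rich-language form of RULE, or None when a direct rule is required."""
    chain, args = _tokens(rule)
    if chain != "INPUT":              # rich rules describe a zone's inbound traffic
        return None
    proto = port = src = dst = limit = target = None
    it = iter(args)
    for t in it:
        if t == "-p":
            proto = next(it)
        elif t == "-m":
            if next(it) not in KNOWN_MODULES:   # iprange, time, account, ...
                return None
        elif t in ("--state", "--ctstate"):
            # Assumption: firewalld accepts RELATED,ESTABLISHED before the zone
            # chains, so a plain NEW match is implicit in a rich rule.
            if next(it) != "NEW":
                return None
        elif t == "--dport":
            port = next(it).replace(":", "-")   # iptables 50:55 -> rich 50-55
        elif t == "-s":
            src = next(it)
        elif t == "-d":
            dst = next(it)
        elif t == "--limit":
            limit = next(it)
        elif t == "-j":
            target = next(it)
        else:                         # --limit-burst, --icmp-type, -i, --sport, ...
            return None
    if target not in TARGETS:
        return None
    parts = ['rule family="%s"' % family]
    if src:
        parts.append('source address="%s"' % src)
    if dst:
        parts.append('destination address="%s"' % dst)
    if port is not None:
        if proto not in ("tcp", "udp"):
            return None
        parts.append('port port="%s" protocol="%s"' % (port, proto))
    elif proto is not None:
        parts.append('protocol value="%s"' % proto)
    parts.append(TARGETS[target])
    if limit:
        parts.append('limit value="%s"' % limit)
    return " ".join(parts)


def migrate(rules):
    """Return (direct_cmd, rich_rule_or_None) per rule, with priorities 0,1,2,..."""
    return [(to_direct(r, priority=i), to_rich(r)) for i, r in enumerate(rules)]


# Constructed sample /etc/sysconfig/iptables lines for this example.
SAMPLE_RULES = [
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT",
    "-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 514 -m limit --limit 5/s -j ACCEPT",
    "-A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT",
    "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT",
]

if __name__ == "__main__":
    for direct, rich in migrate(SAMPLE_RULES):
        print(direct)
        print("  rich:", rich or "(not expressible here; keep the direct rule)")
```

Run as-is it prints, for each sample line, the direct-rule command with its assigned priority and either the rich rule or a note that the rule stays a direct rule. Extending `KNOWN_MODULES` or the option branches is how one would record further rich-language coverage once it has been confirmed against firewalld.richlanguage(5) on the target release.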