On Tue, Nov 06, 2018 at 10:49:28PM +0100, Hans-Peter Jansen wrote:
On Dienstag, 6. November 2018 19:24:09 Hans-Peter Jansen wrote:
> On Samstag, 27. Oktober 2018 20:29:54 Oleg Cherkasov wrote:
>
> > On 27.10.2018 18:07, Kenneth Porter wrote:
> >
> >
> > > --On Saturday, October 27, 2018 4:19 PM +0200 Hans-Peter Jansen
> > > <hpj(a)urpla.net> wrote:
> > >
> > >
> > >
> > >> This might be interesting to be used within a fail2ban procedure
later
> > >> on.
> > >>
> > >>
> > >>
> > >>
> > >>
> > >> While at it, what is the best practice to limit access to such a port
> > >> like 15060/udp to a couple of sources?
> > >
> > >
> > >
> > > Use an ipset rule. It's easy to add and remove lots of IP addresses
> > > without changing the firewall. fail2ban can also use ipsets within
> > > firewalld. I suggest asking on the fail2ban mailing list to see if
> > > someone has a suitable jail definition.
> >
> >
> >
> > Honestly I did not know firewalld has support for ipset. If so then
> > ipset indeed the better way to handle malicious IPs. Here is the brief
> > tutorial from firewalld:
> >
> >
https://firewalld.org/2015/12/ipset-support
>
>
> Thank you, Kenneth and Oleg, for your hints.
>
> Unfortunately, I still haven't figured out, how to limit a certain service
> to a couple of source addresses, namely I would like to accept
> connections on 15060/udp from internal and selected external sources only:
> e.g. 172.16.123.0/24 and 213.167.161.0/26. It might be possible with
> ipsets, but no example shows, how to use that as a white list with the
> destination port requirement.
>
I think, I got it:
$ firewall-cmd --permanent --new-zone=voip
$ firewall-cmd --permanent --zone=voip --add-source=172.16.123.0/24
$ firewall-cmd --permanent --zone=voip --add-source=213.167.161.0/26
$ firewall-cmd --permanent --zone=voip --add-source=213.167.162.0/26
$ firewall-cmd --permanent --zone=voip --add-port=15060/udp
$ firewall-cmd --permanent --zone=voip --add-port=10000-10099/udp
$ firewall-cmd --zone=voip --permanent --list-all
voip (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26
services:
ports: 15060/udp 10000-10099/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
What I still not grok is the relationship between the different zones, and how
overlapping and non-overlapping rules are handled?!?
Overlapping zones by sources is undefined. You should avoid creating
zones with overlapping "sources".
Interfaces may only be bound to a _single_ zone.
Because:
$ firewall-cmd --get-active-zones
voip
...
but I'm still able to use ssh, although it is defined in zone "external"
The incoming connection is probably falling through to the "default"
(external) zone. You can avoid this by setting the policy (--set-target)
of the "voip" to something like "reject" or "drop".
If you're SSHing from an IP _not_ in the sources list for the "voip"
zone, then it makes sense that SSH is allowed (no other zone matches).
$ firewall-cmd --zone=external --permanent --list-all
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: http
ports: 4559/tcp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: address-unreachable bad-header beyond-scope communication-
prohibited destination-unreachable echo-reply failed-policy fragmentation-
needed host-precedence-violation host-prohibited host-redirect host-unknown
host-unreachable ip-header-bad network-prohibited network-redirect network-
unknown network-unreachable no-route packet-too-big parameter-problem port-
unreachable precedence-cutoff protocol-unreachable reject-route required-
option-missing source-route-failed time-exceeded timestamp-reply timestamp-
request tos-host-redirect tos-host-unreachable tos-network-redirect tos-
network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit
unknown-header-type unknown-option
rich rules:
I can disable/enable nginx:
$ firewall-cmd --zone=external --remove-service=http
$ firewall-cmd --zone=external --add-service=http
but a command like:
$ firewall-cmd --remove-service=http
You're performing an operation over default zone ('external'),
but your connections/interfaces are in zone 'voip' (see --get-active-zones)
You most likely need to use --zone=voip option.
success
After a reboot, things clear up (a bit):
$ firewall-cmd --get-active-zones
external
interfaces: eth0
voip
sources: 172.16.123.0/24 213.167.161.0/26 213.167.162.0/26
but how does firewalld knows, which zones are active? In case of voip, this is
controlled from the sources okay, but in case of external, the interface isn't
defined in the zone, nor in the interface script (no NetworkManager).
To rephrase my question: what triggers the activeness?
There are various ways a zone becomes active:
- The zone is the default zone
- The zone has "sources"
- If an interface is managed by NetworkManager and assigned to the
zone and is "up" and has an IP address
- If an interface is NOT managed by NetworkManager, but is added to
the zone
> Sorry for these dump questions, but I really try to make up some consistent
> idea of the inner logical connections, that appear to be important to me, in
> order to avoid to have applied rules at the wrong places (zones), or, even
> badder, doesn't have them applied at all!
>
> So, please bear with me,
> Pete