Firewalld way how to change default policy type from ACCEPT to something else for a particular chain
9:35 a.m.
Hello folks,
we develop security guidance / compliance related tools and content
for Red Hat Enterprise Linux. Recently within the effort to port old(er)
iptables sections from Red Hat Enterprise Linux 6 to Red Hat Enterprise
Linux 7 we encountered the following firewalld related question.
Please have a look at sample guidance document at:
[1] https://jlieskov.fedorapeople.org/rhel6-guide.html
In the section "2.5.7. iptables and ip6tables", under rule:
"2.5.7.2.a. Set Default iptables Policy for Incoming Packets" there's
the following requirement:
<quote>
To set the default policy to DROP (instead of ACCEPT) for the
built-in INPUT chain which processes incoming packets, add or
correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
</quote>
The question is how to ensure the iptables rule of the exact meaning
is applied on the system by using firewalld related tools? In other
words is there a way via firewalld tools how to change default policy
type from "ACCEPT" to e.g. "DROP" for some particular filter chain
(e.g. "INPUT")? [*]
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
[*] We are aware that firewalld uses different configuration file
than /etc/sysconfig/iptables & can handle that. But the question
is how to change the default policy type from 'ACCEPT' to something
else.
8:47 a.m.
On 10/07/2014 04:35 PM, Jan Lieskovsky wrote:
Hello folks,
we develop security guidance / compliance related tools and content
for Red Hat Enterprise Linux. Recently within the effort to port old(er)
iptables sections from Red Hat Enterprise Linux 6 to Red Hat Enterprise
Linux 7 we encountered the following firewalld related question.
Please have a look at sample guidance document at:
[1] https://jlieskov.fedorapeople.org/rhel6-guide.html
In the section "2.5.7. iptables and ip6tables", under rule:
"2.5.7.2.a. Set Default iptables Policy for Incoming Packets" there's
the following requirement:
<quote>
To set the default policy to DROP (instead of ACCEPT) for the
built-in INPUT chain which processes incoming packets, add or
correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0]
</quote>
The question is how to ensure the iptables rule of the exact meaning
is applied on the system by using firewalld related tools? In other
words is there a way via firewalld tools how to change default policy
type from "ACCEPT" to e.g. "DROP" for some particular filter chain
(e.g. "INPUT")? [*]
No there's no such way, it's wired to "ACCEPT" internally.
But I have 2 ideas how to solve this.
Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't
change anything as all 'remaining' packets are matched with
-A INPUT -j REJECT --reject-with icmp-host-prohibited
anyway.
Or add a "policy" support to 'direct' interface. Something like
$ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb }
table chain target
which would run 'iptables -P -t table chain target'
Thomas, ideas/objections ?
--
Jiri
10:03 a.m.
On 10/13/2014 03:47 PM, Jiri Popelka wrote:
On 10/07/2014 04:35 PM, Jan Lieskovsky wrote:
> Hello folks,
>
> we develop security guidance / compliance related tools and content
> for Red Hat Enterprise Linux. Recently within the effort to port old(er)
> iptables sections from Red Hat Enterprise Linux 6 to Red Hat Enterprise
> Linux 7 we encountered the following firewalld related question.
>
> Please have a look at sample guidance document at:
> [1] https://jlieskov.fedorapeople.org/rhel6-guide.html
>
> In the section "2.5.7. iptables and ip6tables", under rule:
> "2.5.7.2.a. Set Default iptables Policy for Incoming Packets" there's
> the following requirement:
>
> <quote>
> To set the default policy to DROP (instead of ACCEPT) for the
> built-in INPUT chain which processes incoming packets, add or
> correct the following line in /etc/sysconfig/iptables:
>
> :INPUT DROP [0:0]
> </quote>
>
> The question is how to ensure the iptables rule of the exact meaning
> is applied on the system by using firewalld related tools? In other
> words is there a way via firewalld tools how to change default policy
> type from "ACCEPT" to e.g. "DROP" for some particular filter
chain
> (e.g. "INPUT")? [*]
No there's no such way, it's wired to "ACCEPT" internally.
But I have 2 ideas how to solve this.
Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't
change anything as all 'remaining' packets are matched with
-A INPUT -j REJECT --reject-with icmp-host-prohibited
anyway.
Or add a "policy" support to 'direct' interface. Something like
$ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb }
table chain target
which would run 'iptables -P -t table chain target'
Thomas, ideas/objections ?
I think it would be good to have one global setting in the firewalld
config file to define the default policy for all default chains in all
tables.
Having a policy per chain and table is too much in my opinion.
--
Jiri
Regards,
Thomas
10:41 a.m.
On 10/13/2014 05:03 PM, Thomas Woerner wrote:
On 10/13/2014 03:47 PM, Jiri Popelka wrote:
> Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't
> change anything as all 'remaining' packets are matched with
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> anyway.
>
> Or add a "policy" support to 'direct' interface. Something like
> $ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb }
> table chain target
> which would run 'iptables -P -t table chain target'
I think it would be good to have one global setting in the firewalld
config file to define the default policy for all default chains in all
tables.
Setting policies of all chains of all tables to DROP is IMHO *too*
restrictive. That would AFAICT drop *all* traffic (for example in raw or
mangle table) and it's not what the 'security guide' suggests - it
suggests to set DROP policy of filter/INPUT only.
Anyway I think using firewalld's 'drop' zone is what we want here, as I
already suggested in another answer.
--
Jiri
12:24 p.m.
On 10/13/2014 05:41 PM, Jiri Popelka wrote:
On 10/13/2014 05:03 PM, Thomas Woerner wrote:
> On 10/13/2014 03:47 PM, Jiri Popelka wrote:
>> Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't
>> change anything as all 'remaining' packets are matched with
>> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>> anyway.
>>
>> Or add a "policy" support to 'direct' interface. Something
like
>> $ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb }
>> table chain target
>> which would run 'iptables -P -t table chain target'
> I think it would be good to have one global setting in the firewalld
> config file to define the default policy for all default chains in all
> tables.
Setting policies of all chains of all tables to DROP is IMHO *too*
restrictive. That would AFAICT drop *all* traffic (for example in raw or
mangle table) and it's not what the 'security guide' suggests - it
suggests to set DROP policy of filter/INPUT only.
Yes, that is right - it is too restrictive. Setting the policy in the
filter/INPUT and filter/FORWARD only should be o.k..
Anyway I think using firewalld's 'drop' zone is what we
want here, as I
already suggested in another answer.
Yes.
--
Jiri
Thomas
10:33 a.m.
On 10/13/2014 03:47 PM, Jiri Popelka wrote:
On 10/07/2014 04:35 PM, Jan Lieskovsky wrote:
> Hello folks,
>
> we develop security guidance / compliance related tools and content
> for Red Hat Enterprise Linux. Recently within the effort to port old(er)
> iptables sections from Red Hat Enterprise Linux 6 to Red Hat Enterprise
> Linux 7 we encountered the following firewalld related question.
>
> Please have a look at sample guidance document at:
> [1] https://jlieskov.fedorapeople.org/rhel6-guide.html
>
> In the section "2.5.7. iptables and ip6tables", under rule:
> "2.5.7.2.a. Set Default iptables Policy for Incoming Packets" there's
> the following requirement:
>
> <quote>
> To set the default policy to DROP (instead of ACCEPT) for the
> built-in INPUT chain which processes incoming packets, add or
> correct the following line in /etc/sysconfig/iptables:
>
> :INPUT DROP [0:0]
> </quote>
>
> The question is how to ensure the iptables rule of the exact meaning
> is applied on the system by using firewalld related tools? In other
> words is there a way via firewalld tools how to change default policy
> type from "ACCEPT" to e.g. "DROP" for some particular filter
chain
> (e.g. "INPUT")? [*]
No there's no such way, it's wired to "ACCEPT" internally.
But I have 2 ideas how to solve this.
Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't
change anything as all 'remaining' packets are matched with
-A INPUT -j REJECT --reject-with icmp-host-prohibited
With this in mind I think that recommending users to set default policy
to DROP doesn't have much sense because all 'remaining' packets are
rejected anyway (with the '-A INPUT -j REJECT'), i.e. no packet get's to
the point of DROP policy being applied on it.
Actually in firewalld we already have a very simple way how to apply
restrictive policy, it's called 'drop' zone.
If you set firewalld's default zone to 'drop' all new (i.e. not
initiated by this machine) incoming/forwarding traffic will be dropped
by default, which is IMHO exactly what that 'security guide' wants to
achieve.
One can do that either by setting
'DefaultZone=drop' in /etc/firewalld/firewalld.conf
and restarting firewalld.
Or with
$ firewall-cmd --set-default-zone=drop
which will apply the change immediately and also permanently.
--
Jiri
3487
days inactive
3493
days old
firewalld-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
Jan Lieskovsky -
Jiri Popelka -
Thomas Woerner