9:55 p.m.
Hello,
I am setting up firewalld on CentOS 7 and an not yet familiar with the process for setting
rules. I would like to blanket deny internet access for all applications and processes. I
would then add specific whitelist access rules for a small number of applications that
require access.
Can someone point me to a write up on how to set up rules like this?
LMHmedchem
9:31 a.m.
New subject: how to set applications and processes for whitelist only
internet access
On Thu, Feb 13, 2020 at 03:55:15AM -0000, Lmh Medchem wrote:
Hello,
I am setting up firewalld on CentOS 7 and an not yet familiar with the
process for setting rules. I would like to blanket deny internet
access for all applications and processes. I would then add specific
whitelist access rules for a small number of applications that require
access.
Out of the box, all connections are part of the "default" zone (usually
public zone). This allows the following incoming services; ssh,
dhcpv6-client. Everything else is blocked.
Can someone point me to a write up on how to set up rules like this?
You can get a deny ALL by default by changing the default zone to
something like block or drop.
e.g.
firewall-cmd --set-default-zone=block
Keep in mind this will block ALL traffic until you explicitly add
services/ports/etc. So you won't be able to ssh into the host. Best to
do it when physically sitting at the host.
Hope that helps.
Eric.
3:47 p.m.
Thanks for the information. This is a workstation, so there should not be any traffic
other than the browser, email client, and updates from the package manager. There should
be no incoming connections allowed. The only allowed outgoing connections should be from
firefox, seamonkey, and the package manager. This is how all of my windows computers are
configured. There are specific exceptions like the print spooler being allowed to connect
to the network printer at it's specific local network IP.
I have made the drop zone the default and all of the services are checked as being part of
the drop zone. This has made no difference in connectivity for any application that I can
detect. From the documentation, this appears to only affect incoming connections. This
firewall doesn't appear to support the functionality of blocking or allowing
individual programs to access the internet.
Is that correct?
LMHmedchem
12:09 p.m.
New subject: how to set applications and processes for whitelist only
internet access
On Thu, Feb 13, 2020 at 09:47:13PM -0000, Lmh Medchem wrote:
Thanks for the information. This is a workstation, so there should
not
be any traffic other than the browser, email client, and updates from
the package manager. There should be no incoming connections allowed.
The only allowed outgoing connections should be from firefox,
seamonkey, and the package manager. This is how all of my windows
computers are configured. There are specific exceptions like the print
spooler being allowed to connect to the network printer at it's
specific local network IP.
I have made the drop zone the default and all of the services are
checked as being part of the drop zone. This has made no difference in
connectivity for any application that I can detect. From the
documentation, this appears to only affect incoming connections. This
firewall doesn't appear to support the functionality of blocking or
allowing individual programs to access the internet.
Is that correct?
You are correct. firewalld does not have native support for OUTPUT
filtering. Work is in progress [1]. In the mean time you could use
--direct rules - see the firewall-cmd man page.
[1] https://github.com/orgs/firewalld/projects/1#card-25963208
1528
days inactive
1533
days old
firewalld-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Eric Garver -
Lmh Medchem