5:36 p.m.
Hello,
I'm new to firewalld, adapting my env for SLE15 release.
I have a set of zones based on source which selectively open services. They
all use target default.
I want to enable LogDenied but I wish to filter out some sources (that
frequently scans for open ports).
Also, I want to limit the amount of LogDenied msg per time (to avoid DoS
caused by logs).
I tested these solutions:
1) Issue direct passthough commands to insert the filter just before log
reject rule. I need to previously know the
rulenum position that is before log reject rule;
2) Add 0.0.0.0/0 to a zone foo and use it as the default zone. Default zone
is then used as a drop/reject only zone. Configure logs as needed using
rich rules in drop/reject only zone.
I think that this breaks the logic what default zone is.
The problems I face:
a) LogDenied is opaque. You cannot change it but with direct passthough.
Maybe it could be configured as a "special zone";
b) Direct passthough depends on a variable rulenum that can change
depending on env setup. I cannot use relative positions like "before the
last two rules";
c) Rich rules cannot be used to log connections that did not match (not
allowed) in the zone as IN_<zone>_log comes before IN_<zone>_reject and
IN_<zone>_accept chains.
(OK, I could reimplement the opposite of all rules that accepts connections
but it would be too complex to manage)
Is there a better solution for all this? A trick with rich rules?
Maybe it would be nice if LogDenied would be a dedicated target chain in
INPUT/FORWARD (i.e.: IN_public_log_denied) or even a generic
IN_public_missed (for connections that did not match any rule inside this
chain, independently from LogDenied value). This way I could insert with
direct passthough rules into this chain for default zone just before
logging (from zone_reject or final_reject).
Regards,
--
Luiz Angelo Daros de Luca
luizluca(a)gmail.com
8:19 a.m.
On Mon, Feb 26, 2018 at 11:36:08PM +0000, Luiz Angelo Daros de Luca wrote:
Hello,
I'm new to firewalld, adapting my env for SLE15 release.
I have a set of zones based on source which selectively open services. They
all use target default.
I want to enable LogDenied but I wish to filter out some sources (that
frequently scans for open ports).
Also, I want to limit the amount of LogDenied msg per time (to avoid DoS
caused by logs).
I don't think there is a good way to do this.
I'm kind of surprised LogDenied doesn't have a rate limit. Feel free to
open a RFE on github.
I tested these solutions:
1) Issue direct passthough commands to insert the filter just before log
reject rule. I need to previously know the
rulenum position that is before log reject rule;
2) Add 0.0.0.0/0 to a zone foo and use it as the default zone. Default zone
is then used as a drop/reject only zone. Configure logs as needed using
rich rules in drop/reject only zone.
I think that this breaks the logic what default zone is.
The problems I face:
a) LogDenied is opaque. You cannot change it but with direct passthough.
Maybe it could be configured as a "special zone";
b) Direct passthough depends on a variable rulenum that can change
depending on env setup. I cannot use relative positions like "before the
last two rules";
c) Rich rules cannot be used to log connections that did not match (not
allowed) in the zone as IN_<zone>_log comes before IN_<zone>_reject and
IN_<zone>_accept chains.
(OK, I could reimplement the opposite of all rules that accepts connections
but it would be too complex to manage)
Is there a better solution for all this? A trick with rich rules?
Maybe it would be nice if LogDenied would be a dedicated target chain in
INPUT/FORWARD (i.e.: IN_public_log_denied) or even a generic
IN_public_missed (for connections that did not match any rule inside this
chain, independently from LogDenied value). This way I could insert with
direct passthough rules into this chain for default zone just before
logging (from zone_reject or final_reject).
If you use the default target you should be able to use an --direct
--passthrough to reliably insert a rule at the end of the zone. e.g.
# firewall-cmd --permanent --direct --passthrough ipv4 -A IN_public \
-j LOG --log-prefix "MY PREFIX: "
But this does not affect things explicitly dropped in IN_public_deny.
Sorry I don't have better answers.
Eric.
11:55 a.m.
Thanks Eric,
Using default target and appending IN_public seems to work.
I just need to make it final, not allowing iptables to return to main chain
(INPUT).
I opened a new issue:
https://github.com/firewalld/firewalld/issues/300
Maybe zone target could be a rich rule?
Regards,
Em ter, 27 de fev de 2018 às 11:19, Eric Garver <egarver(a)redhat.com>
escreveu:
On Mon, Feb 26, 2018 at 11:36:08PM +0000, Luiz Angelo Daros de Luca
wrote:
> Hello,
>
> I'm new to firewalld, adapting my env for SLE15 release.
>
> I have a set of zones based on source which selectively open services.
They
> all use target default.
>
> I want to enable LogDenied but I wish to filter out some sources (that
> frequently scans for open ports).
> Also, I want to limit the amount of LogDenied msg per time (to avoid DoS
> caused by logs).
I don't think there is a good way to do this.
I'm kind of surprised LogDenied doesn't have a rate limit. Feel free to
open a RFE on github.
>
> I tested these solutions:
>
> 1) Issue direct passthough commands to insert the filter just before log
> reject rule. I need to previously know the
> rulenum position that is before log reject rule;
> 2) Add 0.0.0.0/0 to a zone foo and use it as the default zone. Default
zone
> is then used as a drop/reject only zone. Configure logs as needed using
> rich rules in drop/reject only zone.
> I think that this breaks the logic what default zone is.
>
> The problems I face:
> a) LogDenied is opaque. You cannot change it but with direct passthough.
> Maybe it could be configured as a "special zone";
> b) Direct passthough depends on a variable rulenum that can change
> depending on env setup. I cannot use relative positions like "before the
> last two rules";
> c) Rich rules cannot be used to log connections that did not match (not
> allowed) in the zone as IN_<zone>_log comes before IN_<zone>_reject and
> IN_<zone>_accept chains.
> (OK, I could reimplement the opposite of all rules that accepts
connections
> but it would be too complex to manage)
>
> Is there a better solution for all this? A trick with rich rules?
>
> Maybe it would be nice if LogDenied would be a dedicated target chain in
> INPUT/FORWARD (i.e.: IN_public_log_denied) or even a generic
> IN_public_missed (for connections that did not match any rule inside this
> chain, independently from LogDenied value). This way I could insert with
> direct passthough rules into this chain for default zone just before
> logging (from zone_reject or final_reject).
If you use the default target you should be able to use an --direct
--passthrough to reliably insert a rule at the end of the zone. e.g.
# firewall-cmd --permanent --direct --passthrough ipv4 -A IN_public \
-j LOG --log-prefix "MY PREFIX: "
But this does not affect things explicitly dropped in IN_public_deny.
Sorry I don't have better answers.
Eric.
--
Luiz Angelo Daros de Luca
luizluca(a)gmail.com
12:49 p.m.
On Tue, Feb 27, 2018 at 05:55:58PM +0000, Luiz Angelo Daros de Luca wrote:
Thanks Eric,
Using default target and appending IN_public seems to work.
I just need to make it final, not allowing iptables to return to main chain
(INPUT).
I opened a new issue:
https://github.com/firewalld/firewalld/issues/300
Maybe zone target could be a rich rule?
I like that a idea. I'll think on it a bit more.
Thanks for writing the RFE.
Eric.
2250
days inactive
2251
days old
firewalld-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Eric Garver -
Luiz Angelo Daros de Luca