On Nov 28, 2014, at 21:41, Jason Frisvold
I'm working on setting up a shiny new CentOS 7.0 box and trying to wrap
my head around firewalld. Generally speaking, firewalld is pretty
straightforward for simple allow/deny, but I can't figure out how to
handle the more complex rules I've been using. I'm hoping someone can
point me in the right direction.
For starters, how do I create a simple spoofing filter? For my current
firewalls, I check source and destination addresses, rejecting anything
that isn't valid. For instance, reject anything sourced from RFC-1918
space that isn't in use in the network, reject anything destined for
broadcast addresses, multicast, etc.
Next up, checking flags. Is this possible with firewalld? Part of my
source address checking includes checks for invalid flags. For
instance, TCP stealth scan checking:
# All of the bits are clear
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state
# Both SYN and FIN are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j
# Both SYN and RST are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j
# Both FIN and RST are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j
# FIN bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j
# PSH bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j
# URG bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j
And finally, ordering. I currently use individual chains for
organization of rulesets. Management chains cover all of the rules
allowing management tools access to the server, chains for source and
destination checks, and a special chain for dropping known
spammer/attacker IPs. Again, it doesn't appear that firewalld handles
this yet. Am I missing something?
I'd like to use firewalld if that's the intended standard, but I don't
want to compromise the ruleset I've built to do so. Can firewalld
handle what I want to throw at it, or should I stick with iptables for now?
Jason 'XenoPhage' Frisvold
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
firewalld-users mailing list
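Added example, not part of the post above and not code from the firewalld project: the three things the post asks for (the tcp-state-flags stealth-scan checks, an RFC-1918/broadcast/multicast anti-spoofing chain, and a separate blocklist chain, all in a fixed order) expressed through firewalld's direct interface (`firewall-cmd --direct`), which is present in the 0.3.x firewalld shipped with CentOS 7.0. Direct rules added to the `INPUT` chain land in firewalld's `INPUT_direct` chain, which firewalld evaluates before its zone chains, and the numeric priority argument gives the ordering the post's separate chains provide today. The interface name `eth0`, the LAN range `192.168.10.0/24` and the two blocklist entries are constructed for the example; the rate-limited LOG-then-DROP chain standing in for `log-tcp-state` is an assumption about what that chain does. The script prints the `firewall-cmd` invocations by default; set `DRY_RUN=0` and `APPLY_NOW=1` to run them.

```shell
#!/bin/sh
# Added example (not from the original post or the firewalld project): the
# poster's iptables checks as firewalld direct rules. Defaults to printing the
# firewall-cmd invocations; DRY_RUN=0 runs them (needs root and firewalld).

# Assumptions, constructed for this example: the LAN is 192.168.10.0/24 on
# eth0; every other RFC-1918 source is unused here and therefore spoofed.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Direct-rule helpers. Everything is --permanent, so it survives a reload;
# rule's arguments are: chain priority iptables-args...
chain() { run --permanent --direct --add-chain ipv4 filter "$1"; }
rule()  { run --permanent --direct --add-rule  ipv4 filter "$@"; }

# 1. TCP flag sanity: the post's tcp-state-flags chain. log-tcp-state is
#    assumed to be "log (rate limited), then drop".
add_flag_checks() {
    chain log-tcp-state
    rule log-tcp-state 0 -m limit --limit 5/min -j LOG --log-prefix TCP-STATE:
    rule log-tcp-state 1 -j DROP

    chain tcp-state-flags
    rule tcp-state-flags 0 -p tcp --tcp-flags ALL NONE -j log-tcp-state        # no bits set
    rule tcp-state-flags 1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state # SYN+FIN
    rule tcp-state-flags 2 -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state # SYN+RST
    rule tcp-state-flags 3 -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state # FIN+RST
    rule tcp-state-flags 4 -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state     # FIN without ACK
    rule tcp-state-flags 5 -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state     # PSH without ACK
    rule tcp-state-flags 6 -p tcp --tcp-flags ACK,URG URG -j log-tcp-state     # URG without ACK
}

# 2. Anti-spoofing: loopback and the real LAN on its own interface are let
#    through; every other private/loopback/multicast source, and anything
#    addressed to broadcast or multicast, is dropped.
add_spoof_checks() {
    chain spoof-check
    rule spoof-check 0 -i lo -j RETURN                 # keep 127/8 usable on lo
    rule spoof-check 1 -i "$LAN_IF" -s "$LAN_NET" -j RETURN
    p=2
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 224.0.0.0/4 0.0.0.0/8; do
        rule spoof-check $p -s "$net" -j DROP
        p=$((p + 1))
    done
    rule spoof-check $p -d 224.0.0.0/4 -j DROP         # multicast destination
    p=$((p + 1))
    rule spoof-check $p -m addrtype --dst-type BROADCAST -j DROP
}

# 3. Known attacker/spammer IPs in their own chain, so entries can be added
#    without touching the rest of the ruleset. Arguments: addresses or CIDRs.
add_blocklist() {
    chain blocklist
    p=0
    for ip in "$@"; do
        rule blocklist $p -s "$ip" -j DROP
        p=$((p + 1))
    done
}

# 4. Ordering: hook the chains into INPUT (firewalld places these in
#    INPUT_direct, ahead of its zone chains); lower priority runs first.
hook_chains() {
    rule INPUT 0 -j blocklist
    rule INPUT 1 -j spoof-check
    rule INPUT 2 -p tcp -j tcp-state-flags
}

apply_all() {
    add_flag_checks
    add_spoof_checks
    add_blocklist 203.0.113.7 198.51.100.0/24   # constructed sample entries (TEST-NET ranges)
    hook_chains
    run --reload                                # --permanent changes need a reload
}

if [ "${APPLY_NOW:-0}" = 1 ]; then apply_all; fi
```

After applying, `firewall-cmd --direct --get-all-rules` lists the rules and `iptables -L INPUT_direct -n` shows the order the kernel actually sees; check that ordering before trusting the spoof chain, since direct rules still run before zone rules rather than replacing them. Later firewalld releases added `--new-ipset` for blocklists, but the chain above needs nothing beyond the direct interface.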