Appreciated hints about expected exact firewall-offline-cmd --direct --add-rule / --query-rule syntax (mainly about the priority field) or corresponding richlanguage syntax
5:39 a.m.
Hello folks,
I participate on developing SCAP content:
[1] http://scap.nist.gov/
within the SCAP Security Guide project:
[2] https://fedorahosted.org/scap-security-guide/
Within that [2] project we develop security compliance guidance for Red Hat
products (content for RHEL-6, RHEL-7, Fedora already exist, content for products
like OpenStack, RHEVM3, JBossEAP5 needs care yet).
Within the process of identification, which parts of existing RHEL-6 content
would require modification when trying to port it to RHEL-7 we identified firewalld
as one of the components, that might require our attention.
FWIW regarding firewall configuration the system administrators situation slightly
changed when considering RHEL-6 and RHEL-7. For the very least, in RHEL-6 there was
system-config-firewall tool, which in RHEL-7 the firewall can be managed in two ways
(when not counting direct iptables command usage):
* via system-config-firewall or
* via firewalld.
From the very introductory article:
[3] http://www.oracle-base.com/articles/linux/linux-firewall-firewalld.php
each of these (system-config-firewall & firewalld) constitute different approaches
to the system's firewall administration / management. Starting from differing
config files (/etc/sysconfig/iptables, /etc/sysconfig/ip6tables for s-c-f vs
the XML format based configuration files in /usr/lib/firewalld/services -- the
services XML templates, and actually honoured configuration present in
/etc/firewalld/services), through the concept of zones, firewalld introduced a
different view at system's firewall administration / management.
Consider the use case:
-----------------------
What we have now are iptables rules defined in the form acceptable / generated
by s-c-f (for RHEL-6). But when checking RHEL-7 system to be security compliant
wrt to firewall settings we will also need to check the newly added config location
(/etc/firewalld/services) if it contains the corresponding rules expressed in the
form as accepted / expected by firewalld.
Have searched the firewalld manual pages deeper and noticed firewalld package
provides firewall-offline-cmd for cases like this (when the firewalld service isn't
running) to migrate older s-c-f rules to newer firewalld syntax.
Actually moved yet further, and tried firewall-offline-cmd --direct --add-rule
case.
Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the form of
(for simplicity):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
then the corresponding firewall-offline-cmd command syntax that came out from
reading of the manual pages for me is as follows:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state
NEW -m tcp --dport 22 -j ACCEPT
Execution of this command succeeded & appropriate /etc/firewalld/direct.xml entry
was created.
Wanted to ask regarding the priority parameter ("0" in the above example) -- is
it
a way how to specify "order / place" into which the rule would be added into
the
XML file? IOW using 0 again second time would mean the second rule would be inserted
before the already existing rule (e.g. the behaviour of -I iptables option) or when
using priority 1 it would be appended instead at the end of the filter table & INPUT
chain of it (e.g. the behaviour would correspond to -A iptables option)?
Another question being -- also noticed firewalld provides concept of
"richlanguage"
which allows (at least from what I got) the administrator to define the rules in
the iptables-like syntax. Since it's not mentioned in the manual page, does
richlanguage
support concept of "match extensions", e.g. for example:
-m iprange | -m limit | -m state | -m time | -m account ..
as known / supported by iptables? If yes, what would be the syntax to formulate these
in the richlanguage syntax? To mention some examples, suppose the following two
rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10
-j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10
-j ACCEPT
Is there a way how to express them via firewalld's richlanguage constructs or would
the usage of firewall-offline-cmd --direct --add-rule be necessary?
Is it possible to commonly express what kind of former iptables rules are possible
to express via richlanguage & what kind of rules require use of firewall-offline-cmd
tool?
Thank you in advance for your time & reply.
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
11:43 a.m.
On 08/27/2014 12:39 PM, Jan Lieskovsky wrote:
Hello folks,
Hi iankko,
For the very least, in RHEL-6 there was
system-config-firewall tool, which in RHEL-7 the firewall can be managed in two ways
(when not counting direct iptables command usage):
* via system-config-firewall or
* via firewalld.
More precisely, counterpart to system-config-firewall (GUI) in RHEL-6 is
firewall-config in RHEL-7. And counterpart to RHEL-7 firewalld (service)
are iptables/ip6tables services (not the commands) in RHEL-6.
Have searched the firewalld manual pages deeper and noticed
firewalld package
provides firewall-offline-cmd for cases like this (when the firewalld service isn't
running) to migrate older s-c-f rules to newer firewalld syntax.
Actually moved yet further, and tried firewall-offline-cmd --direct --add-rule
case.
Slow down a little ;-)
The firewall-offline-cmd man page says, that:
"If no options are given, configuration from
/etc/sysconfig/system-config-firewall will be migrated."
The s-c-firewall creates /etc/sysconfig/iptables (configuration for
iptables service) and also stores the configuration in
/etc/sysconfig/system-config-firewall.
So if your firewall configuration was created solely with
system-config-firewall you can simply run firewall-offline-cmd without
arguments and it should migrate the firewall configuration to a
/etc/firewalld/zones/<default_zone>.xml (where <default_zone> is taken
from /etc/firewalld/firewalld.conf)
Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has
the form of
(for simplicity):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
then the corresponding firewall-offline-cmd command syntax that came out from
reading of the manual pages for me is as follows:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state
--state NEW -m tcp --dport 22 -j ACCEPT
Execution of this command succeeded & appropriate /etc/firewalld/direct.xml entry
was created.
Wanted to ask regarding the priority parameter ("0" in the above example) -- is
it
a way how to specify "order / place" into which the rule would be added into
the
XML file? IOW using 0 again second time would mean the second rule would be inserted
before the already existing rule (e.g. the behaviour of -I iptables option) or when
using priority 1 it would be appended instead at the end of the filter table & INPUT
chain of it (e.g. the behaviour would correspond to -A iptables option)?
It doesn't specify how they will in the XML file, but the order how
they'll appear in iptables. Try to add some rules and check
iptables-save output and you'll see.
firewalld.direct(5) says:
"The priority is used to order rules. Priority 0 means add rule on top
of the chain, with a higher priority the rule will be added further
down. Rules with the same priority are on the same level
and the order of these rules is not fixed and may change. If you want to
make sure that a rule will be added after another one, use a low
priority for the first and a higher for the following."
Another question being -- also noticed firewalld provides concept of
"richlanguage"
which allows (at least from what I got) the administrator to define the rules in
the iptables-like syntax. Since it's not mentioned in the manual page, does
richlanguage
support concept of "match extensions", e.g. for example:
-m iprange | -m limit | -m state | -m time | -m account ..
No AFAIK.
as known / supported by iptables? If yes, what would be the syntax to
formulate these
in the richlanguage syntax? To mention some examples, suppose the following two
rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst
10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10
-j ACCEPT
Is there a way how to express them via firewalld's richlanguage constructs or would
the usage of firewall-offline-cmd --direct --add-rule be necessary?
The later one I'm afraid.
Is it possible to commonly express what kind of former iptables rules
are possible
to express via richlanguage & what kind of rules require use of firewall-offline-cmd
tool?
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Examples
might give you some overview.
--
Jiri
9:55 a.m.
Hello Jiri,
thank you for your reply.
----- Original Message -----
From: "Jiri Popelka" <jpopelka(a)redhat.com>
To: "Firewalld users discussion list"
<firewalld-users(a)lists.fedorahosted.org>, "Jan Lieskovsky"
<jlieskov(a)redhat.com>
Sent: Friday, August 29, 2014 6:43:29 PM
Subject: Re: Appreciated hints about expected exact firewall-offline-cmd --direct
--add-rule / --query-rule syntax
(mainly about the priority field) or corresponding richlanguage syntax
On 08/27/2014 12:39 PM, Jan Lieskovsky wrote:
> Hello folks,
Hi iankko,
> For the very least, in RHEL-6 there was
> system-config-firewall tool, which in RHEL-7 the firewall can be managed in
> two ways
> (when not counting direct iptables command usage):
> * via system-config-firewall or
> * via firewalld.
More precisely, counterpart to system-config-firewall (GUI) in RHEL-6 is
firewall-config in RHEL-7. And counterpart to RHEL-7 firewalld (service)
are iptables/ip6tables services (not the commands) in RHEL-6.
> Have searched the firewalld manual pages deeper and noticed firewalld
> package
> provides firewall-offline-cmd for cases like this (when the firewalld
> service isn't
> running) to migrate older s-c-f rules to newer firewalld syntax.
>
> Actually moved yet further, and tried firewall-offline-cmd --direct
> --add-rule
> case.
Slow down a little ;-)
The firewall-offline-cmd man page says, that:
"If no options are given, configuration from
/etc/sysconfig/system-config-firewall will be migrated."
Ok, so not /etc/sysconfig/iptables directly, but /etc/sysconfig/s-c-f instead.
The s-c-firewall creates /etc/sysconfig/iptables (configuration for
iptables service) and also stores the configuration in
/etc/sysconfig/system-config-firewall.
So if your firewall configuration was created solely with
system-config-firewall you can simply run firewall-offline-cmd without
arguments and it should migrate the firewall configuration to a
/etc/firewalld/zones/<default_zone>.xml (where <default_zone> is taken
from /etc/firewalld/firewalld.conf)
So maybe the question then is how to create that original configuration
for system-config-firewall utility first. Suppose a request for presence
of a rule (in /etc/sysconfig/iptables) of the form of:
*filter
:INPUT DROP [0:0]
to drop all incoming traffic. How would this requirement be achieved
in system-config-firewall (and subsequently in firewall-config) UI?
I have noticed, that since 'public' zone is the default one (from
/etc/firewalld/firewalld.conf) and when there aren't any <service>
elements in the /etc/firewalld/zones/public.xml under the <short>
and <description> elements all incoming connections are prohibited.
As suggested by the first reply in:
https://ask.fedoraproject.org/en/question/49976/does-firewalld-block-outg...
> Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the
> form of
> (for simplicity):
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>
> then the corresponding firewall-offline-cmd command syntax that came out
> from
> reading of the manual pages for me is as follows:
>
> # firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp
> -m state --state NEW -m tcp --dport 22 -j ACCEPT
>
> Execution of this command succeeded & appropriate /etc/firewalld/direct.xml
> entry
> was created.
>
> Wanted to ask regarding the priority parameter ("0" in the above example)
> -- is it
> a way how to specify "order / place" into which the rule would be added
> into the
> XML file? IOW using 0 again second time would mean the second rule would be
> inserted
> before the already existing rule (e.g. the behaviour of -I iptables option)
> or when
> using priority 1 it would be appended instead at the end of the filter
> table & INPUT
> chain of it (e.g. the behaviour would correspond to -A iptables option)?
It doesn't specify how they will in the XML file, but the order how
they'll appear in iptables. Try to add some rules and check
iptables-save output and you'll see.
firewalld.direct(5) says:
"The priority is used to order rules. Priority 0 means add rule on top
of the chain, with a higher priority the rule will be added further
down. Rules with the same priority are on the same level
and the order of these rules is not fixed and may change. If you want to
make sure that a rule will be added after another one, use a low
priority for the first and a higher for the following."
> Another question being -- also noticed firewalld provides concept of
> "richlanguage"
> which allows (at least from what I got) the administrator to define the
> rules in
> the iptables-like syntax. Since it's not mentioned in the manual page, does
> richlanguage
> support concept of "match extensions", e.g. for example:
>
> -m iprange | -m limit | -m state | -m time | -m account ..
No AFAIK.
> as known / supported by iptables? If yes, what would be the syntax to
> formulate these
> in the richlanguage syntax? To mention some examples, suppose the following
> two
> rules:
>
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s
> --limit-burst 10 -j ACCEPT
> iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range
> 192.168.0.1-192.168.0.10 -j ACCEPT
>
> Is there a way how to express them via firewalld's richlanguage constructs
> or would
> the usage of firewall-offline-cmd --direct --add-rule be necessary?
The later one I'm afraid.
If that's the case, how the firewall-offline-cmd form should look like for
the above INPUT DROP [0:0] rule? Having the 'public' zone selected, clicking
on "Rich Rules" tab, clicking "Add" button, an "Rich Rule"
dialog is displayed.
The family would be "ipv4", Action "drop". But when trying to specify
"[0:0]"
the format it's not allowed to be added into source address, and there also isn't
Filter element in the 'Element' drop down widget / select box. The only thing
that's possible to select seem to be to use 'tcp' protocol & forget about
chain.
Can you suggest which source address should be used in this case? Or if no source
address is provided, does it imply all incoming packets (packets coming from whatever
source address) will be dropped? -- btw. from testing, the latter seems to be the case.
So having the:
*filter
:INPUT DROP [0:0]
old iptables form requirement, the solution wrt to equivalent firewalld configuration
seems to be check either for:
* get default zone from /etc/firewalld/firewalld.conf, then check *.xml file of that
zone of it doesn't contain some listed <service> elements, or
* check for presence of richrule rule of the form of:
<rule family="ipv4">
<protocol value="tcp"/>
</drop>
</rule>
in the zone XML file for the default zone.
Can you confirm this?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
> Is it possible to commonly express what kind of former iptables rules are
> possible
> to express via richlanguage & what kind of rules require use of
> firewall-offline-cmd
> tool?
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Examples
might give you some overview.
--
Jiri
7:28 a.m.
On 09/11/2014 04:55 PM, Jan Lieskovsky wrote:
So maybe the question then is how to create that original
configuration
for system-config-firewall utility first. Suppose a request for presence
of a rule (in /etc/sysconfig/iptables) of the form of:
*filter
:INPUT DROP [0:0]
to drop all incoming traffic. How would this requirement be achieved
in system-config-firewall (and subsequently in firewall-config) UI?
I don't think this is possible in s-c-firewall, but I might be wrong.
With firewalld it's as easy as setting Target to DROP, which is what
drop zone does (in firewalld-config switch to Permanent, click 'Edit
Zone' and see Target).
I have noticed, that since 'public' zone is the default one
(from
/etc/firewalld/firewalld.conf) and when there aren't any <service>
elements in the /etc/firewalld/zones/public.xml under the <short>
and <description> elements all incoming connections are prohibited.
That's correct, yes, but it allows incoming ICMP messages. If you want
to prohibit everything, change target to DROP/%%REJECT%% (see target
description in firewalld.zone man page) or use drop/block zone.
>> as known / supported by iptables? If yes, what would be the
syntax to
>> formulate these
>> in the richlanguage syntax? To mention some examples, suppose the following
>> two
>> rules:
>>
>> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s
>> --limit-burst 10 -j ACCEPT
>> iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range
>> 192.168.0.1-192.168.0.10 -j ACCEPT
>>
>> Is there a way how to express them via firewalld's richlanguage constructs
>> or would
>> the usage of firewall-offline-cmd --direct --add-rule be necessary?
>
> The later one I'm afraid.
If that's the case, how the firewall-offline-cmd form should look like for
the above INPUT DROP [0:0] rule? Having the 'public' zone selected, clicking
on "Rich Rules" tab, clicking "Add" button, an "Rich Rule"
dialog is displayed.
The family would be "ipv4", Action "drop". But when trying to specify
"[0:0]"
the format it's not allowed to be added into source address, and there also
isn't
Filter element in the 'Element' drop down widget / select box. The only thing
that's possible to select seem to be to use 'tcp' protocol & forget about
chain.
Can you suggest which source address should be used in this case? Or if no source
address is provided, does it imply all incoming packets (packets coming from whatever
source address) will be dropped? -- btw. from testing, the latter seems to be the case.
So having the:
*filter
:INPUT DROP [0:0]
old iptables form requirement, the solution wrt to equivalent firewalld configuration
seems to be check either for:
* get default zone from /etc/firewalld/firewalld.conf, then check *.xml file of that
zone of it doesn't contain some listed <service> elements, or
* check for presence of richrule rule of the form of:
<rule family="ipv4">
<protocol value="tcp"/>
</drop>
</rule>
in the zone XML file for the default zone.
Can you confirm this?
Jan, I'm afraid I don't understand what you're trying to achieve.
I think it'd be much easier if we can talk about this off-list, just
ping me when you're ready.
--
Jiri
3508
days inactive
3528
days old
firewalld-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Jan Lieskovsky -
Jiri Popelka