Hello folks,
I participate in developing SCAP content: [1] http://scap.nist.gov/
within the SCAP Security Guide project: [2] https://fedorahosted.org/scap-security-guide/
Within that [2] project we develop security compliance guidance for Red Hat products (content for RHEL-6, RHEL-7 and Fedora already exists; content for products like OpenStack, RHEVM3 and JBossEAP5 still needs care).
While identifying which parts of the existing RHEL-6 content would require modification when porting it to RHEL-7, we identified firewalld as one of the components that might require our attention.
FWIW, regarding firewall configuration, the system administrator's situation changed slightly between RHEL-6 and RHEL-7. At the very least, in RHEL-6 there was the system-config-firewall tool, while in RHEL-7 the firewall can be managed in two ways (when not counting direct iptables command usage):
* via system-config-firewall or
* via firewalld.
From the very introductory article: [3] http://www.oracle-base.com/articles/linux/linux-firewall-firewalld.php
each of these (system-config-firewall & firewalld) constitutes a different approach to the system's firewall administration / management. Starting from differing config files (/etc/sysconfig/iptables and /etc/sysconfig/ip6tables for s-c-f vs. the XML-format configuration files in /usr/lib/firewalld/services -- the service XML templates -- and the actually honoured configuration present in /etc/firewalld/services), through the concept of zones, firewalld introduced a different view of the system's firewall administration / management.
Consider the use case:
-----------------------
What we have now are iptables rules defined in the form acceptable to / generated by s-c-f (for RHEL-6). But when checking a RHEL-7 system for security compliance wrt firewall settings, we will also need to check the newly added config location (/etc/firewalld/services) for whether it contains the corresponding rules expressed in the form accepted / expected by firewalld.
I have searched the firewalld manual pages further and noticed that the firewalld package provides firewall-offline-cmd for cases like this (when the firewalld service isn't running), to migrate older s-c-f rules to the newer firewalld syntax.
I actually went a step further and tried the firewall-offline-cmd --direct --add-rule case.
Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the form of (for simplicity):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
then the corresponding firewall-offline-cmd command syntax that came out from reading of the manual pages for me is as follows:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Execution of this command succeeded & appropriate /etc/firewalld/direct.xml entry was created.
I wanted to ask about the priority parameter ("0" in the above example) -- is it a way to specify the "order / place" at which the rule will be added into the XML file? IOW, would using 0 again a second time mean the second rule is inserted before the already existing rule (i.e. the behaviour of the iptables -I option), whereas using priority 1 would append it instead at the end of the INPUT chain of the filter table (i.e. corresponding to the iptables -A option)?
Another question -- I also noticed that firewalld provides the concept of "richlanguage", which (at least from what I got) allows the administrator to define rules in an iptables-like syntax. Since it's not mentioned in the manual page, does richlanguage support the concept of "match extensions", for example:
-m iprange | -m limit | -m state | -m time | -m account ..
as known / supported by iptables? If yes, what would be the syntax to formulate these in the richlanguage syntax? To mention some examples, suppose the following two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
Is there a way to express them via firewalld's richlanguage constructs, or would the usage of firewall-offline-cmd --direct --add-rule be necessary?
Is it possible to say in general what kinds of former iptables rules can be expressed via richlanguage & what kinds require use of the firewall-offline-cmd tool?
Thank you in advance for your time & reply.
Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
On 08/27/2014 12:39 PM, Jan Lieskovsky wrote:
Hello folks,
Hi iankko,
At the very least, in RHEL-6 there was the system-config-firewall tool, while in RHEL-7 the firewall can be managed in two ways (when not counting direct iptables command usage):
- via system-config-firewall or
- via firewalld.
More precisely, counterpart to system-config-firewall (GUI) in RHEL-6 is firewall-config in RHEL-7. And counterpart to RHEL-7 firewalld (service) are iptables/ip6tables services (not the commands) in RHEL-6.
I have searched the firewalld manual pages further and noticed that the firewalld package provides firewall-offline-cmd for cases like this (when the firewalld service isn't running), to migrate older s-c-f rules to the newer firewalld syntax.
I actually went a step further and tried the firewall-offline-cmd --direct --add-rule case.
Slow down a little ;-) The firewall-offline-cmd man page says that: "If no options are given, configuration from /etc/sysconfig/system-config-firewall will be migrated."
The s-c-firewall creates /etc/sysconfig/iptables (configuration for the iptables service) and also stores the configuration in /etc/sysconfig/system-config-firewall. So if your firewall configuration was created solely with system-config-firewall, you can simply run firewall-offline-cmd without arguments and it should migrate the firewall configuration to /etc/firewalld/zones/<default_zone>.xml (where <default_zone> is taken from /etc/firewalld/firewalld.conf).
Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the form of (for simplicity):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
then the corresponding firewall-offline-cmd command syntax that came out from reading of the manual pages for me is as follows:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Execution of this command succeeded & appropriate /etc/firewalld/direct.xml entry was created.
I wanted to ask about the priority parameter ("0" in the above example) -- is it a way to specify the "order / place" at which the rule will be added into the XML file? IOW, would using 0 again a second time mean the second rule is inserted before the already existing rule (i.e. the behaviour of the iptables -I option), whereas using priority 1 would append it instead at the end of the INPUT chain of the filter table (i.e. corresponding to the iptables -A option)?
It doesn't specify how they will appear in the XML file, but the order in which they'll appear in iptables. Try to add some rules and check the iptables-save output and you'll see.
firewalld.direct(5) says: "The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following."
Another question -- I also noticed that firewalld provides the concept of "richlanguage", which (at least from what I got) allows the administrator to define rules in an iptables-like syntax. Since it's not mentioned in the manual page, does richlanguage support the concept of "match extensions", for example:
-m iprange | -m limit | -m state | -m time | -m account ..
No AFAIK.
as known / supported by iptables? If yes, what would be the syntax to formulate these in the richlanguage syntax? To mention some examples, suppose the following two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
Is there a way to express them via firewalld's richlanguage constructs, or would the usage of firewall-offline-cmd --direct --add-rule be necessary?
The latter one, I'm afraid.
Is it possible to say in general what kinds of former iptables rules can be expressed via richlanguage & what kinds require use of the firewall-offline-cmd tool?
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Examples might give you some overview.
-- Jiri
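To make the ordering rule from firewalld.direct(5) quoted above concrete, here is an added Python example (not code from this thread or from firewalld) that parses a constructed direct.xml in the same element layout and lists each chain's rules in priority order, flagging priorities shared by several rules, whose relative order is not guaranteed.

```python
"""Order firewalld direct rules the way firewalld.direct(5) describes.

Added example, not code from the thread or the firewalld project. Parses a
constructed /etc/firewalld/direct.xml (<rule ipv table chain priority>args</rule>)
and lists, per chain, the rules in the order firewalld feeds them to iptables.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the format of /etc/firewalld/direct.xml.
SAMPLE_DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="10">-j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="1">-p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT</rule>
</direct>
"""

def parse_direct_rules(xml_text):
    """Return [(ipv, table, chain, priority, args), ...] from direct.xml text."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        rules.append((r.get("ipv"), r.get("table"), r.get("chain"),
                      int(r.get("priority", "0")), (r.text or "").strip()))
    return rules

def ordered_by_chain(rules):
    """Group rules per (ipv, table, chain), sorted by ascending priority:
    priority 0 ends up on top, higher priorities further down. Python's sort
    is stable, so ties keep file order here; firewalld promises no such order."""
    chains = defaultdict(list)
    for ipv, table, chain, prio, args in rules:
        chains[(ipv, table, chain)].append((prio, args))
    return {key: sorted(lst, key=lambda pa: pa[0]) for key, lst in chains.items()}

def ambiguous_priorities(rules):
    """Priorities shared by more than one rule in the same chain. Their relative
    order is undefined, which matters when one of them has a terminating target."""
    seen = defaultdict(lambda: defaultdict(int))
    for ipv, table, chain, prio, _ in rules:
        seen[(ipv, table, chain)][prio] += 1
    return {key: sorted(p for p, n in counts.items() if n > 1)
            for key, counts in seen.items() if any(n > 1 for n in counts.values())}

if __name__ == "__main__":
    parsed = parse_direct_rules(SAMPLE_DIRECT_XML)
    for (ipv, table, chain), ordered in ordered_by_chain(parsed).items():
        print(f"{ipv} -t {table} chain {chain}:")
        for prio, args in ordered:
            print(f"  [priority {prio}] {args}")
    print("shared priorities:", ambiguous_priorities(parsed))
```

In the sample, the two priority-1 rules may end up in either order, while the priority-10 "-j DROP" is guaranteed to sit below both accept rules.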
Hello Jiri,
thank you for your reply.
----- Original Message -----
From: "Jiri Popelka" jpopelka@redhat.com
To: "Firewalld users discussion list" firewalld-users@lists.fedorahosted.org, "Jan Lieskovsky" jlieskov@redhat.com
Sent: Friday, August 29, 2014 6:43:29 PM
Subject: Re: Appreciated hints about expected exact firewall-offline-cmd --direct --add-rule / --query-rule syntax (mainly about the priority field) or corresponding richlanguage syntax
On 08/27/2014 12:39 PM, Jan Lieskovsky wrote:
Hello folks,
Hi iankko,
At the very least, in RHEL-6 there was the system-config-firewall tool, while in RHEL-7 the firewall can be managed in two ways (when not counting direct iptables command usage):
- via system-config-firewall or
- via firewalld.
More precisely, counterpart to system-config-firewall (GUI) in RHEL-6 is firewall-config in RHEL-7. And counterpart to RHEL-7 firewalld (service) are iptables/ip6tables services (not the commands) in RHEL-6.
I have searched the firewalld manual pages further and noticed that the firewalld package provides firewall-offline-cmd for cases like this (when the firewalld service isn't running), to migrate older s-c-f rules to the newer firewalld syntax.
I actually went a step further and tried the firewall-offline-cmd --direct --add-rule case.
Slow down a little ;-) The firewall-offline-cmd man page says that: "If no options are given, configuration from /etc/sysconfig/system-config-firewall will be migrated."
Ok, so not /etc/sysconfig/iptables directly, but /etc/sysconfig/s-c-f instead.
The s-c-firewall creates /etc/sysconfig/iptables (configuration for the iptables service) and also stores the configuration in /etc/sysconfig/system-config-firewall. So if your firewall configuration was created solely with system-config-firewall, you can simply run firewall-offline-cmd without arguments and it should migrate the firewall configuration to /etc/firewalld/zones/<default_zone>.xml (where <default_zone> is taken from /etc/firewalld/firewalld.conf).
So maybe the question then is how to create that original configuration for the system-config-firewall utility first. Suppose a request for the presence of a rule (in /etc/sysconfig/iptables) of the form:
*filter
:INPUT DROP [0:0]
to drop all incoming traffic. How would this requirement be achieved in system-config-firewall (and subsequently in firewall-config) UI?
I have noticed that, since the 'public' zone is the default one (from /etc/firewalld/firewalld.conf), when there aren't any <service> elements in /etc/firewalld/zones/public.xml under the <short> and <description> elements, all incoming connections are prohibited.
As suggested by the first reply in: https://ask.fedoraproject.org/en/question/49976/does-firewalld-block-outgoin...
Suppose the old rule (from /etc/sysconfig/iptables for IPv4) has the form of (for simplicity):
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
then the corresponding firewall-offline-cmd command syntax that came out from reading of the manual pages for me is as follows:
# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Execution of this command succeeded & appropriate /etc/firewalld/direct.xml entry was created.
I wanted to ask about the priority parameter ("0" in the above example) -- is it a way to specify the "order / place" at which the rule will be added into the XML file? IOW, would using 0 again a second time mean the second rule is inserted before the already existing rule (i.e. the behaviour of the iptables -I option), whereas using priority 1 would append it instead at the end of the INPUT chain of the filter table (i.e. corresponding to the iptables -A option)?
It doesn't specify how they will appear in the XML file, but the order in which they'll appear in iptables. Try to add some rules and check the iptables-save output and you'll see.
firewalld.direct(5) says: "The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following."
Another question -- I also noticed that firewalld provides the concept of "richlanguage", which (at least from what I got) allows the administrator to define rules in an iptables-like syntax. Since it's not mentioned in the manual page, does richlanguage support the concept of "match extensions", for example:
-m iprange | -m limit | -m state | -m time | -m account ..
No AFAIK.
as known / supported by iptables? If yes, what would be the syntax to formulate these in the richlanguage syntax? To mention some examples, suppose the following two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
Is there a way to express them via firewalld's richlanguage constructs, or would the usage of firewall-offline-cmd --direct --add-rule be necessary?
The latter one, I'm afraid.
If that's the case, what should the firewall-offline-cmd form look like for the above INPUT DROP [0:0] rule? Having the 'public' zone selected, clicking on the "Rich Rules" tab and clicking the "Add" button, a "Rich Rule" dialog is displayed.
The family would be "ipv4", Action "drop". But when trying to specify "[0:0]", that format is not allowed in the source address field, and there also isn't a Filter element in the 'Element' drop-down widget / select box. The only thing that seems possible to select is the 'tcp' protocol, forgetting about the chain.
Can you suggest which source address should be used in this case? Or if no source address is provided, does it imply all incoming packets (packets coming from whatever source address) will be dropped? -- btw. from testing, the latter seems to be the case.
So having the:
*filter
:INPUT DROP [0:0]
old iptables form requirement, the solution wrt the equivalent firewalld configuration seems to be to check either:
* get the default zone from /etc/firewalld/firewalld.conf, then check whether the *.xml file of that zone doesn't contain any listed <service> elements, or
* check for the presence of a rich rule of the form:
<rule family="ipv4">
  <protocol value="tcp"/>
  <drop/>
</rule>
in the zone XML file for the default zone.
Can you confirm this?
Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team
Is it possible to say in general what kinds of former iptables rules can be expressed via richlanguage & what kinds require use of the firewall-offline-cmd tool?
http://fedoraproject.org/wiki/Features/FirewalldRichLanguage#Examples might give you some overview.
-- Jiri
On 09/11/2014 04:55 PM, Jan Lieskovsky wrote:
So maybe the question then is how to create that original configuration for the system-config-firewall utility first. Suppose a request for the presence of a rule (in /etc/sysconfig/iptables) of the form:
*filter
:INPUT DROP [0:0]
to drop all incoming traffic. How would this requirement be achieved in system-config-firewall (and subsequently in firewall-config) UI?
I don't think this is possible in s-c-firewall, but I might be wrong. With firewalld it's as easy as setting Target to DROP, which is what the drop zone does (in firewall-config switch to Permanent, click 'Edit Zone' and see Target).
I have noticed that, since the 'public' zone is the default one (from /etc/firewalld/firewalld.conf), when there aren't any <service> elements in /etc/firewalld/zones/public.xml under the <short> and <description> elements, all incoming connections are prohibited.
That's correct, yes, but it allows incoming ICMP messages. If you want to prohibit everything, change target to DROP/%%REJECT%% (see target description in firewalld.zone man page) or use drop/block zone.
as known / supported by iptables? If yes, what would be the syntax to formulate these in the richlanguage syntax? To mention some examples, suppose the following two rules:
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 10 -j ACCEPT
iptables -A INPUT -p tcp --dport 50:55 -m iprange --dst-range 192.168.0.1-192.168.0.10 -j ACCEPT
Is there a way to express them via firewalld's richlanguage constructs, or would the usage of firewall-offline-cmd --direct --add-rule be necessary?
The latter one, I'm afraid.
If that's the case, what should the firewall-offline-cmd form look like for the above INPUT DROP [0:0] rule? Having the 'public' zone selected, clicking on the "Rich Rules" tab and clicking the "Add" button, a "Rich Rule" dialog is displayed.
The family would be "ipv4", Action "drop". But when trying to specify "[0:0]", that format is not allowed in the source address field, and there also isn't a Filter element in the 'Element' drop-down widget / select box. The only thing that seems possible to select is the 'tcp' protocol, forgetting about the chain.
Can you suggest which source address should be used in this case? Or if no source address is provided, does it imply all incoming packets (packets coming from whatever source address) will be dropped? -- btw. from testing, the latter seems to be the case.
So having the:
*filter
:INPUT DROP [0:0]
old iptables form requirement, the solution wrt the equivalent firewalld configuration seems to be to check either:
* get the default zone from /etc/firewalld/firewalld.conf, then check whether the *.xml file of that zone doesn't contain any listed <service> elements, or
* check for the presence of a rich rule of the form:
<rule family="ipv4">
  <protocol value="tcp"/>
  <drop/>
</rule>
in the zone XML file for the default zone.
Can you confirm this?
Jan, I'm afraid I don't understand what you're trying to achieve. I think it'd be much easier if we can talk about this off-list, just ping me when you're ready.
-- Jiri
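As an added example (not code from this thread or from firewalld) that applies Jiri's answer above, the following Python reads the default zone from a constructed firewalld.conf and checks whether that zone's XML really blocks all unsolicited input: the tcp-only drop rich rule proposed earlier leaves the zone target at "default" (ICMP and other protocols still get through), whereas a zone with target="DROP" and no accepting elements is the counterpart of ":INPUT DROP". The file contents are constructed samples, not real system files.

```python
"""Does a firewalld zone behave like ':INPUT DROP' for unsolicited traffic?

Added example, not code from the thread or the firewalld project. It applies
the reply above: an empty <service> list still admits ICMP, so the zone target
must be DROP (or %%REJECT%%) and the zone must carry no accepting elements.
"""
import re
import xml.etree.ElementTree as ET

# Constructed samples in the layout of firewalld.conf and zones/<zone>.xml.
SAMPLE_FIREWALLD_CONF = "# constructed\nDefaultZone=public\nMinimalMark=100\n"
SAMPLE_ZONES = {
    # Services removed plus a tcp-only drop rich rule, as tried in the thread:
    # target stays "default", so ICMP and non-tcp traffic are not dropped.
    "public": '<zone><short>Public</short>'
              '<rule family="ipv4"><protocol value="tcp"/><drop/></rule></zone>',
    # What the reply recommends: target DROP and nothing accepted.
    "drop": '<zone target="DROP"><short>Drop</short></zone>',
}

# Zone-level elements that open traffic regardless of the zone target.
ACCEPTING = ("service", "port", "protocol", "source-port")

def default_zone(conf_text):
    """DefaultZone= from firewalld.conf; 'public' is assumed when it is unset."""
    m = re.search(r"^\s*DefaultZone\s*=\s*(\S+)", conf_text, re.M)
    return m.group(1) if m else "public"

def assess_zone(zone_xml):
    """Report target, accepting elements, and whether all unsolicited input is
    blocked. %%REJECT%% answers with a rejection instead of silently dropping,
    so an exact ':INPUT DROP' counterpart is target DROP with nothing accepted."""
    root = ET.fromstring(zone_xml)
    target = root.get("target", "default")
    allows = [el.tag for el in root if el.tag in ACCEPTING]
    allows += ["rich:accept" for r in root.iter("rule") if r.find("accept") is not None]
    return {
        "target": target,
        "allows": allows,
        "blocks_all_unsolicited": target in ("DROP", "%%REJECT%%") and not allows,
    }

def check_default_zone(conf_text, zones):
    """Resolve the default zone and assess it; zones maps zone name -> XML text."""
    name = default_zone(conf_text)
    return name, assess_zone(zones[name])

if __name__ == "__main__":
    name, verdict = check_default_zone(SAMPLE_FIREWALLD_CONF, SAMPLE_ZONES)
    print(name, verdict)
    print("drop", assess_zone(SAMPLE_ZONES["drop"]))
```

On a real RHEL-7 host the same functions would be fed the contents of /etc/firewalld/firewalld.conf and /etc/firewalld/zones/<zone>.xml, falling back to /usr/lib/firewalld/zones/<zone>.xml for zones that were never customised.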