Red Hat Enterprise Linux Implementation

Firewall Configuration

Module Topics

netfilter
firewalld
Predefined Zones
Predefined Services
Firewall Configuration Methods
firewall-config
firewall-cmd

`netfilter`

Linux kernel includes netfilter subsystem
Allows kernel modules to inspect incoming, outgoing and forwarded packets
Can modify, drop, or reject packets in programmatic way before reaching user space components
Main building block for firewall on Red Hat Enterprise Linux 7
Other programs interact with netfilter, such as:
- iptables
- ip6tables for IPv6
- ebtables for software bridges

Transcript:

The Linux kernel includes a powerful network filtering subsystem, netfilter. The netfilter subsystem allows kernel modules to inspect every packet traversing the system. This means any incoming, outgoing, or forwarded network packet can be inspected, modified, dropped, or rejected in a programmatic way, before reaching components in user space. This is the main building block for building a firewall on a Red Hat Enterprise Linux 7 machine.

Although it is theoretically possible for system administrators to write their own kernel modules to interact with netfilter, this is typically not done. Instead, other programs are used to interact with netfilter. One of the most common and well-known of these programs is iptables. In previous Red Hat Enterprise Linux releases, iptables was the main method of interacting with the kernel netfilter subsystem. The iptables command is a low-level tool, and it can be challenging to correctly manage firewalls with that tool. In addition, it only adjusts IPv4 firewall rules. Other utilities, such as ip6tables for IPv6 and ebtables for software bridges, need to be used for more complete firewall coverage.

`firewalld`

New method of interacting with netfilter
System daemon can configure and monitor system firewall rules
Applications can request ports to be opened using DBus messaging system
- Feature can be disabled or locked down
Covers IPv4, IPv6, and potentially ebtables settings
Install package part of basic install
- Not part of minimal install
Classifies and diverts network traffic into zones
- Zones have own firewall rules
- Zones have own list of ports and services to be opened or closed
Can use NetworkManager for machines that regularly change networks
- Customize zone rules for each connection

Transcript:

In Red Hat Enterprise Linux 7 a new method of interacting with netfilter has been introduced: firewalld. firewalld is a system daemon that can configure and monitor the system firewall rules. Applications can talk to firewalld to request ports to be opened using the DBus messaging system, a feature which can be disabled or locked down). It both covers IPv4, IPv6, and potentially ebtables settings. The firewalld daemon is installed from the firewalld package. This package is part of a base install, but not part of a minimal install.

firewalld simplifies firewall management by classifying all network traffic into zones. Based on criteria such as the source IP address of a packet or the incoming network interface, traffic is then diverted into the firewall rules for the appropriate zone. Each zone can have its own list of ports and services to be opened or closed.

For laptops or other machines that regularly change networks, NetworkManager can be used to automatically set the firewall zone for a connection. The zones can be customized with rules appropriate for particular connections. This is especially useful when traveling between home, work, and public wireless networks. A user might want their system’s sshd service to be reachable when connected to their home and corporate networks, but not when connected to the public wireless network in the local coffee shop.

`firewalld`

firewalld checks source address of every incoming packet
- If source address is tied to specific zone, zone’s rules are parsed
- If source address is not tied to zone, uses zone for incoming network interface
  - If network interface is not tied to a zone, uses default zone
Default zone is not separate zone
- It is another zone specified as default
- public zone is used by default
- System admin can change default zone
Most zones permit traffic which matches specific ports/protocols ("631/udp") or predefined services ("ssh")
- Non-matching traffic is rejected
- Trusted zone is one exception
  - Permits all traffic by default

Transcript:

Every packet that comes into the system will first be checked for its source address. If that source address is tied to a specific zone, the rules for that zone will be parsed. If the source address is not tied to a zone, the zone for the incoming network interface will be used.

If the network interface is not associated with a zone for some reason, the default zone will be used. The default zone is not a separate zone itself; it is one of the other zones. The public zone is used by default, but this can be changed by a system administrator.

Most zones will allow traffic through the firewall which matches a list of particular ports and protocols ("631/udp") or predefined services ("ssh"). If the traffic does not match a permitted port/protocol or service, it will generally be rejected. (The trusted zone, which permits all traffic by default, is one exception to this.)

Predefined Zones

Zone name

Default configuration

trusted

Allow all incoming traffic.

home

Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services.

internal

Reject incoming traffic unless related to outgoing traffic or matching the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services (same as the home zone to start with).

work

Reject incoming traffic unless related to outgoing traffic or matching the ssh, ipp-client, or dhcpv6-client predefined services.

public

Reject incoming traffic unless related to outgoing traffic or matching the ssh or dhcpv6-client predefined services. The default zone for newly-added network interfaces.

external

Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded to look like it originated from the IPv4 address of the outgoing network interface.

dmz

Reject incoming traffic unless related to outgoing traffic or matching the ssh predefined service.

block

Reject all incoming traffic unless related to outgoing traffic.

drop

Drop all incoming traffic unless related to outgoing traffic. Do not even respond with ICMP errors.

Reference

firewalld.zones(5) man page

Predefined Services

Service name

Configuration

ssh

Local SSH server. Traffic to 22/tcp.

dhcpv6-client

Local DHCPv6 client. Traffic to 546/udp on the fe80::/64 IPv6 network.

ipp-client

Local IPP printing. Traffic to 631/udp.

samba-client

Local Windows file and print sharing client. Traffic to 137/udp and 138/udp.

mdns

Multicast DNS (mDNS) local-link name resolution. Traffic to 5353/udp to the 224.0.0.251 (IPv4) or ff02::fb (IPv6) multicast addresses.

To see a complete list of predefined services, use firewall-cmd --get-services
Configuration files that define which services are included in firewalld package are in /usr/lib/firewalld/services
- Format defined by firewalld.zone(5)
System administrators new to firewalld should either:
- Use predefined services
- Explicitly specify port/protocol to permit
To review predefined services and define additional services, use firewall-config graphical tool

Transcript:

firewalld also ships with a number of predefined services. These service definitions can be used to easily permit traffic for particular network services to pass through the firewall. The following table details the configuration of the predefined services used in the default configuration of the firewall zones.

Many other predefined services exist. The firewall-cmd --get-services command will list them. The configuration files that define the ones included in the firewalld package can be found in the /usr/lib/firewalld/services directory, in a format defined by firewalld.zone(5). We will not discuss these files further in this chapter.

For the purposes of this chapter, the easiest options for a system administrator new to firewalld is to either use predefined services or to explicitly specify the port/protocol they wish to permit. The firewall-config graphical tool can also be used to review predefined services and to define additional services.

Firewall Configuration Methods

Directly edit configuration files in /etc/firewalld/
Use graphical firewall-config tool
Use firewall-cmd from command line

`firewall-config`

Graphical tool for altering and inspecting firewalld configuration
- Supports running, in-memory configuration
- Supports persistent, on-disk configuration
Install firewall-config tool from firewall-config package
Launch in two ways:
- From command line as firewall-config
- From Applications menu under Applications → Sundry → Firewall
Prompts unprivileged users for root password to continue

`firewall-config`

Transcript:

On the main screen of firewall-config, a system administrator can select between modifying the current, in-memory configuration, or the persistent, on-disk configuration that will be used after a restart/reload of firewalld. This is achieved with the Configuration drop-down menu. In most cases, system administrators will want to adjust the persistent (Permanent) configuration, and then use the Options → Reload Firewalld menu entry to activate their changes.

To modify a zone, select the zone in the Zone menu on the left. Network interfaces and source IP addresses/ranges can be assigned in the Interfaces and Sources tabs on the right, respectively.

Ports can be opened by either putting a checkmark in front of them in the Services tab, or by adding a new port in the Ports tab for that zone.

If a specific set of ports has to be opened in multiple zones, a system administrator can also define a service for those ports. This can be done in the Services tab at the top of the window.

The default zone for otherwise unspecified connections can be changed under Options → Change Default Zone.

Any changes made in the Permanent configuration will not become active until the next time that the firewalld service unit is restarted or reloaded. Likewise, any changes made in the Runtime configuration will not survive a reload or restart of the firewalld service.

`firewall-cmd`

Command-line client to interact with firewalld
Install with main firewalld package
Can perform same actions as firewall-config

`firewall-cmd`

firewall-cmd commands

Explanation

--get-default-zone

Query the current default zone.

--set-default-zone=<ZONE>

Set the default zone. This changes both the runtime and the permanent configuration.

--get-zones

List all available zones.

--get-active-zones

List all zones currently in use (have an interface or source tied to them), along with their interface and source information.

--add-source=<CIDR> [--zone=<ZONE>]

Route all traffic coming from the IP address or network/netmask <CIDR> to the specified zone. If no --zone= option is provided, the default zone will be used.

--remove-source=<CIDR> [--zone=<ZONE>]

Remove the rule routing all traffic coming from the IP address or network/netmask <CIDR> from the specified zone. If no --zone= option is provided, the default zone will be used.

--add-interface=<INTERFACE> [--zone=<ZONE>]

Route all traffic coming from <INTERFACE> to the specified zone. If no --zone= option is provided, the default zone will be used.

--change-interface=<INTERFACE> [--zone=<ZONE>]

Associate the interface with <ZONE> instead of its current zone. If no --zone= option is provided, the default zone will be used.

--list-all [--zone=<ZONE>]

List all configured interfaces, sources, services, and ports for <ZONE>. If no --zone= option is provided, the default zone will be used.

--list-all-zones

Retrieve all information for all zones. (Interfaces, sources, ports, services, etc.)

--add-service=<SERVICE> [--zone=<ZONE>]

Allow traffic to <SERVICE>. If no --zone= option is provided, the default zone will be used.

--add-port=<PORT/PROTOCOL> [--zone=<ZONE>]

Allow traffic to the <PORT/PROTOCOL> port(s). If no --zone= option is provided, the default zone will be used.

--remove-service=<SERVICE> [--zone=<ZONE>]

Remove <SERVICE> from the allowed list for the zone. If no --zone= option is provided, the default zone will be used.

--remove-port=<PORT/PROTOCOL> [--zone=<ZONE>]

Remove the <PORT/PROTOCOL> port(s) from the allowed list for the zone. If no --zone= option is provided, the default zone will be used.

--reload

Drop the runtime configuration and apply the persistent configuration.

`firewall-cmd`

[root@server1 ~]# firewall-cmd --set-default-zone=dmz
[root@server1 ~]# firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
[root@server1 ~]# firewall-cmd --permanent --zone=internal --add-service=mysql
[root@server1 ~]# firewall-cmd --reload

References

Man pages: firewall-cmd(1), firewall-config(1), firewalld(1), firewalld.zone(5) and firewalld.zones(5)

Summary

netfilter
firewalld
Predefined Zones
Predefined Services
Firewall Configuration Methods
firewall-config
firewall-cmd

Module Completion

Nice job!

Click the button below to complete this module of the course: