Wednesday, August 14, 2019

Fedora 30 : First steps with Fedora firewall.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.[1] A firewall typically establishes a barrier between a trusted internal network and untrusted external network, such as the Internet.[2], see the wikipedia. In this short tutorial about the Fedora firewall subject, I will show you how you can use firewall commands to set it. The install is simple with dnf tool:
[root@desk mythcat]# dnf install firewalld firewall-config 
Let's start with the status of your firewall:
[root@desk mythcat]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
...
You can use start , restart or stop it.

[root@desk mythcat]# systemctl start firewalld
[root@desk mythcat]# systemctl restart firewalld
[root@desk mythcat]# systemctl stop firewalld
Let's see active zones:
[root@desk mythcat]# firewall-cmd --get-active-zones
We can see all active for public zone with:
[root@desk mythcat]# firewall-cmd --zone=public --list-all
We can see all ports for public zone:
[root@desk mythcat]# firewall-cmd --zone=public --list-ports 
These commands are used for add and remove ports:
[root@desk mythcat]# firewall-cmd --permanent --zone=public --add-port=80/tcp
[root@desk mythcat]# firewall-cmd --permanent --zone=public --remove-port=80/tcp
Let's see services:
[root@desk mythcat]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client 
bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit 
condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm 
dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps 
freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability 
http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos 
kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr 
managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql 
nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole 
plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio
 puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client 
samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid 
ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp 
tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http 
wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent 
zabbix-server
Let's add and remove one service named ftp:
[root@desk mythcat]# firewall-cmd --zone=public --add-service=ftp
[root@desk mythcat]# firewall-cmd --zone=public --remove-service=ftp
Let's see all running services:
[root@desk mythcat]# firewall-cmd --zone=public --list-services
If you want to block/unblock any incoming or outgoing connections then use this:
[root@desk mythcat]# firewall-cmd --panic-on
[root@desk mythcat]# firewall-cmd --panic-off 
For example, after you use panic-on then you can check with this:
[root@desk mythcat]# ping google.com -c 1
[root@desk mythcat]# firewall-cmd --query-panic
[root@desk mythcat]# firewall-cmd --panic-off
You can masquerade your IP address with:
[root@desk mythcat]# firewall-cmd --zone=external --query-masquerade
Another example: we can forward all tcp port 80 connections to IP 6.6.6.6 :
[root@desk mythcat]# firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=6.6.6.6
Let's see ICMP:
[root@desk mythcat]# firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable 
echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation 
host-prohibited host-redirect host-unknown host-unreachable ip-header-bad 
neighbour-advertisement neighbour-solicitation network-prohibited network-redirect 
network-unknown network-unreachable no-route packet-too-big parameter-problem 
port-unreachable precedence-cutoff protocol-unreachable redirect reject-route 
required-option-missing router-advertisement router-solicitation source-quench 
source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect 
tos-host-unreachable tos-network-redirect tos-network-unreachable 
ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type 
unknown-option
We can use it for block or not the echo:
[root@desk mythcat]# firewall-cmd --zone=external --query-icmp-block=echo-reply
[root@desk mythcat]# firewall-cmd --zone=external --add-icmp-block=echo-reply
[root@desk mythcat]# firewall-cmd --direct --get-rules ipv4 filter IN_public
[root@desk mythcat]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 
...
I cannot show you a magic rule because this depends by your network and your software. You can use this command to see all into a graphic interface.
[root@desk mythcat]# firewall-config
This will give a good image of your firewall settings.