Managing Server Firewalls

Objectives

  • Accept or reject network connections to system services with firewalld rules.

Firewall Architecture Concepts

  • Netfilter Framework: Provides packet filtering, network address translation, and port translation. Includes hooks for kernel modules to interact with network packets.
  • nftables Framework: Builds on the netfilter framework, replacing the deprecated iptables in Red Hat Enterprise Linux 9, offering improved usability and efficiency.

Netfilter Examples

Example 1: Incoming Packet to Local Process

  1. Prerouting: A packet arrives at the network device.
  2. Routing Decision: The kernel decides it is for a local process.
  3. Input: The packet moves through the Input hook.
  4. Local Process: The packet is handed over to the local process.

Example 2: Packet to be Forwarded

  1. Prerouting: A packet arrives at the network device.
  2. Routing Decision: The kernel decides it needs to be forwarded.
  3. Forward: The packet moves through the Forward hook.
  4. Postrouting: The packet traverses the Postrouting hook.
  5. Outgoing Device: The packet is sent out to another network device.

Example 3: Outgoing Packet from Local Process

  1. Output: A packet is generated by a local process.
  2. Postrouting: The packet traverses the Postrouting hook.
  3. Outgoing Device: The packet is sent out to the network.

In the context of Netfilter, a "local process" refers to any application or service running on the same system that is generating or receiving network traffic. Examples of local processes include:

  • Web Server (e.g., Apache, Nginx): Serving web pages to clients.
  • Database Server (e.g., MySQL, PostgreSQL): Handling database queries.
  • SSH Server: Providing remote command-line access to the system.
  • Email Server (e.g., Postfix, Sendmail): Handling incoming and outgoing emails.
  • Client Applications: Any application that makes outgoing network requests, like a web browser or email client.

Example Flow: Incoming Packet to Web Server

  1. Prerouting: Packet received on network device.
  2. Routing Decision: Determined to be for the local web server.
  3. Input: Packet passed through Input hook.
  4. Web Server Process: Packet handed to the web server process to handle the request.

Example Flow: Outgoing Packet from Web Browser

  1. Web Browser: Generates a network request.
  2. Output: Packet passed through Output hook.
  3. Postrouting: Packet processed through Postrouting hook.
  4. Network Device: Packet sent out to the network.

The firewalld Service

  • Dynamic Firewall Manager: Recommended front end to the nftables framework.
  • Zones: Classifies network traffic into zones based on criteria like source IP address or network interface.
  • NetworkManager Integration: Automatically sets the firewall zone for a connection, useful for devices frequently changing networks.

firewalld vs netfilter

netfilter is the core kernel framework for packet processing, while firewalld provides a high-level, dynamic, and user-friendly interface to manage these rules.

netfilter:

  • Framework: Provides the underlying packet filtering, network address translation, and port translation capabilities within the Linux kernel.
  • Hooks: Offers hooks where various kernel modules can register callback functions to process packets.
  • Low-Level Control: Allows direct manipulation of packet processing rules.

firewalld:

  • Frontend: Acts as a user-friendly front end to the netfilter framework.
  • Dynamic Management: Enables dynamic management of firewall rules without restarting.
  • Zones: Organizes network traffic into zones with predefined rules, making configuration easier.
  • User Interface: Provides both command-line (firewall-cmd) and graphical interfaces.

Predefined Zones

  • Default Zones Configuration:

    Zone Name   Default Configuration
    ---------   ---------------------------------------------------------------------
    trusted     Allow all incoming traffic.
    home        Reject incoming traffic unless matching predefined services (e.g., ssh, mdns).
    internal    Same as home zone initially.
    work        Reject incoming traffic unless matching ssh, ipp-client, or dhcpv6-client.
    public      Reject incoming traffic unless matching ssh or dhcpv6-client.
    external    Same as public, with outgoing IPv4 traffic masqueraded.
    dmz         Reject incoming traffic unless matching ssh.
    block       Reject all incoming traffic unless related to outgoing traffic.
    drop        Drop all incoming traffic without responding with ICMP errors.

Predefined Services

    Service Name    Configuration
    ------------    ----------------------------------------------------------------
    ssh             Local SSH server. Traffic to 22/tcp.
    dhcpv6-client   Local DHCPv6 client. Traffic to 546/udp on the fe80::/64 IPv6 network.
    ipp-client      Local IPP printing. Traffic to 631/udp.
    samba-client    Windows file and print sharing. Traffic to 137/udp and 138/udp.
    mdns            Multicast DNS link-local name resolution. Traffic to 5353/udp.
    cockpit         Web-based interface for system management. Traffic to 9090/tcp.

Configuring firewalld

Web Console

  1. Log In: Escalate privileges to administrative mode.
  2. Navigate: Go to Networking > Firewall.
  3. Manage Zones and Services: Add services to zones using the graphical interface.

Command Line (firewall-cmd)

  • Common Commands:

    Command                                     Explanation
    -----------------------------------------   -------------------------------------------------------------
    --get-default-zone                          Query the current default zone.
    --set-default-zone=ZONE                     Set the default zone.
    --get-zones                                 List all available zones.
    --get-active-zones                          List currently active zones.
    --add-source=CIDR [--zone=ZONE]             Route traffic from CIDR to the specified zone.
    --remove-source=CIDR [--zone=ZONE]          Remove the rule routing traffic from CIDR.
    --add-interface=INTERFACE [--zone=ZONE]     Route traffic from INTERFACE to the specified zone.
    --change-interface=INTERFACE [--zone=ZONE]  Change the zone for INTERFACE.
    --list-all [--zone=ZONE]                    List all configured interfaces, sources, services, and ports for ZONE.
    --list-all-zones                            Retrieve information for all zones.
    --add-service=SERVICE [--zone=ZONE]         Allow traffic to SERVICE.
    --add-port=PORT/PROTOCOL [--zone=ZONE]      Allow traffic to PORT/PROTOCOL.
    --remove-service=SERVICE [--zone=ZONE]      Remove SERVICE from the allowed list.
    --remove-port=PORT/PROTOCOL [--zone=ZONE]   Remove PORT/PROTOCOL from the allowed list.
    --reload                                    Apply the persistent configuration to the running firewall.

Examples:

  • Set the default zone to dmz, route traffic from 192.168.0.0/24 to the internal zone, and permanently allow the mysql service there (the --permanent rules take effect only after the reload):
    firewall-cmd --set-default-zone=dmz
    firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
    firewall-cmd --permanent --zone=internal --add-service=mysql
    firewall-cmd --reload

  • Add incoming traffic from 172.25.25.11 to the public zone:
    firewall-cmd --permanent --zone=public --add-source=172.25.25.11/32
    firewall-cmd --reload

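After applying rules like the ones above, a practitioner wants to confirm that the running firewall exposes exactly what was intended and nothing more. The following is an added example, not part of the course material: it parses the output format of firewall-cmd --list-all-zones (real output carries more fields, which the parser simply keeps) and compares each zone's services and ports against an explicit policy; the sample output and the policy are constructed.

```python
# Added example: audit `firewall-cmd --list-all-zones` output against an intended
# zone policy. SAMPLE_OUTPUT and EXPECTED below are constructed, not from the page.
SAMPLE_OUTPUT = """\
dmz (active)
  sources:
  services: ssh cockpit

internal (active)
  sources: 192.168.0.0/24
  services: ssh mysql
  ports: 3306/tcp

trusted (active)
  sources: 10.0.0.0/8
  services:
"""
# Intended exposure per zone; anything beyond it (or an active zone missing here) is a finding.
EXPECTED = {"dmz": {"services": ["ssh"]}, "internal": {"services": ["ssh", "mysql"]}}

def parse_zones(text):
    """Map zone name -> {"active": bool, <field>: [values]} from --list-all-zones text."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):              # zone header, e.g. "public (active)"
            name, _, rest = line.partition(" ")
            current = zones.setdefault(name, {"active": "(active)" in rest})
            continue
        key, _, value = line.strip().partition(":")
        current[key] = value.split()              # "services: ssh mysql" -> ["ssh", "mysql"]
    return zones

def audit(zones, policy):
    """Return findings: extra services/ports, active zones with no policy, trusted bindings."""
    findings = []
    for name, z in zones.items():
        members = z.get("sources", []) + z.get("interfaces", [])
        if name == "trusted" and members:         # trusted accepts everything bound to it
            findings.append(f"trusted: accepts all traffic from {' '.join(members)}")
        allowed = policy.get(name)
        if allowed is None:
            if z["active"]:
                findings.append(f"{name}: active zone without a policy entry")
            continue
        for field in ("services", "ports"):
            extra = sorted(set(z.get(field, [])) - set(allowed.get(field, [])))
            if extra:
                findings.append(f"{name}: unexpected {field}: {' '.join(extra)}")
    return findings
```

Run it against live output by piping firewall-cmd --list-all-zones into parse_zones; an empty findings list means the zones expose only what the policy lists.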

Questions and Answers

  1. What is the primary objective of managing server firewalls?

    • To accept or reject network connections to system services using firewalld rules.
  2. What framework does the Linux kernel provide for network traffic operations?

    • The netfilter framework.
  3. What replaced the iptables framework in Red Hat Enterprise Linux 9?

    • The nftables framework.
  4. What are the advantages of nftables over iptables?

    • Improved usability and more efficient rule sets.
  5. How does nftables handle both IPv4 and IPv6 traffic?

    • It uses a single rule set to manage both IPv4 and IPv6 traffic simultaneously.
  6. What service is recommended as the front end to the nftables framework?

    • The firewalld service.
  7. How does firewalld simplify firewall management?

    • By classifying network traffic into zones.
  8. What factors determine a network packet's assigned zone in firewalld?

    • The source IP address or the incoming network interface.
  9. How does firewalld handle packets from devices that frequently change networks?

    • NetworkManager can automatically set the firewall zone for a connection.
  10. What happens to incoming packets if the source address is not assigned to a specific zone?

    • firewalld associates the packet with the zone for the incoming network interface.
  11. What is the default zone in firewalld?

    • The public zone.
  12. What zone is the lo loopback interface mapped to in firewalld?

    • The trusted zone.
  13. What kind of traffic is allowed in the trusted zone by default?

    • All incoming traffic.
  14. What command lists all available zones in firewalld?

    • firewall-cmd --get-zones
  15. How do you set the default zone in firewalld?

    • firewall-cmd --set-default-zone=ZONE
  16. How do you list all configured interfaces, sources, services, and ports for a specific zone?

    • firewall-cmd --list-all --zone=ZONE
  17. What command is used to allow traffic to a specific service in a specific zone?

    • firewall-cmd --add-service=SERVICE --zone=ZONE
  18. How do you permanently allow traffic to a specific port in firewalld?

    • firewall-cmd --permanent --add-port=PORT/PROTOCOL
  19. What must be done after adding a permanent rule to make it active?

    • Run firewall-cmd --reload.
  20. How do you list the current default zone?

    • firewall-cmd --get-default-zone
  21. What is a key benefit of using predefined services in firewalld?

    • Simplifies setting firewall rules without needing to research port numbers.
  22. How can you manually specify required ports and protocols in firewalld?

    • Using the firewall-cmd command-line tool or the web console graphical interface.
  23. How can you review the predefined services in firewalld?

    • firewall-cmd --get-services
  24. What is the command to remove a service from the allowed list in a specific zone?

    • firewall-cmd --remove-service=SERVICE --zone=ZONE
  25. What command is used to add all incoming traffic from a specific IP address to a specific zone?

    • firewall-cmd --permanent --zone=ZONE --add-source=CIDR