Sunday, January 31, 2016

Oracle Linux - configure firewalld local firewall

When using the latest version of Oracle Linux (at this moment 7) a local firewall is by default activated. The new implementation of the local Linux firewall is no longer iptables, it is currently being done by using firewalld. Using a local firewall on your Oracle Linux machine is a good practice, in some cases when you run a local test system you might not always see the direct need for a local firewall. However, in all production or semi-production situations a firewall should actually be default.

Instead of disabling the firewall when it is blocking something you can better configure the firewall to make it work. In case you run, as an example an nginx webserver, and you try to reach it from the outside you will by default be blocked. The below steps you can use to find the current firewall state and make sure you can access the webserver at a later stage in the right way. The right way in this is, opening port 80 and ensuring the rest is still secured by your firewall.

First you want to check if the firewall is running and this is indeed the issue that you cannot access your nginx webserver. You can check the current state of the firewall with the --state option of the firewall-cmd command as shown below. As you can see the firewall is running.

[root@localhost ~]# firewall-cmd --state
running

Now we know that the firewall is up and running we need to check which zones are currently active and on which interface they are currently active. The firewalld implementation uses zones, the default zone is the public zone. A number of zones are available by default and all have a use. The following zones are by default available in the firewalld implementation:

block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.

public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.


work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

trusted
All network connections are accepted.

You can check which zones active with the --get-active-zones option. in the below example you will notice that the public zone is active on the enp0s3 interface. The public zone is the default zone that is loaded. For good reasons a limited number of services are activated (open) in the public zone.

[root@localhost ~]# firewall-cmd --get-active-zones
public
  interfaces: enp0s3
[root@localhost ~]#

Now we know that the firewall is active and that a zone is loaded, in our case the public zone on interface enp0s3 we need to check which services and ports are currently active (open). A difference between a service and a port needs to be understood to make sure you have your security tight. A service can contain one or more ports. Where a port is,.. a port. It is important to note that --list-ports will not list the ports that are covered by a service. In the example below we check the services and ports with the associated commands. As you can see no ports are explicitly open and only two services are active (open).

[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh
[root@localhost ~]# firewall-cmd --list-ports
[root@localhost ~]#

We stated that the example case was to open port 80 for http traffic to the nginx webserver running on the box. We can do this by adding port 80. As we want this to be permanent and ensure that this new setting is active after a reboot of the server we add the --permanent option to the command. Below you can see the example of adding and reloading the settings to ensure that port 80 will be open on the public zone.

[root@localhost ~]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]#

When we again check the services and ports we will see that the services are still the same, only two services, we do however now have a explicit mention of port 80 as an open port.

[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh
[root@localhost ~]# firewall-cmd --list-ports
80/tcp

As stated before, you have to remember that also a service is an option. In our case we open port 80 to ensure access to the http server which runs in the form of nginx on our machine. So, instead of adding port 80 explicitly we could also have added the service http instead. Adding the service http is done with the --add-service instead of --add-port option. An example of this is shown below.

[root@localhost ~]# firewall-cmd --zone=public --add-service=http --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]#

If you now check the status of the services and the ports with the commands we used previously you will notice that no ports are mentioned explicitly and http is added as a service (do note, I have removed port 80 which is not part of this blogpost)

[root@localhost ~]# firewall-cmd --list-service
dhcpv6-client http ssh
[root@localhost ~]# firewall-cmd --list-port
[root@localhost ~]#

Even though this is only a simple example of how you can configure firewalld it provides you an insight and starting point to create much more complex configurations when and where needed.
Post a Comment