Firewall-cmd tricky rule

Posted: 2018/10/11 00:49:34
by genexxa
Hi guys,

I don't really know if this is doable, but here's what I'm trying to do with firewall-cmd.

Here's the scenario. We have ServerA and ServerB. What I'm trying to do is allow traffic between ServerA and ServerB when ServerA initiates the connection. So if ServerB is trying, for example, to ping ServerA, it'll be blocked. But if ServerA initiates a connection, it would be allowed. I know it's kinda messed up, but do you think this is feasible?

Thanks a lot.

Re: Firewall-cmd tricky rule

Posted: 2018/10/11 06:54:28
by jlehtone
I do assume that the two servers have firewalld.

Start by asking, What is in the default?
The default is to use the zone 'public'. What is in it?
Effectively these:

Code:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT_ZONES -g IN_public
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
1. Allow to continue existing connections
2. Allow ICMP (includes ping)
3. Allow ssh
4. Reject the rest

In other words:

Code:
# firewall-cmd --info-zone public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  services: ssh dhcpv6-client
  masquerade: no
  rich rules: 
You want ServerB to accept something more from ServerA,
and ServerA to accept nothing new from ServerB.

There are several predefined zones:

Code:
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
The 'block' might be what ServerA wants to have. Alternatively, simply remove service 'ssh' from the 'public'.

In ServerB you have to think whether you want to allow anything, or just connections to specific services.
You probably want to treat ServerA differently than the rest of internet.
One can have multiple zones: one for traffic coming from ServerA and another for the rest.
See ... igurations ... _on_source
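
The zone-per-source layout described above, as an added example (not jlehtone's own commands). It assumes constructed addresses 192.0.2.10 for ServerA and 192.0.2.20 for ServerB, a zone name "fromservera" on ServerB, and ssh as the only service ServerB offers to ServerA; run it with `print` to see the commands or `apply` (as root, with firewalld running) to execute them.

```shell
#!/bin/sh
# Added example: implement "one zone for ServerA, another for the rest".
# Constructed values for the example; override them from the environment.
SERVER_A=${SERVER_A:-192.0.2.10}
SERVER_B=${SERVER_B:-192.0.2.20}
ZONE=${ZONE:-fromservera}

# run: print the firewall-cmd line when DRY_RUN is set, execute it otherwise.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# ServerB: a dedicated zone bound to ServerA's address. firewalld matches a
# packet's source against zone sources before falling back to the interface
# zone, so packets from ServerA land here and everything else stays in
# 'public'. Only NEW connections to the listed services are accepted; replies
# to connections ServerB opened itself are already covered by the
# RELATED,ESTABLISHED rule at the top of INPUT.
configure_server_b() {
    run --permanent --new-zone="$ZONE"
    run --permanent --zone="$ZONE" --add-source="$SERVER_A/32"
    run --permanent --zone="$ZONE" --add-service=ssh
    run --reload
}

# ServerA: accept nothing new from ServerB. Binding ServerB's address to the
# predefined 'block' zone rejects every new connection from it, while
# connections ServerA opens towards ServerB, and their replies, are unaffected.
configure_server_a() {
    run --permanent --zone=block --add-source="$SERVER_B/32"
    run --reload
}

case "${1:-}" in
    print) DRY_RUN=1; configure_server_b; configure_server_a ;;
    apply) configure_server_b; configure_server_a ;;
esac
```

A source can belong to only one zone, so check `firewall-cmd --get-zone-of-source=192.0.2.10` on ServerB before adding it if the address is already bound elsewhere.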

Re: Firewall-cmd tricky rule

Posted: 2018/10/11 13:18:26
by genexxa
Thanks jlehtone.

Here is a little bit more detail:

For the dmz zone, all traffic initiated from the outside should be blocked, but I would like to accept replies to traffic initiated by our internal server.

Re: Firewall-cmd tricky rule

Posted: 2018/10/12 09:54:56
by jlehtone
Whose firewalls? Are we talking about a router, or the servers?

CentOS default is to:
* allow everything that is going out from this machine
* allow all incoming replies
* reject all new incoming connections (except ssh)

Therefore, (after closing the ssh service's port), "all traffic initiated from the outside" is blocked.
All valid replies are accepted by default.
The control is on which new traffic is allowed.

Same goes for CentOS as router. We have to explicitly allow routing of new connections (that match a rule). Valid replies are routed.