Firewalld zone sources behavior

Support for security such as Firewalls and securing linux
eitancaspi
Posts: 6
Joined: 2020/02/25 20:11:45

Firewalld zone sources behavior

Post by eitancaspi » 2020/02/25 20:15:54

Hi, I'm relatively new to Linux, so please treat me gently ...

I set up CENTOS 7 with all the updates, at a VPS provider.

I work with firewalld, with the firewall-cmd command.

There is no internal network, there is only one server connected to the Internet.

I have one network card attached to one ZONE that is the active one. The default action for this zone, the TARGET, is DROP.

Something is not clear to me about the logic of this FW - whereas if you add SERVICES, such as ssh, to the ZONE, then access to this port from the world is allowed for everyone.

But if you add a single IP address to the ZONE SOURCES, it's as if we were requesting to block any access to the server from that address, as if it were a BLOCK operation, and it is indeed listed in the firewalld manual - "Binding a source to a zone directory". from this source. "
https://firewalld.org/documentation/man ... l-cmd.html

I know I can solve this, to give server access to all ports and all protocols from one specific source address, using exact RICH RULES, but I thought I might be able to get rid of this need by using the ZONE SOURCES, but it goes the opposite...

Am I doing something wrong? Can anyone enlighten me about the firewalld logic regarding my issue?

Thanks!

WiVM
Posts: 12
Joined: 2015/12/15 08:19:45

Re: Firewalld zone sources behavior

Post by WiVM » 2020/02/26 11:01:42

Hi,

I found this a very useful resource to understand these zones better: https://www.digitalocean.com/community/ ... n-centos-7

Especially the explanation about the zone behavior might be relevant for you.

eitancaspi
Posts: 6
Joined: 2020/02/25 20:11:45

Re: Firewalld zone sources behavior

Post by eitancaspi » 2020/02/26 11:35:30

Thanks, but this article didn't help me. I only have one zone, so it is less relevant, but, I found this https://www.marksei.com/manage-firewalld/, which states:
"
Understanding sources
Interfaces are a good way to direct all the traffic through a set of rule but, sometimes most of the times, that will be too broad. Sources represent IP addresses that can be used to filter or allow packets through the zone. It is important to understand that sources, just like interfaces, are just a mean to decide what zone will the packet be sorted into. Both sources and interfaces do not decide whether to filter or allow a package.
"

I tested it both ways and the above explanation looks correct:
1. Removing all rich rules for the zone, setting the target (meaning the default action) to DROP and adding my IP to the SOURCES - my whole traffic to the server was blocked
2. Removing all rich rules for the zone, setting the target (meaning the default action) to ACCEPT and adding my IP to the SOURCES - my whole traffic to the server was allowed

FYI.

jlehtone
Posts: 2589
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld zone sources behavior

Post by jlehtone » 2020/02/26 21:10:19

eitancaspi wrote (2020/02/26 11:35:30): "I only have one zone"

No. Your server (should) have two zones:
* Zone A: Your machine. A has your IP in the sources. A has no interface. A allows what you want to allow. You could use 'trusted' for this if you truly want "all in".
* Zone B: Everything else. B is on the interface. B has no sources. B blocks. How about the builtin zones 'block' or 'drop'?

eitancaspi
Posts: 6
Joined: 2020/02/25 20:11:45

Re: Firewalld zone sources behavior

Post by eitancaspi » 2020/02/26 22:04:37

AFAIK only the "public" zone is the active one, and AFAIK only one zone can be the "active" zone at any given time.

jlehtone
Posts: 2589
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld zone sources behavior

Post by jlehtone » 2020/02/26 22:19:02

If you were right, then how can I have three active zones:

# firewall-cmd --get-active-zones
public
  interfaces: eno1 eno1.7 eno1.16 eno1.25 brlan
trusted
  interfaces: bradm
  sources: 192.168.3.0/28 192.168.2.16/29
hardwall
  interfaces: brwan

More elaborate:
https://www.linuxjournal.com/content/un ... igurations

eitancaspi
Posts: 6
Joined: 2020/02/25 20:11:45

Re: Firewalld zone sources behavior

Post by eitancaspi » 2020/02/26 22:32:00

I see your point, per the link you shared - "An active zone is any zone that is configured with an interface and/or a source".

But I have only one interface, which is assigned only to one zone, "public", so I think I have a very simple config.
Why do you think I should/must have two zones?

eitancaspi
Posts: 6
Joined: 2020/02/25 20:11:45

Re: Firewalld zone sources behavior

Post by eitancaspi » 2020/02/26 22:34:19

Your link article says what I said:
"
When a zone processes a packet due to its source or interface, but there is no rule that explicitly handles the packet, the target of the zone determines the behavior:

ACCEPT: accept the packet.

%%REJECT%%: reject the packet, returning a reject reply.

DROP: drop the packet, returning no reply.

default: don't do anything. The zone washes its hands of the problem, and kicks it "upstairs".
"

jlehtone
Posts: 2589
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld zone sources behavior

Post by jlehtone » 2020/02/26 23:06:09

Yes.

When a packet arrives, the source zones are checked first, before interface zones. At most one of them can match. If there is a matching zone, then the rules of that zone are tested for the packet.

Let's say that you have assigned source X to zone 'public'.
If the packet from X is an ssh connection, then public accepts it.
If it is for port 1234 (public has no rule for that), the packet returns from the zone.

After the source zones there are the interface zones. If public did not catch the packet from X, then the zone of the interface gets a shot at it.
Let's say that that zone does not catch it either and has target 'default', just like public.

The packet is back on chain INPUT. What is the last rule there? REJECT. That is firewalld's default.


What you want (even though you don't seem to believe it yet) is that you have a source zone that has target ACCEPT, like the builtin 'trusted'. That is what you said that you want. To accept everything from your IP. If a packet comes from your IP, then it will be accepted. Nothing to "fall through".

If the packet is not from your IP, then it will not enter the zone that has IP as source (and no interfaces).
It will enter the zone assigned to the interface. That zone either handles the packet, or lets it fall through back to INPUT, which will REJECT (unless you have modified the config).
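A small model of the zone dispatch described above (source zones first, then the interface zone, then INPUT's final REJECT), added here as an example and not part of any post or of firewalld's own code. It compares the original poster's single DROP zone with the two-zone layout jlehtone suggests; the IPs 203.0.113.10 and 198.51.100.7, the interface eth0, and the names Zone, dispatch and compare are assumptions for the example.

```python
# Added example: a toy model of firewalld zone dispatch, not firewalld's code.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Zone:
    name: str
    target: str = "default"                         # ACCEPT, DROP, %%REJECT%% or default
    sources: list = field(default_factory=list)     # CIDR strings bound to this zone
    interfaces: list = field(default_factory=list)  # interface names bound to this zone
    ports: set = field(default_factory=set)         # ports opened by service/port rules

    def decide(self, port):
        """An explicit rule accepts; otherwise the zone target applies.
        Target 'default' means the zone hands the packet back (None)."""
        if port in self.ports:
            return "ACCEPT"
        return None if self.target == "default" else self.target.strip("%")

def dispatch(zones, src_ip, iface, port):
    """Verdict for one inbound packet: the matching source zone is tried before
    the matching interface zone; a packet nobody handles hits INPUT's REJECT."""
    ip = ip_address(src_ip)
    by_source = [z for z in zones if any(ip in ip_network(s) for s in z.sources)]
    by_iface = [z for z in zones if iface in z.interfaces]
    for zone in by_source[:1] + by_iface[:1]:   # at most one zone of each kind matches
        verdict = zone.decide(port)
        if verdict is not None:
            return verdict, zone.name
    return "REJECT", "INPUT"

MY_IP = "203.0.113.10"   # constructed admin address (assumption)
# 1) The original poster's layout: one zone, target DROP, own IP as a source.
ONE_ZONE = [Zone("public", "DROP", sources=[MY_IP + "/32"], interfaces=["eth0"], ports={22})]
# 2) The two-zone layout suggested in the thread, roughly equivalent to:
#    firewall-cmd --permanent --zone=trusted --add-source=203.0.113.10
#    firewall-cmd --permanent --zone=drop --change-interface=eth0
#    firewall-cmd --reload
TWO_ZONES = [Zone("trusted", "ACCEPT", sources=[MY_IP + "/32"]),
             Zone("drop", "DROP", interfaces=["eth0"])]

def compare(port, src_ip=MY_IP):
    """(verdict, zone) for a packet to `port` under each layout."""
    return dispatch(ONE_ZONE, src_ip, "eth0", port), dispatch(TWO_ZONES, src_ip, "eth0", port)

if __name__ == "__main__":
    for port in (22, 1234):
        print(port, "from admin:", compare(port), "from stranger:", compare(port, "198.51.100.7"))
```

With the single DROP zone, the admin's own traffic to port 1234 is dropped by the source match exactly as the poster observed, while the two-zone layout accepts everything from the admin IP and drops everything else at the interface zone.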

eitancaspi
Posts: 6
Joined: 2020/02/25 20:11:45

Re: Firewalld zone sources behavior

Post by eitancaspi » 2020/02/27 09:34:16

Thanks for the detailed explanation.
Well, I didn't try what you offer, but currently it looks too complex for me to achieve what I need with my current network design, but I will remember this for future needs.
Thank you!!
