Configuration of firewalld on Centos7

gad83
Posts: 3
Joined: 2020/09/30 01:08:12

Configuration of firewalld on Centos7

Post by gad83 » 2020/09/30 01:13:59

I need help configuring my firewalld on Centos.
I think I would like to use a zone for the trusted subnets, a zone for the specific rules, a zone for the local services and finally a deny zone.
This is not a must; any logical zoning would be accepted.

Let's call my server: server_one. I would like to have a firewalld configured on my server_one for the following:
1. server_one has services running and listening on ports 10050-10051/tcp 10050-10051/udp 4000/tcp 4080/tcp 4443/tcp 5353/udp.
I need to accept incoming to those ports.
2. trust subnet 10.120.48.0/24
3. trust subnet 10.121.48.0/24
4. trust subnet 10.0.0.0/16 except [ 10.120.0.0/16 and 10.121.0.0/16 ]
5. I have a few other rules on specific ip and ports I would like to add.
But here is one, for example; I'll extrapolate the rest: accept 10.33.112.0/24 on ports (53,389,88,464/tcp-udp) (22/tcp) and (161,162/udp)
6. drop/deny everything else

Thank you in advance for any help!
Edgar

jlehtone
Posts: 3107
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Configuration of firewalld on Centos7

Post by jlehtone » 2020/09/30 10:16:09

The source ranges cannot overlap; there is no "except".

You say that you "trust" ranges:
10.0.0.0/16, 10.120.48.0/24, and 10.121.48.0/24
(Note that 10.120.0.0/16 is not within 10.0.0.0/16, but 10.120.48.0/24 is within 10.120.0.0/16.)

Does the "trust" mean "all ports", like the built-in zone "trusted", or just ports 10050-10051/tcp 10050-10051/udp 4000/tcp 4080/tcp 4443/tcp 5353/udp?

If the latter, then you would add those ports (or better yet, add firewalld services that have those ports) into zone
and add 10.0.0.0/16, 10.120.48.0/24, 10.121.48.0/24 as sources that that zone caters.

The 10.33.112.0/24 would be for a different zone. That zone would have all the ports/services that the 10.33.112.0/24 should access.

If you have an address within the range, say 10.0.20.30, that must have access to everything that 10.0.0.0/16 can, but also to port 666/tcp,
then you can't have 10.0.0.0/16, but two ranges 10.0.0.0--10.0.20.29 and 10.0.20.31--10.0.255.255 in the first zone.
The second zone, for 10.0.20.30, would have the same ports/services as the first zone *and* the 666/tcp.

Every interface has a zone. Give them the "drop" zone. Everything that does not match the listed sources will then drop.
man firewall-cmd wrote:
    Binding a source to a zone means that this zone settings will be used to restrict traffic from this source.

    A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number.

gad83
Posts: 3
Joined: 2020/09/30 01:08:12

Re: Configuration of firewalld on Centos7

Post by gad83 » 2020/09/30 13:22:42

Hey @jlehtone

Thanks for the help!

So the way I would like the firewalld to represent the rules is:

1. ports 10050-10051/tcp 10050-10051/udp 4000/tcp 4080/tcp 4443/tcp 5353/udp opened to the trusted subnets
2. trusted subnets are 10.120.48.0/24, 10.121.48.0/24, {[10.1.0.0/16 to 10.119.0.0/16], [10.122.0.0/16 to 10.255.0.0/16]}
3. a few specific ip. addr. with specific ports
4. everything else is drop/deny

Cordially,
Edgar

jlehtone
Posts: 3107
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Configuration of firewalld on Centos7

Post by jlehtone » 2020/09/30 14:09:06

Red Hat has documentation about firewalld: https://access.redhat.com/documentation ... a_New_Zone

Note that the range 10.1.0.0-10.119.255.255, when expressed as networks, is not "simple":

    10.1.0.0/16
    10.2.0.0/15
    10.4.0.0/14
    10.8.0.0/13
    10.16.0.0/12
    10.32.0.0/11
    10.64.0.0/11
    10.96.0.0/12
    10.112.0.0/13

The ipsets should support ranges, but I've not used them.
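As an added example (not commands from this thread), a Python script that uses the standard ipaddress module to split both address ranges from the second post into CIDR blocks, reproducing the list above, and then emits the firewall-cmd lines for the zone plan sketched in the earlier reply: a source-bound zone for the trusted subnets with only the listed ports, a second zone for the 10.33.112.0/24 rule, and the drop zone as the fallback for everything else. The zone names trusted_subnets and dirsvc, and using --set-default-zone=drop to give interfaces the drop zone, are assumptions; the script only prints the commands.

```python
import ipaddress

# Constructed from the thread: the ports server_one listens on, opened only to trusted sources.
SERVICE_PORTS = ["10050-10051/tcp", "10050-10051/udp", "4000/tcp",
                 "4080/tcp", "4443/tcp", "5353/udp"]
# Trusted sources: two /24s plus two address ranges that are not single CIDR blocks.
TRUSTED_CIDRS = ["10.120.48.0/24", "10.121.48.0/24"]
TRUSTED_RANGES = [("10.1.0.0", "10.119.255.255"), ("10.122.0.0", "10.255.255.255")]
# One host-specific zone, the 10.33.112.0/24 example from the first post ("dirsvc" is a made-up zone name).
SPECIFIC_ZONE = ("dirsvc", ["10.33.112.0/24"],
                 [f"{p}/{proto}" for p in (53, 389, 88, 464) for proto in ("tcp", "udp")]
                 + ["22/tcp", "161/udp", "162/udp"])


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR networks."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                             ipaddress.ip_address(last))
    return [str(n) for n in nets]


def trusted_sources():
    """All --add-source values for the trusted zone, ranges already split into CIDRs."""
    sources = list(TRUSTED_CIDRS)
    for first, last in TRUSTED_RANGES:
        sources.extend(range_to_cidrs(first, last))
    return sources


def firewall_cmds():
    """Return the firewall-cmd invocations for the zone plan as strings (nothing is executed)."""
    zones = [("trusted_subnets", trusted_sources(), SERVICE_PORTS), SPECIFIC_ZONE]
    cmds = []
    for zone, sources, ports in zones:
        cmds.append(f"firewall-cmd --permanent --new-zone={zone}")
        for src in sources:
            cmds.append(f"firewall-cmd --permanent --zone={zone} --add-source={src}")
        for port in ports:
            cmds.append(f"firewall-cmd --permanent --zone={zone} --add-port={port}")
    # Traffic matching no bound source falls through to the interface's zone; make that zone 'drop'
    # (interfaces explicitly bound to another zone would need --change-interface as well).
    cmds.append("firewall-cmd --set-default-zone=drop")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    print("\n".join(firewall_cmds()))
```

Review the printed list before running it, in particular that no --add-source line covers 10.120.0.0/16 or 10.121.0.0/16 beyond the two /24s.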

gad83
Posts: 3
Joined: 2020/09/30 01:08:12

Re: Configuration of firewalld on Centos7

Post by gad83 » 2020/09/30 18:43:28

I'm looking for a set of firewalld commands to create my security based on the rules I've sent you...
