firewalld - what's really going on?

Support for security such as Firewalls and securing linux
Post Reply
kauer
Posts: 16
Joined: 2020/05/03 07:47:30

firewalld - what's really going on?

Post by kauer » 2020/05/03 08:16:44

I'm very new to CentOS8. It was imposed on us for a project, but I'm liking it so far. I've got virtuals running (CentOS8 guests on a CentOS8 KVM+QEMU hypervisor) and it's all looking pretty good.

Now I need to set up suitable packet filters. firewalld seems to be the preferred method. Abstraction is all very well, but I can't figure out, for example, how firewalld is handling established/related or where ICMP is being permitted. firewalld is definitely active and working, because ssh connections work and random other ports don't, plus when I changed the default target in the public zone from reject to drop, the way those random ports were handled changed as expected.

I'm pretty sure it will do everything I need (my needs are few :-) in fact the default public zone is almost exactly what I want, but I don't like not really knowing what's going on down at the packet level.

Most of what I have read suggests that firewalld manages iptables rules "under the hood" and iptables is certainly installed, but "iptables -L" lists no rules - just the default policies for the default chains.

So at the moment, for me, firewalld seems to be a bit of a black box. Can anyone give me a clue where I should look to find out exactly what it is doing?

Thanks, K.

scottro
Forum Moderator
Posts: 2457
Joined: 2007/09/03 21:18:09
Location: NYC
Contact:

Re: firewalld - what's really going on?

Post by scottro » 2020/05/03 10:19:25

Just do a quick google for firewalld tutorial. For example, this one looks (just glanced at it) decent. It's for CentOS-7, but should be fine for CentOS-8 too.

https://www.digitalocean.com/community/ ... n-centos-7

There are plenty of other articles as well.
New users should check the FAQ and Read Me First pages

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: firewalld - what's really going on?

Post by aks » 2020/05/03 10:47:47

CentOS 8 uses nftables (rather than iptables) but it's all the same things in a network sense.

User avatar
jlehtone
Posts: 3044
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld - what's really going on?

Post by jlehtone » 2020/05/03 10:48:05

kauer wrote:
2020/05/03 08:16:44
Most of what I have read suggests that firewalld manages iptables rules "under the hood" and iptables is certainly installed, but "iptables -L" lists no rules - just the default policies for the default chains.
That does not apply to CentOS 8.

The iptables tool accesses netfilter in kernel. CentOS 8's kernel does not have netfilter.
CentOS 8's kernel does have nftables. Nftables was added to upstream kernel about five years ago.
The tool access nftables is nft. Nft provides a wrapper tool "iptables" that takes iptables syntax and creates nftables rules.
The wrapper is not 100% complete, so it cannot do everything.

Firewalld in CentOS 8 uses nft as backend, except for direct rules that you write in iptables syntax. Those firewalld injects with the wrapper.

Nftables has tables. Firewalld creates separate tables for rules that it writes with nft and with iptables. The default ruleset is all written with nft.
The "iptables" writes and shows only the tables that mimic the content of netfilter. That is why they look empty.

The firewalld rules are mainly defined via zones.

Code: Select all

man firewalld.zones
man firewall-cmd
In order to see all rules in the kernel, do:

Code: Select all

sudo nft list ruleset
It is possible to discard the Firewalld and write the rules directly. Then you know what you get, but you really have to know what you put.
Those rules can be in iptables-syntax and loaded with iptables.service on boot or in nft-syntax and loaded with nftables.service on boot.

Note though that other services, like libvirtd, docker, and fail2ban, do insert their rules dynamically and co-operation is delicate. (I.e. it does not really work on special cases even with firewalld, on CentOS 7.)

kauer
Posts: 16
Joined: 2020/05/03 07:47:30

Re: firewalld - what's really going on?

Post by kauer » 2020/05/03 11:28:40

Thanks for the pointers. The referenced article (thanks, scottro) was an interesting read, but it doesn't discuss the nitty gritty at all. Thanks, jlehtone, for confirming my theory that while iptables was definitely under the hood in CentOS7, it is definitely NOT what's underneath firewalld in CentOS8.

Doesn't the "nf" in nf_tables stand for "netfilter"?

nft list ruleset certainly seems to produce a lot of promising detail. It does explain how firewalld is handling statefulness ("established, related" stuff), but I can't find a connection between the statefulness in the nft ruleset and the firewalld definitions.

There also doesn't seem to be any connection between the firewalld configuration and the outbound rules in nft. There is so little information about outbound rules and firewalld (read "none that I have found yet") that I am starting to wonder if firewalld even supports outbound rules. Other than as rich or direct rules, which is a bit of a cop-out.

I'm kinda getting the feeling that firewalld is not industrial strength yet. Maybe I just haven't googled hard enough.

Regards, K.

User avatar
jlehtone
Posts: 3044
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld - what's really going on?

Post by jlehtone » 2020/05/03 13:38:30

kauer wrote:
2020/05/03 11:28:40
Doesn't the "nf" in nf_tables stand for "netfilter"?
https://www.netfilter.org/
https://wiki.nftables.org/wiki-nftables ... /Main_Page

[EDIT] One more: https://developers.redhat.com/blog/2016 ... -nftables/ [/EDIT]

If you ask me, humans should not name things. Their ontology-fu is weak.
kauer wrote:
2020/05/03 11:28:40
There also doesn't seem to be any connection between the firewalld configuration and the outbound rules in nft. There is so little information about outbound rules and firewalld (read "none that I have found yet") that I am starting to wonder if firewalld even supports outbound rules.
The basic rules seem to be:
1. Allow everything out
2. Allow replies in and through
3. Allow some new stuff in
4. Allow through from/to some zones. Somehow???

Almost everything in firewalld that you can do trivially is about point 3.
Port forwarding (in point 4) has the convenience that your one instruction to firewalld does generate all the necessary nat and filter rules. The abstraction.

The rich rules are not so much cop-out, but then again they are "within zone".

The direct rules are indeed a cop-out; you could almost as well write everything yourself. In fact, a "plain router" can be short (and sweet?) in nftables:
https://wiki.gentoo.org/wiki/Nftables/Examples


If you need a firewall to block most incoming traffic on your desktop or a simple edge router (two subnets and sNAT), then firewalld seems to do. (I've never looked at its GUI.)
If you want to limit outgoing traffic and/or have a "real router" between multiple subnets, then you probably should already know what it takes under the hood and hence can cope without the hood too.

kauer
Posts: 16
Joined: 2020/05/03 07:47:30

Re: firewalld - what's really going on?

Post by kauer » 2020/05/03 14:14:05

If you want to limit outgoing traffic and/or have a "real router" between multiple subnets, then you probably should already know what it takes under the hood and hence can cope without the hood too.
That is becoming obvious :-(

I was hoping to get away without having to learn the not-very-friendly nf_tables configuration syntax. I can see why firewalld is needed to help tame nf_tables. Never thought I would consider iptables more human-friendly that something else :-) Plus I have well-tested working iptables code ready to go.

I guess firewalld will become more useful eventually. It's a nice framework.

Regards, K.

User avatar
TrevorH
Forum Moderator
Posts: 29490
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld - what's really going on?

Post by TrevorH » 2020/05/03 14:19:00

I guess firewalld will become more useful eventually. It's a nice framework.
Personally I disagree. It's some of the worst written software that I've ever come across. Its syntax is arcane and follows no rules. It doesn't use anything remotely obvious for any of its commands. It installs a bloated daemon that runs continuously for a task that isn't updated often enough to require something that does that. It's hideously over complicated and generally not fit for purpose.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

kauer
Posts: 16
Joined: 2020/05/03 07:47:30

Re: firewalld - what's really going on?

Post by kauer » 2020/05/03 14:42:37

Whoa! Well, I'm very new to CentOS8 generally and firewalld specifically. I didn't want to put the boot in too far as a newbie.

I found the abstraction reasonably straightforward,but I haven't had to dive too deep yet. BTW are you talking about firewalld or nf_tables? Or both?

Regards, K.

User avatar
jlehtone
Posts: 3044
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld - what's really going on?

Post by jlehtone » 2020/05/03 15:04:02

Trevor means the firewalld. CentOS 7 has it too, so there has been some years to learn about it.
kauer wrote:
2020/05/03 14:14:05
Plus I have well-tested working iptables code ready to go.
There is a tool to read your code and write equivalent nft rules:

Code: Select all

man iptables-translate
Found more about the under the hood: https://cilium.io/blog/2018/04/17/why-i ... -iptables/

1. netfilter code is still in the kernel. (RHEL-8 does not supply iptables-legacy. Fedora might.)
2. nftables code reuses some parts of netfilter code.
3. Both might get replaced with bpfilter.

Just imagine future of writing rules in legacy iptables-syntax so that iptables-nft will convert them to nft-syntax and some framework in kernel translates the result into actual BPF programs ...

Post Reply

Return to “CentOS 8 - Security Support”