Firewalld Setup for Home based Computer

Support for security such as Firewalls and securing linux
Grenny
Posts: 3
Joined: 2020/11/26 05:45:02

Firewalld Setup for Home based Computer

Post by Grenny » 2020/11/26 05:55:55

I am wanting to use CentOS 8 for a home based computer (since CentOS 7 has been very stable for me on a non-networked computer) that will use the usual software like Firefox, software updates etc. Understanding iptables is well beyond my amateur ability to understand. Coming from an Ubuntu networked world I have been using UFW (Uncomplicated Firewall). With the command:

sudo ufw status verbose
I get the following response:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
Which I have checked with the Shields Up! website at:

https://www.grc.com
and have 'achieved a perfect TruStealth rating' with no response from any port.

I would like to reproduce this for my CentOS 8 based home computer. I have read a number of articles (please see citations, below) on configuring firewalld and have come up with the following procedure to get firewalld up and running for maximum protection:

1. Install the firewall, if necessary:

sudo yum install firewalld
(or should it be:

sudo dnf install firewalld
?)

2. Start the firewall:

sudo systemctl unmask firewalld
sudo systemctl start firewalld
3. Test firewall is running:

sudo firewall-cmd --state
I should get back 'running'

4. The default zone will likely be public:

sudo firewall-cmd --get-default-zone
5. List the interfaces that are controlled by the zone:

sudo firewall-cmd --get-active-zones
(assume it returns eth0, my network card)

6. I THINK I would like the default zone to be 'drop' to reproduce the UFW configuration, so I want to change the zone for eth0 to 'drop' permanently:

sudo firewall-cmd --set-default-zone=drop
7. Enable the firewall on system reboot:

systemctl enable firewalld
8. Reboot the system and test firewall is running:

sudo firewall-cmd --state
I should get back 'running'

9. The default zone SHOULD be 'drop':

sudo firewall-cmd --get-default-zone
10. The details of the default zone 'drop' are shown with:

firewall-cmd --list-all
And I assume it will show this (adapted from the home zone output given by DigitalOcean):

drop
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
I would like to test this on a live CentOS 7 version before committing CentOS 8 to my hard drive, but I'm assuming these commands would not differ between versions 7 and 8.

Can you tell me if these steps are correct? Thank you very much for reading such a long question.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld Setup for Home based Computer

Post by TrevorH » 2020/11/26 07:42:15

I have never used ufw but I have tried firewalld and I hate it.

You can find ufw in EPEL though...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld Setup for Home based Computer

Post by jlehtone » 2020/11/26 11:07:15

What is a "Home Computer"?
When it comes to networking, a machine is either directly a member of a "public" subnet or behind a router that does NAT and filters traffic.
Further, a machine is either just a member or also routes between subnets. (Firewalld is not suitable for a router.)

If your machine is behind a router that filters, then Shields Up! mostly tells about the router, not about your machine.


Firewalld is installed and enabled in CentOS 8 by default (even in minimal install). All you have to do is to tune the config.
If you do install UFW, then you have to disable firewalld.service.

Three built-in firewalld zones:

# sudo firewall-cmd --info-zone=drop
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# sudo firewall-cmd --info-zone=block
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

# sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Their differences are:

drop
  target: DROP
  services:

block
  target: %%REJECT%%
  services:

public
  target: default
  services: cockpit dhcpv6-client ssh
Does UFW's "deny" mean "DROP" or "REJECT"?

The DROP target simply discards packets. Anyone trying to open a TCP connection has to wait until the TCP timeout before they conclude that the destination does not exist. A full scan by a "Shields Up!"-like client can take a very long time.

The REJECT target immediately sends "icmpx type admin-prohibited" to the client so the client can stop waiting. It knows that your machine exists, but is not willing to talk.

The zone 'public' allows some incoming connections (to "services").

The "default" target means that the packets that do not match any rule of the zone are handled by "default rule".

# sudo nft -a list chain inet firewalld filter_INPUT
table inet firewalld {
        chain filter_INPUT { # handle 104
                type filter hook input priority filter + 10; policy accept;
                ct state { established, related } accept # handle 108
                ct status dnat accept # handle 109
                iifname "lo" accept # handle 110
                jump filter_INPUT_ZONES_SOURCE # handle 112
                jump filter_INPUT_ZONES # handle 114
                ct state { invalid } drop # handle 116
                reject with icmpx type admin-prohibited # handle 117
        }
}

# sudo nft -a list chain inet firewalld filter_INPUT_ZONES
table inet firewalld {
        chain filter_INPUT_ZONES { # handle 113
                goto filter_IN_public # handle 265
        }
}
In the default config the packets visit rules of zone 'public' behind the handle (rule) 114. It will handle connections to cockpit, dhcpv6-client, and sshd services.
All other packets are tested by rules 116 and 117 (if 116 does not match).

In other words, most incoming connections from both zone 'block' and 'public' will get the "I'm not talking to you!" ICMP reply.
The difference is that zone 'block' has a "reject with icmpx type admin-prohibited" rule and therefore nothing will reach rule 116 (nor 117).


Yes, the sudo firewall-cmd --set-default-zone=drop would change the rule 265 above.
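The zone semantics laid out above (DROP stays silent; %%REJECT%% and the "default" target both end in an admin-prohibited reply; anything listed under services or ports is reachable) as an added check script, not code from the thread or from firewalld: it parses `firewall-cmd --info-zone` output (a constructed sample mirroring the three zones shown, not a live capture) and reports whether a zone meets the original poster's "no response from any port" goal.

```python
# Constructed sample in the format of `firewall-cmd --info-zone=<zone>`, trimmed
# to the fields this check reads; "(active)" marks a zone bound to an interface.
SAMPLE_ZONES = """\
drop
  target: DROP
  services:
  ports:

block
  target: %%REJECT%%
  services:
  ports:

public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client ssh
  ports:
"""

def parse_zones(text):
    """Return {zone: {"active": bool, "target": [...], "services": [...], ...}}."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # zone header such as "public (active)"
            current = zones.setdefault(line.split()[0], {"active": "(active)" in line})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.split()  # "services: ssh cockpit" -> ["ssh", "cockpit"]
    return zones

def assess(zone):
    """What an unsolicited packet gets, and what the zone lets through."""
    target = (zone.get("target") or ["default"])[0]
    # %%REJECT%% answers admin-prohibited itself; "default" falls through to the
    # final "reject with icmpx type admin-prohibited" rule of filter_INPUT.
    # Only DROP stays silent, which is what a "stealth" scan result means.
    behaviour = "drop" if target == "DROP" else "reject"
    exposed = zone.get("services", []) + zone.get("ports", [])
    return {"behaviour": behaviour, "exposed": exposed,
            "stealth": behaviour == "drop" and not exposed}

def active_zones(zones):
    """Zones currently bound to an interface (what --get-active-zones lists)."""
    return sorted(name for name, zone in zones.items() if zone["active"])
```

On a real host, feed it the output of `firewall-cmd --info-zone=<zone>` for the zone `--get-active-zones` reports; a 'drop' zone to which a service or port has later been added is reported as not stealth.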

Grenny
Posts: 3
Joined: 2020/11/26 05:45:02

Re: Firewalld Setup for Home based Computer

Post by Grenny » 2020/11/26 18:16:34

'What is a "Home Computer"?'
I meant a non-server...most of the tutorials I've read assume one is setting up a server, requiring other machines to access it, but I do not want that.

'When it comes to networking, a machine is either directly member of "public" subnet or behind a router that does NAT and filters traffic.'
I assume that 'drop' is more private than the default 'public' though.

'(Firewalld is not suitable for a router.)'
So I shouldn't be using Firewalld?

'If your machine is behind a router that filters, then Shields Up! mostly tells about the router, not about your machine.'
I have an older router and can not guarantee that it has effective filtering and hence the desire for Firewalld.

Thank you for the help.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld Setup for Home based Computer

Post by jlehtone » 2020/11/26 21:47:26

Grenny wrote:
2020/11/26 18:16:34
I assume that 'drop' is more private than the default 'public' though.

So I shouldn't be using Firewalld?

I have an older router and can not guarantee that it has effective filtering and hence the desire for Firewalld.
It seems https://stackoverflow.com/questions/490 ... t-and-deny
that UFW 'deny' does use DROP. As said, an attacker can't then tell whether your machine exists. With REJECT, and hence the public zone, the machine clearly exists and is thus worth scanning for (more) open ports (of which public has a couple).
You don't want connections from anywhere, so you will choose either the 'drop' zone or the 'block' zone.

Your machine is not a router. Firewalld is probably the least-effort solution for you, because it will be available, up, and running from the start. It has a lot of bloat, but you won't be looking under its hood.

You have a router. A home router. Most likely with NAT (Network Address Translation). It will most likely block trivial attempts, but it is good practice to have "defence in depth"; to have a firewall in every device. The more locks a thief has to pick, the more tempting the less-locked neighbours start to look.

Grenny
Posts: 3
Joined: 2020/11/26 05:45:02

Re: Firewalld Setup for Home based Computer

Post by Grenny » 2020/11/27 00:47:57

Thank you for this additional information. I have a long way to go to understand the 'magical' art of networking and security and you've given me a lot to think about.
