FirewallD for VPS Hosting Server

Support for security such as Firewalls and securing linux
cypherxtr
Posts: 1
Joined: 2021/05/05 15:21:31

FirewallD for VPS Hosting Server

Post by cypherxtr » 2021/05/05 15:31:47

Hi all!

I'm new here and generally to firewalld, so I would greatly appreciate your help.

I know firewalld has a zone called cpanel.xml that allows all required cPanel ports to be opened, but... according to this list of ports https://docs.cpanel.net/knowledge-base/ ... p-firewall recommended open by cPanel

We have to open certain ports just for incoming connections and certain just for outgoing... on tcp or udp.

I was wondering, how can I create an xml file that contains more than just
<port protocol="tcp" port="20"/>

To be something like incoming port - tcp - port no but filter outgoing or
Outgoing - port - udp and tcp but filter incoming

?

Can you guys please list a few lines that will work within these xml files?

Cheers!
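For reference, here is what a complete firewalld zone file can contain. This is an added example and not cPanel's own cpanel.xml nor something posted in this thread; the service names are firewalld's built-in service definitions, ports 2083 and 2087 are the cPanel/WHM TLS ports from cPanel's port list, and the 203.0.113.0/24 admin range is a constructed placeholder. Everything a zone lists (services, ports, rich rules) is matched against incoming connections only; the zone format has no element for outgoing ports.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example zone file (added here, not from the thread).
     Install as /etc/firewalld/zones/cpanel-host.xml, then:
       firewall-cmd --reload
       firewall-cmd --permanent --zone=cpanel-host --change-interface=eth0
     Every entry below describes traffic arriving at this host. -->
<zone>
  <short>cpanel-host</short>
  <description>Inbound ports for a cPanel VPS (example)</description>

  <!-- Named services expand to the ports in /usr/lib/firewalld/services/*.xml -->
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="dns"/>

  <!-- Bare ports: one element per port (or range) and protocol -->
  <port protocol="tcp" port="20"/>
  <port protocol="tcp" port="21"/>
  <port protocol="tcp" port="49152-65534"/>   <!-- passive FTP data range; adjust to your FTP server -->
  <port protocol="tcp" port="2083"/>          <!-- cPanel over TLS -->

  <!-- Rich rule: WHM (2087/tcp) only from the admin network (constructed placeholder range) -->
  <rule family="ipv4">
    <source address="203.0.113.0/24"/>
    <port protocol="tcp" port="2087"/>
    <accept/>
  </rule>

  <!-- Anything not matched above falls through to the zone's default target
       (reject), which is the "everything else is rejected" behaviour. -->
</zone>
```

After `firewall-cmd --reload`, `firewall-cmd --zone=cpanel-host --list-all` shows the parsed result, which is the quickest way to catch a typo such as a missing `/>` in a port element.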

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: FirewallD for VPS Hosting Server

Post by TrevorH » 2021/05/05 16:09:32

One small correction: cpanel.xml is not supplied by firewalld, it must be supplied by cpanel.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: FirewallD for VPS Hosting Server

Post by jlehtone » 2021/05/05 19:18:10

cypherxtr wrote (2021/05/05 15:31:47):
We have to open certain ports just for incoming connections and certain just for outgoing... on tcp or udp.
The default ingress firewall setup in RHEL systems has been that:
1. Traffic within localhost is allowed
2. Related/established connections can continue
3. ICMP is allowed
4. Some services/ports (e.g. ssh) are allowed
5. Everything else is rejected

Then we adjust the "some services" list to cover necessary "incoming connections".

However, the default egress setup is to allow everything.
We obviously must allow replies to incoming connections, the related/established traffic.
The "allow all" covers all outgoing ports. When our process connects out, it will receive replies that the ingress rule #2 allows.


If you want to limit what in your machine can connect out, then you have to make the egress rules more similar to ingress rules.
Frankly, I would not use FirewallD for that. It might be possible, but it ain't trivial.
In el8 the alternative is nftables.service. The rules are perhaps more static and you need to know how to write them.
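To make the above concrete, here is an nftables ruleset that implements the five ingress defaults listed in this post and then applies the same shape to egress, so only listed outbound destinations and replies to inbound connections can leave the host. This is an added example and not from the thread or from any distribution's shipped ruleset; the inbound service ports (22, 80, 443) and the outbound allow list (DNS, HTTP/HTTPS, NTP, SMTP) are assumptions to be adjusted per host.

```nft
#!/usr/sbin/nft -f
# Example ruleset (added here, not from the thread).
# Install as /etc/nftables/main.nft, reference it with
#   include "/etc/nftables/main.nft"
# in /etc/sysconfig/nftables.conf, then: systemctl enable --now nftables
# Run either firewalld or nftables.service, never both: each flushes the other's rules.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept                               # 1. traffic within localhost
        ct state established,related accept           # 2. replies to connections we allowed
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept        # 3. ICMP
        tcp dport { 22, 80, 443 } accept               # 4. some services (assumed list)
        reject with icmpx type admin-prohibited       # 5. everything else is rejected
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    # Egress built the same way as ingress instead of "allow all".
    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept                               # localhost
        ct state established,related accept           # replies to inbound connections
        meta l4proto { icmp, ipv6-icmp } accept        # ICMP
        udp dport 53 accept                           # DNS (assumed allow list follows)
        tcp dport { 53, 80, 443 } accept               # DNS over TCP, package updates
        udp dport 123 accept                          # NTP
        tcp dport 25 accept                           # outbound mail

        # Log what gets blocked so a new outbound requirement shows up in the journal
        limit rate 5/minute log prefix "egress-drop: "
        reject with icmpx type admin-prohibited
    }
}
```

Check the file with `nft -c -f /etc/nftables/main.nft` before enabling the service, and keep an out-of-band console handy: a mistake in the output chain can cut off the SSH session you are working from, since its replies still match `established`, but a typo in input will not.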
