Hi all!
I'm new here and generally to firewalld, so I would greatly appreciate your help.
I know firewalld has a zone called cpanel.xml that allows all required cpanel ports to be opened, but... according to this list of ports https://docs.cpanel.net/knowledge-base/ ... p-firewall recommended open by cPanel
We have to open certain ports just for incoming connections and certain just for outgoing... on tcp or udp.
I was wondering, how can I create an xml file that contains more than just
<port protocol="tcp" port="20"/>
To be something like incoming port - tcp - port no but filter outgoing or
Outgoing - port - udp and tcp but filter incoming
?
Can you please guys list a few lines that will work within these xml files?
Cheers!
FirewallD for VPS Hosting Server
Re: FirewallD for VPS Hosting Server
One small correction: cpanel.xml is not supplied by firewalld, it must be supplied by cpanel.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: FirewallD for VPS Hosting Server
The default ingress firewall setup in RHEL systems has been that:
1. Traffic within localhost is allowed
2. Related/established connections can continue
3. ICMP is allowed
4. Some services/ports (e.g. ssh) are allowed
5. Everything else is rejected
Then we adjust the "some services" list to cover necessary "incoming connections".
However, the default egress setup is to allow everything.
We obviously must allow replies to incoming connections, the related/established traffic.
The "allow all" covers all outgoing ports. When our process connects out, it will receive replies that the ingress rule #2 allows.
If you want to limit what in your machine can connect out, then you have to make the egress rules more similar to ingress rules.
Frankly, I would not use FirewallD for that. It might be possible, but it ain't trivial.
In el8 the alternative is nftables.service. The rules are perhaps more static and you need to know how to write them.
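As an added illustration (not from the thread, and not cpanel's or firewalld's own files), the nftables.service ruleset below writes out the five-step default ingress behaviour listed above and adds an egress chain that is default-deny instead of allow-all, which is what the original question was after; the port numbers and set names are assumptions chosen for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: an /etc/nftables.conf-style ruleset for
# nftables.service. Ingress mirrors the RHEL default described in the reply;
# egress is restricted instead of "allow all". Ports and set names are
# assumptions for illustration, not a cPanel port list.
flush ruleset

table inet filter {
    set allowed_in_tcp {
        type inet_service
        elements = { 22, 80, 443 }     # assumption: ssh, http, https
    }
    set allowed_out_tcp {
        type inet_service
        elements = { 53, 80, 443 }     # assumption: DNS over TCP, http, https
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept                              # 1. traffic within localhost
        ct state established,related accept         # 2. related/established continues
        ct state invalid drop
        ip protocol icmp accept                      # 3. ICMP allowed
        ip6 nexthdr icmpv6 accept
        tcp dport @allowed_in_tcp accept             # 4. the "some services" list
        reject with icmpx type port-unreachable      # 5. everything else rejected
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept         # replies to incoming connections
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        udp dport { 53, 123 } accept                 # assumption: DNS, NTP
        tcp dport @allowed_out_tcp accept
        log prefix "egress-reject " reject with icmpx type admin-prohibited
    }
}
```

Load it with `nft -c -f /etc/nftables.conf` first to syntax-check, and keep only one of firewalld and nftables.service enabled, since both managing the same hooks gives unpredictable results.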