Firewalld concept.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Firewalld concept.

Post by hack3rcon » 2019/01/06 12:20:55

Hello.
Can anyone introduce a good manual for learn Firewalld?
In below commands what does "INPUT_direct" mean? How about numbers?

Code:

# firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 2 -p tcp --dport 22 -m state --state NEW -m recent --set
# firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 3 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset
Thank you.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Firewalld concept.

Post by hunter86_bg » 2019/01/06 13:56:21

Just a warning.
Try to avoid direct rules if possible.
As per my knowledge, you want to protect yourself from DDoS, right?

Maybe you should check epel for 'fail2ban-firewalld'.
Also, you can use rich rules to prevent bruteforcing by setting limits of established connections.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Firewalld concept.

Post by hack3rcon » 2019/01/06 19:41:49

hunter86_bg wrote (2019/01/06 13:56:21):
Just a warning.
Try to avoid direct rules if possible.
As per my knowledge, you want to protect yourself from DDoS, right?

Maybe you should check epel for 'fail2ban-firewalld'.
Also, you can use rich rules to prevent bruteforcing by setting limits of established connections.
Thank you.
Can you tell me why to avoid "direct"? What does it mean?
What does "rich rule" mean? I just copied and pasted the above commands from a website.
How about "INPUT_direct"? What is it?
Can I define a time to release banned IP?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Firewalld concept.

Post by hunter86_bg » 2019/01/07 07:29:04

Direct rule: a rule that will be processed before any other, and you do not have control over which one is first. Direct rules were created as firewalld is still limited and cannot create all iptables alternatives.
Rich rules are advanced rules in firewalld (see man firewalld.richlanguage).
About unblocking a blocked IP: I'm not sure; you have to check fail2ban's abilities.

Most of the systems I support are always behind a corporate firewall, so I don't have to worry about that stuff.

hack3rcon
Posts: 757
Joined: 2014/11/24 11:04:37

Re: Firewalld concept.

Post by hack3rcon » 2019/01/07 08:15:29

hunter86_bg wrote (2019/01/07 07:29:04):
Direct rule: a rule that will be processed before any other, and you do not have control over which one is first. Direct rules were created as firewalld is still limited and cannot create all iptables alternatives.
Rich rules are advanced rules in firewalld (see man firewalld.richlanguage).
About unblocking a blocked IP: I'm not sure; you have to check fail2ban's abilities.

Most of the systems I support are always behind a corporate firewall, so I don't have to worry about that stuff.
Thank you.
What is the good version of the above lines?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Firewalld concept.

Post by jlehtone » 2019/01/07 14:31:00

hack3rcon wrote (2019/01/06 12:20:55):
In below commands what does "INPUT_direct" mean? How about numbers?

man firewall-cmd wrote:
[--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
Add a rule with the arguments args to chain chain in table table with priority priority.

The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following.
Based on that, the "INPUT_direct" is the name of a chain.

hack3rcon wrote (2019/01/07 08:15:29):
What is the good version of above lines?

Code:

yum install fail2ban fail2ban-systemd
man fail2ban
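To make the man-page quote concrete, here is an added Python example (not code from the thread, from firewalld or from iptables) that parses the two `--direct --add-rule` commands from the first post into table, chain, priority and arguments, orders them the way the `INPUT_direct` chain evaluates them (lower priority number first), and then replays a constructed list of NEW SSH connections through the two `-m recent` rules to show what they actually do: the source is recorded at priority 2, and at priority 3 a source with four or more recorded hits in the last 30 seconds gets a TCP reset. The sample addresses and timestamps are constructed; the per-source bookkeeping is a simplified model of the kernel's `recent` list, not its implementation.

```python
import re
from dataclasses import dataclass

# The two direct rules from the first post, root prompt stripped, listed in
# reverse so the priority ordering below has something to do.
OP_RULES = [
    "firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 3 -p tcp --dport 22 "
    "-m state --state NEW -m recent --update --seconds 30 --hitcount 4 -j REJECT --reject-with tcp-reset",
    "firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 2 -p tcp --dport 22 "
    "-m state --state NEW -m recent --set",
]

# Shape from the man page: --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
DIRECT_RE = re.compile(
    r"--direct\s+--add-rule\s+(?P<family>ipv4|ipv6|eb)\s+(?P<table>\S+)\s+"
    r"(?P<chain>\S+)\s+(?P<priority>\d+)\s+(?P<args>.+)$"
)


@dataclass
class DirectRule:
    family: str
    table: str
    chain: str
    priority: int
    args: str


def parse_direct_rule(cmd: str) -> DirectRule:
    """Split a firewall-cmd --direct --add-rule command into its positional parts."""
    m = DIRECT_RE.search(cmd.strip())
    if m is None:
        raise ValueError(f"not a --direct --add-rule command: {cmd!r}")
    return DirectRule(m["family"], m["table"], m["chain"], int(m["priority"]), m["args"])


def evaluation_order(cmds):
    """Order rules as the chain evaluates them: lowest priority number first.
    Rules sharing a priority have no fixed relative order (man page), so give
    rules distinct numbers whenever their order matters, as the OP's 2 and 3 do."""
    return sorted((parse_direct_rule(c) for c in cmds), key=lambda r: r.priority)


# Parameters of the 'recent' match in the priority-3 rule.
WINDOW_SECONDS = 30
HITCOUNT = 4
RECENT_TABLE_SIZE = 20  # kernel default ip_pkt_list_tot: timestamps kept per source


def simulate_new_ssh_connections(attempts):
    """Replay NEW SSH connections given as (t_seconds, src_ip) through both rules.
    Verdict 'REJECT' comes from the priority-3 rule; 'continue' means neither
    direct rule decided and the packet falls through to the normal zone rules."""
    seen = {}  # src_ip -> timestamps recorded by '-m recent --set'
    verdicts = []
    for t, ip in attempts:
        # Priority 2: '--set' records this source and timestamp (this packet counts too).
        stamps = seen.setdefault(ip, [])
        stamps.append(t)
        del stamps[:-RECENT_TABLE_SIZE]
        # Priority 3: '--update --seconds 30 --hitcount 4' matches when this source has
        # at least 4 recorded hits within the last 30 s; the target is then REJECT.
        recent_hits = [s for s in stamps if t - s <= WINDOW_SECONDS]
        verdicts.append((t, ip, "REJECT" if len(recent_hits) >= HITCOUNT else "continue"))
    return verdicts


if __name__ == "__main__":
    for r in evaluation_order(OP_RULES):
        print(f"{r.table}/{r.chain} priority {r.priority}: {r.args}")
    # Constructed sample: one host retries quickly, another host connects once.
    sample = [(0, "10.0.0.5"), (5, "10.0.0.5"), (10, "10.0.0.5"),
              (12, "10.0.0.9"), (15, "10.0.0.5"), (50, "10.0.0.5")]
    for t, ip, v in simulate_new_ssh_connections(sample):
        print(f"t={t:>3}s {ip:<10} {v}")
```

The replay shows two properties worth knowing before copying such rules: the counter is per source address (the second host is unaffected by the first host's retries), and a rejected source is not banned for a fixed time, it simply has to stay quiet until fewer than four of its hits fall inside the 30-second window, which answers the question about releasing a banned IP for this particular mechanism.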

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Firewalld concept.

Post by hunter86_bg » 2019/01/07 15:45:00

My knowledge of iptables is quite limited, but it seems that the second rule is just limiting the rate of connections to the ssh daemon.
I think that you can use:

Code:

firewall-cmd --zone=myzone --timeout=300 --add-rich-rule='rule family="ipv4" service name="ssh" log prefix="ssh" level="notice" limit value="8/m" accept limit value="8/m"' && firewall-cmd --zone=myzone --timeout=300 --remove-service=ssh
If the rules are bad, they will be invalidated in 5 min.
Once you verify that the rule is OK, remove the '--timeout=300' and create the same rules with the '--permanent' flag and reload.

Don't forget to reload after finishing your tasks and always verify the firewall from another system.
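Before making a rule like the one above permanent, it helps to understand what `accept limit value="8/m"` does. This is an added Python example, not code from the thread or from firewalld: it replays a constructed list of NEW SSH connections through a model of the rich rule's accept limit. firewalld implements that limit with the iptables `limit` match (an nftables `limit rate` on newer releases), which is one token bucket shared by every source hitting the rule and has a burst of 5 by default; the bucket arithmetic here is an approximation of that match, and the addresses and timestamps are constructed.

```python
# Model of firewalld's rich-rule 'accept limit value="8/m"'. It maps to an
# iptables '-m limit --limit 8/m' match: one bucket for the whole rule (not one
# per source) that holds at most 'burst' tokens and refills at the stated rate.
RATE_PER_MINUTE = 8
BURST = 5  # iptables --limit-burst default, which firewalld does not override


def simulate_rate_limited_accept(attempts, rate_per_minute=RATE_PER_MINUTE, burst=BURST):
    """Replay NEW SSH connections given as (t_seconds, src_ip), sorted by time.
    'accept' means the limit match still had a token, so the rule accepted the
    packet. 'fall through' means the rule did not match; with ssh removed from
    the zone's services, as the post suggests, the zone default then rejects it."""
    refill_interval = 60.0 / rate_per_minute  # seconds per token
    tokens = float(burst)  # the bucket starts full
    last_t = None
    verdicts = []
    for t, ip in attempts:
        if last_t is not None:
            # Tokens accrue with elapsed time, capped at the burst size.
            tokens = min(float(burst), tokens + (t - last_t) / refill_interval)
        last_t = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append((t, ip, "accept"))
        else:
            verdicts.append((t, ip, "fall through"))
    return verdicts


def sources_that_fell_through(verdicts):
    """Which source addresses had at least one connection refused by the limit."""
    return sorted({ip for _, ip, v in verdicts if v == "fall through"})


if __name__ == "__main__":
    # Constructed sample: one host hammers the port once a second while an
    # administrator at 192.0.2.10 (documentation range) tries to log in at 6.5 s,
    # then again at 30 s after things have calmed down.
    sample = [(0, "10.0.0.5"), (1, "10.0.0.5"), (2, "10.0.0.5"), (3, "10.0.0.5"),
              (4, "10.0.0.5"), (5, "10.0.0.5"), (6, "10.0.0.5"), (6.5, "192.0.2.10"),
              (7, "10.0.0.5"), (30, "192.0.2.10")]
    result = simulate_rate_limited_accept(sample)
    for t, ip, v in result:
        print(f"t={t:>5}s {ip:<11} {v}")
    print("refused at least once:", sources_that_fell_through(result))
```

The replay makes the trade-off visible: the burst absorbs the first five connections, after that only one new connection every 7.5 seconds gets through, and because the bucket is shared, the administrator's attempt at 6.5 s is refused along with the noisy host's. A rule of this shape protects the daemon from being flooded, but a single busy source can keep everyone else out, which is the argument for pairing it with a per-source mechanism such as fail2ban rather than relying on the global limit alone.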
