Rob's web

Firewall

Firewalld

firewalld is a firewall management tool for Linux. It provides firewall features by acting as a front-end for the Linux kernel's netfilter framework via the nftables userspace utility (before v0.6.0 it used an iptables backend), and so is an alternative to driving the nft command line program directly. The name firewalld follows the Unix convention of naming system daemons by appending the letter "d".

Features

firewalld supports both IPv4 and IPv6 networks and can administer separate firewall zones with varying degrees of trust as defined in zone profiles. Administrators can configure NetworkManager to switch zones automatically based on known Wi-Fi (wireless) and Ethernet (wired) networks, but firewalld cannot do this on its own.

Services and applications can use the D-Bus interface to query and configure the firewall. firewalld supports timed rules: a rule added with --timeout=<seconds> is removed automatically when the time runs out, which is useful for temporary openings. Rich rules can also carry a limit element that caps how often a rule matches, but that cap is global for the rule. There is no support for counting hits per source IP and then rejecting that source, the common technique for limiting brute-force and distributed denial-of-service attacks; that job is left to fail2ban (below).

firewalld's command syntax is similar to but more verbose than other iptables front-ends like Ubuntu's Uncomplicated Firewall (ufw). The command-line interface allows managing firewall rulesets for protocol, ports, source and destination; or predefined services by name.

Services are defined as XML files containing port and protocol mappings, and optionally extra information such as destination addresses and the kernel connection-tracking helper modules the service needs. The bundled definitions live in /usr/lib/firewalld/services/; a file with the same name in /etc/firewalld/services/ overrides one of them, and new files there define your own services. A simple service file for a web server listening on TCP port 443 might look like this:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Web Server</short>
  <description>Public web host over HTTPS.</description>
  <port port="443" protocol="tcp"/>
</service>

On RHEL-family systems (RHEL, CentOS, Fedora) firewalld is installed and enabled by default. Check its state with:

# systemctl status firewalld

Starting

If it is not running, or not enabled to start at boot, enter on the command line:

# systemctl start firewalld
# systemctl enable firewalld

Never disable firewalld. If a rule blocks something you need, fix the rule instead of stopping the daemon: stopping it removes firewalld's rules and leaves the host unfiltered.

Adding services

# firewall-cmd --permanent --zone=public --add-service=<service>
# firewall-cmd --reload

<service> is the name of a bundled definition such as https or ssh (list them with firewall-cmd --get-services). --permanent only edits the saved configuration; the --reload is what makes the change active.

Adding firewall ports

# firewall-cmd --permanent --zone=public --add-port=<port>/<protocol>
# firewall-cmd --reload

For a range use --add-port=10080-10100/tcp. <protocol> is tcp, udp, sctp or dccp. Prefer a service definition (above) to a bare port where one exists: it documents what the port is for and keeps related ports together.

Closing ports

# firewall-cmd --permanent --zone=public --remove-port=<port>/<protocol>
# firewall-cmd --reload

Without --permanent the change applies only to the running firewall and is undone by the next --reload or reboot; with --permanent but without --reload it is saved but not yet active. The same pattern with --remove-service closes a service.
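The steps from Starting through Closing ports collected into one idempotent script. This is an added example, not code from this page or from the firewalld project. It assumes the public zone, the https service, the port range from the page and a stale 8080/tcp opening to remove; the DRY_RUN variable and the plan/apply subcommands are my own convention. Run it as `./fw-apply.sh plan` to see the commands, then `sudo ./fw-apply.sh apply`.

```sh
#!/bin/sh
# Added example (not from the page): apply firewalld changes in one go, with a dry-run mode.
# Assumptions (mine): zone "public", the service names and ports below, root when applied.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it
ZONE="${ZONE:-public}"

# Run a command, or only print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Accept PORT/PROTO or LOW-HIGH/PROTO with ports in 1..65535 and PROTO one of tcp udp sctp dccp.
# Rejects "443" (no protocol) and "443/icmp" (ICMP has no ports) before firewall-cmd sees them.
validate_port_spec() {
  spec="$1"
  ports="${spec%/*}"
  proto="${spec#*/}"
  [ "$ports" != "$spec" ] || return 1          # no slash at all
  case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  low="${ports%-*}"
  high="${ports#*-}"
  for p in "$low" "$high"; do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac # digits only
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$low" -le "$high" ]
}

open_service() { run firewall-cmd --permanent --zone="$ZONE" --add-service="$1"; }

open_port() {
  validate_port_spec "$1" || { echo "bad port spec: $1" >&2; return 1; }
  run firewall-cmd --permanent --zone="$ZONE" --add-port="$1"
}

close_port() {
  validate_port_spec "$1" || { echo "bad port spec: $1" >&2; return 1; }
  run firewall-cmd --permanent --zone="$ZONE" --remove-port="$1"
}

# The whole procedure. Re-running it is harmless: firewall-cmd only warns about
# ALREADY_ENABLED / NOT_ENABLED and exits 0.
apply_rules() {
  run systemctl enable --now firewalld           # start now and at boot (start + enable in one)
  open_service https                             # bundled service definition
  open_port 10080-10100/tcp                      # the range from the page
  close_port 8080/tcp                            # assumed stale opening we no longer want
  run firewall-cmd --reload                      # --permanent changes are inert until reloaded
  run firewall-cmd --zone="$ZONE" --list-all     # verify what the zone now exposes
}

case "${1:-}" in
  apply) apply_rules ;;
  plan)  DRY_RUN=1; apply_rules ;;
  *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

The validation step matters more than it looks: firewall-cmd accepts a surprising amount of garbage into the permanent configuration, and a typo there only surfaces at the next --reload.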

Exploring the Defaults

We can see which zone is currently selected as the default by typing:

# firewall-cmd --get-default-zone

Since we haven't told firewalld to deviate from the default zone, and none of our interfaces is bound to another zone, that zone is also the only "active" zone (a zone is active when an interface or source is assigned to it, and it then controls that traffic). We can verify that by typing:

# firewall-cmd --get-active-zones

How do we know which rules the default zone applies? Print its configuration by typing the following (add --zone=<name> to inspect a different zone, or use --list-all-zones to see every zone at once):

# firewall-cmd --list-all

Checking the firewall

Test from another device, not from the server itself: a scan of the server's own address from the server goes over the loopback interface and never meets the zone rules that apply to the real interface. Use a port scanner such as nmap (available for Windows, Linux and macOS); on Android and iPhone/iPad "Net Analyzer" can do a basic scan. Wireshark is a packet analyzer, not a scanner: it shows you the traffic on the wire but does not probe ports. Scan all ports, not just the ones you opened, so that a stray open port gets noticed.
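An external scan is the ground truth, but it is slow and needs a second machine. The script below is an added example, not from this page or the firewalld project: it reads the output of firewall-cmd --list-all (the Exploring the Defaults step) and reports every service, port or protocol the zone exposes that is not on an allow-list you give it, so drift is caught before the scan. The sample listing is constructed, not captured from a real host, and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the page): diff a zone's exposed services/ports against an allow-list.
set -eu

# Constructed sample of `firewall-cmd --zone=public --list-all` output (not from a real host).
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 10080-10100/tcp 8080/tcp
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# Print every exposed service name, port spec and protocol, one per line.
# forward-ports and rich rules are not parsed here; review those by eye.
exposed_items() {
  printf '%s\n' "$1" | awk '$1 ~ /^(services|ports|protocols):$/ { for (i = 2; i <= NF; i++) print $i }'
}

# Report exposed items that are missing from the allow-list; return 1 if there are any.
audit_zone() {
  listing="$1"
  allowed="$2"
  bad=0
  for item in $(exposed_items "$listing"); do
    found=0
    for ok in $allowed; do
      [ "$item" = "$ok" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      echo "UNEXPECTED: $item"
      bad=1
    fi
  done
  return "$bad"
}

case "${1:-}" in
  demo) audit_zone "$SAMPLE_LISTING" "ssh https 10080-10100/tcp" ;;
  live) audit_zone "$(firewall-cmd --zone="${ZONE:-public}" --list-all)" "${2:-}" ;;
  *)    echo "usage: $0 demo | live 'ssh https 10080-10100/tcp ...'" >&2 ;;
esac
```

On the constructed sample, `demo` reports cockpit, dhcpv6-client and 8080/tcp as unexpected and exits 1; the first two are there because the public zone ships with them on RHEL-family systems, which is exactly the kind of default this check is meant to surface.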

Which ports may a service use?

SELinux labels TCP and UDP ports with port types, and a confined service may only bind to ports whose type its policy allows (httpd to http_port_t, sshd to ssh_port_t, and so on). This is independent of the firewall: a port can be open in firewalld and still unusable because SELinux denies the bind.

To see the labels, enter:

# semanage port -l
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
.....
zookeeper_election_port_t      tcp      3888
zookeeper_leader_port_t        tcp      2888
zope_port_t                    tcp      8021

This listing shows labels, not listeners; to see what is actually listening right now, use ss -tulnp. A port that is not listed carries a generic catch-all label (unreserved_port_t for ports above 1023), and whether a confined service may bind to it depends on that service's policy: httpd, for instance, may only bind ports labelled http_port_t, so it is denied on an unlisted port even though firewalld allows the port. Give the port the type the service needs with semanage port, using -a when the port has only the catch-all label and -m when it is already listed under another specific type.
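An added example, not from this page or the SELinux tools: given semanage port -l output, it tells you which type covers a port and prints the semanage command that would relabel it for a service. The listing excerpt is constructed (the types and ranges are the usual defaults, but it was not captured from a real host) and the function names are mine. The narrowest-range rule models policy precedence: a specific entry wins over a catch-all range even though the catch-all sorts earlier in the listing.

```sh
#!/bin/sh
# Added example (not from the page): resolve a port's SELinux type and the relabel command.
set -eu

# Constructed excerpt in the format of `semanage port -l` (not captured from a real host).
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
transproxy_port_t              tcp      8081
unreserved_port_t              tcp      1024-32767, 61000-65535
unreserved_port_t              udp      1024-32767, 61000-65535
vnc_port_t                     tcp      5900-5999'

# Print the port type covering PROTO PORT; the narrowest matching entry wins so that a
# specific port beats a catch-all range. Prints nothing if no entry covers the port.
port_type() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    BEGIN { p = port + 0 }
    $2 == proto {
      for (i = 3; i <= NF; i++) {
        spec = $i
        sub(/,$/, "", spec)                  # entries are comma separated
        n = split(spec, r, "-")              # "80" or "5900-5999"
        lo = r[1] + 0
        hi = (n == 2) ? r[2] + 0 : lo
        if (p >= lo && p <= hi && (best == "" || hi - lo < bestw)) { best = $1; bestw = hi - lo }
      }
    }
    END { if (best != "") print best }'
}

# Print what to do so that PROTO PORT carries WANTED: nothing, `semanage port -a` when the port
# only has a generic catch-all label, or `semanage port -m` when it already belongs to another
# specific type (where -a would fail with "port already defined").
label_command() {
  listing="$1"; proto="$2"; port="$3"; wanted="$4"
  current=$(port_type "$listing" "$proto" "$port")
  case "$current" in
    "$wanted")
      echo "already labelled $wanted" ;;
    ""|unreserved_port_t|reserved_port_t|hi_reserved_port_t|ephemeral_port_t)
      echo "semanage port -a -t $wanted -p $proto $port" ;;
    *)
      echo "semanage port -m -t $wanted -p $proto $port" ;;
  esac
}

case "${1:-}" in
  demo) label_command "$SAMPLE_PORTS" tcp 8081 http_port_t ;;
  live) label_command "$(semanage port -l)" "$2" "$3" "$4" ;;
  *)    echo "usage: $0 demo | live PROTO PORT TYPE" >&2 ;;
esac
```

`demo` shows the trap the page's wording hides: 8081 is not "free" just because it is not obviously in use, it is labelled transproxy_port_t, so moving httpd there needs -m, not -a.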

Fail2ban

Fail2ban watches log files for repeated failures from one source address and bans that address for a period by inserting a firewall rule. It fills exactly the gap noted above: firewalld has no per-source hit counting of its own. Fail2ban works hand in hand with the firewall rather than replacing it, so install and enable both as separate security layers.

Setting up fail2ban
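The jail configuration below is an added example, not from this page or the fail2ban project documentation. It bans a source after five failed SSH logins within ten minutes, for one hour, and enforces the ban through firewalld rich rules so it lands in the firewall described above. The thresholds and the LAN range in ignoreip are assumptions; adjust them. Put it in /etc/fail2ban/jail.local, never in jail.conf, which package updates overwrite.

```ini
[DEFAULT]
; Bans are inserted as firewalld rich rules, so they live in the same firewall as the zone rules.
banaction = firewallcmd-rich-rules
; Assumed thresholds: five failures inside ten minutes earns a one-hour ban.
bantime  = 1h
findtime = 10m
maxretry = 5
; Assumed LAN range: never lock yourself out from your own network.
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24

[sshd]
enabled = true
```

After `systemctl enable --now fail2ban`, `fail2ban-client status sshd` shows the jail's current bans, and `firewall-cmd --list-rich-rules` shows the same bans from the firewall's side; if the two disagree, the banaction is not the one you think it is.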

Final

After you have added the firewall rules and tested them on your LAN, forward the ports for each service from your ISP router to your server.

Router

The safest setting for the router is when all inbound ports are stealthed, that is, unsolicited packets get no reply at all, not even a reset. You can check this from outside with ShieldsUP! at grc.com.

Forward only the ports that are actually needed, and prefer the TLS variant of a service over its plaintext one.

If possible, don't forward SSH at all: if the router has a built-in VPN server, connect to the VPN and reach the server over it. Never forward telnet; it is unencrypted.

Don't use the router's DMZ function for your server; it forwards every inbound port to that host, which defeats the whole exercise.

For mail, forward only the TLS client-access ports, IMAPS (993) and POP3S (995), not plain IMAP or POP3. The SMTP ports are a different matter: 25 (server-to-server delivery), 465 (submission over implicit TLS) and 587 (submission with STARTTLS) are all needed if the server both receives mail from the internet and accepts mail from your own clients.

Links