<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="https://purl.org/dc/elements/1.1/" xmlns:content="https://purl.org/rss/1.0/modules/content/" xmlns:foaf="https://xmlns.com/foaf/0.1/" xmlns:og="https://ogp.me/ns#" xmlns:rdfs="https://www.w3.org/2000/01/rdf-schema#" xmlns:schema="https://schema.org/" xmlns:sioc="https://rdfs.org/sioc/ns#" xmlns:sioct="https://rdfs.org/sioc/types#" xmlns:skos="https://www.w3.org/2004/02/skos/core#" xmlns:xsd="https://www.w3.org/2001/XMLSchema#" version="2.0" xml:base="https://www.linuxjournal.com/tag/firewalls">
  <channel>
    <title>Firewalls</title>
    <link>https://www.linuxjournal.com/tag/firewalls</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>Understanding Firewalld in Multi-Zone Configurations</title>
  <link>https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations</link>
  <description>  &lt;div data-history-node-id="1339272" class="layout layout--onecol"&gt;
    &lt;div class="layout__region layout__region--content"&gt;
      
            &lt;div class="field field--name-field-node-image field--type-image field--label-hidden field--item"&gt;  &lt;img src="https://www.linuxjournal.com/sites/default/files/nodeimage/story/firewall-29503_640.png" width="500" height="493" alt="""" typeof="foaf:Image" class="img-responsive" /&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-author field--type-ds field--label-hidden field--item"&gt;by &lt;a title="View user profile." href="https://www.linuxjournal.com/users/nathan-vance-0" lang="" about="https://www.linuxjournal.com/users/nathan-vance-0" typeof="schema:Person" property="schema:name" datatype="" xml:lang=""&gt;Nathan Vance&lt;/a&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-body field--type-text-with-summary field--label-hidden field--item"&gt;&lt;p&gt;
Stories of compromised servers and data theft fill today's news. It
isn't difficult for someone who has read an informative blog post to
access a system via a misconfigured service, take advantage of a recently
exposed vulnerability or gain control using a stolen password. Any of
the many internet services found on a typical Linux server could harbor
a vulnerability that grants unauthorized access to the system.
&lt;/p&gt;

&lt;p&gt;
Since it's an impossible task to harden a system at the application level
against every possible threat, firewalls provide security by limiting
access to a system. Firewalls filter incoming packets based on their
IP of origin, their destination port and their protocol. This way,
only a few IP/port/protocol combinations interact with the system,
and the rest do not.
&lt;/p&gt;

&lt;p&gt;
Linux firewalls are handled by netfilter, which is a kernel-level
framework. For more than a decade, iptables has provided the userland
abstraction layer for netfilter. iptables subjects packets to a gauntlet
of rules, and if the IP/port/protocol combination of a rule matches
the packet, that rule is applied, causing the packet to be accepted,
rejected or dropped.
&lt;/p&gt;

&lt;p&gt;
Firewalld is a newer userland abstraction layer for
netfilter. Unfortunately, its power and flexibility are underappreciated
due to a lack of documentation describing multi-zoned configurations. This
article provides examples to remedy this situation.
&lt;/p&gt;

&lt;h3&gt;
Firewalld Design Goals&lt;/h3&gt;

&lt;p&gt;
The designers of firewalld realized that most iptables use cases involve
only a few unique IP sources, for each of which a whitelist of services
is allowed and the rest are denied. To take advantage of this pattern,
firewalld categorizes incoming traffic into zones defined by the source
IP and/or network interface. Each zone has its own configuration to
accept or deny packets based on specified criteria.
&lt;/p&gt;

&lt;p&gt;
Another improvement over iptables is a simplified
syntax. Firewalld makes it easier to
specify services by using the name of the service rather than its port(s) and
protocol(s)—for example, samba rather than UDP ports 137 and 138 and TCP ports 139 and
445. It further simplifies syntax by removing the dependence on the order of
statements that iptables requires.
&lt;/p&gt;

&lt;p&gt;
Finally, firewalld enables the interactive modification of netfilter, allowing a change
in the firewall to occur independently of the permanent configuration stored in XML.
Thus, the following is a temporary modification that will be overwritten by the next
reload:

&lt;/p&gt;&lt;pre&gt;
&lt;code&gt;
# firewall-cmd &lt;some modification&gt;
&lt;/code&gt;
&lt;/pre&gt;


&lt;p&gt;
And, the following is a permanent change that persists across reboots:

&lt;/p&gt;&lt;/div&gt;
      
            &lt;div class="field field--name-node-link field--type-ds field--label-hidden field--item"&gt;  &lt;a href="https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations" hreflang="und"&gt;Go to Full Article&lt;/a&gt;
&lt;/div&gt;
      
    &lt;/div&gt;
  &lt;/div&gt;

</description>
  <pubDate>Thu, 02 Feb 2017 12:27:17 +0000</pubDate>
    <dc:creator>Nathan Vance</dc:creator>
    <guid isPermaLink="false">1339272 at https://www.linuxjournal.com</guid>
    </item>

  </channel>
</rss>
