Hello,
I am setting up firewalld on CentOS 7 and am not yet familiar with the process for setting rules. I would like to blanket deny internet access for all applications and processes. I would then add specific whitelist access rules for a small number of applications that require access.
Can someone point me to a write up on how to set up rules like this?
LMHmedchem
On Thu, Feb 13, 2020 at 03:55:15AM -0000, Lmh Medchem wrote:
> Hello,
> I am setting up firewalld on CentOS 7 and am not yet familiar with the process for setting rules. I would like to blanket deny internet access for all applications and processes. I would then add specific whitelist access rules for a small number of applications that require access.
Out of the box, all connections are part of the "default" zone (usually public zone). This allows the following incoming services; ssh, dhcpv6-client. Everything else is blocked.
> Can someone point me to a write up on how to set up rules like this?
You can get a deny ALL by default by changing the default zone to something like block or drop.
e.g.
firewall-cmd --set-default-zone=block
Keep in mind this will block ALL traffic until you explicitly add services/ports/etc. So you won't be able to ssh into the host. Best to do it when physically sitting at the host.
Hope that helps. Eric.
Thanks for the information. This is a workstation, so there should not be any traffic other than the browser, email client, and updates from the package manager. There should be no incoming connections allowed. The only allowed outgoing connections should be from firefox, seamonkey, and the package manager. This is how all of my windows computers are configured. There are specific exceptions like the print spooler being allowed to connect to the network printer at its specific local network IP.
I have made the drop zone the default and all of the services are checked as being part of the drop zone. This has made no difference in connectivity for any application that I can detect. From the documentation, this appears to only affect incoming connections. This firewall doesn't appear to support the functionality of blocking or allowing individual programs to access the internet.
Is that correct?
LMHmedchem
On Thu, Feb 13, 2020 at 09:47:13PM -0000, Lmh Medchem wrote:
> Thanks for the information. This is a workstation, so there should not be any traffic other than the browser, email client, and updates from the package manager. There should be no incoming connections allowed. The only allowed outgoing connections should be from firefox, seamonkey, and the package manager. This is how all of my windows computers are configured. There are specific exceptions like the print spooler being allowed to connect to the network printer at its specific local network IP.
> I have made the drop zone the default and all of the services are checked as being part of the drop zone. This has made no difference in connectivity for any application that I can detect. From the documentation, this appears to only affect incoming connections. This firewall doesn't appear to support the functionality of blocking or allowing individual programs to access the internet.
> Is that correct?
You are correct. firewalld does not have native support for OUTPUT filtering. Work is in progress [1]. In the mean time you could use --direct rules - see the firewall-cmd man page.
[1] https://github.com/orgs/firewalld/projects/1#card-25963208
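An added example, not from the thread, of what the --direct suggestion looks like in practice: a default-deny OUTPUT policy with an allowlist built from the iptables "owner" match. That match keys on the user a process runs as, not on the program, so the allowed applications (browser, mail client) must run under the listed accounts; the account names, the printer address 192.168.1.50 and the port lists are assumptions. Set FWCMD=echo to preview the commands without applying them.

```shell
#!/bin/sh
# Default-deny outbound filtering on CentOS 7 firewalld (iptables backend)
# using --direct rules on the IPv4 filter/OUTPUT chain. Example code, not
# part of firewalld or the thread. FWCMD=echo prints instead of applying.
FWCMD="${FWCMD:-firewall-cmd}"

direct_rule() {
    # $1 = priority (lower runs first), remaining args = iptables rule spec
    prio=$1; shift
    $FWCMD --permanent --direct --add-rule ipv4 filter OUTPUT "$prio" "$@"
}

setup_output_filter() {
    # Arguments: user accounts whose processes may reach the Internet
    # (assumption: firefox/seamonkey run as these users).
    # Loopback and replies to existing flows must stay open or everything breaks.
    direct_rule 0 -o lo -j ACCEPT
    direct_rule 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Name resolution for everyone; allowlisted apps need it too.
    direct_rule 1 -p udp --dport 53 -j ACCEPT
    direct_rule 1 -p tcp --dport 53 -j ACCEPT
    # Local exception like the print spooler in the thread: IPP to one
    # printer address (192.168.1.50 is a constructed value).
    direct_rule 1 -d 192.168.1.50 -p tcp --dport 631 -j ACCEPT
    # Allowlisted users: web plus IMAPS/SMTPS for the mail client (assumed ports).
    for u in "$@"; do
        direct_rule 2 -m owner --uid-owner "$u" -p tcp \
            -m multiport --dports 80,443,993,465 -j ACCEPT
    done
    # Package manager runs as root; limit it to the repo mirrors' HTTP(S).
    direct_rule 2 -m owner --uid-owner root -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Everything else: log (rate-limited) so blocked apps show up in
    # journalctl/dmesg, then reject so the app fails fast instead of hanging.
    direct_rule 9 -m limit --limit 5/min -j LOG --log-prefix "fw-out-denied: "
    direct_rule 10 -j REJECT --reject-with icmp-admin-prohibited
    $FWCMD --reload
}
```

The rules above cover IPv4 only; repeat them with `ipv6` as the family (and icmp6-adm-prohibited for the reject) if the workstation has IPv6 connectivity, and list the active set afterwards with `firewall-cmd --direct --get-all-rules`.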
firewalld-users@lists.stg.fedorahosted.org