Does anyone have any thoughts on this?
- Friz
On Nov 28, 2014, at 21:41, Jason Frisvold xenophage@godshell.com wrote:
Greetings,
I'm working on setting up a shiny new CentOS 7.0 box and trying to wrap my head around firewalld. Generally speaking, firewalld is pretty straightforward for simple allow/deny, but I can't figure out how to handle the more complex rules I've been using. I'm hoping someone can point me in the right direction.
For starters, how do I create a simple spoofing filter? For my current firewalls, I check source and destination addresses, rejecting anything that isn't valid. For instance, reject anything sourced from RFC-1918 space that isn't in use in the network, reject anything destined for broadcast addresses, multicast, etc.
Next up, checking flags. Is this possible with firewalld? Part of my source address checking includes checks for invalid flags. For instance, TCP stealth scan checking:
# All of the bits are clear
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ALL NONE -j log-tcp-state
# Both SYN and FIN are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j log-tcp-state
# Both SYN and RST are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags SYN,RST SYN,RST -j log-tcp-state
# Both FIN and RST are set
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags FIN,RST FIN,RST -j log-tcp-state
# FIN bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,FIN FIN -j log-tcp-state
# PSH bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,PSH PSH -j log-tcp-state
# URG bit set, but no ACK
$IPTABLES -A tcp-state-flags -p tcp --tcp-flags ACK,URG URG -j log-tcp-state
And finally, ordering. I currently use individual chains for organization of rulesets. Management chains cover all of the rules allowing management tools access to the server, chains for source and destination checks, and a special chain for dropping known spammer/attacker IPs. Again, it doesn't appear that firewalld handles this yet. Am I missing something?
I'd like to use firewalld if that's the intended standard, but I don't want to compromise the ruleset I've built to do so. Can firewalld handle what I want to throw at it, or should I stick with iptables for now?
Thanks,
--
Jason 'XenoPhage' Frisvold xenophage@godshell.com
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
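Added example, not part of the thread and not firewalld project code: the three things asked for above (anti-spoofing checks, the TCP flag checks, and one chain per concern) expressed through firewalld's direct interface, which hands its arguments to iptables unchanged. Rich rules can drop by source address but have no TCP flag match, so everything here goes through firewall-cmd --direct. Assumptions not stated in the post: the only RFC 1918 block legitimately in use is 192.168.1.0/24, and the two blocklist entries are TEST-NET placeholders. Running the script with "print", or with FWCMD=echo, shows the firewall-cmd invocations without touching the box.

```shell
#!/bin/sh
# Added example (not from the thread): the poster's anti-spoofing, TCP-flag
# and chain-per-purpose layout through firewalld's direct interface.
# Usage on the box:  sh fw-direct.sh apply     (writes permanent config, reloads)
#                    sh fw-direct.sh print     (only prints the commands)

FWCMD="${FWCMD:-firewall-cmd}"
USED_PRIVATE="${USED_PRIVATE:-192.168.1.0/24}"            # assumption, not from the post
BLOCKLIST="${BLOCKLIST:-198.51.100.7 203.0.113.0/24}"     # placeholder TEST-NET addresses

# Every rule goes to the permanent configuration; --reload activates it.
direct() { $FWCMD --permanent --direct "$@"; }

add_chains() {
    # Same organisation as the iptables ruleset: one chain per concern.
    for chain in spoof-check tcp-state-flags log-tcp-state blocklist; do
        direct --add-chain ipv4 filter "$chain"
    done
}

add_spoof_rules() {
    # Priority 0 is evaluated before 1, so the private block really in use
    # RETURNs before the catch-all drops for RFC 1918 and loopback sources.
    direct --add-rule ipv4 filter spoof-check 0 -s "$USED_PRIVATE" -j RETURN
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        direct --add-rule ipv4 filter spoof-check 1 -s "$net" -j DROP
    done
    # Nothing the host serves is addressed to multicast or a broadcast address.
    direct --add-rule ipv4 filter spoof-check 1 -d 224.0.0.0/4 -j DROP
    direct --add-rule ipv4 filter spoof-check 1 -m addrtype --dst-type BROADCAST -j DROP
}

add_tcp_flag_rules() {
    # log-tcp-state: log first (priority 0), then drop (priority 1).
    direct --add-rule ipv4 filter log-tcp-state 0 -j LOG --log-prefix "TCP-STATE: " --log-level 4
    direct --add-rule ipv4 filter log-tcp-state 1 -j DROP
    # "mask set" pairs a legitimate TCP stack never sends; the same list as the
    # iptables rules in the post.  $spec is word-split on purpose.
    for spec in "ALL NONE" "SYN,FIN SYN,FIN" "SYN,RST SYN,RST" "FIN,RST FIN,RST" \
                "ACK,FIN FIN" "ACK,PSH PSH" "ACK,URG URG"; do
        direct --add-rule ipv4 filter tcp-state-flags 0 -p tcp --tcp-flags $spec -j log-tcp-state
    done
}

add_blocklist_rules() {
    # Known spammer/attacker addresses, one DROP each.
    for ip in $BLOCKLIST; do
        direct --add-rule ipv4 filter blocklist 0 -s "$ip" -j DROP
    done
}

hook_into_input() {
    # Rules added to "INPUT" land in firewalld's INPUT_direct chain.  On
    # CentOS 7 that chain is reached after the ESTABLISHED/RELATED accept and
    # before the zone rules, so these checks see only new or stray packets.
    direct --add-rule ipv4 filter INPUT 0 -j spoof-check
    direct --add-rule ipv4 filter INPUT 1 -j blocklist
    direct --add-rule ipv4 filter INPUT 2 -p tcp -j tcp-state-flags
}

apply_all() {
    add_chains
    add_spoof_rules
    add_tcp_flag_rules
    add_blocklist_rules
    hook_into_input
}

case "${1:-}" in
    apply) apply_all && $FWCMD --reload ;;
    print) FWCMD=echo apply_all ;;
esac
```

After a reload, firewall-cmd --direct --get-all-rules lists what was installed, and iptables -L spoof-check -n -v shows the counters climbing if anything spoofed arrives. The caveat to keep in mind is that direct rules are not zone-aware: they apply to every interface, which is why the in-use private block is whitelisted by address rather than by interface. Dropping all of 224.0.0.0/4 also silences mDNS, OSPF and similar protocols, which matches the post's intent but should be deliberate.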