firewalld

As a follow-up to my last post on the Linux desktop I thought I would write more about the firewall interface firewalld.

First I will share the good, it has a “panic mode” which blocks all network traffic in all directions.  Pretty funny.

$ sudo firewall-cmd --panic-on

Now the bad..  you essentially can’t tell what it’s doing.

I want a firewall that drops all packets inbound unless they are in response to an outbound packet, and logs the drop.

So I can take a look at the default firewall that Fedora ships with:

$ firewall-cmd --zone=FedoraWorkstation --list-all
 FedoraWorkstation
 interfaces:
 sources:
 services: dhcpv6-client samba-client ssh
 ports: 1025-65535/udp 1025-65535/tcp
 masquerade: no
 forward-ports:
 icmp-blocks:
 rich rules:

Is this default deny? Drop or reject? Any logging? Using iptables to print out the current rules (and nmap to confirm) shows that it is inserting a reject as the last rule in the INPUT chain. Great, how do we change that to a drop and log? Of course, none of the settings firewalld can modify directly for this zone will change it. It offers an odd interface to the chains directly (–direct) for additional rules, but not a way to modify what it writes.

There are a number of decent documents that outline how to use firewalld within its limitations, this being one of the better: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

This article outlines that the zone “drop” will drop all inbound that isn’t part of a tracked connection. Funny that the man pages mention none of this, and the tool output doesn’t differentiate “drop” in any way with “block”.  Also, there is no user-friendly way to enable logging of dropped packets.

$ sudo firewall-cmd --set-default-zone=drop

So in the goal of improving user friendliness, Linux again is hurting functionality and configurability.  Ugh.  Of course, you can still switch it all back to the iptables way of functioning if you like.  At this point, I’d highly recommend it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s