As a follow-up to my last post on the Linux desktop I thought I would write more about the firewall interface firewalld.
First, the good: it has a “panic mode” which blocks all network traffic in all directions. Pretty funny.
$ sudo firewall-cmd --panic-on
Now the bad... you essentially can’t tell what it’s doing.
I want a firewall that drops all packets inbound unless they are in response to an outbound packet, and logs the drop.
So I can take a look at the default firewall that Fedora ships with:
$ firewall-cmd --zone=FedoraWorkstation --list-all
FedoraWorkstation
  interfaces:
  sources:
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Is this default deny? Drop or reject? Any logging? Using iptables to print out the current rules (and nmap to confirm) shows that it is inserting a reject as the last rule in the INPUT chain. Great, how do we change that to a drop and log? Of course, none of the settings firewalld can modify directly for this zone will change it. It offers an odd interface to the chains directly (--direct) for additional rules, but no way to modify what it writes itself.
There are a number of decent documents that outline how to use firewalld within its limitations, this being one of the better: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7
This article outlines that the zone “drop” will drop all inbound traffic that isn’t part of a tracked connection. Funny that the man pages mention none of this, and the tool output doesn’t differentiate “drop” in any way from “block”. Also, there is no user-friendly way to enable logging of dropped packets.
$ sudo firewall-cmd --set-default-zone=drop
So in the name of improving user friendliness, Linux is again hurting functionality and configurability. Ugh. Of course, you can still switch it all back to the iptables way of functioning if you like. At this point, I’d highly recommend it.
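The rule set the post is asking for (drop all inbound unless it belongs to a connection we started, and log the drops), written directly in iptables as the author recommends; this is an added example, not code from the original post. It assumes firewalld has been stopped so it does not rewrite the chains, covers IPv4 only, and the `IPT=dry_run` switch, the loopback rule and the log rate limit are my additions rather than anything the post specifies.

```shell
# Default-deny inbound with logging, in plain iptables (added example).
# Assumes: firewalld is stopped (e.g. systemctl disable --now firewalld),
# iptables is installed, and you run this as root. IPv4 only; repeat with
# ip6tables for IPv6. Set IPT=dry_run to print the rules instead of applying.
IPT="${IPT:-iptables}"

# Prints the rule it is given instead of installing it.
dry_run() {
    printf '%s\n' "$*"
}

apply_input_policy() {
    # Flush only INPUT; OUTPUT and FORWARD are left alone.
    $IPT -F INPUT
    # Default deny: anything that falls off the end of the chain is dropped.
    $IPT -P INPUT DROP
    # Loopback must stay open or local daemons (resolver cache, cups, X) break.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections we initiated, plus RELATED traffic such as
    # ICMP errors for our own flows. This is the "in response to an
    # outbound packet" requirement from the post.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify are dropped without logging; they
    # are mostly noise (stray RSTs, late retransmits) and would flood logs.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Log what is about to be dropped. Rate-limited so a port scan cannot
    # fill the journal; the prefix makes the entries easy to grep for.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IN-DROP: " --log-level 4
    # Explicit terminal DROP so the result does not depend on the policy alone
    # (the policy is still set above in case a later rule is inserted).
    $IPT -A INPUT -j DROP
}

# Dry-run helper: returns the number of rules that would be appended to INPUT.
rule_count() {
    IPT=dry_run apply_input_policy | grep -c -- '-A INPUT'
}
```

Dropped packets show up in `journalctl -k` (or `dmesg`) with the `IN-DROP:` prefix, which is the logging the firewalld zone settings never exposed.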