36. Firewalls

Question 1

Learning Objectives

By the end of this chapter, you should be able to?

Answer 1

By the end of this chapter, you should be able to:

• Understand what firewalls are and why they are necessary.
• Know what tools are available both at the command line and using graphical interfaces.
• Discuss about firewalld and the firewall-cmd programs.
• Know how to work with zones, sources, services and ports.

Question 2

Firewalls

Almost all firewalls are based on ___.

Answer 2

Packet Filtering

Question 3

Packet Filtering

Information is transmitted​ across networks in the form of packets, and each one of these packets has these 3 componets?

Answer 3

• Header
• Payload
• Footer.

Question 4

Packet Filtering

The ___ and ___ contain information about destination and source addresses, what kind of packet it is, and which protocol it obeys, various flags, which packet number this is in a stream, and ​all sorts of other metadata about transmissions. The actual data is in the payload.

Answer 4

• header
• footer

Question 5

Firewall

___ ___ intercepts packets at one or more stages in the network transmission, including application, transport, network, and datalink.

Answer 5

​Packet filtering

Question 6

Firewall

A firewall establishes a set of rules by which each packet may be: (what are the 4 actions a firewall does to packets?)

Answer 6

• Accepted or rejected based on content, address, etc.​
• Mangled in some way
• Redirected to another address
• Inspected for security reasons, etc.

Question 7

Firewall Generations

What are the 3 firewall generations and how did they improve upon eachother?

Answer 7

• Early firewalls (dating back to the late 1980s) were based on packet filtering: the content of each network packet was inspected and was either dropped, rejected, or sent on. No consideration was given about the connection state: what stream of traffic the packet was part of.
• The next generation of firewalls were based on stateful filters, which also examine the connection state of the packet, to see if it is a new connection, ​part of an already existing one, or part of none. Denial of service attacks can bombard this kind of firewall to try and overwhelm it.
• The third generation of firewalls is called Application Layer Firewalls, and are aware of the kind of application and protocol the connection is using. They can block anything which should not be part of the normal flow.​

Question 8

Firewall Interfaces and Tools

What the 3 relatively low-level tools from the command line that are used to configure a systems firewall? combined with editing various configuration files in the /etc subdirectory tree.

Answer 8

• iptables
• firewall-cmd
• ufw

Question 9

Firewall Interfaces and Tools

What are 4 robust graphical interfaces to manage a systems firewall?

Answer 9

• system-config-firewall
• firewall-config
• gufw
• yast
• etc.

Question 10

Firewall

What are the reasons to work with lower-level tools firewall tools? What are the cons of using lower-level tools?

Answer 10

• They change less often than the graphical ones.
• They tend to have a larger set of capabilities.
• They vary little from distribution to distribution, while the GUIs tend to be quite different and each confined to only one family of distributions.

The disadvantage is they can seem more difficult to learn at first. In the following, we will concentrate on the use of the modern firewalld package, which includes both firewall-cmd and firewall-config. For distributions which don’t have it by default, it can be installed from source rather easily, as we will do if necessary in an exercise.

Question 11

Why We Are Not Working with iptables

Most firewall installations today are actually using the iptables package on the user side. This currently interfaces the same kernel firewall implementation code as firewalld, which we will discuss in more detail.

We have decided not to teach iptables because it requires much more time to get to useful functionality.

However, iptables is discussed in detail in the next course in the Linux Foundation system administrator sequence: LFS311 - Linux for System Engineers/LFS211 - Linux Networking and Administration.

Question 12

firewalld and firewall-cmd

What does firewalld (Dynamic Firewall Manager) utilizes?

Answer 12

It utilizes network/firewall zones which have defined levels of trust for network interfaces or connections. It supports both IPv4 and IPv6 protocols.

Question 13

firewalld and firewall-cmd

In addition, firewalld separates ___ and ___ changes to configuration, and also includes interfaces for ___ or ___ to add firewall rules.

Answer 13

• runtime
• permanent (persistent)
• services
• applications

Question 14

firewalld and firewall-cmd

Configuration files for firewalld are kept in ___ and ___; the files in ___ override those in the other directory and are the ones a system administrator should work on.

Answer 14

• /etc/firewalld
• /usr/lib/firewalld
• /etc/firewalld

Question 15

The command line tool is actually ___ to interact with firewalld which we will discuss.

Answer 15

• firewall-cmd

We recommend that before getting any further, you run:

$ firewall-cmd –help

…

which runs about 200 lines, so it is too long to include here.

However, you will see that almost all options are rather obvious as they are well-named. As a service, firewalld replaces the older iptables. It is an error to run both services, firewalld and iptables, at the same time.

Question 16

firewalld Service Status

firewalld is a? to be able to?

Answer 16

service which needs to be running to use and configure the firewall, and is enabled/disabled, or started or stopped in the usual way.

$ sudo systemctl [enable/disable] firewalld
$ sudo systemctl [start/stop] firewalld

Question 17

firewalld Service Status

What is the command to enable/disable the firewalld service?

Answer 17

$ sudo systemctl [enable/disable] firewalld

Question 18

firewalld Service Status

What is the command to start/stop firewalld service?

Answer 18

$ sudo systemctl [start/stop] firewalld

Question 19

firewalld Service Status

What are two ways to see the current state of firewalld?

Answer 19

• $ sudo systemctl status firewalld
• $ sudo firewall-cmd –state​

Question 20

firewalld Service Status

Note when using firewalld and if you have more than ___ network interface when using IPv4, you have to turn on ___ ___. You can do this at runtime by doing either of:

Answer 20

• one
• ip forwarding

Note that if you have more than one network interface when using IPv4, you have to turn on ip forwarding. You can do this at runtime by doing either of:

$ sudo sysctl net.ipv4.ip_forward=1
$ echo 1 > /proc/sys/net/ipv4/ip_forward

where the second command has to be run as root to get echo to work properly. However, this is not persistent. To do that, you have to add the following line to /etc/sysctl.conf:

net.ipv4.ip_forward=1

and then reboot or type:

$ sudo sysctl -p

to read in the new setting without rebooting.

Question 21

Zones

firewalld works with ___, each of which ___. Each interface belongs to a particular zone (normally, it is NetworkManager which informs firewalld which zone is applicable), but this can be changed with firewall-cmd or the firewall-config GUI.

Answer 21

• zones
• has a defined level of trust and a certain known behavior for incoming and outgoing packets

Question 22

Zones

What is a zone in terms of firewalls?

Answer 22

A single zone is a defined level of specified trust and a certain known behavior for incoming and outgoing packets

Question 23

Zones

What are the different types of firewall zones? (9)

Answer 23

• drop
• block
• public
• external
• dmz (Demilitarized Zone)
• work
• home
• internal
• trusted

Question 24

Zones

On system installation, most, if not all Linux distributions, will select the ___ firewall zone as default for all interfaces.

Answer 24

• public

Question 25

Zones

Define the drop firewall zone type?

Answer 25

All incoming packets are dropped with no reply. Only outgoing connections are permitted.

Question 26

Zones

Define the block firewall zone type?

Answer 26

• All incoming network connections are rejected. The only permitted connections are those from within the system.

Question 27

Zones

Define the public firewall zone type?

Answer 27

Do not trust any computers on the network; only certain consciously selected incoming connections are permitted.

Question 28

Zones

Define the external firewall zone type?

Answer 28

Used when masquerading is being used, such as in routers. Trust levels are the same as in public.

Question 29

Zones

Define the dmz (Demilitarized Zone) firewall zone type?

Answer 29

Used when access to some (but not all) services are to be allowed to the public. Only particular incoming connections are allowed.

Question 30

Zones

Define the work firewall zone type?

Answer 30

Trust (but not completely) connected nodes to be not harmful. Only certain incoming connections are allowed.

Question 31

Zones

Define the home firewall zone type?

Answer 31

You mostly trust the other network nodes, but still select which incoming connections are allowed.

Question 32

Zones

Define the internal firewall zone type?

Answer 32

Similar to the work zone.

Question 33

Zones

Define the trusted firewall zone type?

Answer 33

All network connections are allowed.

Question 34

Zones

The differences between some of the zones we mentioned are not obvious, and we do not need to go into that much detail here, but note that one should ___ a more open zone than necessary.

Answer 34

• not use

Question 35

Zone Management Examples

What is the command to see the options available for firewall-cmd:

Answer 35

$ firewall-cmd –help….
Zone Options
–get-default-zone Print default zone for connections and interfaces
–set-default-zone=
Set default zone
–get-active-zones Print currently active zones
–get-zones Print predefined zones [P]
–get-services Print predefined services [P}
–get-icmptypes Print predefined icmptypes [P]
–get-zone-of-interface=
Print name of the zone the interface is bound to [P]
–get-zone-of-source=[/]
Print name of the zone the source[/mask] is bound to [P]
–list-all-zones List everything added for or enabled in all zones [P]
–new-zone= Add a new zone [P only]
–delete-zone= Delete an existing zone [P only]
–zone= Use this zone to set or query options, else default zone
Usable for options marked with [Z]
–get-target Get the zone target [P] [Z]
–set-target=
Set the zone target [P] [Z]

Question 36

Zone Management Examples

What is the command to get the default zone?

Answer 36

$ sudo firewall-cmd –get-default-zone
public

Question 37

Zone Management Examples

What is the command to obtain a list of zones currently being used?

Answer 37

$ sudo firewall-cmd –get-active-zones

• public
  interfaces: eno16777736*

Question 38

Zone Management Examples

What is the command to list all available zones?

Answer 38

$ sudo firewall-cmd –get-zones
block dmz drop external home internal public trusted work

Question 39

Zone Management Examples

What is the command to change the default zone to trusted and then change it back?

Answer 39

$ sudo firewall-cmd –set-default-zone=trusted
success

$ sudo firewall-cmd –set-default-zone=public
success

Question 40

Zone Management Examples

What is the command to assign an interface temporarily to a particular zone?

Answer 40

$ sudo firewall-cmd –zone=internal –change-interface=eno1
success

Question 41

Zone Management Examples

What is the command to assign an interface to a particular zone permanently?

Answer 41

$ sudo firewall-cmd –permanent –zone=internal –change-interface=eno1
success

which creates the file /etc/firewalld/zones/internal.xml.

Question 42

Zone Management Examples

What is the command to ascertain the zone associated with a particular interface?

Answer 42

$ sudo firewall-cmd –get-zone-of-interface=eno1
public

Question 43

Zone Management Examples

What is the command to get all details about a particular zone?

Answer 43

$ sudo firewall-cmd –zone=public –list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno1
sources:
services: chromecast libvirt libvirt-tls nfs nfs3 rsyncd ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Question 44

Controlling firewalld is done through the firewall-cmd program. More detailed information can be obtained with what man command?

Answer 44

man firewalld-cmd

Question 45

Source Management

Any firewall zone can be bound not just to a ___, but also to particular ___.

Answer 45

• Network interface
• Network addresses

Question 46

Source Management

A packet is associated with a zone if?

Answer 46

• It comes from a source address already bound to the zone; or if not,
• It comes from an interface bound to the zone.

Any packet not fitting the above criteria is assigned to the default zone (i.e, usually public).

Question 47

Source Management

What is the command to assign a source ip of 192.168.1.0/24 to a trusted zone (permanently)

Answer 47

$ sudo firewall-cmd –permanent –zone=trusted –add-source=192.168.1.0/24
success

This says anyone with an IP address of 192.168.1.x will be added to the trusted zone.

Note that you can remove a previously assigned source from a zone by using the –remove-source option, or change the zone by using –change-source

If you leave out the –permanent option, you get only the current runtime behavior.

Question 48

Source Management

What is the command to list the sources bound to a zone with the source ip of 192.168.1.0/24?

Answer 48

$ sudo firewall-cmd –permanent –zone=trusted –list-sources 192.168.1.0/24

If you leave out the –permanent option, you get only the current runtime behavior.

Question 49

Firewall Service Management

So far, we have assigned particular interfaces and/or addresses to zones, but we haven’t delineated what services and ports should be accessible within a zone.

What is the command to see all the services available to apply a firewall to?

Answer 49

$ sudo firewall-cmd –get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

Question 50

Firewall Service Management

What is the command to see those currently accessible in a particular zone?

Answer 50

$ sudo firewall-cmd –list-services –zone=public
dhcpv6-client ssh

Question 51

Firewall Service Management

What is the command to add a service to a zone:

Answer 51

$ sudo firewall-cmd –permanent –zone=home –add-service=dhcp
success

$ sudo firewall-cmd –reload

The second command, with –reload, is needed to make the change effective. It is also possible to add new services by editing the files in /etc/firewalld/services.

Question 52

Firewall Port Management

Port management is very similar to service management.

What is the command to add a port to a firewall zone?

Answer 52

$ sudo firewall-cmd –zone=home –add-port=21/tcp
success

Question 53

Firewall Port Management

What is the command to list port opened in a specific firewall zone?

Answer 53

$ sudo firewall-cmd –zone=home –list-ports
21/tcp

where by looking at /etc/services we can ascertain that port 21 corresponds to ftp:

$ grep “ 21/tcp” /etc/services
ftp 21/tcp