I need some help/guidance with firewalld and I can't seem to get an
account set up on the Fedora site where it appears that the main
newsgroup for supporting firewalld is being hosted. (at least according
to my Google research) I am getting requests from small businesses,
homeowners, and me myself and I to find a solution for handling modern
day Internet of Things "IoT" (devices that connect to the internet)
thingies that range from security cameras to robot vacuum cleaners to
Fitbit wrist monitors etc... To handle all these wonderful thingy
dingys I thought the best approach would be to relegate them to their
own subnet and manage them at a firewall. That way I thought I could
monitor and if necessary keep ET from phoning home and sending data to
parties unknown (i.e security cameras with firmware made in China for
example, and yeah call me paranoid if it helps). AND I can keep these
thingies from bogging down my other networks of computers doing "real"
work and keeping them secured from these widgets as well. Towards this
goal I am setting up a second wireless/wired network to be used by these
devices and connecting it to a second NIC interface on one of my
computers. I then created a firewalld "zone" for that interface. And
yeah I will also set up a dhcpd (and assign static IP addresses based on
MAC addresses) and even a DNS server for these thingies to use, if
necessary.
Before I ask how to do what I want with firewalld, perhaps I should
express what I think the firewalld model of an interface is, because I
have found a lot of inconsistencies in articles on the internet that try
to explain things. I think when talking about incoming or outgoing
connections I will use the host computer that firewalld is running on as
the reference point (and not the network in which the host and its
interface is part of). So incoming means packets coming in to the host,
through an interface, from some external network. Outgoing means packets
that are passing through an interface, from the host to some other
computer on an external network. Please excuse my wordiness but I need
to make an effort to be sure I am communicating clearly.
What I first want to be able to do is to be able to execute a command
that blocks all incoming traffic originating from devices within this
second network zone, regardless of whether those messages are trying to
connect to some service on firewalld's host itself or whether those
messages want to be passed on by the host to some other server on some
other network. I also want to block all outgoing traffic going to
devices on this second network. While in this state I want to be able to
monitor/log any attempts, and traffic content, by devices on this
network to initiate communication, so I can determine who/what is trying
to "phone home" and where it is trying to reach. I don't expect
firewalld to have such a builtin command, I expect to have to write a
script, but I need to know how to put firewalld in such a state for a
particular interface.
Next I want to be able to configure firewalld so that it allows incoming
requests from hosts on this second network, and to allow connections to
services running on firewalld's host as well as allowing those
connection requests to be passed on to external networks. But I still
want to block all outgoing traffic through this second interface, that
may be returning to devices on this secondary network. And I still want
to be able to log/monitor/examine this outgoing traffic before relaxing
any firewall rules to allow those outgoing connections through the
interface. Again I want to be able to create a script to put the
firewall in that state.
Next I want to be able to configure firewalld to block all incoming and
outgoing traffic to/from this secondary net unless the traffic was
initiated/established by a service/process running on the host that
firewalld is running on. In other words, I don't want to allow any
traffic from any network to be passed through the interface to this
secondary network, unless that traffic originated on the localhost
itself that the firewalld daemon is running on. Perhaps being able to
add/allow specific hosts would also be helpful as not all services are
necessarily provided on the local firewalld host that I want to monitor.
Conceptually it seems like a firewall should have the capability to
effectively turn an interface completely off, disallowing ALL incoming
and/or outgoing traffic through an interface regardless of whether it is
intended for some service on the host itself or for some other host on
some other network, while at the same time logging or allowing an
administrator to monitor what is happening at that interface. I can't
seem to get a straight answer on how to get firewalld to do these things
so I suspect it may not be possible or perhaps not intended. It is
certainly possible to use firewalld to control incoming connections to
services that are running on the host itself, and it is possible to
control/route specific types of incoming connections to specific other
hosts/nets. So it appears that firewalld is more oriented towards
regulating incoming connection requests, to the host (and network(s))
firewalld is running on/has direct control over, and could care less
about traffic that wants to pass through the host and become an outgoing
connection via some other interface. I suspect that firewalld, by
default, just passes those requests on to whatever gateway IP address or
routing rules, via some interface, that is defined by its host system
network configuration tools. At least I should say I have not been able
to figure out how to make firewalld care about all these other
connections from the man pages for firewall-cmd. I suspect I am going
to have to create some "rich rules" or "direct rules" for firewalld
that augment iptables but I don't have much experience or understanding
of iptables though like most software engineers I can learn (or ask for
help from some kind guru). Seems like this should be easy/intuitive so
perhaps I am overlooking the obvious?
My goal is to be able to establish better control over some of these
insecure devices and to insert my own tools to interface with these
devices, for example an Apache web server that will want to make a
connection to security cameras on this subnet (e.g. zoneminder is a good
example of where I am headed here) to serve out an image stream after
proper authorization. I might want to open a particular port to a
particular IP address at a particular time using cron, add filters to
prevent things like traceroute being executed by some IoT thingy (yep I
saw that happen!) or use something like a port knocker to open ports at
will if/when I want to access one of these IoT thingies from the
internet... If for another example I see something like a security
camera trying to send large amounts of data to some unexpected location
I definitely want to put a stop to it fast!
I am aware of the fact that some of this may provoke a discussion about
controversial topics, and a one size solution is not going to be the
answer to everything. A Fitbit should be able to contact its cloud from
home, but a business may want to ban it... yada yada yada... So please I
am not looking to start such discussions.
Since I am running most of my systems under OpenSuSE (most are 15.0, but
some are 42.3 and even one business is running 42.1) I thought I would
throw my question out here while trying to get an account on Fedora so I
can ask questions on their firewalld support group. Any SuSE firewalld
gurus here or anyone who has traveled down this path? Would love to hear
suggestions, insights, or comments cuz right now I seem to be stuck...
Thanks in advance... Marc..
(P.S. I will say that the one thing that the man pages for firewall-cmd
make crystal clear REPEATEDLY is that if you don't specify a zone for a
firewall-cmd command that "If the zone is omitted the default zone will
be used."!! You got NO excuse if you should ever forget that little bit
of a trinket! LOL)
--
--... ...-- .----. ... -.. . .-- .- --... .--. -..- .-- -- .- .-. -.-.
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software and new applications.
To boldly go where no Marc has gone before!
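[Editor's note, not part of Marc's post.] The three states asked for above (lock the IoT interface down completely but log the attempts; let the devices open connections but let nothing open a connection towards them; let only the host, plus a short allow-list, open connections towards them) can all be expressed with firewall-cmd. The script below is an added example and is not code from the post or from the firewalld project. It assumes an interface named eth1, a zone named iot, and a firewalld release using the classic iptables backend, where direct rules land in the INPUT_direct, FORWARD_direct and OUTPUT_direct chains. Those chains are consulted before the zone chains but after firewalld's own RELATED,ESTABLISHED accept rule in INPUT and FORWARD, which is why the unit of control here is the new connection: the return packets of an allowed connection cannot be dropped per direction, and the logging shows only headers (tcpdump on eth1 is the tool for content). Newer firewalld releases (0.9 and later) have policies for the forwarding and egress side and discourage direct rules; the direct rules are used here because they exist on the older releases named in the post. Run with DRY_RUN=1 to print the firewall-cmd invocations instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post or the firewalld project).
# Assumptions: IoT NIC is eth1, zone is "iot", firewalld iptables backend.
IOT_IF="${IOT_IF:-eth1}"
IOT_ZONE="${IOT_ZONE:-iot}"
LOG_LIMIT="10/min"   # cap LOG entries so a chatty device cannot flood syslog

# fw: run firewall-cmd, or only print the command when DRY_RUN=1.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# log_and_drop CHAIN MATCH PREFIX [new|all]
# Permanent direct rules: priority 0 logs new connections matching MATCH,
# priority 2 drops either new connections (default) or every packet (all).
log_and_drop() {
    chain=$1 match=$2 prefix=$3 scope=${4:-new}
    # $match is intentionally word-split ("-i eth1" -> -i eth1)
    fw --permanent --direct --add-rule ipv4 filter "$chain" 0 $match \
        -m conntrack --ctstate NEW -m limit --limit "$LOG_LIMIT" \
        -j LOG --log-prefix "$prefix: " --log-level info
    if [ "$scope" = all ]; then
        fw --permanent --direct --add-rule ipv4 filter "$chain" 2 $match -j DROP
    else
        fw --permanent --direct --add-rule ipv4 filter "$chain" 2 $match \
            -m conntrack --ctstate NEW -j DROP
    fi
}

# One-time zone set-up. If wicked/NetworkManager manages eth1, its ZONE=
# setting must agree or the binding is overwritten on the next ifup.
iot_zone_setup() {
    fw --permanent --new-zone="$IOT_ZONE"
    fw --permanent --zone="$IOT_ZONE" --change-interface="$IOT_IF"
}

# Drop every direct rule this script manages (permanent config only).
iot_clear_direct() {
    for chain in INPUT FORWARD OUTPUT; do
        fw --permanent --direct --remove-rules ipv4 filter "$chain"
    done
}

# State 1: nothing in, nothing out, every new attempt from the devices logged.
iot_lockdown() {
    iot_clear_direct
    fw --permanent --zone="$IOT_ZONE" --set-target=DROP
    log_and_drop INPUT   "-i $IOT_IF" "iot-to-host" all
    log_and_drop FORWARD "-i $IOT_IF" "iot-fwd-from" all
    log_and_drop FORWARD "-o $IOT_IF" "iot-fwd-to" all
    log_and_drop OUTPUT  "-o $IOT_IF" "iot-host-to" all
    fw --reload
}

# State 2: devices may open connections to the host and through it; nobody
# may open a connection towards the devices (attempts are logged).
iot_allow_in_block_out() {
    iot_clear_direct
    fw --permanent --zone="$IOT_ZONE" --set-target=ACCEPT
    log_and_drop FORWARD "-o $IOT_IF" "iot-fwd-to"
    log_and_drop OUTPUT  "-o $IOT_IF" "iot-host-to"
    fw --reload
}

# State 3: only the host itself, and any allow-listed source given as an
# argument, may open connections to the devices; the devices may open none.
# OUTPUT stays open because the host's own traffic never traverses FORWARD.
iot_host_only() {
    iot_clear_direct
    fw --permanent --zone="$IOT_ZONE" --set-target=DROP
    for src in "$@"; do
        fw --permanent --direct --add-rule ipv4 filter FORWARD 1 \
            -s "$src" -o "$IOT_IF" -j ACCEPT
    done
    log_and_drop INPUT   "-i $IOT_IF" "iot-to-host"
    log_and_drop FORWARD "-i $IOT_IF" "iot-fwd-from"
    log_and_drop FORWARD "-o $IOT_IF" "iot-fwd-to"
    fw --reload
}

case "${1:-}" in
    setup)     iot_zone_setup ;;
    lockdown)  iot_lockdown ;;
    allow-in)  iot_allow_in_block_out ;;
    host-only) shift; iot_host_only "$@" ;;
    "")        : ;;   # no verb: only define the functions
    *) echo "usage: $0 setup|lockdown|allow-in|host-only [allowed-src ...]" >&2; exit 2 ;;
esac
```

Usage: `./iot-fw.sh setup` once, then `./iot-fw.sh lockdown`, `./iot-fw.sh allow-in` or `./iot-fw.sh host-only 192.168.1.10` (the address is a placeholder for a camera-serving web host on another network). Watch the result with `journalctl -k -f | grep iot-` and, for payloads, `tcpdump -ni eth1`. In the host-only state the devices cannot reach the host's DHCP or DNS either, since the direct drop runs before the zone's service rules; to allow that, insert accept rules for udp/67 and udp/53 at priority 1 in INPUT the same way the allow-list loop does for FORWARD. The rules are IPv4 only; repeat them with `ipv6` if the IoT network gets IPv6.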