[opensuse] Help needed configuring firewalld
I need some help/guidance with firewalld and I can't seem to get an account set up on the Fedora site where it appears that the main newsgroup for supporting firewalld is being hosted (at least according to my Google research). I am getting requests from small businesses, homeowners, and me, myself and I to find a solution for handling modern day internet of things "IOT" (devices that connect to the internet) thingies that range from security cameras to robot vacuum cleaners to Fitbit wrist monitors etc... To handle all these wonderful thingy dingys I thought the best approach would be to relegate them to their own subnet and manage them at a firewall. That way I thought I could monitor and if necessary keep ET from phoning home and sending data to parties unknown (i.e. security cameras with firmware made in China for example, and yeah call me paranoid if it helps). AND I can keep these thingies from bogging down my other networks of computers doing "real" work and keep them secured from these widgets as well. Towards this goal I am setting up a second wireless/wired network to be used by these devices and connecting it to a second NIC interface on one of my computers. I then created a firewalld "zone" for that interface. And yeah I will also set up a dhcpd (and assign static IP addresses based on MAC addresses) and even a DNS server for these thingies to use, if necessary.

Before I ask how to do what I want with firewalld, perhaps I should express what I think the firewalld model of an interface is, because I have found a lot of inconsistencies in articles on the internet that try to explain things. I think when talking about incoming or outgoing connections I will use the host computer that firewalld is running on as the reference point (and not the network which the host and its interface are part of). So incoming means packets coming in to the host, through an interface, from some external network. Outgoing means packets that are passing through an interface, from the host to some other computer on an external network. Please excuse my wordiness but I need to make an effort to be sure I am communicating clearly.

What I first want to be able to do is to be able to execute a command that blocks all incoming traffic originating from devices within this second network zone, regardless of whether those messages are trying to connect to some service on firewalld's host itself or whether those messages want to be passed on by the host to some other server on some other network. I also want to block all outgoing traffic going to devices on this second network. While in this state I want to be able to monitor/log any attempts, and traffic content, by devices on this network to initiate communication, so I can determine who/what is trying to "phone home" and where it is trying to reach. I don't expect firewalld to have such a builtin command, I expect to have to write a script, but I need to know how to put firewalld in such a state for a particular interface.

Next I want to be able to configure firewalld so that it allows incoming requests from hosts on this second network, and to allow connections to services running on firewalld's host as well as allowing those connection requests to be passed on to external networks. But I still want to block all outgoing traffic through this second interface that may be returning to devices on this secondary network. And I still want to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again I want to be able to create a script to put the firewall in that state.

Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any traffic from any network to be passed through the interface to this secondary network, unless that traffic originated on the localhost itself that the firewalld daemon is running on. Perhaps being able to add/allow specific hosts would also be helpful as not all services are necessarily provided on the local firewalld host that I want to monitor.

Conceptually it seems like a firewall should have the capability to effectively turn an interface completely off, disallowing ALL incoming and/or outgoing traffic through an interface regardless of whether it is intended for some service on the host itself or for some other host on some other network, while at the same time logging or allowing an administrator to monitor what is happening at that interface. I can't seem to get a straight answer on how to get firewalld to do these things so I suspect it may not be possible or perhaps not intended. It is certainly possible to use firewalld to control incoming connections to services that are running on the host itself, and it is possible to control/route specific types of incoming connections to specific other hosts/nets. So it appears that firewalld is more oriented towards regulating incoming connection requests, to the host (and network(s)) firewalld is running on/has direct control over, and could care less about traffic that wants to pass through the host and become an outgoing connection via some other interface. I suspect that firewalld, by default, just passes those requests on to whatever gateway IP address or routing rules, via some interface, that are defined by its host system network configuration tools. At least I should say I have not been able to figure out how to make firewalld care about all these other connections from the man pages for firewall-cmd.

I suspect I am going to have to create some "rich rules" or "direct rules" for firewalld that augment iptables but I don't have much experience or understanding of iptables, though like most software engineers I can learn (or ask for help from some kind guru). Seems like this should be easy/intuitive so perhaps I am overlooking the obvious? My goal is to be able to establish better control over some of these insecure devices and to insert my own tools to interface with these devices, for example an Apache web server that will want to make a connection to security cameras on this subnet (e.g. ZoneMinder is a good example of where I am headed here) to serve out an image stream after proper authorization. I might want to open a particular port to a particular IP address at a particular time using cron, add filters to prevent things like traceroute being executed by some IOT thingy (yep I saw that happen!) or use something like a port knocker to open ports at will if/when I want to access one of these IOT thingies from the internet... If for another example I see something like a security camera trying to send large amounts of data to some unexpected location I definitely want to put a stop to it fast!

I am aware of the fact that some of this may provoke a discussion about controversial topics, and a one size solution is not going to be the answer to everything. A Fitbit should be able to contact its cloud from home, but a business may want to ban it... yada yada yada... So please, I am not looking to start such discussions. Since I am running most of my systems under OpenSuSE (most are 15.0, but some are 42.3 and even one business is running 42.1) I thought I would throw my question out here while trying to get an account on Fedora so I can ask questions on their firewalld support group. Any SuSE firewalld gurus here or anyone who has traveled down this path? Would love to hear suggestions, insights, or comments cuz right now I seem to be stuck... Thanks in advance...

Marc..

(P.S. I will say that the one thing that the man pages for firewall-cmd make crystal clear REPEATEDLY is that if you don't specify a zone for a firewall-cmd command, "If the zone is omitted the default zone will be used."!! You got NO excuse if you should ever forget that little bit of a trinket! LOL)

--
--... ...-- .----. ... -.. . .-- .- --... .--. -..- .-- -- .- .-. -.-.
Computers: the final frontier. These are the voyages of the user Marc.
His mission: to explore strange new hardware. To seek out new software and new applications.
To boldly go where no Marc has gone before!
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Saturday, 31 August 2019, 09:11:46 CEST, Marc Chamberlin wrote:
> I need some help/guidance with firewalld
https://www.tuxonline.tech/an-introduction-to-firewalld/

Hope that helps :)

Cheers
MH

--
*Mathias Homann*
Mathias.Homann@openSUSE.org
irc: [Lemmy] @ freenode, ircnet
obs: lemmy04
*gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102*
On 31.08.2019 10:11, Marc Chamberlin wrote:
> I need some help/guidance with firewalld and I can't seem to get an account set up on the Fedora site where it appears that the main newsgroup for supporting firewalld is being hosted (at least according to my Google research). I am getting requests from small businesses, homeowners, and me, myself and I to find a solution for handling modern day internet of things "IOT" (devices that connect to the internet) thingies that range from security cameras to robot vacuum cleaners to Fitbit wrist monitors etc... To handle all these wonderful thingy dingys I thought the best approach would be to relegate them to their own subnet and manage them at a firewall. That way I thought I could monitor and if necessary keep ET from phoning home and sending data to parties unknown (i.e. security cameras with firmware made in China for example, and yeah call me paranoid if it helps). AND I can keep these thingies from bogging down my other networks of computers doing "real" work and keep them secured from these widgets as well. Towards this goal I am setting up a second wireless/wired network to be used by these devices and connecting it to a second NIC interface on one of my computers. I then created a firewalld "zone" for that interface. And yeah I will also set up a dhcpd (and assign static IP addresses based on MAC addresses) and even a DNS server for these thingies to use, if necessary.
>
> Before I ask how to do what I want with firewalld, perhaps I should express what I think the firewalld model of an interface is, because I have found a lot of inconsistencies in articles on the internet that try to explain things. I think when talking about incoming or outgoing connections I will use the host computer that firewalld is running on as the reference point (and not the network which the host and its interface are part of). So incoming means packets coming in to the host, through an interface, from some external network. Outgoing means packets that are passing through an interface, from the host to some other computer on an external network. Please excuse my wordiness but I need to make an effort to be sure I am communicating clearly.
>
> What I first want to be able to do is to be able to execute a command that blocks all incoming traffic originating from devices within this second network zone, regardless of whether those messages are trying to connect to some service on firewalld's host itself or whether those messages want to be passed on by the host to some other server on some other network.
Assign the interface to this subnet to a zone that blocks all incoming traffic, like "drop" or "block":

    firewall-cmd --change-interface=eth0 --zone=block

> I also want to block all outgoing traffic going to devices on this second network.
firewalld rules are for incoming connections. You will need to add direct rules to limit outgoing connections. It may be possible to inject direct rules into the zone definition, but you will need deep knowledge of the chains created by firewalld.

> While in this state I want to be able to monitor/log any attempts, and traffic content, by devices on this network to initiate communication, so I can determine who/what is trying to "phone home" and where it is trying to reach. I don't expect firewalld to have such a builtin command, I expect to have to write a script, but I need to know how to put firewalld in such a state for a particular interface.
A zone definition can include rich rules that may include optional logging of packets.

> Next I want to be able to configure firewalld so that it allows incoming requests from hosts on this second network, and to allow connections to services running on firewalld's host as well as allowing those connection requests to be passed on to external networks. But I still
See above. Firewalld really does not offer any high-level configuration for forwarding. You will need to learn iptables to do it.

> want to block all outgoing traffic through this second interface that may be returning to devices on this secondary network. And I still want
Again - no built-in support for defining outgoing rules.

> to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again I want to be able to create a script to put the firewall in that state.
>
> Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any
That's not possible at all. There is no way to classify packets based on the process they are from/intended for. The only way is to place these processes in a separate namespace and connect this namespace via an internal interface, at which point the problem is reduced to traffic to/from this interface. Namespacing processes is outside of firewalld's scope entirely.
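Andrei's three pointers above (the interface in a drop/block zone, a rich rule for logging, direct rules for the directions zones do not cover) put together as one script. This is an added example, not code from the thread or from the firewalld project; the interface name eth1, the subnet 192.168.50.0/24 and the log prefixes are assumed placeholders, and the script only prints the commands it would run until DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the thread: lock an IoT interface down the way
# described above, then log what still knocks. Placeholders (assumed):
# IOT_IF=eth1, IOT_NET=192.168.50.0/24. Commands are only printed until
# DRY_RUN=0 is set, so the plan can be reviewed without root or firewalld.
set -eu

IOT_IF="${IOT_IF:-eth1}"
IOT_NET="${IOT_NET:-192.168.50.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Print a command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Rich rule for the zone: log (rate-limited, kernel log prefix "iot-in: ")
# and drop everything arriving from the IoT subnet.
iot_log_rule() {
    printf 'rule family="ipv4" source address="%s" log prefix="iot-in: " level="info" limit value="10/m" drop' "$1"
}

# Direct rules (raw iptables arguments after "--add-rule") for what zones do
# not cover: packets the host itself sends out of the IoT interface (OUTPUT)
# and packets it would route into the IoT subnet (FORWARD). Lower priority
# number runs first. Log prefixes contain no spaces so each line can be
# word-split into arguments safely.
iot_direct_rules() {
    cat <<EOF
ipv4 filter OUTPUT 0 -o $1 -j LOG --log-prefix iot-out: --log-level info
ipv4 filter OUTPUT 1 -o $1 -j REJECT
ipv4 filter FORWARD 0 -o $1 -j LOG --log-prefix iot-fwd: --log-level info
ipv4 filter FORWARD 1 -o $1 -j REJECT
EOF
}

apply_lockdown() {
    # 1. Interface into the "drop" zone: inbound packets from the subnet are
    #    discarded silently ("block" would answer with icmp-host-prohibited).
    run firewall-cmd --permanent --zone=drop --change-interface="$IOT_IF"
    # 2. Rich rule on that zone so the discarded attempts are still logged.
    run firewall-cmd --permanent --zone=drop --add-rich-rule="$(iot_log_rule "$IOT_NET")"
    # 3. Direct rules for OUTPUT and FORWARD toward the IoT interface.
    iot_direct_rules "$IOT_IF" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting into arguments is intended
        run firewall-cmd --permanent --direct --add-rule $rule
    done
    # 4. Activate and show what is now in force.
    run firewall-cmd --reload
    run firewall-cmd --get-active-zones
    run firewall-cmd --direct --get-all-rules
}

apply_lockdown
```

After applying, the attempts show up in `journalctl -k -f` tagged iot-in:, iot-out: and iot-fwd:, which is the monitoring Marc asked for. This is the fully closed first state: the host's own DHCP and DNS replies toward the IoT subnet are rejected too. The later, relaxed states are reached by adding higher-priority direct ACCEPT rules (for example `-m conntrack --ctstate ESTABLISHED,RELATED` at priority 0 so replies to connections the zone admits can leave), not by changing the zone.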
On 31/08/2019 12.42, Andrei Borzenkov wrote:
> On 31.08.2019 10:11, Marc Chamberlin wrote:
>> to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again I want to be able to create a script to put the firewall in that state.
>>
>> Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any
> That's not possible at all. There is no way to classify packets based on the process they are from/intended for. The only way is to place these processes in a separate namespace and connect this namespace via an internal interface, at which point the problem is reduced to traffic to/from this interface. Namespacing processes is outside of firewalld's scope entirely.
:-)

<https://lists.opensuse.org/opensuse-security/2005-04/msg00123.html>
How to block Acroread 7 with SuSE FW2?

] Date: Sun, 17 Apr 2005 18:52:27 +0200
] From: nordi
] To: suse-security@
] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
]
] In order to block that traffic you could make the acroread executable
] SGID 'acro' and then block all traffic coming from group 'acro'.
] Iptables has an option for doing this by using the --gid-owner option.
] Of course that works only with a local firewall.

] Date: Mon, 18 Apr 2005 15:56:26 +0200
] From: nordi
] To: suse-security@
] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
]
] Carl A. Schreiber wrote:
]> I'd like to learn more about this, would you mind to give an example
]> for such a rule?
]
] I did it with the following rule:
] iptables -A OUTPUT -m owner --gid-owner talker -j REJECT
]
] Then I set /usr/bin/netcat to be owned by group 'talker' and to mode
] 2755 (SGID). After that I could not connect anywhere with netcat. Once I
] chmodded netcat back to 755 it worked again.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
On 31.08.2019 23:11, Carlos E. R. wrote:
> On 31/08/2019 12.42, Andrei Borzenkov wrote:
>> On 31.08.2019 10:11, Marc Chamberlin wrote:
>>> to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again I want to be able to create a script to put the firewall in that state.
>>>
>>> Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any
>> That's not possible at all. There is no way to classify packets based on the process they are from/intended for. The only way is to place these processes in a separate namespace and connect this namespace via an internal interface, at which point the problem is reduced to traffic to/from this interface. Namespacing processes is outside of firewalld's scope entirely.
> :-)
>
> <https://lists.opensuse.org/opensuse-security/2005-04/msg00123.html>
> How to block Acroread 7 with SuSE FW2?
You seriously do not see the difference between "blocking everything from a specific process" and "blocking everything from a specific user/group"?
> ] Date: Sun, 17 Apr 2005 18:52:27 +0200
> ] From: nordi
> ] To: suse-security@
> ] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
> ]
> ] In order to block that traffic you could make the acroread executable
> ] SGID 'acro' and then block all traffic coming from group 'acro'.
> ] Iptables has an option for doing this by using the --gid-owner option.
> ] Of course that works only with a local firewall.
>
> ] Date: Mon, 18 Apr 2005 15:56:26 +0200
> ] From: nordi
> ] To: suse-security@
> ] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
> ]
> ] Carl A. Schreiber wrote:
> ]> I'd like to learn more about this, would you mind to give an example
> ]> for such a rule?
> ]
> ] I did it with the following rule:
> ] iptables -A OUTPUT -m owner --gid-owner talker -j REJECT
> ]
> ] Then I set /usr/bin/netcat to be owned by group 'talker' and to mode
> ] 2755 (SGID). After that I could not connect anywhere with netcat. Once I
> ] chmodded netcat back to 755 it worked again.
On 31/08/2019 22.31, Andrei Borzenkov wrote:
> On 31.08.2019 23:11, Carlos E. R. wrote:
>> On 31/08/2019 12.42, Andrei Borzenkov wrote:
>>> On 31.08.2019 10:11, Marc Chamberlin wrote:
>>>> to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again I want to be able to create a script to put the firewall in that state.
>>>>
>>>> Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any
>>> That's not possible at all. There is no way to classify packets based on the process they are from/intended for. The only way is to place these processes in a separate namespace and connect this namespace via an internal interface, at which point the problem is reduced to traffic to/from this interface. Namespacing processes is outside of firewalld's scope entirely.
>> :-)
>>
>> <https://lists.opensuse.org/opensuse-security/2005-04/msg00123.html>
>> How to block Acroread 7 with SuSE FW2?
> You seriously do not see the difference between "blocking everything from a specific process" and "blocking everything from a specific user/group"?
And you do not see that the trick is blocking a specific application?

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
Andrei, Carlos, all - Thanks for your input, I am following along with interest! And yes I am also putting on my scuba tanks so I can dive deep into the world of iptables also (i.e. reading up on it...)

Andrei, I am a bit confused however by your comments about my desire to be able to control/block all incoming and outgoing communications through an interface zone, except for communications that originate in processes/services on my firewall system/server itself. You said I can't do that because firewalls don't know anything about the processes that are behind the data packets carrying information across networks or in and out of a computer. Won't all such communications, originating for/from processes/services that are running on my firewall system, either have a source or a destination address of the IP address assigned to the firewall system itself? Anything else that is attempting to communicate with devices on my IOT thingies subnet, from the outside world, would have to either be NATted or deNATted (yeah I may be inventing some terminology here but I'm trying to understand/talk about the firewall model and it is not easy for me to communicate clearly) or have an incoming source address, and an outgoing destination address, that is different from the firewalld host's IP address(es). I do understand AX.25 packet data structures and since these data packets are going through some other interface, into and out of the firewall system, before they can be routed through the interface for my IOT thingies subnet (again I hope I am using terminology correctly and clearly; by "IOT thingies subnet" I am referring to the second subnet I want to create for isolating and putting all my IOT thingies on) it seems it should be possible for a firewall to block all such "external" packets and allow my "internal" packets. For example, data packets such as those "internal" packets to/from an Apache HTTP server that is also running on the same system with the firewalld service (but still log any incoming communication attempts by "external" devices from the internet or other unsecured networks, and log any outgoing communication attempts to "external" devices, so I can examine them later at my leisure).

Please forgive me if my understanding of how firewalls actually work is all screwed up, I am looking at them in a high altitude conceptual way... It seems that as a system admin I should be able to control what information is allowed to pass through my systems. So these requirements I want to pursue seem to belong in the purview of firewall administration... If you look at this from what I am trying to accomplish I think it will make it clearer what I am asking for in the way of help on firewalld. I don't want IOT thingies to be able to communicate to/from the internet without my being able to discover what they are doing and to intercede and/or proxy what is being communicated. The best example is security cameras made in some foreign country. I want to have complete control over who is accessing the video data from these cameras, via my own web server and storage devices, rather than use some cloud based web service located who knows where and with who knows what sort of security systems in that place. And I don't want any surreptitious data leakage to be occurring either from these IOT thingies, nor of course do I want unauthorized accesses to be made to these thingies. Since there is no way to audit the firmware in IOT thingies, the next best security measure is to monitor/control when/what is being communicated and that is why I am focused on firewalld which I am using on all my Linux systems.

Marc, who is struggling to learn about firewalls by drinking through a fire hose of information. And who is tired of the constant erosion of privacy and tired of hearing about all the data breaches going on around the world... (and who STILL cannot get an account on the Fedora servers where I could actually talk to some of the gurus who support firewalld...)

On 8/31/19 1:41 PM, Carlos E. R. wrote:
> On 31/08/2019 22.31, Andrei Borzenkov wrote:
>> On 31.08.2019 23:11, Carlos E. R. wrote:
>>> On 31/08/2019 12.42, Andrei Borzenkov wrote:
>>>> On 31.08.2019 10:11, Marc Chamberlin wrote:
>>>>> to be able to log/monitor/examine this outgoing traffic before relaxing any firewall rules to allow those outgoing connections through the interface. Again I want to be able to create a script to put the firewall in that state.
>>>>>
>>>>> Next I want to be able to configure firewalld to block all incoming and outgoing traffic to/from this secondary net unless the traffic was initiated/established by a service/process running on the host that firewalld is running on. In other words, I don't want to allow any
>>>> That's not possible at all. There is no way to classify packets based on the process they are from/intended for. The only way is to place these processes in a separate namespace and connect this namespace via an internal interface, at which point the problem is reduced to traffic to/from this interface. Namespacing processes is outside of firewalld's scope entirely.
>>> :-)
>>>
>>> <https://lists.opensuse.org/opensuse-security/2005-04/msg00123.html>
>>> How to block Acroread 7 with SuSE FW2?
>> You seriously do not see the difference between "blocking everything from a specific process" and "blocking everything from a specific user/group"?
> And you do not see that the trick is blocking a specific application?
On 01.09.2019 5:57, Marc Chamberlin wrote:
> Andrei, Carlos, all - Thanks for your input, I am following along with interest! And yes I am also putting on my scuba tanks so I can dive deep into the world of iptables also (i.e. reading up on it...)
>
> Andrei, I am a bit confused however by your comments about my desire to be able to control/block all incoming and outgoing communications through an interface zone, except for communications that originate in processes/services on my firewall system/server itself. You said I can't do that because firewalls don't know anything about the processes that are behind the data packets carrying information across networks or in and out of a computer. Won't all such communications, originating for/from processes/services that are running on my firewall system, either have a source or a destination address of the IP address assigned to the firewall system itself?
Yes, they will. And how exactly does it help to distinguish a specific service/process? This can only be done at best using TCP/UDP ports, and for outgoing communications ports are usually selected automatically and at random, and not every application even supports choosing a specific port (range) to select from; for incoming communication it can be done (that is exactly the main functionality of firewalld), but that's not strictly speaking "service/application", this is still "TCP/UDP port". The distinction is crucial e.g. on Windows, where you can actually allow communication for a specific service/program (e.g. apache) over port 80, and in this case no other HTTP server (e.g. nginx or your favorite trojan) you run will be allowed. On Linux you can only open port 80; whatever listens on port 80 will be allowed.

Yes, if you have total control over how your services work you may start each one under a specific user/group and use this as the criterion. This is unrealistic in general (what about services that *must* run as root, as an example).
On 01/09/2019 07.13, Andrei Borzenkov wrote:
> On 01.09.2019 5:57, Marc Chamberlin wrote:
>> Andrei, Carlos, all - Thanks for your input, I am following along with interest! And yes I am also putting on my scuba tanks so I can dive deep into the world of iptables also (i.e. reading up on it...)
>>
>> Andrei, I am a bit confused however by your comments about my desire to be able to control/block all incoming and outgoing communications through an interface zone, except for communications that originate in processes/services on my firewall system/server itself. You said I can't do that because firewalls don't know anything about the processes that are behind the data packets carrying information across networks or in and out of a computer. Won't all such communications, originating for/from processes/services that are running on my firewall system, either have a source or a destination address of the IP address assigned to the firewall system itself?
> Yes, they will. And how exactly does it help to distinguish a specific service/process? This can only be done at best using TCP/UDP ports, and for outgoing communications ports are usually selected automatically and at random, and not every application even supports choosing a specific port (range) to select from; for incoming communication it can be done (that is exactly the main functionality of firewalld), but that's not strictly speaking "service/application", this is still "TCP/UDP port". The distinction is crucial e.g. on Windows, where you can actually allow communication for a specific service/program (e.g. apache) over port 80, and in this case no other HTTP server (e.g. nginx or your favorite trojan) you run will be allowed. On Linux you can only open port 80; whatever listens on port 80 will be allowed.
>
> Yes, if you have total control over how your services work you may start each one under a specific user/group and use this as the criterion. This is unrealistic in general (what about services that *must* run as root, as an example).
There was talk of AppArmor adding support to control this scenario, but I don't know how far they got.

--
Cheers / Saludos,
Carlos E. R.
(from 15.0 x86_64 at Telcontar)
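The SGID-group trick Carlos quotes from the 2005 thread, in the form Marc would need under firewalld (direct rules), with Andrei's caveat built in: the iptables owner match classifies by the effective group of the sending process on this host only, never by program and never for forwarded packets. This is an added example, not code from the thread or from firewalld; the group iot-talker, the binary /usr/local/bin/iotctl and the interface eth1 are assumed placeholders, and commands are printed rather than executed until DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the thread: allow only one group's processes to
# talk out of the IoT interface, using the iptables "owner" match via
# firewalld direct rules. Placeholders (assumed): IOT_IF=eth1,
# GROUP=iot-talker, BINARY=/usr/local/bin/iotctl. Commands are printed,
# not run, until DRY_RUN=0 is set.
set -eu

IOT_IF="${IOT_IF:-eth1}"
GROUP="${GROUP:-iot-talker}"
BINARY="${BINARY:-/usr/local/bin/iotctl}"
DRY_RUN="${DRY_RUN:-1}"

# Print a command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The owner match is only valid for locally generated packets (OUTPUT), so
# it classifies by the effective gid of the socket's creator on this host;
# it says nothing about forwarded traffic and nothing about which program
# that process is running. Lower priority number is evaluated first.
owner_rules() {
    grp="$1"; iface="$2"
    cat <<EOF
ipv4 filter OUTPUT 0 -o $iface -m owner --gid-owner $grp -j ACCEPT
ipv4 filter OUTPUT 1 -o $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ipv4 filter OUTPUT 2 -o $iface -j LOG --log-prefix iot-out: --log-level info
ipv4 filter OUTPUT 3 -o $iface -j REJECT
EOF
}

apply_owner_policy() {
    # 1. Dedicated group; the binary runs SGID, so sockets it opens carry that gid.
    getent group "$GROUP" >/dev/null 2>&1 || run groupadd -r "$GROUP"
    run chgrp "$GROUP" "$BINARY"
    run chmod 2755 "$BINARY"
    # 2. Direct rules in priority order.
    owner_rules "$GROUP" "$IOT_IF" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # splitting into arguments is intended
        run firewall-cmd --permanent --direct --add-rule $rule
    done
    run firewall-cmd --reload
    # 3. Verify; rejected attempts then appear in the kernel log tagged iot-out:
    run firewall-cmd --direct --get-all-rules
}

apply_owner_policy
```

The rule order matters: the group's own packets pass first, replies to connections the zone has already admitted pass second, and only then is the remainder logged and rejected, so a service that legitimately answers cameras (Apache in the scenario above) is not silenced by the reject. The limits are the ones the thread names: a service that must run as root keeps root's groups, and the SGID bit has to survive package updates of the binary.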
participants (4)
- Andrei Borzenkov
- Carlos E. R.
- Marc Chamberlin
- Mathias Homann