Wonderful!
Can you do with firewalld an equivalent of the following done with iptables:
:SSHSCAN - [0:0]
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
-A SSHSCAN -m recent --set --name SSH
-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
I have used it for years (lifted from some person cleverer than I on the internet). This effectively thwarts brute force password attacks from the network. It allows only 10 _new_ connections within a 5 min window. Of course, it counts all successful and unsuccessful connections (with sshguard on FreeBSD I do better: it only reacts on unsuccessful connections), but it still does a pretty good job.
I guess we all have accumulated some set of nice tools, and we don't like to just throw them away - in exchange for what? Long ago I learned a rule (what users will expect from a good sysadmin): do not make any changes unless they are absolutely necessary. I find myself expecting the same from a system vendor, or at least an understanding of why this or that change is necessary. So far I don't see any reasons other than giving the ability to administer the system to every computer user without special knowledge... Which is pretty good, we need free (and much better!) alternatives to M$ Windows. As far as our demands for servers are concerned: they can be fulfilled by other alternatives (FreeBSD being one of them).
Thanks again for educating us in how we can do what we need using firewalld!
Valeri
On Tue, August 12, 2014 8:21 am, Jonathan Billings wrote:
On Fri, Aug 08, 2014 at 04:55:15PM -0500, Neil Aggarwal wrote:
I am looking at the documentation of the new firewalld service in CentOS 7. It looks like no matter what I configure with it, outgoing connections are still going to be allowed. That does not seem very secure.
Looking at the documentation closer, there does appear to be a way to add rules to the OUTPUT table, using the rich rules syntax.
Red Hat documents it in this KB, which is only open to subscribers: https://access.redhat.com/solutions/1121463
Here's basically how it's done:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP
success
# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
ipv4 filter OUTPUT 99 -j DROP
That restricts outgoing traffic to only port 80 as the source and destination port.
Hopefully Red Hat opens up that KB, it would have been nice to find this earlier in the thread. It's still an overly complex way of doing things, although not much more so than running the iptables command.
--
Jonathan Billings
billings@negate.org
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
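An added example, not code from this thread: the SSHSCAN rate limit from the iptables ruleset above expressed as firewalld direct rules, which firewalld hands to iptables unchanged so the recent match can be reused. It assumes IPv4 only, sshd on port 22 and firewall-cmd installed; the fw_cmd wrapper and the FWCMD variable are constructed for this example so that FWCMD=echo previews the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: the SSHSCAN rate limit from the
# iptables ruleset expressed as firewalld direct rules. Direct rules are passed
# to iptables as-is, so the "recent" match is reused unchanged.
# Assumptions (constructed for this example): IPv4 only, sshd on port 22,
# firewalld installed. Set FWCMD=echo to print the commands instead of
# applying them.

fw_cmd() { "${FWCMD:-firewall-cmd}" "$@"; }

SSH_PORT="${SSH_PORT:-22}"
WINDOW="${WINDOW:-300}"   # seconds: the same 5 minute window as the original
HITS="${HITS:-10}"        # new connections per source address in that window

# Direct-rule arguments, one per line: <ipv> <table> <chain> <priority> <args>.
# Priority orders rules within a chain, lowest first, matching the original.
# -m conntrack --ctstate is the current spelling of -m state --state.
ssh_ratelimit_rules() {
    cat <<EOF
ipv4 filter INPUT 0 -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSHSCAN
ipv4 filter SSHSCAN 0 -m recent --set --name SSH
ipv4 filter SSHSCAN 1 -m recent --update --seconds $WINDOW --hitcount $HITS --name SSH -j DROP
ipv4 filter INPUT 1 -p tcp --dport $SSH_PORT -j ACCEPT
EOF
}

# Create the chain, add the rules to the permanent config, then reload.
# The recent table is keyed by source address, so hosts behind one NAT share
# it, and successful logins count toward the limit just as in the original.
apply_ssh_ratelimit() {
    fw_cmd --permanent --direct --add-chain ipv4 filter SSHSCAN
    ssh_ratelimit_rules | while read -r rule; do
        # $rule is split into words on purpose
        fw_cmd --permanent --direct --add-rule $rule
    done
    fw_cmd --reload
}

# Check: the rules as firewalld stored them (compare with the list above).
show_ssh_ratelimit() {
    fw_cmd --permanent --direct --get-all-rules | grep -E ' (INPUT|SSHSCAN) '
}
```

Source the file and call apply_ssh_ratelimit as root, or run it with FWCMD=echo first to review the exact firewall-cmd invocations.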