On Fri, Aug 08, 2014 at 04:55:15PM -0500, Neil Aggarwal wrote:
> I am looking at the documentation of the new firewalld service in CentOS 7. It looks like no matter what I configure with it, outgoing connections are still going to be allowed. That does not seem very secure.

Looking at the documentation more closely, there does appear to be a way to add rules to the OUTPUT table, using the rich rules syntax.
Red Hat documents it in this KB, which is only open to subscribers: https://access.redhat.com/solutions/1121463
Here's basically how it's done:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP
success

# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
ipv4 filter OUTPUT 99 -j DROP
That restricts outgoing traffic to only port 80 as the source and destination port.
Hopefully Red Hat opens up that KB; it would have been nice to find this earlier in the thread. It's still an overly complex way of doing things, although not much more so than running the iptables command.
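The following shell script is an added example, not part of this thread and not firewalld's own tooling. It generalizes the three commands above into a small egress allow-list builder for the OUTPUT chain plus a checker that reads a saved `--get-all-rules` listing and confirms the chain really ends in an unconditional DROP at the highest priority. Everything beyond the original three rules is my assumption: the `ALLOWED_TCP_PORTS` list, the `DRY_RUN` switch, the loopback allow at priority 0 and the `conntrack ESTABLISHED,RELATED` rule at priority 1 (which covers the reply traffic the original `--sport=80` rule was letting out, without pinning it to one port). Whatever is not on the list is dropped, so DNS, NTP, yum mirrors and anything else the host needs must be listed deliberately, and `--permanent` direct rules only take effect after `firewall-cmd --reload`.

```shell
#!/bin/sh
# Added example: build and verify a firewalld direct-rule egress policy.
# Assumptions (not from the thread): ALLOWED_TCP_PORTS is a space-separated
# list of destination ports; DRY_RUN=1 prints the commands instead of running them.
: "${DRY_RUN:=1}"
: "${ALLOWED_TCP_PORTS:=80 443}"

# Print the firewall-cmd invocations for an egress allow-list.
# Priority 0: loopback; 1: replies to existing connections; 2..N: listed
# destination ports; 99: drop everything else.  Lower number = evaluated first.
egress_rule_commands() {
    ports="$1"
    prefix="firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT"
    echo "$prefix 0 -o lo -j ACCEPT"
    echo "$prefix 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    prio=2
    for p in $ports; do
        echo "$prefix $prio -p tcp -m tcp --dport=$p -j ACCEPT"
        prio=$((prio + 1))
    done
    echo "$prefix 99 -j DROP"
}

# Run (or, with DRY_RUN=1, just show) the commands, then reload so the
# permanent rules become active.
apply_egress_policy() {
    egress_rule_commands "$1" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "# $cmd"; else sh -c "$cmd"; fi
    done
    if [ "$DRY_RUN" = 1 ]; then echo "# firewall-cmd --reload"; else firewall-cmd --reload; fi
}

# Given the text of 'firewall-cmd --permanent --direct --get-all-rules',
# return 0 if the OUTPUT chain's highest-priority rule is a bare '-j DROP'
# (no match options), i.e. the default is deny; return 1 otherwise.
output_chain_has_default_drop() {
    printf '%s\n' "$1" | awk '
        $1 == "ipv4" && $2 == "filter" && $3 == "OUTPUT" {
            if (last == "" || $4 + 0 > maxp) { maxp = $4 + 0; last = $0 }
        }
        END {
            if (last ~ /^ipv4 filter OUTPUT [0-9]+ -j DROP$/) exit 0
            exit 1
        }'
}

# Constructed sample listing, copied from the shape shown in the thread.
SAMPLE_LISTING='ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
ipv4 filter OUTPUT 99 -j DROP'

# Demo run: prints the commands for the default port list (DRY_RUN=1).
apply_egress_policy "$ALLOWED_TCP_PORTS"
if output_chain_has_default_drop "$SAMPLE_LISTING"; then
    echo "sample listing: OUTPUT chain has a default DROP"
fi
```

Run it as `DRY_RUN=1 sh egress.sh` to see what would be applied, and as root with `DRY_RUN=0 ALLOWED_TCP_PORTS="53 80 443 123"` to apply it; pipe a real `--get-all-rules` listing into `output_chain_has_default_drop` from a config-check job to catch an egress policy that someone left without its final DROP.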