[CentOS] CentOS 7 - Firewall always allows outgoing packets?

Tue Aug 12 14:59:17 UTC 2014
Valeri Galtsev <galtsev at kicp.uchicago.edu>

Wonderful!

Can you do with firewalld an equivalent of the following done with iptables:

:SSHSCAN - [0:0]
-A INPUT -p tcp --dport 22 -m state --state NEW -j SSHSCAN
-A SSHSCAN -m recent --set --name SSH
-A SSHSCAN -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT

I have used it for years (lifted from someone cleverer than I on the
internet). This effectively thwarts brute force password attacks from the
network. It allows only 10 _new_ connections within a 5 min window. Of
course, it counts all successful and unsuccessful connections (with
sshguard on FreeBSD I do better: only react on unsuccessful connections),
but it still does a pretty good job.

I guess we all have accumulated some set of nice tools, and we don't like
to just throw them away - in exchange for what? Long ago I learned a rule
(what users will expect from a good sysadmin): do not make any changes
unless they are absolutely necessary. I find myself expecting the same
from the system vendor, or at least an understanding of why this or that
change is necessary. So far I don't see any reasons other than giving the
ability to administer the system to every computer user without special
knowledge... Which is pretty good, we need free (and much better!)
alternatives to M$ Windows. As far as our demands for servers are
concerned: they can be fulfilled by other alternatives (FreeBSD being one
of them).


Thanks again for educating us in how we can do what we need using firewalld!

Valeri

On Tue, August 12, 2014 8:21 am, Jonathan Billings wrote:
> On Fri, Aug 08, 2014 at 04:55:15PM -0500, Neil Aggarwal wrote:
>> I am looking at the documentation of the new firewalld service in CentOS
>> 7.
>> It looks like no matter what I configure with it, outgoing connections
>> are
>> still going to be allowed.  That does not seem very secure.
>
> Looking at the documentation closer, there does appear to be a way to
> add rules to the OUTPUT table, using the rich rules syntax.
>
> Red Hat documents it in this KB, which is only open to subscribers:
> https://access.redhat.com/solutions/1121463
>
> Here's basically how it's done:
>
> # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp
> -m tcp --dport=80 -j ACCEPT
> success
> # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp
> -m tcp --sport=80 -j ACCEPT
> success
> # firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j
> DROP
> success
>
> # firewall-cmd --permanent --direct --get-all-rules
> ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
> ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
> ipv4 filter OUTPUT 99 -j DROP
>
> That restricts outgoing traffic to only port 80 as the source and
> destination port.
>
> Hopefully Red Hat opens up that KB; it would have been nice to find
> this earlier in the thread.  It's still an overly complex way of doing
> things, although not much more so than running the iptables command.
>
>
> --
> Jonathan Billings <billings at negate.org>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
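Added example, not from this thread: a translation of Valeri's SSHSCAN iptables rules into firewalld direct rules, using the same `--direct` interface Jonathan showed for OUTPUT. It assumes CentOS 7's firewalld with the direct interface available and the `recent` match module loadable; setting FWCMD=echo prints the commands instead of applying them, so they can be reviewed first.

```sh
#!/bin/sh
# firewalld "direct" equivalent of the iptables SSHSCAN rate limit from the
# thread: a source that hits 10 new SSH connections within 300 s gets its
# further new connections dropped. Added example, not the list's own code.
# FWCMD=echo previews the commands; the default applies them for real.
FWCMD="${FWCMD:-firewall-cmd}"

# All rules go into the permanent config, so a --reload is needed at the end.
fw() { "$FWCMD" --permanent --direct "$@"; }

# Priorities order the rules inside each chain exactly as the iptables
# listing did: INPUT 0 sends new SSH connections through SSHSCAN, SSHSCAN 0
# records the source, SSHSCAN 1 drops it once it exceeds the hitcount, and
# INPUT 1 accepts whatever survives.
apply_sshscan() {
    fw --add-chain ipv4 filter SSHSCAN &&
    fw --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -m state --state NEW -j SSHSCAN &&
    fw --add-rule ipv4 filter SSHSCAN 0 -m recent --set --name SSH &&
    fw --add-rule ipv4 filter SSHSCAN 1 -m recent --update --seconds 300 --hitcount 10 --name SSH -j DROP &&
    fw --add-rule ipv4 filter INPUT 1 -p tcp --dport 22 -j ACCEPT &&
    "$FWCMD" --reload
}

# Same check Jonathan used: list what the permanent direct config now holds.
show_sshscan() {
    "$FWCMD" --permanent --direct --get-all-rules
}
```

Like the original iptables version, this counts every new connection, successful logins included, so an admin who opens many sessions quickly from one host will trip it too.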