Neil Aggarwal
2014-Aug-08 21:55 UTC
[CentOS] CentOS 7 - Firewall always allows outgoing packets?
Hello all:

I am looking at the documentation of the new firewalld service in CentOS 7. It looks like no matter what I configure with it, outgoing connections are still going to be allowed. That does not seem very secure.

I always set my servers to default policy of DROP for everything incoming and outgoing and then add rules to allow very specific traffic through.

Is this possible using the new firewalld service or should I disable it and go back to using iptables?

Thanks,
Neil

--
Neil Aggarwal, (972) 834-1565
We lend money to investors to buy or refinance single family rent houses. No origination fees, quick approval, no credit check.
Earl Ramirez
2014-Aug-09 01:13 UTC
[CentOS] CentOS 7 - Firewall always allows outgoing packets?
On Fri, 2014-08-08 at 16:55 -0500, Neil Aggarwal wrote:
> Hello all:
>
> I am looking at the documentation of the new firewalld service in CentOS 7.
> It looks like no matter what I configure with it, outgoing connections are
> still going to be allowed. That does not seem very secure.
>
> I always set my servers to default policy of DROP for everything incoming
> and outgoing and then add rules to allow very specific traffic through.
>
> Is this possible using the new firewalld service or should I disable it and
> go back to using iptables?
>
> Thanks,
> Neil

Hello Neil,

You can check out the following document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
Eero Volotinen
2014-Aug-09 13:17 UTC
[CentOS] CentOS 7 - Firewall always allows outgoing packets?
2014-08-09 0:55 GMT+03:00 Neil Aggarwal <neil at jammconsulting.com>:
> Hello all:
>
> I am looking at the documentation of the new firewalld service in CentOS 7.
> It looks like no matter what I configure with it, outgoing connections are
> still going to be allowed. That does not seem very secure.
>
> I always set my servers to default policy of DROP for everything incoming
> and outgoing and then add rules to allow very specific traffic through.
>
> Is this possible using the new firewalld service or should I disable it and
> go back to using iptables?

Yes, it is possible, check this out:
http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Disabling_firewalld.html

--
Eero
Jim Perrin
2014-Aug-09 13:44 UTC
[CentOS] CentOS 7 - Firewall always allows outgoing packets?
On 08/08/2014 04:55 PM, Neil Aggarwal wrote:
> Hello all:
>
> I am looking at the documentation of the new firewalld service in CentOS 7.
> It looks like no matter what I configure with it, outgoing connections are
> still going to be allowed. That does not seem very secure.
>
> I always set my servers to default policy of DROP for everything incoming
> and outgoing and then add rules to allow very specific traffic through.
>
> Is this possible using the new firewalld service or should I disable it and
> go back to using iptables?

Currently with firewalld it is not possible[1] to block outbound connections. You would need to revert back to iptables to get this behavior back. Please keep in mind that in CentOS 7, iptables is no longer just one package either.

[1] - https://lists.fedorahosted.org/pipermail/firewalld-users/2013-February/000053.html

--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
Steve Clark
2014-Aug-09 16:02 UTC
[CentOS] CentOS 7 - Firewall always allows outgoing packets?
On 08/08/2014 05:55 PM, Neil Aggarwal wrote:
> Hello all:
>
> I am looking at the documentation of the new firewalld service in CentOS 7.
> It looks like no matter what I configure with it, outgoing connections are
> still going to be allowed. That does not seem very secure.
>
> I always set my servers to default policy of DROP for everything incoming
> and outgoing and then add rules to allow very specific traffic through.
>
> Is this possible using the new firewalld service or should I disable it and
> go back to using iptables?
>
> Thanks,
> Neil

In my way of thinking I am always wary of "being taken care of", especially when it comes to internet security! I like your philosophy of deny everything and selectively allow what YOU want.

My $.02

--
Stephen Clark
NetWolves Managed Services, LLC.
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
Jonathan Billings
2014-Aug-12 13:21 UTC
[CentOS] CentOS 7 - Firewall always allows outgoing packets?
On Fri, Aug 08, 2014 at 04:55:15PM -0500, Neil Aggarwal wrote:
> I am looking at the documentation of the new firewalld service in CentOS 7.
> It looks like no matter what I configure with it, outgoing connections are
> still going to be allowed. That does not seem very secure.

Looking at the documentation closer, there does appear to be a way to add rules to the OUTPUT table, using the rich rules syntax. Red Hat documents it in this KB, that is only open to subscribers:

https://access.redhat.com/solutions/1121463

Here's basically how it's done:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP
success
# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
ipv4 filter OUTPUT 99 -j DROP

That restricts outgoing traffic to only port 80 as the source and destination port.

Hopefully Red Hat opens up that KB, it would have been nice to find this earlier in the thread. It's still an overly complex way of doing things, although not much more so than running the iptables command.

--
Jonathan Billings <billings at negate.org>
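An added example, not code from the thread, that turns the direct-rule approach shown above into a dry-run script: it uses the same firewall-cmd --direct syntax, and adds the loopback and conntrack ESTABLISHED,RELATED allowances the posted three-rule set lacks, since without them the trailing OUTPUT 99 DROP also discards replies to inbound sessions such as an admin's SSH login. FWCMD is a hypothetical variable of this example: left unset the script only prints the commands, set to firewall-cmd it applies them.

```shell
#!/bin/sh
# Added example, not code from the thread: a default-deny egress policy built
# from firewalld direct rules in the ipv4 filter OUTPUT chain. FWCMD is a
# hypothetical knob: unset, the script prints the commands (dry run); export
# FWCMD=firewall-cmd on a CentOS 7 host to actually apply them.
FWCMD="${FWCMD:-}"

# run ARGS...: execute firewall-cmd with ARGS, or print the command line.
run() {
    if [ -n "$FWCMD" ]; then "$FWCMD" "$@"; else printf 'firewall-cmd %s\n' "$*"; fi
}

# output_rule PRIORITY RULE...: one permanent direct rule in OUTPUT.
# Lower priority numbers are evaluated first, so the DROP must come last.
output_rule() {
    prio="$1"; shift
    run --permanent --direct --add-rule ipv4 filter OUTPUT "$prio" "$@"
}

# egress_policy: emit the whole rule set. Rules 0 and 1 are what the three-rule
# example in the thread is missing: without them the final DROP also discards
# loopback traffic and the reply packets of inbound sessions (e.g. sshd).
egress_policy() {
    output_rule 0  -o lo -j ACCEPT
    output_rule 1  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    output_rule 2  -p udp -m udp --dport 53 -j ACCEPT      # DNS
    output_rule 3  -p tcp -m tcp --dport 53 -j ACCEPT      # DNS over TCP
    output_rule 4  -p tcp -m tcp --dport 80 -j ACCEPT      # HTTP
    output_rule 5  -p tcp -m tcp --dport 443 -j ACCEPT     # HTTPS
    output_rule 98 -m limit --limit 5/min -j LOG --log-prefix "egress-drop: "
    output_rule 99 -j DROP
}

# apply_policy: permanent direct rules only take effect after a reload.
apply_policy() {
    egress_policy
    run --reload
}

apply_policy
```

The LOG rule before the DROP is what lets you review rejected egress in the kernel log before tightening or loosening the allow list.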
Alexander Dalloz
2014-Aug-12 13:52 UTC
[CentOS] CentOS 7 - Firewall always allows outgoing packets?
On 2014-08-08 23:55, Neil Aggarwal wrote:
> Hello all:
>
> I am looking at the documentation of the new firewalld service in
> CentOS 7.
> It looks like no matter what I configure with it, outgoing connections
> are
> still going to be allowed. That does not seem very secure.
>
> I always set my servers to default policy of DROP for everything
> incoming
> and outgoing and then add rules to allow very specific traffic through.
>
> Is this possible using the new firewalld service or should I disable it
> and
> go back to using iptables?
>
> Thanks,
> Neil

Those with a RHEL subscription can find a Red Hat knowledge base article under https://access.redhat.com/solutions/1121463 about the question "How to filter outbound or outgoing network traffic in RHEL7?" It pretty much explains how to achieve outbound filtering using FirewallD.

Alexander