Hello folks,
we develop security guidance / compliance-related tools and content for Red Hat Enterprise Linux. Recently, within the effort to port old(er) iptables sections from Red Hat Enterprise Linux 6 to Red Hat Enterprise Linux 7, we encountered the following firewalld-related question.
Please have a look at sample guidance document at: [1] https://jlieskov.fedorapeople.org/rhel6-guide.html
In the section "2.5.7. iptables and ip6tables", under rule: "2.5.7.2.a. Set Default iptables Policy for Incoming Packets" there's the following requirement:
<quote> To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/iptables:
:INPUT DROP [0:0] </quote>
The question is how to ensure that an iptables rule with exactly this meaning is applied on the system using firewalld-related tools. In other words, is there a way, via the firewalld tools, to change the default policy from "ACCEPT" to e.g. "DROP" for a particular filter chain (e.g. "INPUT")? [*]
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Technologies Team
[*] We are aware that firewalld uses a different configuration file than /etc/sysconfig/iptables & can handle that. But the question is how to change the default policy from 'ACCEPT' to something else.
On 10/07/2014 04:35 PM, Jan Lieskovsky wrote:
The question is how to ensure that an iptables rule with exactly this meaning is applied on the system using firewalld-related tools. In other words, is there a way, via the firewalld tools, to change the default policy from "ACCEPT" to e.g. "DROP" for a particular filter chain (e.g. "INPUT")? [*]
No, there's no such way; it's wired to "ACCEPT" internally.
But I have 2 ideas for how to solve this.
Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't change anything as all 'remaining' packets are matched with -A INPUT -j REJECT --reject-with icmp-host-prohibited anyway.
Or add a "policy" support to 'direct' interface. Something like $ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb } table chain target which would run 'iptables -P -t table chain target'
Thomas, ideas/objections ?
-- Jiri
On 10/13/2014 03:47 PM, Jiri Popelka wrote:
I think it would be good to have one global setting in the firewalld config file to define the default policy for all default chains in all tables.
Having a policy per chain and table is too much in my opinion.
Regards, Thomas
On 10/13/2014 05:03 PM, Thomas Woerner wrote:
On 10/13/2014 03:47 PM, Jiri Popelka wrote:
Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't change anything as all 'remaining' packets are matched with -A INPUT -j REJECT --reject-with icmp-host-prohibited anyway.
Or add a "policy" support to 'direct' interface. Something like $ firewall-cmd [--permanent] --direct --add-policy { ipv4 | ipv6 | eb } table chain target which would run 'iptables -P -t table chain target'
I think it would be good to have one global setting in the firewalld config file to define the default policy for all default chains in all tables.
Setting policies of all chains of all tables to DROP is IMHO *too* restrictive. That would AFAICT drop *all* traffic (for example in raw or mangle table) and it's not what the 'security guide' suggests - it suggests to set DROP policy of filter/INPUT only.
Anyway I think using firewalld's 'drop' zone is what we want here, as I already suggested in another answer.
-- Jiri
On 10/13/2014 05:41 PM, Jiri Popelka wrote:
On 10/13/2014 05:03 PM, Thomas Woerner wrote:
On 10/13/2014 03:47 PM, Jiri Popelka wrote:
I think it would be good to have one global setting in the firewalld config file to define the default policy for all default chains in all tables.
Setting policies of all chains of all tables to DROP is IMHO *too* restrictive. That would AFAICT drop *all* traffic (for example in raw or mangle table) and it's not what the 'security guide' suggests - it suggests to set DROP policy of filter/INPUT only.
Yes, that is right - it is too restrictive. Setting the policy in filter/INPUT and filter/FORWARD only should be OK.
Anyway I think using firewalld's 'drop' zone is what we want here, as I already suggested in another answer.
Yes.
Thomas
On 10/13/2014 03:47 PM, Jiri Popelka wrote:
Either hard-wire policy of filter/INPUT to "DROP" - this shouldn't change anything as all 'remaining' packets are matched with -A INPUT -j REJECT --reject-with icmp-host-prohibited
With this in mind I think that recommending users to set the default policy to DROP doesn't make much sense, because all 'remaining' packets are rejected anyway (with the '-A INPUT -j REJECT'), i.e. no packet gets to the point where the DROP policy is applied to it.
Actually, in firewalld we already have a very simple way to apply a restrictive policy: it's called the 'drop' zone. If you set firewalld's default zone to 'drop', all new (i.e. not initiated by this machine) incoming/forwarding traffic will be dropped by default, which is IMHO exactly what that 'security guide' wants to achieve.
One can do that either by setting 'DefaultZone=drop' in /etc/firewalld/firewalld.conf and restarting firewalld.
Or with $ firewall-cmd --set-default-zone=drop which will apply the change immediately and also permanently.
-- Jiri
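The thread leaves the compliance-content authors with a practical problem: on a firewalld host the filter/INPUT policy stays ACCEPT, so a check that greps /etc/sysconfig/iptables for ":INPUT DROP" will always fail even though the chain ends in an unconditional REJECT. The script below is an added example written for this thread (it is not firewalld code and not part of the RHEL guide). It evaluates an iptables-save dump the way Jiri argues it should be evaluated: filter/INPUT counts as restrictive if either its policy is DROP or its last rule is a catch-all `-j DROP`/`-j REJECT`; it also checks a firewalld.conf body for `DefaultZone=drop`. The three dumps are constructed for the example; the INPUT_ZONES chain name and the exact rule order in the firewalld-style sample are assumptions, not captured output.

```shell
#!/bin/sh
# Compliance check for the guide's "default policy DROP for filter/INPUT"
# requirement, tolerant of firewalld's layout (policy ACCEPT plus a trailing
# catch-all REJECT). Example code added to this thread, not firewalld's own.

# Constructed sample dumps in iptables-save format (not captured from a host).
# 1) Layout resembling a firewalld-managed host: policy ACCEPT, trailing
#    unconditional REJECT. Chain names other than INPUT are assumptions.
SAMPLE_FIREWALLD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# 2) The old-style /etc/sysconfig/iptables layout the guide describes.
SAMPLE_POLICY_DROP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# 3) Non-compliant: policy ACCEPT and no catch-all at the end of the chain.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Print the policy of filter/INPUT ("ACCEPT", "DROP", ...) from a dump.
input_chain_policy() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = $1 }
        table == "*filter" && $1 == ":INPUT" { print $2; exit }'
}

# Print the target of the last rule in filter/INPUT when that rule has no
# match criteria (i.e. "-A INPUT -j TARGET ..."); print nothing otherwise.
input_chain_final_catchall() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = $1 }
        table == "*filter" && $1 == "-A" && $2 == "INPUT" {
            last = ($3 == "-j") ? $4 : ""
        }
        END { print last }'
}

# Succeed if a packet matching no rule in filter/INPUT is dropped or rejected,
# either by the chain policy or by a trailing catch-all rule.
input_is_restrictive() {
    [ "$(input_chain_policy "$1")" = "DROP" ] && return 0
    case "$(input_chain_final_catchall "$1")" in
        DROP|REJECT) return 0 ;;
    esac
    return 1
}

# Succeed if a firewalld.conf body sets DefaultZone=drop.
default_zone_is_drop() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "DefaultZone" { zone = $2; gsub(/[ \t]/, "", zone) }
        END { if (zone == "drop") exit 0; exit 1 }'
}

# report LABEL DUMP: one-line verdict for a dump.
report() {
    if input_is_restrictive "$2"; then verdict=restrictive; else verdict=open; fi
    printf '%-18s policy=%-6s final=%-6s -> %s\n' "$1" \
        "$(input_chain_policy "$2")" "$(input_chain_final_catchall "$2")" "$verdict"
}

report firewalld-style "$SAMPLE_FIREWALLD"
report policy-drop "$SAMPLE_POLICY_DROP"
report no-catchall "$SAMPLE_OPEN"
```

On a live host the same functions take real input: `input_is_restrictive "$(iptables-save)"` for the runtime ruleset and `default_zone_is_drop "$(cat /etc/firewalld/firewalld.conf)"` for the persistent setting. Check both, not just the file: as Jiri notes, a DefaultZone change made in firewalld.conf only takes effect after firewalld is restarted, whereas `firewall-cmd --set-default-zone=drop` applies at once; `firewall-cmd --get-default-zone` reports the zone currently in force.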
firewalld-users@lists.fedorahosted.org