I'd like to achieve four things in Firewalld:
1. Add a rule that blocks all outgoing and incoming traffic on your local Ethernet device.
2. Add an exception for your favorite DNS server (to resolve the hostname of your VPN provider).
3. Add an exception for your VPN provider's IP addresses.
4. Add a rule for your tun/tap or any other VPN device to allow all outgoing traffic for the VPN tunnel.
Can someone tell me how?
Jake: The way you stated your requirements leads me to assume you are comfortable with iptables and probably have a working script that handles the setup of iptables directly. Firewalld does use iptables (and ip6tables) but assumes you can work within some preset scenarios as defined in firewalld. Your requirements suggest a "public" zone basic setup, or "trust nobody at all", with DNS and VPN services enabled. Firewalld also allows a definition of "sources", interfaces and/or IP addresses that are allowed before the basic netfilter packet path is traversed. I had been running a somewhat convoluted iptables setup at bootup in Fedora 13 and upgraded through CentOS 6 as the years passed, but CentOS 7 changed the basic game. I found firewalld was workable provided I adjusted my netfilter plan to fit its predetermined setup.
I run a short script as root to output the iptables setup from firewalld just to see how it runs, and you may find that script helpful. Note you must create/define an output directory as I did in line 1:
DIR=/tmp/IPTABLES   # must be a pre-existing directory (the As-of stamp below also needs $DIR/firewalld to exist)
date > "$DIR/firewalld/As-of"
date > "$DIR/iptables-list"
/sbin/iptables -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\n## table nat\n" >> "$DIR/iptables-list"
/sbin/iptables -t nat -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\n## table mangle\n" >> "$DIR/iptables-list"
/sbin/iptables -t mangle -L -v --line-numbers -n >> "$DIR/iptables-list"
echo -e "\nEND of iptables list\n" >> "$DIR/iptables-list"
date > "$DIR/ip6tables-list"
/sbin/ip6tables -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\n## table nat\n" >> "$DIR/ip6tables-list"
/sbin/ip6tables -t nat -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\n## table mangle\n" >> "$DIR/ip6tables-list"
/sbin/ip6tables -t mangle -L -v --line-numbers -n >> "$DIR/ip6tables-list"
echo -e "\nEND of ip6tables list\n" >> "$DIR/ip6tables-list"
date > "$DIR/ebtables-list"
[ -x /sbin/ebtables ] && /sbin/ebtables -Ln >> "$DIR/ebtables-list"
echo -e "\nEND of ebtables list\n" >> "$DIR/ebtables-list"

# The following adds the configs that iptables would use if I had installed iptables and used it in lieu of firewalld
/sbin/iptables-save > "$DIR/saved_iptables_config"
/sbin/ip6tables-save > "$DIR/saved_ip6tables_config"

# If you have set up the traditional iptables configs, the following could be added to the script
[ -f /etc/sysconfig/iptables ] && /bin/cp -u /etc/sysconfig/iptables "$DIR/iptables-DEFAULT"
[ -f /etc/sysconfig/ip6tables ] && /bin/cp -u /etc/sysconfig/ip6tables "$DIR/ip6tables-DEFAULT"

# The following adds my defined "work" zone to the output
date > "$DIR/firewalld-zones"
firewall-cmd --list-all-zones >> "$DIR/firewalld-zones"
echo -e "\nEND of firewalld-zones\n" >> "$DIR/firewalld-zones"
echo -e "\nDetailed xml of work zone\n(source: /etc/firewalld/zones/work.xml)\n" >> "$DIR/firewalld-zones"
cat /etc/firewalld/zones/work.xml >> "$DIR/firewalld-zones"
date > "$DIR/Connections"
/usr/bin/netstat -tlpn >> "$DIR/Connections"
Of course YMMV, sorry I wrote so much.
Amicalement,
Dave
--
Maple Park Development
Linux Systems Integration
http://www.maplepark.com/
If IP addresses weighed one gram each: IPv4 = half the Empire State Building vs. IPv6 = 56 billion earths
I use Linux and I wouldn't touch Outlook even if I were using a Hazmat suit and an isolation lab kit.
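The four steps in the original question written out as firewall-cmd calls, as an added example that is not Dave's script or firewalld project code. It assumes the firewalld "direct" interface (iptables backend, as on CentOS 7), and the interface names and addresses (eth0, tun0, RFC 5737 documentation ranges) are placeholders.

```shell
#!/bin/sh
# Added example: generates (or, with "apply", runs) the firewall-cmd calls
# for a block-all-but-the-VPN setup. Placeholders, override via environment.
set -eu

LAN_IF="${LAN_IF:-eth0}"                       # placeholder: local Ethernet device
VPN_IF="${VPN_IF:-tun0}"                       # placeholder: VPN tunnel device
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"         # placeholder: favourite DNS server
VPN_SERVERS="${VPN_SERVERS:-198.51.100.10 198.51.100.11}"  # placeholder: VPN endpoints

vpn_killswitch_rules() {
    p="firewall-cmd --permanent"
    # 1. Incoming: the LAN device goes into the built-in "drop" zone.
    #    firewalld accepts ESTABLISHED,RELATED packets before zone dispatch,
    #    so replies to the allowed DNS/VPN traffic still get in.
    echo "$p --zone=drop --change-interface=$LAN_IF"
    # 2. Outgoing exception for the DNS server. Zones do not filter egress,
    #    so OUTPUT rules use the direct interface (lower priority runs first).
    for proto in udp tcp; do
        echo "$p --direct --add-rule ipv4 filter OUTPUT 0 -o $LAN_IF -d $DNS_SERVER -p $proto --dport 53 -j ACCEPT"
    done
    # 3. Outgoing exceptions for the VPN provider's addresses.
    for ip in $VPN_SERVERS; do
        echo "$p --direct --add-rule ipv4 filter OUTPUT 0 -o $LAN_IF -d $ip -j ACCEPT"
    done
    # 1. (continued) Everything else leaving the LAN device is dropped, IPv4
    #    and IPv6, so nothing leaks around the tunnel when it is down.
    echo "$p --direct --add-rule ipv4 filter OUTPUT 1 -o $LAN_IF -j DROP"
    echo "$p --direct --add-rule ipv6 filter OUTPUT 1 -o $LAN_IF -j DROP"
    # 4. The tunnel device is fully trusted: all traffic inside the VPN is allowed.
    echo "$p --zone=trusted --change-interface=$VPN_IF"
    echo "firewall-cmd --reload"
}

# Number of generated commands; useful as a sanity check before applying.
rule_count() { vpn_killswitch_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
    vpn_killswitch_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
    vpn_killswitch_rules
fi
```

On a NetworkManager-managed interface set the zone in the connection profile rather than with --change-interface, and if the LAN address comes from DHCP, unicast renewals to UDP port 67 will also need an exception in the OUTPUT rules.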
On Wed, Sep 14, 2016 at 2:16 AM, Jake Trader longid@fedoraproject.org wrote: