Hi!
I have inherited a system using the following in order to prevent SIPVicious attacks:
iptables -I INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP
iptables -I INPUT -p tcp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP
Now that we are migrating to firewalld, I am not quite sure how to translate this into the firewalld semantics.
Do I have to use a rich rule with "protocol value="?
Any idea?
Thanks,
Benjamin Lefoul
nWISE AB
Hello Benjamin,
On 04/01/2016 12:29 PM, Benjamin Lefoul wrote:
Hi!
I have inherited a system using the following in order to prevent SIPVicious attacks:
iptables -I INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP
iptables -I INPUT -p tcp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP
Now that we are migrating to firewalld, I am not quite sure how to translate this into the firewalld semantics.
Do I have to use a rich rule with "protocol value="?
Any idea?
As the string extension is not usable by firewalld, there is no way to add this in a rich rule. But it is possible to add direct rules for this. Direct rules can (since version 0.4.0) also be added to zones by using zone chains for the direct rules like for example IN_public_log, IN_public_deny and IN_public_allow. There is no automatism to select the proper chain by rule settings like table, chain and target yet.
In your case the proper chain should be IN_public_deny if you want to add the rule to the public zone only. Otherwise you could simply use INPUT_direct. Add the rule also in the permanent environment to have it also after reboot or restart of the service.
Thanks,
Benjamin Lefoul
nWISE AB
firewalld-users mailing list firewalld-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/firewalld-users@lists.fedorahoste...
Regards, Thomas
From: Thomas Woerner twoerner@redhat.com
Sent: 01 April 2016 15:11
To: Firewalld users discussion list
Subject: Re: SIPVicious attacks: Migration from iptables-extensions
Hi all, and Thomas, thanks for your response a week ago.
Regarding the original question: how would such a direct rule be formatted in the XML? Could this be done with a module in a service file? Regarding zones, chains and default targets, we are so confused. All the docs seem to take it for granted that we know what a chain is.
For instance, according to man firewalld.zone:
target="ACCEPT|%%REJECT%%|DROP"
    Can be used to accept, reject or drop every packet. The ACCEPT target is used in the trusted zone, every packet will be accepted. The %%REJECT%% target is used in the block zone, every packet will be rejected with the default firewalld reject type. The DROP target is used in the drop zone, every packet will be dropped. The default target is {chain}_ZONE_{zone} and will be used if the target is not specified. If other than the default target is used, all settings except interface and source are ignored, because the first rule created in firewall for this zone is 'jump to target'.
What does "{chain}_ZONE_{zone}" mean? And if all settings except "interface" and "source" are ignored when target is set to "ACCEPT", why is it that "forward-port" seems to be working fine? (oh and, why the percentages around "REJECT"?)
Thanks in advance,
Benjamin
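Thomas's direct-rule answer and Benjamin's later question about the XML form, worked through as an added example that is not code from the thread or from the firewalld project: the chain names IN_public_deny and INPUT_direct and the iptables match come from the thread, while the function names, the FWCMD override for dry runs, and the direct.xml layout (taken from firewalld.direct(5), which the thread itself does not show) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: the two iptables string-match
# rules as firewalld direct rules (runtime + permanent) in the zone chain
# Thomas names (IN_public_deny), or INPUT_direct to cover every zone.
# FWCMD is an assumption of this example so the commands can be dry-run
# with FWCMD=echo; unset, it runs the real firewall-cmd.

# iptables match/target tokens for one protocol, exactly as in the old rules.
# -m string is an iptables extension, which is why no rich rule can express it.
sipvicious_rule_args() {
    printf '%s' "-p $1 --dport 5060 -m string --string friendly-scanner --algo bm -j DROP"
}

# Insert the rule for $2 (udp|tcp) into chain $1 at priority 0, once in the
# runtime set and once in the permanent set so it survives reload and reboot.
add_sipvicious_direct_rule() {
    chain=$1
    proto=$2
    args=$(sipvicious_rule_args "$proto")
    # $args is intentionally unquoted: firewall-cmd needs the separate tokens.
    ${FWCMD:-firewall-cmd} --direct --add-rule ipv4 filter "$chain" 0 $args &&
    ${FWCMD:-firewall-cmd} --permanent --direct --add-rule ipv4 filter "$chain" 0 $args
}

# The same two rules as the permanent file /etc/firewalld/direct.xml holds
# them (element layout per firewalld.direct(5)); $1 is the chain name.
sipvicious_direct_xml() {
    chain=$1
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<direct>'
    for proto in udp tcp; do
        printf '  <rule ipv="ipv4" table="filter" chain="%s" priority="0">%s</rule>\n' \
            "$chain" "$(sipvicious_rule_args "$proto")"
    done
    printf '%s\n' '</direct>'
}

# Check what firewalld recorded and what actually landed in the kernel chain.
show_sipvicious_rules() {
    ${FWCMD:-firewall-cmd} --direct --get-all-rules
    iptables -S "$1" 2>/dev/null | grep -- 'friendly-scanner'
}

# Usage: sh this_script.sh apply [IN_public_deny|INPUT_direct]
if [ "${1:-}" = "apply" ]; then
    for p in udp tcp; do add_sipvicious_direct_rule "${2:-IN_public_deny}" "$p"; done
    show_sipvicious_rules "${2:-IN_public_deny}"
fi
```

Running with FWCMD=echo first prints the exact firewall-cmd invocations without touching the firewall, which is a cheap way to review the translation before applying it on the migrated host.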