On 2017-01-01 14:24, David Sommerseth wrote:
> On 01/01/17 01:28, jdow wrote:
>> Obviously I really do NOT want firewalld to run. This is, apparently, usually done using "systemctl mask firewalld". Unfortunately this leaves divots all over the logs about systemctl not being able to bring up /dev/null er firewalld. That seems "unfriendly" to say the least. (And it seems there is no "friendly" way to undo the "systemctl mask" command, at least for firewalld.)
>
> # yum erase firewalld
> # yum install iptables-services
Did the second half. The first half had a large collection of dependencies that would be removed as well, little things like "anaconda-core". Erm, that might not be a good thing. I'm not interested in throwing the system into the dark ages. I just want to use some iptables features that firewalld doesn't seem to be able to approach. Its GUI doesn't even seem to have a way to turn SOME logging on, leaving most logging off. That's rude. (I find I am even eschewing the iptables-services tools. I'm using the dhclient script capability to reset the firewall when a new address is assigned. The actual firewall design right now closely resembles that produced by firewalld. It was useful as a template for retuning the firewall's features.)
This little stanza is one I've been using since my first iptables setup:

    $IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack --rcheck --seconds 90 --hitcount 1 -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
    $IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack --rcheck --seconds 90 --hitcount 1 -j REJECT --reject-with tcp-reset
    $IPT -t filter -A IN_public_deny -p tcp --dport ssh --syn -m recent --name ssh_attack --set
A given site cannot feed a SYN packet to the ssh port more often than once every 90 seconds. It makes password guessing rather time consuming. Firewalld documentation was not clear on how I'd add that into its firewall via the GUI, especially if it is conditional on a tiny configuration file in /etc to disable all ingress ports or open them up, and how to open them up. Open when traveling. Close when home.
But remove Anaconda? EEEEK!
{o.o}
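The SSH SYN throttle and the open-when-traveling/closed-at-home switch described above, as an added shell example that is not jdow's own dhclient script. The chain name SSH_THROTTLE, the flag file /etc/firewall-open and the assumption that this chain is the only place SSH ingress is accepted are made up for the example; running it with IPT=echo dry-runs it without root.

```shell
#!/bin/sh
# Added example: rebuilds the SSH SYN throttle from the stanza above in its own
# chain so a dhclient hook can flush and recreate it on every new address.
# Assumptions (not from the original post): chain SSH_THROTTLE, flag file
# /etc/firewall-open (present = traveling/open, absent = home/closed).
IPT="${IPT:-/sbin/iptables}"          # IPT=echo prints the rules instead of loading them
OPEN_FLAG="${OPEN_FLAG:-/etc/firewall-open}"
WINDOW=90                             # seconds a source must wait between SSH SYNs
LIST=ssh_attack                       # -m recent list name, as in the stanza above

ssh_throttle_rules() {
    # Create the chain, or flush it if it already exists from an earlier run
    $IPT -t filter -N SSH_THROTTLE 2>/dev/null || $IPT -t filter -F SSH_THROTTLE
    # Source already seen within WINDOW seconds: log it, then reset the connection.
    # --rcheck only reads the list, so the window is fixed from the first SYN.
    $IPT -t filter -A SSH_THROTTLE -p tcp --dport ssh --syn \
        -m recent --name "$LIST" --rcheck --seconds "$WINDOW" --hitcount 1 \
        -j LOG --log-prefix 'SSH2 REJECT: ' --log-level info
    $IPT -t filter -A SSH_THROTTLE -p tcp --dport ssh --syn \
        -m recent --name "$LIST" --rcheck --seconds "$WINDOW" --hitcount 1 \
        -j REJECT --reject-with tcp-reset
    # First SYN in the window: record the source and hand it to sshd
    # (assumed ACCEPT here; the original stanza fell through to later rules)
    $IPT -t filter -A SSH_THROTTLE -p tcp --dport ssh --syn \
        -m recent --name "$LIST" --set -j ACCEPT
}

# Prints "open" or "closed" after loading the matching INPUT rule
ssh_ingress_policy() {
    if [ -e "$OPEN_FLAG" ]; then
        ssh_throttle_rules
        $IPT -t filter -A INPUT -p tcp --dport ssh --syn -j SSH_THROTTLE
        echo open
    else
        # At home: refuse SSH outright, no throttle chain needed
        $IPT -t filter -A INPUT -p tcp --dport ssh -j REJECT --reject-with tcp-reset
        echo closed
    fi
}
```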
