Re: [CentOS] Stupid C7 firewall question

2018-10-26 Thread me

On Thu, 25 Oct 2018, Valeri Galtsev wrote:

> Thanks Warren for nice quick start covering everything one needs to configure 
> firewalld. There is one thing I am related to "direct iptables manipulation" 
> which is: suppose I made configuration of some machine, which then I am going 
> to replicate just by using kickstart when building new machines. What should 
> I add to kickstart configuration file to make my configured firewalld part 
> reproduced on all newly built machines?


We stopped using kickstart and switched to ansible but the process is basically
the same. Simply copy the appropriate files in /etc/firewalld. For me that
means the files in the zones directory and in the services directory.

Any changes you have made to the default configurations will be stored under
/etc/firewalld. If the directories are empty, then you are running defaults.

Because we run configuration management, I mostly just edit the files with an
editor. The format is generally very simple to understand. The defaults are
stored in /usr/lib/firewalld/. You can use the files there as examples by
copying them to the correct directory in /etc/firewalld and making the necessary
modifications. Don't forget to reload firewalld after any changes.

Regards,


--
Tom m...@tdiehl.org
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Stupid C7 firewall question

2018-10-25 Thread Kenneth Porter

On 10/25/2018 12:41 AM, Warren Young wrote:

> to make them permanent, you have to edit `/etc/sysconfig/iptables` with a 
> somewhat different syntax.


Or use "service iptables save". On systems where I use raw iptables, I 
set the thing up with the command line tools and then use that command 
to snapshot the running firewall to the sysconfig file.


I'm using firewalld now, but I still inspect the resulting iptables to 
see what it does. You can do this with "iptables-save > 
/tmp/iptables.txt". (That's the command that the initscript uses under 
the hood to save the boot-time sysconfig file.)


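Kenneth's habit of snapshotting with `iptables-save` is more useful once the dump is summarised, because the chains firewalld generates (IN_public, IN_public_allow and friends) make the raw output long. The script below is an added example, not code from this thread or from firewalld: it reads iptables-save output and lists every accepted destination port per chain, plus the target of a chain's last rule, so you can confirm that INPUT still ends in REJECT. The same parser works on `ip6tables-save` output. The sample dump is constructed for the example and only imitates the shape of firewalld's chains.

```shell
#!/bin/sh
# Added example: summarise which ports an iptables-save dump accepts.
# On a live host (as root):  iptables-save | accepted_ports
#                            ip6tables-save | accepted_ports
set -eu
LC_ALL=C; export LC_ALL

# Print "CHAIN proto/port" for every -A rule whose target is ACCEPT and which
# matches a destination port (--dport or --dports). Reads iptables-save text
# on stdin; output is sorted and de-duplicated.
accepted_ports() {
    awk '
        /^-A / {
            proto = "any"; port = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")                               proto  = $(i + 1)
                else if ($i == "--dport" || $i == "--dports") port   = $(i + 1)
                else if ($i == "-j")                          target = $(i + 1)
            }
            if (target == "ACCEPT" && port != "")
                print $2, proto "/" port
        }' | sort -u
}

# Print the target of the last rule in chain $1, or the chain policy when the
# chain has no rules. firewalld ends INPUT with a REJECT rule; seeing anything
# else there means the generated rule set has been altered.
chain_last_target() {
    awk -v chain="$1" '
        /^:/ && substr($1, 2) == chain { policy = $2 }
        /^-A / && $2 == chain {
            for (i = 1; i <= NF; i++) if ($i == "-j") last = $(i + 1)
        }
        END { print (last != "" ? "last rule: " last : "policy: " policy) }'
}

# Constructed sample, shaped like the filter table firewalld builds for a
# "public" zone with ssh, ftp and ntp allowed.
SAMPLE_IPTABLES_SAVE=$(cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j IN_public
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
)

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | accepted_ports
    printf '%s\n' "$SAMPLE_IPTABLES_SAVE" | chain_last_target INPUT
fi
```

Run with `--demo` to see the three accepted ports and "last rule: REJECT" for the sample; on a real host pipe the live dump in instead.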


Re: [CentOS] Stupid C7 firewall question

2018-10-25 Thread Warren Young
On Oct 25, 2018, at 9:04 AM, Valeri Galtsev  wrote:
> 
> suppose I made configuration of some machine, which then I am going to 
> replicate just by using kickstart when building new machines. What should I 
> add to kickstart configuration file to make my configured firewalld part 
> reproduced on all newly built machines?

We use shell scripts here to bring new machines up, not kickstart, but my first 
result in a web search looks useful:

https://firewalld.org/documentation/man-pages/firewall-offline-cmd.html
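Tom's answer (copy the zones and services directories under /etc/firewalld, with /usr/lib/firewalld holding the package defaults) and Warren's pointer to firewall-offline-cmd address the same kickstart question. The script below is an added example, not from the thread, from firewalld or from any kickstart template: it models firewalld's lookup order (a file under /etc/firewalld overrides the same-named default under /usr/lib/firewalld) and stages a "golden" tree of zone and service XML files into a target root, the way a %post script or an Ansible task would against /. The golden directory layout, the zone and service XML contents, the service name myapp and the 192.0.2.0/24 source are all constructed for the example.

```shell
#!/bin/sh
# Added example: model firewalld's config lookup and stage a golden copy of
# zones/ and services/ into a target root (use "/" from a kickstart %post).
set -eu

# firewalld reads <root>/etc/firewalld/<kind>/<name>.xml if it exists, else the
# package default <root>/usr/lib/firewalld/<kind>/<name>.xml.
# $1 = root ("/" on a live host, a temp dir here), $2 = zones|services, $3 = name
effective_file() {
    root=$1; kind=$2; name=$3
    if [ -f "$root/etc/firewalld/$kind/$name.xml" ]; then
        printf '%s\n' "$root/etc/firewalld/$kind/$name.xml"
    elif [ -f "$root/usr/lib/firewalld/$kind/$name.xml" ]; then
        printf '%s\n' "$root/usr/lib/firewalld/$kind/$name.xml"
    else
        printf 'no %s named %s under %s\n' "$kind" "$name" "$root" >&2
        return 1
    fi
}

# Copy every zones/*.xml and services/*.xml from golden dir $1 into
# $2/etc/firewalld, root-readable, world-readable, not writable by others.
# On a running host follow this with: firewall-cmd --reload
stage_firewalld_config() {
    src=$1; root=$2
    for kind in zones services; do
        [ -d "$src/$kind" ] || continue
        mkdir -p "$root/etc/firewalld/$kind"
        for f in "$src/$kind"/*.xml; do
            [ -f "$f" ] || continue
            cp "$f" "$root/etc/firewalld/$kind/"
            chmod 0644 "$root/etc/firewalld/$kind/$(basename "$f")"
        done
    done
}

# Build a constructed sample: package defaults under usr/lib, plus a golden
# tree with a customised public zone and a custom service, then stage it.
demo_build() {
    root=$1
    mkdir -p "$root/usr/lib/firewalld/zones" "$root/golden/zones" "$root/golden/services"
    cat >"$root/usr/lib/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Package default (constructed sample)</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
    cp "$root/usr/lib/firewalld/zones/public.xml" "$root/usr/lib/firewalld/zones/home.xml"
    cat >"$root/golden/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Site policy: ssh only from the admin network, myapp to everyone</description>
  <service name="myapp"/>
  <rule family="ipv4">
    <source address="192.0.2.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
EOF
    cat >"$root/golden/services/myapp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>myapp</short>
  <description>Constructed example service</description>
  <port protocol="tcp" port="8443"/>
</service>
EOF
    stage_firewalld_config "$root/golden" "$root"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    demo_build "$tmp"
    for n in public home; do effective_file "$tmp" zones "$n"; done
    rm -rf "$tmp"
fi
```

Getting the golden tree into the installer environment (HTTP, NFS, a package) is outside the example; once it is staged, firewall-offline-cmd from Warren's link can layer per-host changes onto the same files, and on a host that is already running, `firewall-cmd --reload` makes the new files live, as Tom notes.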


Re: [CentOS] Stupid C7 firewall question

2018-10-25 Thread Jonathan Billings
On Thu, Oct 25, 2018 at 09:53:13AM -0500, Blake Hudson wrote:
> My first impression was that firewalld and NetworkManager had a more desktop
> oriented/plug-n-play type feel compared to traditional tools like network
> and iptables  so I chose to stick with the latter on my servers (manual
> IP4/IP6 configuration and a handful of services, some open to the public
> internet while others open only to certain sources).

I use NetworkManager and firewalld on my servers.  NM (particularly,
the more modern one on EL7) is great for servers, because they'll
bring the network interface up and down based on the status of the
line, not just at boot.  In one of our datacenters, our faster booting
servers often start up faster than the network infrastructure after an
emergency power cut.  Without NM in place, they'd have tried to start
networking on boot, detect that the network device was down, and give
up.  I'd have to reboot them at the console (or remotely through a
serial console) to get them back online.  With NM, they start up,
network is down but they still come up, and the network is activated a
few minutes later when the switch becomes active.

You can also set up NetworkManager dispatcher actions for when the
network goes up or down.  This way, after the network comes up, for
example, you could have it reset the clock through chrony.  

I like firewalld for a different reason.  You can parcel out
configuration files related to configuration management roles, and
that's easier done with firewalld than the monolithic
/etc/sysconfig/iptables file.  I still have to use a template for some
files, but it's not a huge mess like the template I use for the
iptables file.

> For a laptop or desktop
> (which probably uses DHCP and has few, if any, publicly accessible services)
> I'd probably stick with the former. I have no idea how well tools like
> fail2ban or logwatch integrate with firewalld, but if they work as well or
> better than iptables that would be great. Warren is correct that the
> firewall-cmd interface is probably more intuitive for most folks (especially
> those not familiar with managing iptables).

fail2ban works fine with firewalld.  You just install the
fail2ban-firewalld subpackage and it sets up the right firewalld
configuration.  (banaction = firewallcmd-ipset)  It's nice, it uses
ipsets instead of the iptables-multiport action, which I think is
faster. 

-- 
Jonathan Billings 
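Jonathan's dispatcher idea, as an added example (not a script from the thread or from NetworkManager): NetworkManager runs each executable in /etc/NetworkManager/dispatcher.d with the interface name and the action as its two arguments. This script steps the clock with `chronyc makestep` when a non-loopback interface comes up and only logs when one goes down. The decision is kept in a separate function so it can be exercised without chronyc, and the command names can be overridden through the CHRONYC and LOGGER variables, which are conventions of this example only.

```shell
#!/bin/sh
# Added example: NetworkManager dispatcher script that steps the clock with
# chrony once a real interface comes up.
# Install as /etc/NetworkManager/dispatcher.d/90-chrony-step (root:root, 0755).
# NetworkManager invokes it as:  <script> <interface> <action>
set -u

# Decide what to do for an (interface, action) pair and print the keyword:
#   step   - interface came up, step the clock
#   log    - interface went down, only log it
#   ignore - loopback or any other action (pre-up, dhcp4-change, ...)
decide() {
    iface=$1; action=$2
    case "$iface" in
        lo) echo ignore; return 0 ;;
    esac
    case "$action" in
        up|vpn-up)     echo step ;;
        down|vpn-down) echo log ;;
        *)             echo ignore ;;
    esac
}

# Carry out the decision. CHRONYC and LOGGER default to the real commands and
# can be pointed at "echo"/"true" for a dry run.
run() {
    iface=$1; action=$2
    chronyc=${CHRONYC:-chronyc}
    logger=${LOGGER:-logger}
    case "$(decide "$iface" "$action")" in
        step)
            "$logger" -t nm-chrony "$iface $action: stepping the clock"
            if command -v "$chronyc" >/dev/null 2>&1; then
                # makestep forces an immediate correction instead of slewing
                "$chronyc" makestep
            else
                "$logger" -t nm-chrony "chronyc not installed, skipping"
            fi
            ;;
        log)
            "$logger" -t nm-chrony "$iface $action"
            ;;
    esac
}

# Only act when called the way NetworkManager calls us (two arguments), so
# sourcing the file for tests does nothing.
if [ $# -eq 2 ]; then
    run "$1" "$2"
fi
```

NetworkManager only runs dispatcher scripts that are owned by root and not writable by group or others, so a script that is accidentally left writable is silently skipped rather than executed; check the mode if the hook never seems to fire.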


Re: [CentOS] Stupid C7 firewall question

2018-10-25 Thread Valeri Galtsev



On 10/25/18 2:41 AM, Warren Young wrote:

> On Oct 24, 2018, at 8:06 PM, Joel Freeman  wrote:
> 
>> Is there any reason to use Firewalld over IPTables?
> 
> Lots: https://firewalld.org/
> 
>> I'm incredibly new to Linux administration
> 
> Given that, which would you rather type:
> 
>  $ sudo firewall-cmd --add-service=ftp
> 
> or whatever that does under the hood, which probably resembles the 7 commands 
> given here:
> 
>  https://unix.stackexchange.com/a/93555/138
> 
> The commands given will only take effect while the system runs, so to make them 
> permanent, you have to edit `/etc/sysconfig/iptables` with a somewhat different 
> syntax.
> 
> Contrast FirewallD, where you just re-issue the command above with a single 
> additional flag:
> 
>  $ sudo firewall-cmd --add-service=ftp --permanent
> 
> FTP is an uncommonly difficult case, but direct iptables manipulation remains 
> more difficult even in the single-port case.
> 
> FirewallD doesn’t require that you use predefined services, either.  It works 
> just fine with raw port numbers:
> 
>  $ sudo firewall-cmd --add-port=5/tcp
> 
> Contrast the equivalent iptables command:
> 
>  $ sudo iptables -A INPUT -p tcp --dport 5 -j ACCEPT
> 
> …and that only works if inserting into the INPUT chain is what you actually 
> want to do, which it might not be on a system managed by FirewallD, which 
> probably set up some more complicated chain scheme you’d have to understand in 
> order to get the expected behavior.
> 
> Why not let FirewallD handle all of that for you?
> 
> I don’t miss direct iptables manipulation.


Thanks Warren for nice quick start covering everything one needs to 
configure firewalld. There is one thing I am related to "direct iptables 
manipulation" which is: suppose I made configuration of some machine, 
which then I am going to replicate just by using kickstart when building 
new machines. What should I add to kickstart configuration file to make 
my configured firewalld part reproduced on all newly built machines?


Thanks again!

Valeri

PS Your quick startup reminds me how we were introducing UNIX (shell) to 
new users: basically we were showing them a handful of commands (5-10) 
with which person can start, and knowing which person can start doing 
what one needs. Bottom line: it takes 5-10 minutes to start using UNIX, 
no need to read 1000 page book before starting. I have exactly the same 
feeling after your introduction into firewalld - (except kickstart 
missing for me).






--

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247



Re: [CentOS] Stupid C7 firewall question

2018-10-25 Thread Blake Hudson



Joel Freeman wrote on 10/24/2018 9:06 PM:

> On a similar note, Is there any reason to use Firewalld over IPTables?
> 
> I'm incredibly new to Linux administration, and would like your guys'
> opinions on it.
> 
> Many thanks,
> Joel.


My first impression was that firewalld and NetworkManager had a more 
desktop oriented/plug-n-play type feel compared to traditional tools 
like network and iptables so I chose to stick with the latter on my 
servers (manual IP4/IP6 configuration and a handful of services, some 
open to the public internet while others open only to certain sources). 
For a laptop or desktop (which probably uses DHCP and has few, if any, 
publicly accessible services) I'd probably stick with the former. I have 
no idea how well tools like fail2ban or logwatch integrate with 
firewalld, but if they work as well or better than iptables that would 
be great. Warren is correct that the firewall-cmd interface is probably 
more intuitive for most folks (especially those not familiar with 
managing iptables).



Re: [CentOS] Stupid C7 firewall question

2018-10-25 Thread Warren Young
On Oct 24, 2018, at 8:06 PM, Joel Freeman  wrote:
> 
> Is there any reason to use Firewalld over IPTables?

Lots: https://firewalld.org/

> I'm incredibly new to Linux administration

Given that, which would you rather type:

$ sudo firewall-cmd --add-service=ftp

or whatever that does under the hood, which probably resembles the 7 commands 
given here:

https://unix.stackexchange.com/a/93555/138

The commands given will only take effect while the system runs, so to make them 
permanent, you have to edit `/etc/sysconfig/iptables` with a somewhat different 
syntax.  

Contrast FirewallD, where you just re-issue the command above with a single 
additional flag:

$ sudo firewall-cmd --add-service=ftp --permanent

FTP is an uncommonly difficult case, but direct iptables manipulation remains 
more difficult even in the single-port case.

FirewallD doesn’t require that you use predefined services, either.  It works 
just fine with raw port numbers:

$ sudo firewall-cmd --add-port=5/tcp

Contrast the equivalent iptables command:

$ sudo iptables -A INPUT -p tcp --dport 5 -j ACCEPT

…and that only works if inserting into the INPUT chain is what you actually 
want to do, which it might not be on a system managed by FirewallD, which 
probably set up some more complicated chain scheme you’d have to understand in 
order to get the expected behavior.

Why not let FirewallD handle all of that for you?

I don’t miss direct iptables manipulation.
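The runtime/permanent split Warren describes is also a classic source of drift: a rule added without `--permanent` disappears at the next reload, and one added with `--permanent` but never reloaded is not enforced. The script below is an added example, not from the thread or from firewalld: it normalises two `firewall-cmd --list-all` dumps (runtime and `--permanent`) into key=value lines and reports what exists on only one side. The two dumps are constructed to imitate the `--list-all` layout, including the indented rich-rule continuation line; the zone contents and the 192.0.2.0/24 source are made up for the example.

```shell
#!/bin/sh
# Added example: report drift between firewalld's runtime and permanent
# configuration of one zone. On a live host:
#   firewall-cmd --list-all             > runtime.txt
#   firewall-cmd --permanent --list-all > permanent.txt
#   zone_drift runtime.txt permanent.txt
set -eu
LC_ALL=C; export LC_ALL

# Turn `--list-all` output into sorted "key=value" lines, one per list element,
# so the two views can be compared with comm(1). The zone header line
# ("public (active)" vs "public") is skipped; indented continuation lines
# (rich rules) are attributed to the preceding key.
normalize_zone() {
    awk '
        NR == 1 { next }
        /^[ \t]+[a-z -]+:( |$)/ {
            sub(/^[ \t]+/, "")
            key = $0;  sub(/:.*/, "", key)
            vals = $0; sub(/^[^:]*: */, "", vals)
            n = split(vals, v, " ")
            for (i = 1; i <= n; i++) print key "=" v[i]
            next
        }
        /^[ \t]+/ {
            sub(/^[ \t]+/, "")
            print key "=" $0
        }' "$1" | sort
}

# Print "runtime-only: ..." and "permanent-only: ..." lines; no output means
# the two views agree. $1 = runtime dump file, $2 = permanent dump file.
zone_drift() {
    rt=$(mktemp); pm=$(mktemp)
    normalize_zone "$1" >"$rt"
    normalize_zone "$2" >"$pm"
    comm -23 "$rt" "$pm" | sed 's/^/runtime-only: /'
    comm -13 "$rt" "$pm" | sed 's/^/permanent-only: /'
    rm -f "$rt" "$pm"
}

# Constructed sample: someone ran --add-service=ftp and --add-port=5/tcp
# without --permanent (gone at the next reload) and added a rich rule with
# --permanent but never reloaded (not yet enforced).
write_samples() {
    cat >"$1/runtime.txt" <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client ftp
  ports: 5/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
    cat >"$1/permanent.txt" <<'EOF'
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.0.2.0/24" service name="ssh" accept
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    zone_drift "$d/runtime.txt" "$d/permanent.txt"
    rm -rf "$d"
fi
```

For the sample this prints two runtime-only lines (ports=5/tcp, services=ftp) and one permanent-only line (the rich rule); either direction of drift is worth an alert, since the first kind vanishes silently on reload and the second kind is policy you believe is enforced but is not.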


Re: [CentOS] Stupid C7 firewall question

2018-10-24 Thread Joel Freeman
On a similar note, Is there any reason to use Firewalld over IPTables?

I'm incredibly new to Linux administration, and would like your guys'
opinions on it.

Many thanks,
Joel.

On Wed, 24 Oct 2018 at 12:23, mark  wrote:

> On 10/23/18 14:45, Phil Perry wrote:
> > On 23/10/18 19:05, mark wrote:
> >> Been looking, and haven't found the answer: in c7, is there a
> firewall-cmd
> >> command, or a systemctl cmd, to check whether ip6tables firewall is
> >> running
> >
> > Yes, the same as for any other service:
> >
> > systemctl status ip6tables.service
> >
> Um, no. I've discovered that on our boxen we have ip6tables running - I
> can do
> ip6tables-save and see them, but ip6tables.service, which comes, I find,
> as
> part of iptables-services, is *not* installed.
>
> Working around it.
>
> mark


Re: [CentOS] Stupid C7 firewall question

2018-10-24 Thread mark

On 10/23/18 14:45, Phil Perry wrote:

> On 23/10/18 19:05, mark wrote:
> 
>> Been looking, and haven't found the answer: in c7, is there a firewall-cmd
>> command, or a systemctl cmd, to check whether ip6tables firewall is
>> running
> 
> Yes, the same as for any other service:
> 
> systemctl status ip6tables.service

Um, no. I've discovered that on our boxen we have ip6tables running - I can do 
ip6tables-save and see them, but ip6tables.service, which comes, I find, as 
part of iptables-services, is *not* installed.


Working around it.

mark


Re: [CentOS] Stupid C7 firewall question

2018-10-24 Thread Phil Perry

On 24/10/18 00:35, Gordon Messmer wrote:

> On 10/23/18 11:45 AM, Phil Perry wrote:
> 
>> Yes, the same as for any other service:
>> systemctl status ip6tables.service
> 
> That will not provide useful information if the system is using 
> firewalld, as is the default configuration.




Thanks. I have firewalld disabled and just run the old school 
ip[6]tables services directly.




Re: [CentOS] Stupid C7 firewall question

2018-10-23 Thread Gordon Messmer

On 10/23/18 11:45 AM, Phil Perry wrote:


> Yes, the same as for any other service:
> systemctl status ip6tables.service



That will not provide useful information if the system is using 
firewalld, as is the default configuration.




Re: [CentOS] Stupid C7 firewall question

2018-10-23 Thread Gordon Messmer

On 10/23/18 11:05 AM, mark wrote:

> Been looking, and haven't found the answer: in c7, is there a firewall-cmd
> command, or a systemctl cmd, to check whether ip6tables firewall is
> running



"firewall-cmd --state" will tell you if the daemon is running. If it is, 
then there should be both IPv4 and IPv6 rules.


You can use "ip6tables -L" to view the active rule set that firewalld 
has built.


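Gordon's two checks (`firewall-cmd --state` for the daemon, `ip6tables -L` for the rules it built) can be folded into one script that also covers the iptables-services setup Phil describes elsewhere in the thread. This is an added example, not from the thread: the classification is a pure function of four observations so it can be tested without root, and `detect_firewall` gathers those observations on a live host. The outcome names (firewalld, iptables-services, unmanaged-rules, none) are this example's own; the third covers mark's situation of IPv6 rules being loaded while no service claims them.

```shell
#!/bin/sh
# Added example: work out which firewall manager a CentOS 7 host is actually
# running and whether IPv6 has rules loaded. Run as root for the live check.
set -u

# Count rule lines (-A ...) in `ip6tables -S` / `iptables -S` text on stdin;
# the -P policy lines are not counted. Prints 0 when there are none.
count_rules() {
    grep -c '^-A' || true
}

# Pure decision from four observations:
#   $1  output of `firewall-cmd --state`   ("running", "not running", "" if absent)
#   $2  `systemctl is-active iptables`      ("active", "inactive", "unknown", ...)
#   $3  `systemctl is-active ip6tables`
#   $4  number of -A rules currently loaded in ip6tables
classify_firewall() {
    fwd_state=$1; ipt=$2; ip6t=$3; ip6_rules=$4
    if [ "$fwd_state" = running ]; then
        # firewalld owns the rule set and builds both IPv4 and IPv6 rules
        echo firewalld
    elif [ "$ipt" = active ] || [ "$ip6t" = active ]; then
        # iptables-services: rules come from /etc/sysconfig/ip[6]tables
        echo iptables-services
    elif [ "$ip6_rules" -gt 0 ]; then
        # rules are loaded but no service owns them (loaded by hand, or left
        # behind by a manager that stopped); nothing will restore them at boot
        echo unmanaged-rules
    else
        echo none
    fi
}

# Gather the observations on this host and classify them. Missing commands
# and permission errors degrade to "" / 0 rather than aborting.
detect_firewall() {
    fwd=""
    if command -v firewall-cmd >/dev/null 2>&1; then
        fwd=$(firewall-cmd --state 2>/dev/null || true)
    fi
    ipt=$(systemctl is-active iptables 2>/dev/null || true)
    ip6t=$(systemctl is-active ip6tables 2>/dev/null || true)
    n=0
    if command -v ip6tables >/dev/null 2>&1; then
        n=$(ip6tables -S 2>/dev/null | count_rules)
    fi
    classify_firewall "$fwd" "$ipt" "$ip6t" "$n"
}

if [ "${1:-}" = "--live" ]; then
    detect_firewall
fi
```

`--live` runs the real detection; the "unmanaged-rules" answer is the one to chase, because those rules protect the host only until the next reboot.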


Re: [CentOS] Stupid C7 firewall question

2018-10-23 Thread Phil Perry

On 23/10/18 19:05, mark wrote:

> Been looking, and haven't found the answer: in c7, is there a firewall-cmd
> command, or a systemctl cmd, to check whether ip6tables firewall is
> running



Yes, the same as for any other service:

systemctl status ip6tables.service




[CentOS] Stupid C7 firewall question

2018-10-23 Thread mark
Been looking, and haven't found the answer: in c7, is there a firewall-cmd
command, or a systemctl cmd, to check whether ip6tables firewall is
running

 mark
