Re: [CentOS] firewalld management on a headless server
On 30 March 2017 at 19:47, Mark Milhollan wrote:
> On Wed, 29 Mar 2017, Robert Moskowitz wrote:
>> On 03/29/2017 07:38 AM, Leon Fauster wrote:
>>> We have good results with http://www.shorewall.net/ an iptables
>>> "abstraction".
>>> Despite it not being a GUI, the streamlined configuration helps to be effective.
>>
>> From what I can determine, it is still iptables. Not firewalld.
>
> That's what Leon said, shorewall is an iptables abstraction, and
> iptables is a command that manipulates netfilter.
>
> FirewallD is similar in that it abstracts and simplifies using netfilter
> without using the iptables command. Which has a GUI that can be used
> remotely but it is not web based as requested. Fedora's CoPilot
> probably has a module for it, but I don't know that it can be used with
> a CentOS based server. Webmin likely has a module for it by now.

Minor correction here ... firewalld is an iptables abstraction like shorewall and it doesn't link into netfilter directly. You can see that here:
https://github.com/t-woerner/firewalld/blob/master/src/firewall/core/ipXtables.py

_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] firewalld management on a headless server
On Wed, 29 Mar 2017, Robert Moskowitz wrote:
> On 03/29/2017 07:38 AM, Leon Fauster wrote:
>> We have good results with http://www.shorewall.net/ an iptables
>> "abstraction".
>> Despite it not being a GUI, the streamlined configuration helps to be effective.
>
> From what I can determine, it is still iptables. Not firewalld.

That's what Leon said, shorewall is an iptables abstraction, and iptables is a command that manipulates netfilter.

FirewallD is similar in that it abstracts and simplifies using netfilter without using the iptables command. Which has a GUI that can be used remotely but it is not web based as requested. Fedora's CoPilot probably has a module for it, but I don't know that it can be used with a CentOS based server. Webmin likely has a module for it by now.

/mark
Re: [CentOS] firewalld management on a headless server
On 03/29/2017 07:38 AM, Leon Fauster wrote:
> On 27.03.2017 at 21:03, Robert Moskowitz wrote:
>> Is there an Apache tool to manage firewalld on a headless server?
>>
>> I am looking forward to my next Centos project which is to replace my Juniper SSG5 firewall...
>>
>> And along that line, what overlap, if any between firewalld and Suricata?
>
> We have good results with http://www.shorewall.net/ an iptables "abstraction".
> Despite it not being a GUI, the streamlined configuration helps to be effective.

From what I can determine, it is still iptables. Not firewalld.
Re: [CentOS] firewalld management on a headless server
On 27.03.2017 at 21:03, Robert Moskowitz wrote:
>
> Is there an Apache tool to manage firewalld on a headless server?
>
> I am looking forward to my next Centos project which is to replace my Juniper
> SSG5 firewall...
>
> And along that line, what overlap, if any between firewalld and Suricata?

We have good results with http://www.shorewall.net/ an iptables "abstraction".
Despite it not being a GUI, the streamlined configuration helps to be effective.

--
LF
Re: [CentOS] firewalld management on a headless server
James B. Byrne wrote:
>
> On Mon, March 27, 2017 17:31, m.r...@5-cent.us wrote:
>> Mike wrote:
>>> Nice catch, Mr. Schumacher ---> The following modules are included as
>>> standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
>>> Configure a Linux firewall using FirewallD, by editing allowed
>>> services and ports.
>>>
>>> This is likely the right tool for the job.
>>>
>> Webmin used to be considered insecure, and people would scream and yell if
>> you suggested using it. Has that changed?
>
> Webmin is as insecure as the administrator cares to make it.
>
> Our host systems' Webmin instances listen on a reserved IP address different
> from the host's DNS entry and that address is only reachable through the
> host's firewall from specified IP addresses originating on our internal LAN.
> Further, Webmin is configured to automatically switch to https and use a
> certificate generated by our corporate private CA. Our gateway firewall
> blocks all access to the port assigned to Webmin. One has to tunnel in to
> one of the pre-determined host addresses to obtain remote access.
>
> A separate webmin logon is set in the webmin configuration which has no
> existence on the host system.
>
> Webmin can also be configured to restrict the hours and day that access is
> allowed to specific users but we have not bothered with that.
>
> The main known weakness is Webmin's dependency on passwords which for all I
> know is due to my ignorance. If Webmin does support RSA certificate
> authentication then I would love to be told where it is configured.
> However, failing that, very long pass phrases mitigate the password issue
> somewhat. Further, Webmin does support two-factor authentication using
> Google or Authy.
>
> To my knowledge there are no CVEs reported for Webmin since 2015 and I
> believe that all known problems are resolved in the present release. Which
> is not to say that there are no exploits left to be uncovered but then again
> we can hardly claim that about any software.

Thanks for the extended response, James, esp. that last paragraph. I hadn't been following webmin for a number of years - we don't use it here. I did find and use it in a job I was in ten years ago - it was the only way I could get LDAP working, as, at the time, the tools that came with the package were *not* ready for prime time.

mark

PS: Tried reply, James, but it bounced.
Re: [CentOS] firewalld management on a headless server
On Mon, March 27, 2017 17:31, m.r...@5-cent.us wrote:
> Mike wrote:
>> Nice catch, Mr. Schumacher ---> The following modules are included
>> as
>> standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
>> Configure a Linux firewall using FirewallD, by editing allowed
>> services and ports.
>>
>> This is likely the right tool for the job.
>>
> Webmin used to be considered insecure, and people would scream and
> yell if you suggested using it. Has that changed?

Webmin is as insecure as the administrator cares to make it.

Our host systems' Webmin instances listen on a reserved IP address different from the host's DNS entry and that address is only reachable through the host's firewall from specified IP addresses originating on our internal LAN. Further, Webmin is configured to automatically switch to https and use a certificate generated by our corporate private CA. Our gateway firewall blocks all access to the port assigned to Webmin. One has to tunnel in to one of the pre-determined host addresses to obtain remote access.

A separate webmin logon is set in the webmin configuration which has no existence on the host system.

Webmin can also be configured to restrict the hours and day that access is allowed to specific users but we have not bothered with that.

The main known weakness is Webmin's dependency on passwords which for all I know is due to my ignorance. If Webmin does support RSA certificate authentication then I would love to be told where it is configured. However, failing that, very long pass phrases mitigate the password issue somewhat. Further, Webmin does support two-factor authentication using Google or Authy.

To my knowledge there are no CVEs reported for Webmin since 2015 and I believe that all known problems are resolved in the present release. Which is not to say that there are no exploits left to be uncovered but then again we can hardly claim that about any software.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
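James's setup has Webmin listening on a dedicated management address that is reachable only from specified internal LAN addresses through the host firewall. The script below is an added example, not code from the thread, from Webmin or from the firewalld project; it expresses that host-side restriction with firewall-cmd, the tool the rest of the thread keeps coming back to, as a dedicated zone that only the admin source prefixes are placed in, with a rich rule that binds the Webmin port to the management address. The zone name webmin-mgmt, the management address 10.0.0.10, the two LAN prefixes and port 10000 (Webmin's usual default; James only says "the port assigned to Webmin") are assumptions for the example. The gateway-firewall block and the tunnel James describes live outside the host and are not represented here.

```shell
#!/bin/sh
# Added example (not code from the thread, Webmin or firewalld): restrict a
# Webmin listener to a dedicated firewalld zone that only the admin source
# prefixes are placed in, using firewall-cmd.
#   sh lockdown-webmin.sh plan    # print the firewall-cmd invocations
#   sh lockdown-webmin.sh apply   # run them as root on a firewalld host
#   sh lockdown-webmin.sh verify  # confirm the runtime state matches
# Every value below is an assumption for the example; override via environment.
ZONE="${ZONE:-webmin-mgmt}"                                  # assumed zone name
WEBMIN_PORT="${WEBMIN_PORT:-10000}"                          # assumed; Webmin's usual default
MGMT_ADDR="${MGMT_ADDR:-10.0.0.10}"                          # assumed dedicated management address
ADMIN_SOURCES="${ADMIN_SOURCES:-10.0.0.0/24 10.0.5.17/32}"  # assumed internal LAN prefixes

# One firewalld rich rule: TCP to the Webmin port is accepted only when the
# source prefix AND the destination (management) address both match, so the
# port stays closed on the host's other addresses even from the admin LAN.
build_rich_rule() {
    printf 'rule family="ipv4" source address="%s" destination address="%s" port port="%s" protocol="tcp" accept' \
        "$1" "$2" "$3"
}

# Print the firewall-cmd commands in the order they must run. Changes go to
# the permanent config and are activated with a single --reload at the end.
plan() {
    echo "firewall-cmd --permanent --get-zones | grep -qw '$ZONE' || firewall-cmd --permanent --new-zone='$ZONE'"
    # A source bound to a zone is handled ONLY by that zone, so anything else
    # the admin hosts need from this server (here: ssh) must be allowed in it too.
    echo "firewall-cmd --permanent --zone='$ZONE' --add-service=ssh"
    for src in $ADMIN_SOURCES; do
        echo "firewall-cmd --permanent --zone='$ZONE' --add-source='$src'"
        echo "firewall-cmd --permanent --zone='$ZONE' --add-rich-rule='$(build_rich_rule "$src" "$MGMT_ADDR" "$WEBMIN_PORT")'"
    done
    # Close the port in the default zone in case it was opened there earlier.
    echo "firewall-cmd --permanent --remove-port='$WEBMIN_PORT/tcp'"
    echo "firewall-cmd --reload"
}

# Execute the planned commands one by one, stopping at the first failure.
apply() {
    plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Check the live (runtime) state: every rich rule present in the zone and the
# port not open in the default zone. Exit status 0 means the lockdown holds.
verify() {
    status=0
    for src in $ADMIN_SOURCES; do
        firewall-cmd --zone="$ZONE" --query-rich-rule="$(build_rich_rule "$src" "$MGMT_ADDR" "$WEBMIN_PORT")" >/dev/null \
            || { echo "missing rich rule for $src" >&2; status=1; }
    done
    if firewall-cmd --query-port="$WEBMIN_PORT/tcp" >/dev/null; then
        echo "port $WEBMIN_PORT/tcp is still open in the default zone" >&2
        status=1
    fi
    return $status
}

case "${1:-}" in
    plan)   plan ;;
    apply)  apply ;;
    verify) verify ;;
    "")     ;;   # no argument: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 plan|apply|verify" >&2; exit 2 ;;
esac
```

Run `plan` first and read the output before `apply`: binding a source prefix to a zone moves all traffic from that prefix into the zone, so any service the admin hosts rely on and that is not listed there (the example adds only ssh) stops answering them after `--reload`. `verify` is meant to be re-run periodically or from a monitoring job, since a later `firewall-cmd --add-port` in the default zone would silently undo the restriction.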
Re: [CentOS] firewalld management on a headless server
> -----Original Message-----
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of John R Pierce
> Sent: 28 March 2017 09:28
> To: centos@centos.org
> Subject: Re: [CentOS] firewalld management on a headless server
>
> On 3/27/2017 10:20 PM, Sorin Srbu wrote:
>> That reminded me about Smoothwall I used to use a few years back.
>> Wasn't pfsense related to Smoothwall, maybe even a fork?
>
> smoothwall is linux based.
>
> m0n0wall was a BSD firewall that pfSense forked from back in 2004.

Ah, my mistake. Thanks for the heads up.

--
//Sorin
Re: [CentOS] firewalld management on a headless server
On 3/27/2017 10:20 PM, Sorin Srbu wrote:
> That reminded me about Smoothwall I used to use a few years back.
> Wasn't pfsense related to Smoothwall, maybe even a fork?

smoothwall is linux based.

m0n0wall was a BSD firewall that pfSense forked from back in 2004.

--
john r pierce, recycling bits in santa cruz
Re: [CentOS] firewalld management on a headless server
> -----Original Message-----
> From: CentOS [mailto:centos-boun...@centos.org] On Behalf Of Valeri
> Galtsev
> Sent: 27 March 2017 23:43
> To: CentOS mailing list
> Subject: Re: [CentOS] firewalld management on a headless server
>
>
> On Mon, March 27, 2017 3:58 pm, Mike wrote:
>> I don't think it's going to give you a web-based firewall configuration
>> tool.
>
> Firewall/router system I use is pfSense:
>
> https://pfsense.org/
>
> It has a nice web interface for configuration of everything, based on
> FreeBSD (very slim, lightweight, small footprint). Has a lot of what you may
> want to have in router box, including VPN,... If OP is not married to what
> he currently uses I would recommend to try pfSense.

That reminded me about Smoothwall I used to use a few years back.
Wasn't pfsense related to Smoothwall, maybe even a fork?

--
//Sorin
Re: [CentOS] firewalld management on a headless server
On 03/27/2017 09:23 PM, Mike wrote:
>> Webmin used to be considered insecure, and people would scream and yell if
>> you suggested using it. Has that changed?
>>
>> mark
>
> Ahh, I did not know of this. Well, I'm back to suggesting OP take a little
> time and get comfortable with firewall-cmd in the terminal. If we want our
> solid redhat clone then systemd, NetworkManager, and firewalld are soldered
> into the foreseeable future.

I am a bit familiar with firewall-cmd, but need to learn more. But I am looking out to other functions and management. I am looking at multi-function devices and such. So I would like something beyond cli for the interface.

Wild thought. a php-firewall package with the policy in MariaDB :) Then I can tie it into RESTCONF and I2NSF. Got to talk to some people here at IETF tomorrow...

But I will look again at webmin. Used to use it a lot.
Re: [CentOS] firewalld management on a headless server
> Webmin used to be considered insecure, and people would scream and yell if
> you suggested using it. Has that changed?
>
> mark

Ahh, I did not know of this. Well, I'm back to suggesting OP take a little time and get comfortable with firewall-cmd in the terminal. If we want our solid redhat clone then systemd, NetworkManager, and firewalld are soldered into the foreseeable future.
Re: [CentOS] firewalld management on a headless server
On 27/03/17 22:43, Valeri Galtsev wrote:
> On Mon, March 27, 2017 3:58 pm, Mike wrote:
>> I don't think it's going to give you a web-based firewall configuration
>> tool.
>
> Firewall/router system I use is pfSense:
>
> https://pfsense.org/
>
> It has a nice web interface for configuration of everything, based on
> FreeBSD (very slim, lightweight, small footprint). Has a lot of what you may
> want to have in router box, including VPN,... If OP is not married to what
> he currently uses I would recommend to try pfSense.
>
> Good luck!
>
> Valeri

Or just buy a dedicated router/firewall box. The Ubiquiti EdgeRouter Lite 3 is a true gigabit router/firewall that runs iptables and has a very nice web interface, all for under $100. Also highly recommended.
Re: [CentOS] firewalld management on a headless server
On 03/27/2017 02:31 PM, m.r...@5-cent.us wrote:
> Has that changed?

That answer is probably subjective. I'll probably never trust it, but the number of recent known critical exploits isn't as high as it used to be:

https://www.cvedetails.com/vulnerability-list/vendor_id-358/Webmin.html
Re: [CentOS] firewalld management on a headless server
On Mon, March 27, 2017 3:58 pm, Mike wrote:
> I don't think it's going to give you a web-based firewall configuration
> tool.

Firewall/router system I use is pfSense:

https://pfsense.org/

It has a nice web interface for configuration of everything, based on FreeBSD (very slim, lightweight, small footprint). Has a lot of what you may want to have in router box, including VPN,... If OP is not married to what he currently uses I would recommend to try pfSense.

Good luck!

Valeri

> It does allow you to control/configure networking hardware and devices
> via NetworkManager, but I don't believe it goes further than that for
> networking.
> Ironically, it does provide an ssh-like session terminal where you
> can get directly logged in and use firewall-cmd. :-)
> http://cockpit-project.org/guide/latest/feature-terminal.html
>
> On Mon, Mar 27, 2017 at 4:46 PM, Robert Moskowitz wrote:
>>
>> On 03/27/2017 03:24 PM, Mike wrote:
>>>
>>> I recently converted my employer's firewall from pure iptables to
>>> firewalld and looked for something similar, more along the lines of
>>> webmin, etc.
>>> I didn't find anything close to a match.
>>> In the end, it all came down to getting comfortable with
>>> "firewall-cmd" in the shell.
>>
>> I have been digging and found that Fedora includes Cockpit, but I don't
>> know all it supports. Probably should ask over on Fedora list...
>>
>>> Haven't used suricata, so nothing to add there.
>>>
>>> On Mon, Mar 27, 2017 at 3:03 PM, Robert Moskowitz wrote:
>>>> Is there an Apache tool to manage firewalld on a headless server?
>>>>
>>>> I am looking forward to my next Centos project which is to replace my
>>>> Juniper SSG5 firewall...
>>>>
>>>> And along that line, what overlap, if any between firewalld and Suricata?
>>>>
>>>> thank you

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
Re: [CentOS] firewalld management on a headless server
Mike wrote:
> Nice catch, Mr. Schumacher ---> The following modules are included as
> standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz
> Configure a Linux firewall using FirewallD, by editing allowed
> services and ports.
>
> This is likely the right tool for the job.
>
Webmin used to be considered insecure, and people would scream and yell if you suggested using it. Has that changed?

mark
Re: [CentOS] firewalld management on a headless server
yum (CentOS/RedHat/Fedora)

By adding the Webmin repository and Jamie Cameron's key, it is possible to install & maintain the latest Webmin/Usermin versions. The following will install the latest Webmin version by adding the webmin-repo and corresponding GPG key. Yum will resolve all the necessary dependencies. Just Cut&Paste the entire text below and hit enter/return:

(echo "[Webmin]
name=Webmin Distribution Neutral
baseurl=http://download.webmin.com/download/yum
enabled=1
gpgcheck=1
gpgkey=http://www.webmin.com/jcameron-key.asc" >/etc/yum.repos.d/webmin.repo;
yum -y install webmin)
Re: [CentOS] firewalld management on a headless server
Nice catch, Mr. Schumacher ---> The following modules are included as standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz Configure a Linux firewall using FirewallD, by editing allowed services and ports.

This is likely the right tool for the job.

On Mon, Mar 27, 2017 at 5:00 PM, Michael Schumacher wrote:
> Hi,
>
>> I recently converted my employer's firewall from pure iptables to
>> firewalld and looked for something similar, more along the lines of
>> webmin, etc.
>
> funny,
> my webmin installation on a banana-pi has webmin 1.831, which has
> support for firewalld.
>
> I am not sure, but I believe I got it directly from www.webmin.com.
>
> best regards
> ---
> Michael Schumacher
Re: [CentOS] firewalld management on a headless server
Hi,

> I recently converted my employer's firewall from pure iptables to
> firewalld and looked for something similar, more along the lines of
> webmin, etc.

funny,
my webmin installation on a banana-pi has webmin 1.831, which has support for firewalld.

I am not sure, but I believe I got it directly from www.webmin.com.

best regards
---
Michael Schumacher
Re: [CentOS] firewalld management on a headless server
I don't think it's going to give you a web-based firewall configuration tool.
It does allow you to control/configure networking hardware and devices via NetworkManager, but I don't believe it goes further than that for networking.
Ironically, it does provide an ssh-like session terminal where you can get directly logged in and use firewall-cmd. :-)
http://cockpit-project.org/guide/latest/feature-terminal.html

On Mon, Mar 27, 2017 at 4:46 PM, Robert Moskowitz wrote:
>
> On 03/27/2017 03:24 PM, Mike wrote:
>>
>> I recently converted my employer's firewall from pure iptables to
>> firewalld and looked for something similar, more along the lines of
>> webmin, etc.
>> I didn't find anything close to a match.
>> In the end, it all came down to getting comfortable with
>> "firewall-cmd" in the shell.
>
> I have been digging and found that Fedora includes Cockpit, but I don't know
> all it supports. Probably should ask over on Fedora list...
>
>> Haven't used suricata, so nothing to add there.
>>
>> On Mon, Mar 27, 2017 at 3:03 PM, Robert Moskowitz wrote:
>>> Is there an Apache tool to manage firewalld on a headless server?
>>>
>>> I am looking forward to my next Centos project which is to replace my
>>> Juniper SSG5 firewall...
>>>
>>> And along that line, what overlap, if any between firewalld and Suricata?
>>>
>>> thank you
Re: [CentOS] firewalld management on a headless server
On 03/27/2017 03:24 PM, Mike wrote:
> I recently converted my employer's firewall from pure iptables to firewalld
> and looked for something similar, more along the lines of webmin, etc.
> I didn't find anything close to a match.
> In the end, it all came down to getting comfortable with "firewall-cmd" in
> the shell.

I have been digging and found that Fedora includes Cockpit, but I don't know all it supports. Probably should ask over on Fedora list...

> Haven't used suricata, so nothing to add there.
>
> On Mon, Mar 27, 2017 at 3:03 PM, Robert Moskowitz wrote:
>> Is there an Apache tool to manage firewalld on a headless server?
>>
>> I am looking forward to my next Centos project which is to replace my
>> Juniper SSG5 firewall...
>>
>> And along that line, what overlap, if any between firewalld and Suricata?
>>
>> thank you
Re: [CentOS] firewalld management on a headless server
I recently converted my employer's firewall from pure iptables to firewalld and looked for something similar, more along the lines of webmin, etc.
I didn't find anything close to a match.
In the end, it all came down to getting comfortable with "firewall-cmd" in the shell.

Haven't used suricata, so nothing to add there.

On Mon, Mar 27, 2017 at 3:03 PM, Robert Moskowitz wrote:
> Is there an Apache tool to manage firewalld on a headless server?
>
> I am looking forward to my next Centos project which is to replace my
> Juniper SSG5 firewall...
>
> And along that line, what overlap, if any between firewalld and Suricata?
>
> thank you
[CentOS] firewalld management on a headless server
Is there an Apache tool to manage firewalld on a headless server?

I am looking forward to my next Centos project which is to replace my Juniper SSG5 firewall...

And along that line, what overlap, if any between firewalld and Suricata?

thank you