Enabling firewalld on Rockstor server

General
1

Hi all,

So I would like to share a recent experience concerning security and firewall, firewalld has been around for a while and honestly IMO its so much better than plain iptables I don’t know how come its not enabled by default.

Anyway in regard to Rockstor I have 1 ethernet card which has 1public IP and on it also a vlan which is connected to a private switch and through which our systems communicate.
As one of the servers is sitting in Germany they have this thing of an AbuseBSI bureau that scans constantly for open-services and you get a warning via your provider that your server has some open ports.
In this case was rpc services on port 111/udp, and our Rockstor servers are only serving nfs shares.

So to fix this, and secure your server, I proceeded with enabling firewalld. I am making this post because I searched about the subject but I didn’t see any post that was precise and about this subject specifically, or if there is I haven’t find it.

Anyway, firewalld is installed by default, but inactive.
So if you have a similar configuration, or any other with multiple interfaces, one thing you’ll want to do first is to define which zone an interface belongs to.
I could add the interface to the “trusted” zone which would accept all, but instead I’ve added it to the internal zone and added allowed services to this zone.

So the commands were:

# nmcli connection modify "connection name" connection.zone "zone name"
nmcli con mod vlan110 connection.zone internal
systemctl start firewalld
firewall-cmd --zone=internal --add-service={rpc-bind,nfs3,mountd}

If all went well, everything should be working. Depending on which connection you use to access the GUI, you’ll also need to add services http and https.
If something is failing you can easily stop firewalld with systemctl stop firewalld, but I suppose that all should go well.
After testing that is working, you’ll only need two more commands, one to put the current rules on the permanent config, and enabling firewalld to always run on boot:

firewall-cmd --runtime-to-permanent
systemctl enable firewalld
3 Likes
2

Firewall is disabled by rockstor after every boot. Dont ask me why.
Im using this patch to fix this.

--- /opt/rockstor/src/rockstor/scripts/initrock.py-orig 2021-01-01 15:49:04.046064350 +0100
+++ /opt/rockstor/src/rockstor/scripts/initrock.py      2021-01-01 15:52:26.219771965 +0100
@@ -556,10 +556,10 @@
     run_command([PREP_DB])
     logging.info("Done")

-    logging.info("stopping firewalld...")
-    run_command([SYSCTL, "stop", "firewalld"])
-    run_command([SYSCTL, "disable", "firewalld"])
-    logging.info("firewalld stopped and disabled")
+#    logging.info("stopping firewalld...")
+#    run_command([SYSCTL, "stop", "firewalld"])
+#    run_command([SYSCTL, "disable", "firewalld"])
+#    logging.info("firewalld stopped and disabled")
     update_nginx(logging)

     shutil.copyfile("/etc/issue", "/etc/issue.rockstor")
2 Likes
3

Hi @kri164 well amazing that is very interesting and helpful!

I actually had no idea about truth be told I haven’t rebooted this Rockstor server in a long while. But I’m definitely taking a look at that!

4

Im not a firewalld expert, but the another way to set firewalld is using the predefined zones.
If server has only one interface, local network is trusted and from public only a ssh service are allowed:

firewall-cmd --permanent --change-interface=eth0 --zone=public
firewall-cmd --permanent --zone=public --set-target=REJECT
firewall-cmd --permanent --zone=public --add-service ssh
firewall-cmd --permanent --zone=trusted --add-source=“192.168.0.0/24”
firewall-cmd --reload

6

I used the predefined zones.

Any standard firewalld install will have the following zones:

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

I assigned an interface to internal, hence, to a predefined zone (of which target is also default, not reject)

There was a bug that would ignore the zone set that way therefor you must change the interface using nmcli and the method above.

Interfaces are by default on the public zone you don’t need to issue a change interface to it.
One interface can only belong to one zone.
One source can only belong to one zone.
You put rules in different zones to evaluate by different criteria, the default action is already to Reject everything except ICMP so you don’t set that as target.
If you have the default target for public zone the rules will go in the chain and be recursively evaluated (or as some people say, do nothing and kick it upstairs), by putting reject you’re basically shutting down the connectivity of the server, as IIRC reject on public zone will prevent traffic from being evaluated for conntrack, which means you’ll lose connectivity.

That supposed or suggested configuration is a mess, and if anyone does that will only break server connectivity. This post was to help people, those commands will only hurt people.

Also, as I mentioned, the proposed configuration assumes you have two networks configured. If you look closely, I’ve let the eth0 interface to public with the default rules. I put the vlan interface on a zone and define rules for that zone to which the interface is assigned. The services available on eth0/public and the services available on vlan/internal are completely different.

Here’s a little documentation explaining how firewalld evaluates rules:

Precedence

Active zones fulfill two different roles. Zones with associated interface(s) act as interface zones, and zones with associated source(s) act as source zones (a zone could fulfill both roles). Firewalld handles a packet in the following order:

  1. The corresponding source zone. Zero or one such zones may exist. If the source zone deals with the packet because the packet satisfies a rich rule, the service is whitelisted, or the target is not default, we end here. Otherwise, we pass the packet on.
  2. The corresponding interface zone. Exactly one such zone will always exist. If the interface zone deals with the packet, we end here. Otherwise, we pass the packet on.
  3. The firewalld default action. Accept icmp packets and reject everything else.

Source zones have precedence over interface zones. Therefore, the general design pattern for multi-zoned firewalld configurations is to create a privileged source zone to allow specific IP’s elevated access to system services and a restrictive interface zone to limit the access of everyone else.

Linux Journal: Understanding Firewalld in Multi-Zone Configurations

1 Like