Firewalld how-to

Disclaimer

This is not written by a network security specialist. Please use the following at your own risk.

Intro

Since migrating to Fedora, I was interested in how to set up the firewall properly. Before this, the router had an nftables config file that would trigger on startup, but Fedora comes with firewalld, which has a half-baked GUI in Cockpit.

Not sure if this is used in the industry, but I wanted to see how well it can cover my case.

Scenario

                                            xxxxxxxx
                                         xxx       xxxx
                                       xx             xxx
┌─────────┐       ┌─────────┐        xx                 xx                       ┌─────────┐           ┌─────────┐
│         │       │         │       xx                   xx xxxxxxxxx            │         │           │         │
│         │       │ fedora  │       x                     xxx        xx          │         │           │         │
│   pc    ├───────┤ router  ├───────────────────────┐   ┌────────────────────────┤ router  ├───────────┤ server  │
│         │       │         │       x               │   │               x        │         │           │         │
│         │       │       ►─┼─────────────────────┐ │   │ ┌──────────────────────┼─►       │           │         │
└─────────┘       └─────────┘       xx            │ │   │ │             x        └─────────┘           └─────────┘
                                     xx           │ │   │ │            xx
                                      xxx xxx xx x│x│xxx│x│xx xxxxxxxxxx
                                         xxxx xxxx│x│xxx│x│xxxxxxxxxx
                                                  │ │   │ │
                                                  │ │   │ │
                                                  │ │   │ │
                                                  │ │   │ │
                                                  │ │   │ │
                                                 ┌┼─┴───┴─┼┐
                                                 ││       ││
                                                 │►       ►│
                                                 │   vps   │
                                                 │         │
                                                 │         │
                                                 └─────────┘

The idea here is that the PC on the left can access the server on the right. The “right arrow” marks in the boxes represent WireGuard interfaces.

Firewalld

Zone

A zone is basically an “entity” you want to manage. It can be represented by an interface (all traffic coming through it) or by an IP-based source (with a mask).

Zones used for the previously described problem:

  • integrated (come with firewalld)
    • external (which includes masquerading)
    • home
  • manually created
    • vpn

A zone can contain multiple interfaces, multiple sources, or a combination of interfaces and sources. This is what firewalld uses for packet matching.

Traffic between different interfaces within one zone is not allowed by default, but can be enabled with firewall-cmd --zone=<desired-zone-name> --add-forward.

Interfaces and sources get assigned to zones and rules apply to zones.

#
# external
# move interface to proper zone
#
firewall-cmd --zone=external --change-interface=enp1s0 --permanent
firewall-cmd --reload


#
# home
# move interface to proper zone and add which services can be accessed from it
#
firewall-cmd --zone=home --change-interface=eno1 --permanent
firewall-cmd --zone=home --add-service=cockpit --permanent
firewall-cmd --zone=home --add-service=dhcp --permanent
firewall-cmd --zone=home --add-service=dns --permanent
firewall-cmd --reload


#
# vpn
# create the zone, allow dns on it and move the wireguard interface into it
#
firewall-cmd --new-zone=vpn --permanent
firewall-cmd --zone=vpn --add-service=dns --permanent
firewall-cmd --zone=vpn --change-interface=wg0 --permanent
firewall-cmd --reload

Policy

A policy is a set of rules that applies to traffic passing between zones. Every policy names two things:

  • ingress zone: the zone the packet comes from (source)
  • egress zone: the zone the packet is going to (destination)

For bidirectional traffic, two policies must be made; in the problem described above these are home→vpn and vpn→home (the vpn_outgoing and vpn_incoming policies below). The reason is that some things are hosted on the PC, like a file server: replies to connections opened from the home side are already allowed by connection tracking, so the second policy is needed for new connections that start on the vpn side.

#
# policy: router
# applies rules between the home and external zones
# allow only outgoing forwarded traffic from home to external (normal router mode)
# we should not allow forwarded traffic from external to home zones (intruder)
#
firewall-cmd --new-policy=router --permanent

firewall-cmd --policy=router --add-ingress-zone=home --permanent
firewall-cmd --policy=router --add-egress-zone=external --permanent
firewall-cmd --policy=router --set-target=ACCEPT --permanent

firewall-cmd --reload


#
# policies: vpn_incoming and vpn_outgoing
# apply rules in both directions between the home and vpn zones
#
firewall-cmd --new-policy=vpn_outgoing --permanent

firewall-cmd --policy=vpn_outgoing --add-ingress-zone=home --permanent
firewall-cmd --policy=vpn_outgoing --add-egress-zone=vpn --permanent
firewall-cmd --policy=vpn_outgoing --set-target=ACCEPT --permanent

firewall-cmd --reload


firewall-cmd --new-policy=vpn_incoming --permanent

firewall-cmd --policy=vpn_incoming --add-ingress-zone=vpn --permanent
firewall-cmd --policy=vpn_incoming --add-egress-zone=home --permanent
firewall-cmd --policy=vpn_incoming --set-target=ACCEPT --permanent

firewall-cmd --reload
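The router policy comment above says forwarded traffic from external into home must never be accepted. As an added check (not part of the original post, nor a firewalld tool), here is a small POSIX sh audit that reads firewall-cmd --info-policy output and flags any policy whose target is ACCEPT with the untrusted zone on ingress and the trusted zone on egress. It assumes the "  key: value" layout of --info-policy output (name on the first line, then indented target, ingress-zones and egress-zones lines) and uses the zone names from this page.

```shell
#!/bin/sh
# Audit firewalld policies for one that ACCEPTs forwarding from an untrusted
# ingress zone (external) into a trusted egress zone (home).
# Assumption: firewall-cmd --info-policy prints the policy name on the first
# line followed by indented "key: value" lines (target, ingress-zones, ...).

# policy_field FIELD: read --info-policy text on stdin, print FIELD's value.
policy_field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# policy_accepts FROM TO: read --info-policy text on stdin; succeed (exit 0)
# only if the policy's target is ACCEPT, FROM is among its ingress zones and
# TO is among its egress zones. Zone lists are space separated.
policy_accepts() {
  _text=$(cat)
  _target=$(printf '%s\n' "$_text" | policy_field target)
  _ingress=$(printf '%s\n' "$_text" | policy_field ingress-zones)
  _egress=$(printf '%s\n' "$_text" | policy_field egress-zones)
  [ "$_target" = "ACCEPT" ] || return 1
  case " $_ingress " in *" $1 "*) ;; *) return 1 ;; esac
  case " $_egress "  in *" $2 "*) ;; *) return 1 ;; esac
  return 0
}

# audit_live FROM TO: check every policy on a running firewalld (needs
# firewall-cmd and root). Prints offending policies, exits 1 if any exist.
audit_live() {
  _rc=0
  for _p in $(firewall-cmd --get-policies); do
    if firewall-cmd --info-policy "$_p" | policy_accepts "$1" "$2"; then
      echo "WARNING: policy '$_p' accepts forwarded traffic from $1 into $2"
      _rc=1
    fi
  done
  return $_rc
}

# Run the live audit when invoked directly, e.g.: sh audit.sh external home
if [ $# -eq 2 ]; then
  audit_live "$1" "$2"
fi
```

The router policy from this page passes (home on ingress, external on egress), while a policy with the zones swapped and target ACCEPT is reported.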