Disclaimer
This is not written by a network security specialist. Please use the following at your own risk.
Intro
Since migrating to Fedora, I was interested in how to set up the firewall properly. Before this, the router had an nftables config file that was loaded on startup, but Fedora comes with firewalld, which has a half-baked GUI in Cockpit.
I'm not sure if this is used in the industry, but I wanted to see how well it can cover my case.
Scenario
┌─────────┐   ┌─────────┐                        ┌─────────┐   ┌─────────┐
│         │   │         │       xxxxxxxxx        │         │   │         │
│         │   │ fedora  │     xx         xx      │         │   │         │
│   pc    ├───┤ router  ├─────x───────────x──────┤ router  ├───┤ server  │
│         │   │         │     xx         xx      │         │   │         │
│         │   │       ►─┼──┐    xxxxxxxxx    ┌───┼─►       │   │         │
└─────────┘   └─────────┘  │                 │   └─────────┘   └─────────┘
                           └──────┐   ┌──────┘
                               ┌──┼───┼──┐
                               │  ►   ►  │
                               │   vps   │
                               └─────────┘
The idea here is that the PC on the left can access the server on the right. The “right arrows” (►) in the boxes represent WireGuard interfaces.
Firewalld
Zone
A zone is basically an “entity” you want to manage. It can be represented by an interface (all traffic arriving through it) or by an IP-based source (an address with a netmask).
Zones used for the problem described above:
- integrated (come with firewalld)
  - external (which includes masquerading)
  - home
- manually created
  - vpn
A zone can contain multiple interfaces, multiple sources, or a combination of interfaces and sources. All of these are used for packet matching.
Traffic between different interfaces within one zone is not allowed by default, but can be enabled with firewall-cmd --zone=<desired-zone-name> --add-forward.
Interfaces and sources get assigned to zones, and rules apply to zones.
#
# external
# move interface to proper zone
#
firewall-cmd --zone=external --change-interface=enp1s0 --permanent
firewall-cmd --reload
#
# home
# move interface to proper zone and add which services can be accessed from it
#
firewall-cmd --zone=home --change-interface=eno1 --permanent
firewall-cmd --zone=home --add-service=cockpit --permanent
firewall-cmd --zone=home --add-service=dhcp --permanent
firewall-cmd --zone=home --add-service=dns --permanent
firewall-cmd --reload
#
# vpn
# create the zone, allow dns on it and move the wireguard interface into it
#
firewall-cmd --new-zone=vpn --permanent
firewall-cmd --zone=vpn --add-service=dns --permanent
firewall-cmd --zone=vpn --change-interface=wg0 --permanent
firewall-cmd --reload
Policy
A policy is a set of rules that applies to traffic moving between different zones. A policy names two things:
- ingress zone: where the packet comes from (source)
- egress zone: where the packet goes to (destination)
For bi-directional traffic, two policies must be made; in the problem described above these are home → vpn and vpn → home.
The reason is that connections are also initiated from the vpn side, because some things, like a file server, are hosted on the PC.
#
# policy: router
# applies rules between the home and external zones
# allow only outgoing forwarded traffic from home to external (normal router mode)
# forwarded traffic from external to home must not be allowed (it would let an intruder into the LAN)
#
firewall-cmd --new-policy=router --permanent
firewall-cmd --policy=router --add-ingress-zone=home --permanent
firewall-cmd --policy=router --add-egress-zone=external --permanent
firewall-cmd --policy=router --set-target=ACCEPT --permanent
firewall-cmd --reload
#
# policies: vpn_incoming and vpn_outgoing
# applies rules between the home and vpn zones
#
firewall-cmd --new-policy=vpn_outgoing --permanent
firewall-cmd --policy=vpn_outgoing --add-ingress-zone=home --permanent
firewall-cmd --policy=vpn_outgoing --add-egress-zone=vpn --permanent
firewall-cmd --policy=vpn_outgoing --set-target=ACCEPT --permanent
firewall-cmd --reload
firewall-cmd --new-policy=vpn_incoming --permanent
firewall-cmd --policy=vpn_incoming --add-ingress-zone=vpn --permanent
firewall-cmd --policy=vpn_incoming --add-egress-zone=home --permanent
firewall-cmd --policy=vpn_incoming --set-target=ACCEPT --permanent
firewall-cmd --reload
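The zone and policy commands above are the whole configuration, but nothing on the page checks it as a unit. The following is an added example, not code from the original post: it models the same zones and policies in Python, runs the sanity checks a practitioner would want before reloading (every interface bound to exactly one zone, every policy pointing at existing zones, and no ACCEPT policy forwarding from external into home, which is the rule the router policy comment states), and renders the equivalent permanent config in the XML form that firewalld keeps under /etc/firewalld/zones and /etc/firewalld/policies (the format documented in firewalld.zone(5) and firewalld.policy(5)). The Zone and Policy classes, check_layout and forwarding_allowed are names chosen here; the shipped external and home zones also carry defaults (such as ssh) that this model does not list.

```python
"""Added example (not from the page): model of the page's firewalld zones and policies,
a sanity check over them, and a renderer for the permanent XML config format."""
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET


@dataclass
class Zone:                      # hypothetical helper type, not a firewalld API
    name: str
    interfaces: list = field(default_factory=list)
    services: list = field(default_factory=list)
    masquerade: bool = False
    forward: bool = False        # intra-zone forwarding (firewall-cmd --add-forward)


@dataclass
class Policy:                    # hypothetical helper type, not a firewalld API
    name: str
    ingress: str
    egress: str
    target: str = "CONTINUE"     # firewalld's default policy target


# The layout from the page: external and home ship with firewalld, vpn is created manually.
ZONES = [
    Zone("external", interfaces=["enp1s0"], masquerade=True),
    Zone("home", interfaces=["eno1"], services=["cockpit", "dhcp", "dns"]),
    Zone("vpn", interfaces=["wg0"], services=["dns"]),
]
POLICIES = [
    Policy("router", ingress="home", egress="external", target="ACCEPT"),
    Policy("vpn_outgoing", ingress="home", egress="vpn", target="ACCEPT"),
    Policy("vpn_incoming", ingress="vpn", egress="home", target="ACCEPT"),
]


def check_layout(zones, policies):
    """Return a list of problems; an empty list means the layout matches the page's intent."""
    problems = []
    zone_names = {z.name for z in zones}
    bound_to = {}
    for z in zones:
        for iface in z.interfaces:
            # firewalld binds an interface to exactly one zone (--change-interface moves it)
            if iface in bound_to:
                problems.append(f"interface {iface} in both {bound_to[iface]} and {z.name}")
            bound_to[iface] = z.name
    for p in policies:
        for zn in (p.ingress, p.egress):
            if zn not in zone_names:
                problems.append(f"policy {p.name}: unknown zone {zn}")
        if p.ingress == p.egress:
            problems.append(f"policy {p.name}: same zone on both sides, use --add-forward on the zone instead")
        # The page's rule: never accept forwarded traffic from the untrusted external zone into home.
        if p.ingress == "external" and p.egress == "home" and p.target == "ACCEPT":
            problems.append(f"policy {p.name}: accepts forwarded traffic from external into home")
    return problems


def forwarding_allowed(policies, src, dst):
    """True when some ACCEPT policy carries new connections from zone src to zone dst.
    Replies to already established flows return through conntrack regardless of policies."""
    return any(p.ingress == src and p.egress == dst and p.target == "ACCEPT" for p in policies)


def zone_xml(z):
    """Render a zone the way /etc/firewalld/zones/<name>.xml stores it."""
    root = ET.Element("zone")
    ET.SubElement(root, "short").text = z.name
    for s in z.services:
        ET.SubElement(root, "service", name=s)
    for i in z.interfaces:
        ET.SubElement(root, "interface", name=i)
    if z.masquerade:
        ET.SubElement(root, "masquerade")
    if z.forward:
        ET.SubElement(root, "forward")
    return ET.tostring(root, encoding="unicode")


def policy_xml(p):
    """Render a policy the way /etc/firewalld/policies/<name>.xml stores it."""
    root = ET.Element("policy", target=p.target)
    ET.SubElement(root, "ingress-zone", name=p.ingress)
    ET.SubElement(root, "egress-zone", name=p.egress)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in check_layout(ZONES, POLICIES) or ["no problems found"]:
        print(line)
    for z in ZONES:
        print(f"# zones/{z.name}.xml\n{zone_xml(z)}")
    for p in POLICIES:
        print(f"# policies/{p.name}.xml\n{policy_xml(p)}")
```

Running the script prints the check result followed by one XML document per zone and policy; comparing that output with the files firewalld wrote after the --permanent commands above is a quick way to confirm the reload picked up exactly what was intended. The forwarding_allowed helper makes the asymmetry of the router policy explicit: home → external is allowed, external → home is not, and only new connections are affected by a policy.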