Firewall Configuration
-
For the record - I’ll be using the Firewalld configuration at work soon - I’ll be doing it safely though. I’m keeping my old virtual FOG server intact but shut down, and I’m setting up a new one on Fedora 23 using this configuration.
I’m really confident that the Firewalld settings will work really well - They’ve worked fine at home so far for me.
I’m holding off on adding this stuff to the wiki because I feel it will be integrated into the installer prior to 1.3.0 being released @Developers.
I’m not so confident about the iptables config - but I haven’t used it. The only thing that concerns me is the NFS ports. Hopefully some Ubuntu and Debian users can try it out soon and let us know how it works? @ch3i
-
I’ve been running the firewalld settings in production with Fedora 23 and I’m cautiously optimistic.
-
@Developers I have successfully operated at work for about two weeks now with the Firewalld portion of these instructions active. In my opinion, the firewalld stuff should be implemented into the installer for further testing.
A good question is how to implement them. Should the installer “just do it” or should it be an installation argument?
If the argument route was taken, it could be something as simple as:
./installfog.sh --firewall yes
or
./installfog.sh --firewall no
With the option stored in
/opt/fog/.fogsettings
with the default being yes
-
@Jbob Added to the Wiki here: https://wiki.fogproject.org/wiki/index.php?title=FOG_security
-
@Wayne-Workman
I’m using ufw in a debian 8 system with:
ufw default deny incoming
ufw default allow outgoing
#ports 21ftp, 22ssh, 80web, 111rpc, 69tftp, 443web, 2049nfs, 20499-nfs
ufw allow from 192.168.0.0/24 to any port 21,22,80,111,443,2049,20499 proto tcp
ufw allow from 192.168.0.0/24 to any port 69,111,2049,6080 proto udp
ufw enable
I changed nfs to work with the firewall on debian
#from
RPCMOUNTDOPTS="--manage-gids"
#to
RPCMOUNTDOPTS="-p 20499"
#and
systemctl restart nfs-kernel-server.service
-
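A check for the NFS port concern raised above, as an added example that is not part of any post in this thread: it compares the RPC registrations in rpcinfo -p output against the port lists from the two ufw allow rules and lists every registration on a port those rules do not cover. The rpcinfo sample and its dynamic port numbers are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Constructed sample of `rpcinfo -p` output on an NFS server with mountd pinned to 20499.
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100005    3   udp  20499  mountd
    100005    3   tcp  20499  mountd
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100021    4   udp  41873  nlockmgr
    100021    4   tcp  38465  nlockmgr
    100024    1   udp  52210  status
    100024    1   tcp  47763  status
EOF
}

# Port lists copied from the two "ufw allow" rules in the post.
ALLOW_TCP="21,22,80,111,443,2049,20499"
ALLOW_UDP="69,111,2049,6080"

# uncovered_rpc TCP_LIST UDP_LIST: read `rpcinfo -p` output on stdin and print
# "service/proto/port" for each registration whose port is not in the matching list.
uncovered_rpc() {
  awk -v tcp="$1" -v udp="$2" '
    BEGIN {
      n = split(tcp, a, ","); for (i = 1; i <= n; i++) ok["tcp", a[i]] = 1
      n = split(udp, a, ","); for (i = 1; i <= n; i++) ok["udp", a[i]] = 1
    }
    $1 == "program" { next }                 # skip the header row
    NF >= 4 && !(($3, $4) in ok) {
      svc = (NF >= 5) ? $5 : "prog" $1       # some entries have no service name
      key = svc "/" $3 "/" $4
      if (!(key in seen)) { seen[key] = 1; print key }   # one line per port, not per version
    }
  '
}

sample_rpcinfo | uncovered_rpc "$ALLOW_TCP" "$ALLOW_UDP"
```

On a live server, pipe rpcinfo -p into uncovered_rpc "$ALLOW_TCP" "$ALLOW_UDP" after restarting nfs-kernel-server; an empty result means every registered RPC port is covered by the rules.
-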
@Thiago How long have you been using these settings?
-
@Wayne-Workman
at least 6 months
-
@Thiago said:
@Wayne-Workman
I’m using ufw in a debian 8 system with:
ufw default deny incoming
ufw default allow outgoing
#ports 21ftp, 22ssh, 80web, 111rpc, 69tftp, 443web, 2049nfs, 20499-nfs
ufw allow from 192.168.0.0/24 to any port 21,22,80,111,443,2049,20499 proto tcp
ufw allow from 192.168.0.0/24 to any port 69,111,2049,6080 proto udp
ufw enable
I changed nfs to work with the firewall on debian
#from
RPCMOUNTDOPTS="--manage-gids"
#to
RPCMOUNTDOPTS="-p 20499"
#and
systemctl restart nfs-kernel-server.service

Can anyone else test out Thiago’s UFW settings? @Moderators @Developers
-
@Wayne-Workman
It lacked a row before ufw enable:
ufw allow from 192.168.0.255
to fit our net environment
-
The firewalld configuration no longer works on Fedora 21.
The commands succeed, but at least http is blocked still.
-