• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Firewall Configuration

    Scheduled Pinned Locked Moved
    General
    4
    23
    18.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Joe Schmitt Senior Developer
      last edited by Joe Schmitt

      Below are instructions on how to make FOG work with your firewall left on. If you encounter any scenario where this configuration does not work, please let me know and I’ll make adjustments.

      Firewalld vs IPTables

      Firewalld is an IPTables wrapper. It comes installed on Centos 7 and newer fedora installs. If you do not have firewalld then you most likely will have IPTables. To check if you have firewalld run firewall-cmd. If the command runs fine (no command not found error) then you have firewalld.

      Firewalld

      for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service; done
      systemctl restart firewalld.service
      

      IPTables

      echo "IPTABLES_MODULES=\"nf_conntract_tftp nf_conntrack_ftp nf_conntrack_netbios_ns\"" >> /etc/sysconfig/iptables-config
      for port in 80 443 21 3306 2049 20048 111 138 139 445; do iptables -I INPUT 1 -p tcp --dport $port -j ACCEPT; done
      for port in 69 111 4011 137; do iptables -I INPUT 1 -p udp --dport $port -j ACCEPT; done
      service iptables save
      

      DHCP & DNS

      If you use your FOG Server for DHCP or DNS run these commands as well.

      Firewalld

      for service in dhcp dns; do firewall-cmd --permanent --zone=public --add-service=$service; done
      firewall-cmd --reload
      

      IPTables

      iptables -I INPUT 1 -p tcp --dport 53 -j ACCEPT;
      for port in 53 67; do iptables -I INPUT 1 -p udp --dport $port -j ACCEPT; done
      service iptables save
      

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Wayne WorkmanW 1 Reply Last reply Reply Quote 2
      • J
        Joe Schmitt Senior Developer
        last edited by

        IPTables support added

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        1 Reply Last reply Reply Quote 1
        • Wayne WorkmanW
          Wayne Workman
          last edited by Wayne Workman

          wiki hash tagging this for addition to the wiki

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
          Daily Clean Installation Results:
          https://fogtesting.fogproject.us/
          FOG Reporting:
          https://fog-external-reporting-results.fogproject.us/

          1 Reply Last reply Reply Quote 0
          • Wayne WorkmanW
            Wayne Workman
            last edited by

            My experience on Fedora 21 server:

            [root@fog SELinux]# systemctl enable firewalld
            Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
            Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
            [root@fog SELinux]# systemctl start firewalld
            [root@fog SELinux]# for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service; done
            success
            success
            success
            success
            success
            success
            success
            success
            success
            success
            [root@fog SELinux]# firewall-cmd --reload
            success
            [root@fog SELinux]# 
            

            About to try out imaging after a reboot…

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
            Daily Clean Installation Results:
            https://fogtesting.fogproject.us/
            FOG Reporting:
            https://fog-external-reporting-results.fogproject.us/

            1 Reply Last reply Reply Quote 0
            • Wayne WorkmanW
              Wayne Workman
              last edited by Wayne Workman

              @Jbob you forgot dhcp

              for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service; done
              

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
              Daily Clean Installation Results:
              https://fogtesting.fogproject.us/
              FOG Reporting:
              https://fog-external-reporting-results.fogproject.us/

              1 Reply Last reply Reply Quote 0
              • J
                Joe Schmitt Senior Developer
                last edited by Joe Schmitt

                I was assuming if people had a dhcp server on that machine they’d already have it configured. I just added the options used by FOG alone. Not anything extra a person may add. I updated the main post with a DHCP section.

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                Wayne WorkmanW 1 Reply Last reply Reply Quote 1
                • Wayne WorkmanW
                  Wayne Workman @Joe Schmitt
                  last edited by

                  @Jbob If it’s in /opt/fog/.fogsettings

                  in the “packages” list like this, it’s safe to add:

                  packages=" httpd php php-cli php-common php-gd mysql mysql-server tftp-server nfs-utils vsftpd net-tools wget xinetd tar gzip make m4 gcc gcc-c++ lftp php-mysqlnd curl php-mcrypt php-mbstring mod_ssl php-fpm php-process dhcp";

                  dodhcp="$(grep 'dodhcp=' /opt/fog/.fogsettings | awk -F'"' '{$0=$2}1')"
                  
                  if [[ $dodhcp == "Y" ]] || [[ $dodhcp == "y" ]]
                  then
                  firewall-cmd --permanent --zone=public --add-service=dhcp;
                  fi
                  

                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                  Daily Clean Installation Results:
                  https://fogtesting.fogproject.us/
                  FOG Reporting:
                  https://fog-external-reporting-results.fogproject.us/

                  1 Reply Last reply Reply Quote 0
                  • george1421G
                    george1421 Moderator
                    last edited by

                    Ok a couple of things that hit me right away.

                    The instructions above for rhel is for Centos 7.X and newer. The firewalld function is not available on Centos 5 and 6. Centos 5 iptables is a mess so I wouldn’t even recommend installing FOG on Centos/rhel 5. So for Cento/rhel 6 you must use the “Other” instructions.

                    The second thing I ran into using the Other instructions is the first line for adding the modules to the iptables-config. The last IPTABLES_MODULES entry config wins. So after running that first line and restarting iptables I only had one new module loaded “nf_conntrack_netbios_ns” The product of that line looks like this in the iptables-config file.

                    IPTABLES_MODULES=“nf_conntract_tftp”
                    IPTABLES_MODULES=“nf_conntrack_ftp”
                    IPTABLES_MODULES=“nf_conntrack_netbios_ns”

                    The correct syntax should be

                    IPTABLES_MODULES=“nf_conntract_tftp nf_conntrack_ftp nf_conntrack_netbios_ns”

                    I have the screen shots if you need them but I think that info should get you pretty close.

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                    1 Reply Last reply Reply Quote 1
                    • J
                      Joe Schmitt Senior Developer
                      last edited by Joe Schmitt

                      @george1421 good catch on the iptables, updating the main post to reflect that and the REHL clarification.

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                      1 Reply Last reply Reply Quote 1
                      • george1421G
                        george1421 Moderator
                        last edited by

                        During the install of FOG, it asks to make fog a dns and dhcp server but those ports are not listed in the script.

                        For clarity, I took and rebuilt a clean centos box. I set the firewall rules and then installed the latest SVN trunk. I just remembered that I need to set the selinux policy since it is centos defaults. But any way the plan is to apply your settings to a clean install install your policies and then install the latest SVN trunk.

                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                        1 Reply Last reply Reply Quote 1
                        • J
                          Joe Schmitt Senior Developer
                          last edited by Joe Schmitt

                          @george1421 there is a DHCP section in the post. I will include DNS as well. Right now I wish to keep those options separate. Eventually the installer should automatically configure the firewall based on installation preference.

                          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                          george1421G 1 Reply Last reply Reply Quote 1
                          • george1421G
                            george1421 Moderator @Joe Schmitt
                            last edited by

                            @Jbob said:

                            @george1421 there is a DHCP section in the post. I will include DNS as well. Right now I wish to keep those options separate. Eventually the installer should automatically configure the firewall based on installation preference.

                            Sorry I missed that. I copied the top sections and skipped the bottom.

                            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                            1 Reply Last reply Reply Quote 1
                            • Wayne WorkmanW
                              Wayne Workman
                              last edited by Wayne Workman

                              the firewalld stuff works fine on Fedora 23 Server so far.

                              I’ve tried this setup on a virtualized Fedora 23 DHCP server, and a virtualized Fedora 23 FOG server (using only the settings each one needs). I’ve imaged 2 computers so far with this setup. One of them, I tried out WOL just to confirm that still works - it does.

                              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                              Daily Clean Installation Results:
                              https://fogtesting.fogproject.us/
                              FOG Reporting:
                              https://fog-external-reporting-results.fogproject.us/

                              1 Reply Last reply Reply Quote 0
                              • Wayne WorkmanW
                                Wayne Workman
                                last edited by Wayne Workman

                                For the record - I’ll be using the Firewalld configuration at work soon - I’ll be doing it safely though. I’m keeping my old virtual FOG server in-tact but shutdown, and I’m setting up a new one on Fedora 23 using this configuration.

                                I’m really confident that the Firewalld settings will work really well - They’ve worked fine at home so far for me.

                                I’m holding off on adding this stuff to the WiKi because I feel it will be integrated into the installer prior to 1.3.0 being released @Developers. 🙂

                                I’m not so confident about the iptables config - but I haven’t used it. The only thing that concerns me is the NFS ports. 😕 Hopefully some Ubuntu and Debian users can try it out soon and let us know how it works? @ch3i

                                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                Daily Clean Installation Results:
                                https://fogtesting.fogproject.us/
                                FOG Reporting:
                                https://fog-external-reporting-results.fogproject.us/

                                1 Reply Last reply Reply Quote 0
                                • Wayne WorkmanW
                                  Wayne Workman
                                  last edited by Wayne Workman

                                  I’ve been running the firewalld settings in production with Fedora 23 and I’m cautiously optimistic.

                                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                  Daily Clean Installation Results:
                                  https://fogtesting.fogproject.us/
                                  FOG Reporting:
                                  https://fog-external-reporting-results.fogproject.us/

                                  1 Reply Last reply Reply Quote 0
                                  • Wayne WorkmanW
                                    Wayne Workman
                                    last edited by Wayne Workman

                                    @Developers I have successfully operated at work for about two weeks now with the Firewalld portion of these instructions active. In my opinion, the firewalld stuff should be implimented into the installer for further testing.

                                    A good question is how to impliment them. Should the installer “just do it” or should it be a installation argument?

                                    If the argument route was taken, it could be something as simple as:

                                    ./installfog.sh --firewall yes

                                    or

                                    ./installfog.sh --firewall no

                                    With the option stored in /opt/fog/.fogsettings with the default being yes

                                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                    Daily Clean Installation Results:
                                    https://fogtesting.fogproject.us/
                                    FOG Reporting:
                                    https://fog-external-reporting-results.fogproject.us/

                                    1 Reply Last reply Reply Quote 0
                                    • Wayne WorkmanW
                                      Wayne Workman @Joe Schmitt
                                      last edited by

                                      @Jbob Added to the Wiki here: https://wiki.fogproject.org/wiki/index.php?title=FOG_security

                                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                      Daily Clean Installation Results:
                                      https://fogtesting.fogproject.us/
                                      FOG Reporting:
                                      https://fog-external-reporting-results.fogproject.us/

                                      ThiagoT 1 Reply Last reply Reply Quote 0
                                      • ThiagoT
                                        Thiago @Wayne Workman
                                        last edited by

                                        @Wayne-Workman
                                        I’m using ufw in a debian 8 system with:

                                        ufw default deny incoming
                                        ufw default allow outgoing

                                        #ports 21ftp, 22ssh, 80web, 111rpc, 69tftp, 443web, 2049nfs, 20499-nfs
                                        ufw allow from 192.168.0.0/24 to any port 21,22,80,111,443,2049,20499 proto tcp
                                        ufw allow from 192.168.0.0/24 to any port 69,111,2049,6080 proto udp
                                        ufw enable

                                        I changed nfs to work with the firewall on debian
                                        #from
                                        RPCMOUNTDOPTS=“–manage-gids”
                                        #to
                                        RPCMOUNTDOPTS=“-p 20499”
                                        #and
                                        systemctl restart nfs-kernel-server.service

                                        Wayne WorkmanW 2 Replies Last reply Reply Quote 1
                                        • Wayne WorkmanW
                                          Wayne Workman @Thiago
                                          last edited by

                                          @Thiago How long have you been using these settings?

                                          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                          Daily Clean Installation Results:
                                          https://fogtesting.fogproject.us/
                                          FOG Reporting:
                                          https://fog-external-reporting-results.fogproject.us/

                                          ThiagoT 1 Reply Last reply Reply Quote 0
                                          • ThiagoT
                                            Thiago @Wayne Workman
                                            last edited by

                                            @Wayne-Workman
                                            at least 6 months

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post

                                            171

                                            Online

                                            12.0k

                                            Users

                                            17.3k

                                            Topics

                                            155.2k

                                            Posts
                                            Copyright © 2012-2024 FOG Project