Firewall Configuration

Joe Schmitt Senior Developer
last edited by Nov 18, 2015, 1:30 AM

    IPTables support added

    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

Wayne Workman
last edited by Wayne Workman Jan 18, 2016, 11:40 PM Nov 18, 2015, 1:35 AM

      wiki hash tagging this for addition to the wiki

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
      Daily Clean Installation Results:
      https://fogtesting.fogproject.us/
      FOG Reporting:
      https://fog-external-reporting-results.fogproject.us/

Wayne Workman
last edited by Nov 18, 2015, 2:43 AM

        My experience on Fedora 21 server:

        [root@fog SELinux]# systemctl enable firewalld
        Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
        Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
        [root@fog SELinux]# systemctl start firewalld
        [root@fog SELinux]# for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service; done
        success
        success
        success
        success
        success
        success
        success
        success
        success
        success
        [root@fog SELinux]# firewall-cmd --reload
        success
        [root@fog SELinux]# 
        

        About to try out imaging after a reboot…

Wayne Workman
last edited by Wayne Workman Nov 17, 2015, 8:53 PM Nov 18, 2015, 2:51 AM

          @Jbob you forgot dhcp

          for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service; done
          

Joe Schmitt Senior Developer
last edited by Joe Schmitt Nov 17, 2015, 8:58 PM Nov 18, 2015, 2:54 AM

            I was assuming if people had a dhcp server on that machine they’d already have it configured. I just added the options used by FOG alone. Not anything extra a person may add. I updated the main post with a DHCP section.

Wayne Workman @Joe Schmitt
last edited by Nov 18, 2015, 3:03 AM

@Jbob If it’s in /opt/fog/.fogsettings in the “packages” list like this, it’s safe to add:

              packages=" httpd php php-cli php-common php-gd mysql mysql-server tftp-server nfs-utils vsftpd net-tools wget xinetd tar gzip make m4 gcc gcc-c++ lftp php-mysqlnd curl php-mcrypt php-mbstring mod_ssl php-fpm php-process dhcp";

              dodhcp="$(grep 'dodhcp=' /opt/fog/.fogsettings | awk -F'"' '{$0=$2}1')"
              
              if [[ $dodhcp == "Y" ]] || [[ $dodhcp == "y" ]]
              then
              firewall-cmd --permanent --zone=public --add-service=dhcp;
              fi
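An added example (not FOG's installer code and not Wayne's script) that generalizes the dodhcp check above: it reads the option from a .fogsettings-style file, builds the full firewalld service list used in this thread, and prints the firewall-cmd plan before anything is applied. The settings file is a constructed sample, and fog_setting, fog_firewall_services, fog_firewall_plan and fog_firewall_apply are names chosen here.

```bash
#!/usr/bin/env bash
# Added example, not FOG's installer: derive the firewalld service list for a
# FOG server from /opt/fog/.fogsettings and review the plan before applying.
# Assumes firewalld's built-in service names used in this thread; the
# dodhcp key is read the same way Wayne's snippet reads it (dodhcp="Y").
set -u

# Services FOG itself needs, independent of the install options.
FOG_BASE_SERVICES="http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba"

# Print a key="value" setting from a .fogsettings-style file ("" if absent).
# $1 = settings file, $2 = key name; the last assignment wins, like sourcing.
fog_setting() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Print the list of firewalld services to open for this install:
# the base list, plus dhcp only when the installer was told to run DHCP.
fog_firewall_services() {
    local settings="$1" services="$FOG_BASE_SERVICES"
    local dodhcp
    dodhcp="$(fog_setting "$settings" dodhcp)"
    case "$dodhcp" in
        [Yy]) services="$services dhcp" ;;
    esac
    printf '%s\n' "$services"
}

# Print the firewall-cmd invocations (one per line) without executing them,
# so the plan can be reviewed or diffed before the firewall changes.
# $1 = settings file, $2 = firewalld zone.
fog_firewall_plan() {
    local zone="$2" svc
    for svc in $(fog_firewall_services "$1"); do
        printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$svc"
    done
    printf 'firewall-cmd --reload\n'
}

# Apply the plan for real (requires root and a running firewalld).
fog_firewall_apply() {
    fog_firewall_plan "$1" "$2" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

# Constructed sample settings file, mirroring the keys quoted in the thread.
SAMPLE_SETTINGS="$(mktemp)"
cat >"$SAMPLE_SETTINGS" <<'EOF'
## Start of FOG Settings (constructed sample)
dodhcp="Y"
packages="httpd php tftp-server nfs-utils vsftpd dhcp"
EOF

# Show the plan; run fog_firewall_apply "$SAMPLE_SETTINGS" public to apply it.
fog_firewall_plan "$SAMPLE_SETTINGS" public
```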
              

george1421 Moderator
last edited by Nov 19, 2015, 2:23 AM

                Ok a couple of things that hit me right away.

The instructions above for RHEL are for CentOS 7.X and newer. The firewalld function is not available on CentOS 5 and 6. CentOS 5 iptables is a mess so I wouldn’t even recommend installing FOG on CentOS/RHEL 5. So for CentOS/RHEL 6 you must use the “Other” instructions.

The second thing I ran into using the Other instructions is the first line for adding the modules to the iptables-config. The last IPTABLES_MODULES entry in the config wins. So after running that first line and restarting iptables I only had one new module loaded, “nf_conntrack_netbios_ns”. The product of that line looks like this in the iptables-config file:

IPTABLES_MODULES="nf_conntrack_tftp"
IPTABLES_MODULES="nf_conntrack_ftp"
IPTABLES_MODULES="nf_conntrack_netbios_ns"

The correct syntax should be:

IPTABLES_MODULES="nf_conntrack_tftp nf_conntrack_ftp nf_conntrack_netbios_ns"

                I have the screen shots if you need them but I think that info should get you pretty close.
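To make the "last assignment wins" behaviour concrete, here is an added example (not part of FOG or of this post) that reads the value the iptables init script would actually use and merges helper modules into a single IPTABLES_MODULES line instead of appending one line per module. The iptables-config excerpt is constructed, and iptables_effective_modules and iptables_add_modules are names chosen here.

```bash
#!/usr/bin/env bash
# Added example, not FOG's installer: keep exactly ONE IPTABLES_MODULES line
# in an iptables-config file. The file is sourced by the iptables init script,
# so appending a fresh IPTABLES_MODULES=... line per module does not accumulate
# them: only the last assignment is loaded. Assumes the RHEL/CentOS 6
# /etc/sysconfig/iptables-config layout; the file used below is a temp copy.
set -u

# Print the value the init script would actually use: the LAST assignment.
iptables_effective_modules() {
    sed -n 's/^IPTABLES_MODULES="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1
}

# Rewrite the file so that exactly one IPTABLES_MODULES line exists, holding
# the previously effective modules plus the requested ones, each only once.
# $1 = config file, remaining args = module names to add.
iptables_add_modules() {
    local file="$1"; shift
    local merged="" m
    for m in $(iptables_effective_modules "$file") "$@"; do
        case " $merged " in
            *" $m "*) ;;                       # already present, keep order
            *) merged="${merged:+$merged }$m" ;;
        esac
    done
    local tmp
    tmp="$(mktemp)"
    # Drop every existing assignment, then append the single merged line.
    grep -v '^IPTABLES_MODULES=' "$file" > "$tmp" || true
    printf 'IPTABLES_MODULES="%s"\n' "$merged" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"   # overwrite in place, keep perms
}

# Constructed sample: the broken state described above, three separate
# assignments of which only the last (netbios_ns) would ever be loaded.
SAMPLE_CONFIG="$(mktemp)"
cat >"$SAMPLE_CONFIG" <<'EOF'
# Constructed iptables-config excerpt
IPTABLES_MODULES="nf_conntrack_tftp"
IPTABLES_MODULES="nf_conntrack_ftp"
IPTABLES_MODULES="nf_conntrack_netbios_ns"
IPTABLES_SAVE_ON_STOP="no"
EOF

echo "effective before: $(iptables_effective_modules "$SAMPLE_CONFIG")"
iptables_add_modules "$SAMPLE_CONFIG" nf_conntrack_tftp nf_conntrack_ftp nf_conntrack_netbios_ns
echo "effective after:  $(iptables_effective_modules "$SAMPLE_CONFIG")"
```

Running it twice is safe: a second call with a module already present leaves the file unchanged.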

Joe Schmitt Senior Developer
last edited by Joe Schmitt Nov 18, 2015, 8:27 PM Nov 19, 2015, 2:25 AM

@george1421 good catch on the iptables, updating the main post to reflect that and the RHEL clarification.

george1421 Moderator
last edited by Nov 19, 2015, 2:34 AM

During the install of FOG, it asks to make fog a dns and dhcp server but those ports are not listed in the script.

For clarity, I took and rebuilt a clean centos box. I set the firewall rules and then installed the latest SVN trunk. I just remembered that I need to set the selinux policy since it is centos defaults. But anyway the plan is to apply your settings to a clean install, install your policies and then install the latest SVN trunk.

Joe Schmitt Senior Developer
last edited by Joe Schmitt Nov 18, 2015, 8:37 PM Nov 19, 2015, 2:35 AM

                      @george1421 there is a DHCP section in the post. I will include DNS as well. Right now I wish to keep those options separate. Eventually the installer should automatically configure the firewall based on installation preference.

george1421 Moderator @Joe Schmitt
last edited by Nov 19, 2015, 2:42 AM

                        @Jbob said:

                        @george1421 there is a DHCP section in the post. I will include DNS as well. Right now I wish to keep those options separate. Eventually the installer should automatically configure the firewall based on installation preference.

                        Sorry I missed that. I copied the top sections and skipped the bottom.

Wayne Workman
last edited by Wayne Workman Nov 22, 2015, 10:27 PM Nov 22, 2015, 11:25 PM

The firewalld stuff works fine on Fedora 23 Server so far.

                          I’ve tried this setup on a virtualized Fedora 23 DHCP server, and a virtualized Fedora 23 FOG server (using only the settings each one needs). I’ve imaged 2 computers so far with this setup. One of them, I tried out WOL just to confirm that still works - it does.

Wayne Workman
last edited by Wayne Workman Nov 25, 2015, 9:59 PM Nov 26, 2015, 3:58 AM

For the record - I’ll be using the Firewalld configuration at work soon - I’ll be doing it safely though. I’m keeping my old virtual FOG server intact but shut down, and I’m setting up a new one on Fedora 23 using this configuration.

                            I’m really confident that the Firewalld settings will work really well - They’ve worked fine at home so far for me.

                            I’m holding off on adding this stuff to the WiKi because I feel it will be integrated into the installer prior to 1.3.0 being released @Developers. 🙂

                            I’m not so confident about the iptables config - but I haven’t used it. The only thing that concerns me is the NFS ports. 😕 Hopefully some Ubuntu and Debian users can try it out soon and let us know how it works? @ch3i

Wayne Workman
last edited by Wayne Workman Dec 1, 2015, 7:58 AM Dec 1, 2015, 1:58 PM

                              I’ve been running the firewalld settings in production with Fedora 23 and I’m cautiously optimistic.

Wayne Workman
last edited by Wayne Workman Dec 13, 2015, 1:11 AM Dec 13, 2015, 6:01 AM

@Developers I have successfully operated at work for about two weeks now with the Firewalld portion of these instructions active. In my opinion, the firewalld stuff should be implemented into the installer for further testing.

A good question is how to implement them. Should the installer “just do it” or should it be an installation argument?

                                If the argument route was taken, it could be something as simple as:

                                ./installfog.sh --firewall yes

                                or

                                ./installfog.sh --firewall no

With the option stored in /opt/fog/.fogsettings, with the default being yes.

Wayne Workman @Joe Schmitt
last edited by Jan 19, 2016, 5:40 AM

                                  @Jbob Added to the Wiki here: https://wiki.fogproject.org/wiki/index.php?title=FOG_security

Thiago @Wayne Workman
last edited by Jan 19, 2016, 9:45 AM

                                    @Wayne-Workman
                                    I’m using ufw in a debian 8 system with:

                                    ufw default deny incoming
                                    ufw default allow outgoing

                                    #ports 21ftp, 22ssh, 80web, 111rpc, 69tftp, 443web, 2049nfs, 20499-nfs
                                    ufw allow from 192.168.0.0/24 to any port 21,22,80,111,443,2049,20499 proto tcp
                                    ufw allow from 192.168.0.0/24 to any port 69,111,2049,6080 proto udp
                                    ufw enable

I changed nfs to work with the firewall on debian:
#from
RPCMOUNTDOPTS="--manage-gids"
#to
RPCMOUNTDOPTS="-p 20499"
                                    #and
                                    systemctl restart nfs-kernel-server.service

Wayne Workman @Thiago
last edited by Jan 19, 2016, 1:35 PM

                                      @Thiago How long have you been using these settings?

Thiago @Wayne Workman
last edited by Jan 19, 2016, 1:47 PM

                                        @Wayne-Workman
                                        at least 6 months

Wayne Workman @Thiago
last edited by Jan 19, 2016, 1:51 PM

                                          @Thiago said:

                                          @Wayne-Workman
                                          I’m using ufw in a debian 8 system with:

                                          ufw default deny incoming
                                          ufw default allow outgoing

                                          #ports 21ftp, 22ssh, 80web, 111rpc, 69tftp, 443web, 2049nfs, 20499-nfs
                                          ufw allow from 192.168.0.0/24 to any port 21,22,80,111,443,2049,20499 proto tcp
                                          ufw allow from 192.168.0.0/24 to any port 69,111,2049,6080 proto udp
                                          ufw enable

I changed nfs to work with the firewall on debian:
#from
RPCMOUNTDOPTS="--manage-gids"
#to
RPCMOUNTDOPTS="-p 20499"
                                          #and
                                          systemctl restart nfs-kernel-server.service

                                          Can anyone else test out Thiago’s UFW settings? @Moderators @Developers

                                          Copyright © 2012-2024 FOG Project