Introduction
The security of your device is very important. Anyone who uses Linux on a notebook cannot afford to leave the desktop without adequate protection.
Ubuntu uses UFW (Uncomplicated Firewall) as its default firewall; this article shows how to replace it with FirewallD on Ubuntu.
I have been using FirewallD on my laptop for quite some time, mainly because it handles zones with ease and integrates seamlessly with NetworkManager.
On my laptop I have many network profiles, both wired and wireless. Depending on the place or the situation, I activate a profile manually in NetworkManager; each profile is associated with a FirewallD zone, which automatically activates the firewall rules I have chosen for it.
The zones
FirewallD comes with 9 predefined zones, which in most cases are enough, but you can create new ones or modify the existing ones if you want.
The zones are:
- drop
All incoming connections are dropped without any reply to the sender; only outgoing traffic is allowed.
- block
All incoming connections are rejected, and an icmp-host-prohibited (IPv4) or icmp6-adm-prohibited (IPv6) reply is sent.
- public
Accepts incoming connections only for the specified services; typically used on public networks such as WiFi hotspots.
- external
Used when you have configured your device as a gateway. It enables NAT masquerading and accepts incoming connections towards the internal network, which is private anyway.
- internal
Used when you have configured your device as a gateway. Accepts incoming connections from the outside, but only for the permitted services.
- dmz
This zone completely isolates the device; it accepts incoming connections only for the specified services.
- work
Typically used in a known working environment, considered fairly trustworthy. Accepts incoming connections for the specified services.
- home
Considered a very trustworthy zone; convenient services are enabled.
- trusted
This level allows everything. Use it carefully.
The Rules
As with iptables, firewalld has two configurations, runtime and permanent. When we write a rule we can decide whether it survives a reboot or is lost. This lets us either write rules permanently and apply them with a reload, or, in the runtime case, simply test them.
There are several ways to write the rules: you can use a graphical tool called firewall-config, choose the traditional way from the command line with firewall-cmd, or edit the configuration files, which are "comfortable" XML files. We will look at all of them, with greater attention to the command line. For completeness, there is also an applet, firewall-applet, that lets us change the zone on the fly, and it does its job.
Installation
Remove UFW and install FirewallD:
$ sudo apt-get remove ufw
$ sudo apt-get install firewalld ebtables
Let's verify that FirewallD is running on Ubuntu and is enabled at boot:
$ sudo firewall-cmd --state
running
$ sudo service --status-all | grep firewalld
 [ + ]  firewalld
The firewall-cmd command
Let's see how to start controlling FirewallD on Ubuntu. We check which zone is the default, which one is active and what rules it contains:
$ sudo firewall-cmd --get-default-zone
public
$ sudo firewall-cmd --get-active-zones
public
  interfaces: eth0
$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
These are the default services enabled for the public zone. Let's start making changes: I have disabled the dhcpv6-client service.
$ sudo firewall-cmd --zone=public --remove-service=dhcpv6-client
success
$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Right now my only change is volatile, so a restart would lose it. To make it survive the boot, just add the --permanent option:
$ sudo firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
To open a port/service we have two choices: use the list of predefined services or enter the port(s) directly.
$ sudo firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mongodb mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client unifi vnc-server wbem-https
Take Skype as an example. On Linux it opens incoming port 1947. We know that the public zone requires us to specify the ports to open, but Skype is not among the listed services. We can tell firewalld to open that port,
$ sudo firewall-cmd --permanent --zone=public --add-port=1947/tcp
or we can define a Skype service permanently, so that we find it in the list without having to remember which port it is. All known services are declared in XML files; to add one, copy the file of an existing service, such as dhcp.xml.
$ cd /etc/firewalld/services   # directory of the configurations in use
$ sudo cp /var/lib/firewalld/services/dhcp.xml skype.xml   # template directory
Edit the file as follows:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Skype</short>
  <description>Accept incoming connection for Skype service</description>
  <port protocol="tcp" port="1947"/>
</service>
Creating a new service requires firewalld to be reloaded:
$ sudo firewall-cmd --reload
Add the Skype service and verify:
$ sudo firewall-cmd --permanent --zone=public --add-service=skype
$ sudo firewall-cmd --zone=public --list-services
ssh skype
To remove the service, just replace add with remove:
$ sudo firewall-cmd --permanent --zone=public --remove-service=skype
$ sudo firewall-cmd --zone=public --list-services
ssh
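As an added example (not code from the original post), the following POSIX shell function generates a service definition in the same format as the skype.xml above from a name, a description and one or more PORT/PROTO pairs, validating them before anything is written. It assumes an OUT_DIR variable (defaulting to the /etc/firewalld/services directory used above) and a hypothetical script name make_service.sh.

```shell
#!/bin/sh
# Added example, not from the original post: build a firewalld service
# definition file (like skype.xml) and refuse bad input before writing,
# so a typo cannot leave a half-written file behind in the services directory.
# OUT_DIR is an assumed variable; default is the directory the post edits.

make_firewalld_service() {
    # usage: make_firewalld_service NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
    name=$1; shift 1
    # Escape the XML-special characters in the description.
    desc=$(printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'); shift 1
    out_dir=${OUT_DIR:-/etc/firewalld/services}

    # The name becomes both the file name and the --add-service argument.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: '$name'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }

    # Validate every PORT/PROTO pair before touching the filesystem.
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in tcp|udp) ;; *) echo "bad protocol in '$spec'" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
    done

    file="$out_dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file" || return 1
    echo "$file"
}

# Run as a script (hypothetical name make_service.sh):
#   sudo ./make_service.sh skype "Accept incoming connection for Skype service" 1947/tcp
# then `sudo firewall-cmd --reload` so the new service appears in --get-services.
if [ $# -gt 0 ]; then make_firewalld_service "$@"; fi
```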
Rich Rules
The default for the public zone is reject, which answers a ping with an ICMP "destination unreachable" packet; I used the "rich rules" to add a drop instead.
Rich rules let you write complex rules beyond simply opening a port in a given zone, or modify existing ones when the normal procedures cannot, for instance adding an incoming port or a type of ICMP response. As you can see, I have also added logging to this drop, because I want to see who tries to scan my PC. I have also set a limit on the repetition of the event, to avoid a huge and repetitive log.
Given the nature of the public zone, I added an ICMP block because I do not want to respond to pings.
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule protocol value="icmp" log prefix="Drop-Icmp" level="info" limit value="2/h" drop'
Check the rule:
$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule protocol value="icmp" log prefix="Drop-Icmp" level="info" limit value="2/h" drop
- prefix
Adds an identifying string to the log line.
- level
Defines the logging level (emerg, alert, crit, err, warn, notice, info or debug).
- limit value
Defines how often matching events are written to the log file; I set 2/h, which means 2 entries per hour.
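To actually see who hits the Drop-Icmp rule, here is an added example (not from the original post) that summarises the kernel log lines per source address, run over a few constructed sample lines. With real data you would pipe `journalctl -k` or /var/log/syslog into summarize_drop_icmp (an assumed function name).

```shell
#!/bin/sh
# Added example, not from the original post: count, per source address, the
# kernel log lines produced by the rich rule's log prefix "Drop-Icmp".
# The kernel prints the prefix verbatim, immediately followed by "IN=", so
# with the rule above the line reads "Drop-IcmpIN=eth0 ..."; match the prefix
# without assuming a separator (or put a trailing space in the prefix).

# Constructed sample lines (not real captures); addresses are documentation ranges.
SAMPLE_LOG='Jun 12 10:01:02 laptop kernel: Drop-IcmpIN=eth0 OUT= MAC=aa:bb SRC=192.0.2.10 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jun 12 10:31:07 laptop kernel: Drop-IcmpIN=eth0 OUT= MAC=aa:bb SRC=192.0.2.10 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jun 12 11:02:44 laptop kernel: Drop-IcmpIN=eth0 OUT= MAC=aa:bb SRC=198.51.100.7 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jun 12 11:05:00 laptop kernel: something unrelated SRC=203.0.113.9'

# Reads log lines on stdin; prints "count source first_seen last_seen" per
# SRC, most frequent first. The prefix can be overridden as the first argument.
summarize_drop_icmp() {
    prefix=${1:-Drop-Icmp}
    grep "kernel: .*${prefix}" | awk '
    {
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src == "") next
        ts = $1 " " $2 " " $3
        n[src]++
        if (!(src in first)) first[src] = ts
        last[src] = ts
    }
    END { for (s in n) print n[s], s, first[s], last[s] }' | sort -rn
}

# Number of distinct sources that hit the rule (reads stdin as above).
count_sources() { summarize_drop_icmp "$1" | wc -l | tr -d ' '; }

# Demo on the constructed sample; real use: journalctl -k | summarize_drop_icmp
printf '%s\n' "$SAMPLE_LOG" | summarize_drop_icmp
```

Remember that the rule's limit value="2/h" also caps what reaches the log, so the counts are a lower bound on the actual probes.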
Go to the second part