[HowTo] Secure your device using firewalld

Securing your server

Running servers is a constant challenge, and a public-facing device will be hammered by bots trying to find a hole, so securing such a device is a high-priority task.

Firewall

Due to the immense popularity of using GNU/Linux for servers several firewalls have been developed over time.

Most users know of ufw and the graphical tool gufw which uses iptables to control inbound and outbound traffic.

Application firewalls

Recently members of the forum have asked for application firewalls, arguing that it can be simpler for new users to understand and apply the concept of controlling network traffic.

Traditionally firewalls require knowledge of which port(s) a given service uses and the ability to create a rule that limits inbound traffic to the given service, further restricting the network interface and source addresses allowed.

This is a complex business, and you have to have routes and priorities straight or you can get into serious connectivity problems and weird issues. The iptables-based rules require a reload, and large, complicated rulesets are hard to troubleshoot.

Due to my chat with @xabbu I have revised my perspective. Application firewalls are not just another word for the same thing, and they do not work quite the same way as e.g. ufw.

If you for some reason want to know every single process making an outgoing network request - you could look to the opensnitch firewall. It is available from AUR.

Firewalld

Firewalld is the latest breed in free and open-source firewall applications. Firewalld can be configured using the term application, since an application is merely a definition of which ports should be allowed, e.g. an HTTP application or SSH or SMTP.

When you configure the firewall you use zones to define where you are and services to define what you allow.

Install firewalld

# pacman -Syu firewalld

When firewalld is enabled and started, the default zone is public, which allows the computer to be visible but keeps all ports closed.

Adding a specific service (application) is most easily done using the command line. A GUI is available if you install the dependencies for it.

Adding services has immediate effect; there is no need to reload the service.

Simply add the service to the allowed services of the desired zone.

Example - adding http to public zone

# firewall-cmd --zone=public --add-service=http
success

It is important to realize that changes you make on the fly are not permanent. To make a certain service available on a permanent basis you add the --permanent argument.

# firewall-cmd --permanent --zone=public --add-service=http
success

What if you want to add your own service definition?

Easy-peasy: look in the folder /usr/lib/firewalld/services and make a copy of an appropriate service definition.

Example: you want to run an SSH server on a non-default port.

Copy the ssh.xml service definition to /etc/firewalld/services:

# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/my-ssh.xml

Edit the service definition:

# nano /etc/firewalld/services/my-ssh.xml

Change the port to match your service and the short name to distinguish it from the original service.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>My SSH service</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="30000"/>
</service>

Wait 5-10 seconds for the service file to be recognized, then activate it:

# firewall-cmd --zone=public --add-service=my-ssh
success

The same rule about --permanent applies, and that's it.
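To generate such a service definition instead of hand-editing a copy, here is an added shell example (not code from the original post): it validates the protocol and port, escapes the names for XML, writes the file and refuses to overwrite an existing definition. OUT_DIR is an assumed override for the target directory, defaulting to /etc/firewalld/services, so the functions can be tried without root.

```shell
#!/bin/sh
# Added example, not code from the original post: generate a custom firewalld
# service definition such as the hand-edited my-ssh.xml above.
# Assumption: OUT_DIR overrides the target directory (default
# /etc/firewalld/services) so the functions can be tried without root.

# Escape the characters that would break the XML if they appear in a name.
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# Print the service XML for: name, protocol (tcp|udp), port, short name.
make_service_xml() {
  name=$(xml_escape "$1"); proto=$2; port=$3; short=$(xml_escape "$4")
  case "$proto" in
    tcp|udp) ;;
    *) echo "make_service_xml: protocol must be tcp or udp: $proto" >&2; return 1 ;;
  esac
  case "$port" in
    ''|*[!0-9]*) echo "make_service_xml: port must be numeric: $port" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "make_service_xml: port out of range: $port" >&2; return 1
  fi
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$short</short>
  <description>Custom service $name on $proto port $port (generated)</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# Write <name>.xml into the services directory, refusing to clobber an existing
# definition (e.g. the copied ssh.xml). Prints the path on success.
write_service() {
  dir=${OUT_DIR:-/etc/firewalld/services}
  file="$dir/$1.xml"
  if [ -e "$file" ]; then
    echo "write_service: $file already exists, not overwriting" >&2
    return 1
  fi
  if ! make_service_xml "$@" > "$file"; then
    rm -f "$file"       # do not leave a half-written definition behind
    return 1
  fi
  chmod 0644 "$file"    # readable by all, writable by root, like the stock files
  echo "$file"
}
```

Run it as `OUT_DIR=/tmp/services write_service my-ssh tcp 30000 "My SSH service"` to inspect the result first; if the new service does not appear in `firewall-cmd --get-services`, `firewall-cmd --reload` makes firewalld re-read /etc/firewalld/services, and a --permanent addition only reaches the running ruleset after that same reload.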

Conclusion

Firewalld is an extremely powerful and configurable firewall; it deserves much more attention than it gets.

That is not what "application firewalls" are about. An "application firewall" does not care about ports, it cares about processes and connections. This type of firewall restricts processes from establishing connections to other systems. Sometimes it is just to allow or disallow a connection for certain processes, but sometimes it is possible to create more complex rules. In this scenario, you can also set ports.

But the main thing is usually to prevent a process from creating a connection to the outside. On the other hand, tools like ufw or firewalld are often simply used to prevent the outside from establishing a connection. Of course you can also deny ports for outgoing connections or even block connections to certain systems, but it is always for the complete system and not per process.

From a technical perspective, this is a choice of words.

A rule for blocking outgoing traffic would be based on endpoints. I can't really see what use the application scope has on a *nix system, but what do I know.

Is it something like https://www.opensnitch.io you are referring to?

http://aur.archlinux.org/packages/opensnitch-git

I reckon the usability is on a Windows-based system, simply because of the abundant mass of malware, and because of that it makes sense on a Windows system to restrict access for specific services or applications.

But even applications will connect using a given port, which is then blocked by a rule in the firewall.

For firewalld you can create very sophisticated rules based on contexts (SELinux), command lines, usernames and user IDs.

The concept of privilege separation and network access has been taken to the extreme by Qubes OS.

Me too, but it usually is asked by users that run applications they don't trust or don't want to connect to the outside. This is totally wrong in the first place, but such users exist.

Yep, this is an example of an "application firewall". I like the name process-based firewall a little bit more, but users usually look for a firewall that prevents applications from reaching the outside world.

Of course there are much better tools available that can "sandbox" (the next buzzword) an application. But sometimes the usage patterns from Windows are still in the minds of these users.

Kind of bad if you want an application blocked from connecting to port 443 on random hosts. But of course we established that there are better ways to handle this than an "application firewall".

I just want to make sure that it is clear what most people mean by "application firewall", and what the common use case for such a program is.

Due to our little chat here, I have revised a part of the OP to reflect exactly this.

Take a look at Private Firewall to see what an application firewall is (although PF is more than that). Apparently PF was discontinued and they now offer a different software, but you can still find the old program (don't use it on W10, it crashes). I used it mainly for blocking applications from phoning home. PF also monitors processes and warns you before running unknown software, good for keeping software from installing extras under the hood, for example. I used that little program since Windows XP.