-
Notifications
You must be signed in to change notification settings - Fork 0
/
16-firewalld.Rmd
214 lines (182 loc) · 6.66 KB
/
16-firewalld.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
# Firewalld Policy {#firewalld}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("firewalld-images/firewall.png")
```
\index{Policies!Firewalld}
The purpose of the Firewalld Policy is to apply firewalld rules to the client machine.
This policy is physically stored on the SYSVOL in the **MACHINE/Registry.pol** file within the subdirectory of the Group Policy Object. It is stored in registry format. See chapter \@ref(regpol) for details on how to manually modify this file.
## Server Side Extension
The Server Side Extension (SSE) for the Firewalld Policy is distributed using Administrative Templates (ADMX). Refer to chapter \@ref(sse) in section \@ref(admx) for details about Administrative Templates.
Setting up the ADMX templates for this policy is described in chapter \@ref(install-admx) section \@ref(install-admx-samba).
\index{Server Side Extensions}
\index{Administrative Templates}
### Managing Firewalld Policy via the GPME
Open the Group Policy Management Editor (GPME) and navigate to `Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Firewalld`.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Group Policy Management Editor"}
knitr::include_graphics("firewalld-images/gpme.png")
```
You can see we have the options to create firewall rules, and firewall zones. For this example, we're going to create a single rule in a new zone named "work".
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "New Zone"}
knitr::include_graphics("firewalld-images/new-zone.png")
```
We'll define our new rule as follows.
```json
{ "work":
[
{
"rule": { "family": "ipv4"},
"source address": "172.25.1.7",
"service name": "ftp",
"reject": {}
}
]
}
```
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "New Rule"}
knitr::include_graphics("firewalld-images/new-rule.png")
```
#### Firewalld Policy Rule Definitions
The policy provides for the creation of rules and zones. Zones are defined as a list in the Zones setting in the Firewalld policy. Existing zones on the host will be unaffected.
Rules are defined using a JSON dictionary, containing zones paired with a list of rules.
For example, to create rules for the Work and Home zones, specify the following JSON:
```json
{
"work": [
{
"rule": {"family": "ipv4"},
"source address": "172.25.1.7",
"service name": "ftp",
"reject": {}
},
{
"rule": {},
"source address": "172.25.1.8",
"service name": "ftp",
"reject": {}
}
],
"home": [
{
"rule": {},
"protocol value": "icmp",
"reject": {}
},
{
"rule": {"family": "ipv4"},
"source address": "192.168.1.2/32",
"service name": "telnet",
"accept": {"limit value": "1/m"}
}
]
}
```
The rule structure loosely follows the Firewalld Rich Language Documentation. The general rule structure follows.
```json
{
"rule": {
"family": "ipv4 | ipv6",
"priority": "priority"
},
"source [not] address | mac | ipset":
"address[/mask] | mac-address | ipset",
"destination [not] adress": "address[/mask]",
"service name": "service name",
"port": {
"port": "port value",
"protocol": "tcp | udp"
}
"protocol value": "protocol value",
"icmp-block name": "icmptype name",
"Masquerade": true|false,
"icmp-type": "icmptype name",
"forward-port": {
"port": "port value",
"protocol": "tcp | udp",
"to-port": "port value",
"to-addr": "address"
},
"source-port": {
"port": "port value",
"protocol": "tcp | udp"
},
"log": {
"prefix": "prefix text",
"level": "emerg | alert | crit | error
| warning | notice | info | debug",
"limit value": "rate/duration"
},
"audit": {
"limit value": "rate/duration"
},
"accept" : {
"limit value": "rate/duration"
} | "reject": {
"type": "reject type",
"limit value": "rate/duration"
} | "drop": {
"limit value": "rate/duration"
} | "mark": {
"set": "mark[/mask]",
"limit value": "rate/duration"
}
}
```
## Client Side Extension
The Firewalld Client Side Extension (CSE) accepts the rules specified by the SSE, and applies them using the firewalld command `firewall-cmd`. For example, new zones are added using the `firewall-cmd --permanent --new-zone=work` command. New firewall rules are added using the `firewall-cmd --permanent --zone=work --add-rich-rule 'rule family=ipv4 source address=172.25.1.7 service name=ftp reject'`.
\index{Client Side Extensions}
Let's check the Resultant Set of Policy on our Linux client.
```
> sudo /usr/sbin/samba-gpupdate --rsop
[sudo] password for root:
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: gp_firewalld_ext
-----------------------------------------------------------
Policy Type: Rules
-----------------------------------------------------------
[
[ work ] =
[
[ rule ] =
[ family ] = ipv4
[ source address ] = 172.25.1.7
[ service name ] = ftp
[ reject ] =
]
]
-----------------------------------------------------------
Policy Type: Zones
-----------------------------------------------------------
[ work ]
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
Let’s now force an apply, and verify that rule gets applied.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='Security/Firewalld']" - \
| xmllint --format -
<gp_ext name="Security/Firewalld">
<attribute name="rule:work:f480...e3a8">
rule family=ipv4 source address=172.25.1.7
service name=ftp reject
</attribute>
</gp_ext>
```
\index{Group Policy Cache}
Unfortunately, at the time of this writing, `firewall-cmd` appears to be unable to list installed rich rules. We can verify that our rule has applied though by trying to apply it again.
```
> sudo firewall-cmd --permanent --zone=work --add-rich-rule \
'rule family=ipv4 source address=172.25.1.7
service name=ftp reject'
Warning: ALREADY_ENABLED: rule family=ipv4
source address=172.25.1.7 service name=ftp reject
success
```
Attempting to add the rule, we can see that firewalld warns us that the rule is already enabled.