
I'm in the process of migrating servers to CentOS 7 from 6.5 and the most major change appears to be the shift from iptables to firewalld. My prior experience with iptables tells me that there are a number of common attack vectors that one needs to set up rules to protect against, such as null packets or XMAS packets or syn-floods. After reading through as much of the documentation of firewalld as I can, I haven't been able to figure out whether or not firewalld comes with common protection measures out of the box.

Does firewalld handle all of the common attack protection measures by default that one would have to add to iptables?

I'm guessing it does, but I'd rather not make assumptions when it comes to security. My evidence of this:

  • Rackspace's default CentOS 6.5 iptables rule set appears to include a variety of these attack vectors, but their CentOS 7 firewalld rule set does not appear to include anything special.
  • DigitalOcean's recommendations for setting up CentOS 6 include adding several protection measures, but their recommendations for CentOS 7 do not.
  • Googling "firewalld null packets" or the like produces no useful results.

My only reason for doubting this is that firewalld is too new for "best practices" to be published. I don't know enough to make this determination myself by actually attacking the firewall. Any help on this?

Venning
    That tutorial for CentOS 6 is crap. It doesn't properly configure the firewall as fully stateful, which if done correctly makes most of their "special" rules unnecessary. A firewalld configured firewall is 100% stateful (unless you add custom rich rules that break it) and doesn't need this junk. – Michael Hampton Feb 05 '15 at 22:40
  • @MichaelHampton What does it mean for a firewall to be "stateful"? And are you confirming that firewalld handles most common attacks by default? – Venning Feb 06 '15 at 14:34
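An added check, not part of the question or of firewalld's own tooling: whether a chain has the stateful rules Michael Hampton's comment refers to can be audited from `iptables -S INPUT` output. The embedded chain dump is constructed to match the layout firewalld's default configuration produces on CentOS 7, not captured from a host.

```python
"""Audit an iptables INPUT chain for the stateful rules that let firewalld's default
ruleset cover null/XMAS packets and stray SYN/ACKs without extra rules. Feed it the
output of `iptables -S INPUT` (root); the sample below is a constructed dump."""
import re
import sys

# Constructed sample in the shape firewalld emits on CentOS 7 (not captured from a host).
SAMPLE_INPUT_CHAIN = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
CTSTATE = re.compile(r"--ctstate\s+(\S+)\s+-j\s+(\S+)")
FINAL = re.compile(r"-A \S+ -j (REJECT|DROP)( --reject-with \S+)?")

def audit_stateful(dump, chain="INPUT"):
    """Return which safeguards the chain has: an early ACCEPT of RELATED,ESTABLISHED
    replies; a DROP of conntrack INVALID (where malformed TCP flag sets such as null,
    XMAS or SYN+FIN and unsolicited ACKs land); an unconditional REJECT/DROP closing
    the chain; and the INVALID drop sitting before that reject, so bad packets never
    earn an ICMP reply."""
    rules = [l.strip() for l in dump.splitlines() if l.strip().startswith(f"-A {chain} ")]
    found = dict.fromkeys(("established_accept", "invalid_drop",
                           "final_reject", "invalid_before_reject"), False)
    invalid_pos = None
    for pos, rule in enumerate(rules):
        m = CTSTATE.search(rule)
        if not m:
            continue  # zone jumps, loopback accept, etc. are not state rules
        states, target = m.group(1).split(","), m.group(2)
        if "ESTABLISHED" in states and target == "ACCEPT":
            found["established_accept"] = True
        if "INVALID" in states and target == "DROP":
            found["invalid_drop"], invalid_pos = True, pos
    found["final_reject"] = bool(rules) and FINAL.fullmatch(rules[-1]) is not None
    # the closing rule carries no --ctstate, so any INVALID drop found precedes it
    found["invalid_before_reject"] = found["final_reject"] and invalid_pos is not None
    return found

if __name__ == "__main__":
    # usage: iptables -S INPUT | python3 audit_stateful.py   (tty: uses the sample)
    dump = SAMPLE_INPUT_CHAIN if sys.stdin.isatty() else sys.stdin.read()
    gaps = [k for k, ok in audit_stateful(dump).items() if not ok]
    print("missing:", gaps or "none, chain is fully stateful")
```

A chain that reports all four safeguards rejects null/XMAS packets and unsolicited ACKs at the INVALID drop; custom rich rules or direct rules inserted above it are what the comment means by "breaking" the stateful setup.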
