I am upgrading to CentOS 7 and learning firewalld.
When I set up a new server, my default iptables config for best security was (I believe this is a pretty standard config):
# IPv4
iptables -F
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/service iptables save
iptables -L -v
# IPv6
ip6tables -F
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/service ip6tables save
ip6tables -L -v
This has now become:
firewall-cmd --set-default-zone=public
firewall-cmd --permanent --zone=public --add-service=ssh
firewall-cmd --permanent --zone public --remove-service dhcpv6-client
firewall-cmd --zone=public --change-interface=em1
firewall-cmd --reload
I believe this works, but it is less secure. I have the impression that using the BLOCK zone would be more appropriate, but IPv6 breaks due to ICMP. Any suggestions on what the best firewalld config would be to best reflect the old iptables rules? To keep this question generic, I'm interested in just allowing SSH, without breaking IPv6 and without allowing anything else.
Thanks!
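As an added example (not part of the original question), one way to express the old iptables policy as a single firewalld zone: a custom zone file with a DROP target that admits only ssh plus ICMPv6, saved as /etc/firewalld/zones/sshonly.xml. The zone name, file path and description are my assumptions; the example also assumes a firewalld release whose rich-rule language supports the protocol element, and relies on firewalld's base rules already accepting loopback and ESTABLISHED,RELATED traffic.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Assumed file: /etc/firewalld/zones/sshonly.xml (zone name = file name).
     target="DROP" mirrors "iptables -P INPUT DROP": anything not matched
     by a service, port or rich rule below is silently dropped, unlike the
     public zone's default target, which rejects with an ICMP error. -->
<zone target="DROP">
  <short>sshonly</short>
  <description>Inbound SSH only; IPv6 ICMP kept so neighbor discovery works.</description>

  <!-- Equivalent of "-A INPUT -p tcp --dport 22 -j ACCEPT". -->
  <service name="ssh"/>

  <!-- Equivalent of "ip6tables -A INPUT -p ipv6-icmp -j ACCEPT".
       A DROP target would otherwise discard ICMPv6, breaking neighbor
       discovery, router advertisements and path MTU discovery. -->
  <rule family="ipv6">
    <protocol value="ipv6-icmp"/>
    <accept/>
  </rule>

  <!-- Not listed: dhcpv6-client, so nothing else is open on either family.
       Loopback and ESTABLISHED,RELATED are accepted by firewalld's own
       base chains, so they need no entry here. -->
</zone>
```

After dropping the file in place, bind the interface with the same commands as in the question, substituting the new zone: firewall-cmd --reload, then firewall-cmd --permanent --zone=sshonly --change-interface=em1 and firewall-cmd --reload again; firewall-cmd --zone=sshonly --list-all should then show only the ssh service and the single rich rule.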