Docs/Security/Firewall

From Apertis

Apertis Firewall Policies & Documentation

Integration

The iptables package provides the tools to install filtering rules in the Netfilter framework. Upstream iptables does not integrate with systemd, but the Fedora packaging adds configuration files that install the filtering rules at startup. That Fedora packaging has been taken and adapted for Apertis.

Policies

A base rule blocks all incoming connections except:

  • port TCP 80
  • port UDP 1900 for UPnP
  • port UDP 5353 on multicast address 224.0.0.251 for mDNS

The configuration is static and defined in the configuration file /etc/sysconfig/iptables. To change it, edit this file in the Apertis iptables package. The configuration cannot be changed dynamically in response to applications' requests; if that need arises, FirewallD could be investigated.
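As an added example (not the contents of the Apertis iptables package), the policy above written in the iptables-save format that /etc/sysconfig/iptables uses. The loopback and ESTABLISHED,RELATED rules are assumptions not stated on this page; they are included because a default DROP policy on INPUT would otherwise also discard replies to the device's own outbound connections.

```text
# Constructed example of /etc/sysconfig/iptables for the policy described above.
*filter
# Default policy: drop everything incoming that no rule below accepts.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Assumption (not on this page): keep local traffic and replies to outbound connections working.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Port TCP 80.
-A INPUT -p tcp --dport 80 -j ACCEPT
# Port UDP 1900 for UPnP.
-A INPUT -p udp --dport 1900 -j ACCEPT
# Port UDP 5353 only on the mDNS multicast address 224.0.0.251.
-A INPUT -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
COMMIT
```

Because non-listed ports are dropped rather than rejected, nmap reports them as filtered while port 80 reports closed when nothing is listening on it; the file can be syntax-checked before installation with `iptables-restore --test < /etc/sysconfig/iptables`.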

Test cases

Testing

Disabling the firewall

To stop iptables and therefore allow all incoming connections, you can use the usual systemctl commands:

# # Remove iptables rules right now:
# systemctl stop iptables.service
# # Disable iptables for next boot:
# systemctl disable iptables.service

When the firewall is disabled, running nmap from outside should not show filtered ports:

# nmap -p 22,80,81,82 $IP
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp closed http
81/tcp closed hosts2-ns
82/tcp closed xfer

Enabling the firewall

To enable iptables again:

# # Install iptables rules right now:
# systemctl start iptables.service
# # Enable iptables for next boot:
# systemctl enable iptables.service

When the firewall is enabled, running nmap from outside should show the filtered ports:

# nmap -p 22,80,81,82 $IP
PORT   STATE    SERVICE
22/tcp filtered ssh
80/tcp closed   http
81/tcp filtered hosts2-ns
82/tcp filtered xfer

Checking the current status of the firewall

# systemctl status iptables.service
# iptables --list