new firewalld setup for trusted hosts

Hello, as 42.3 is reaching EOL, we started installing the first servers with 15.1 and were very astonished by the new firewall setup.

Our machines sit in a datacenter (server only) with only one interface with a static IP.
We need http, https and ssh open to external of course, no problem.

But then, machine A needs to allow access to postgres port 5432 for (from) machine B (replication slave) ONLY.
And machines A and B need to allow access to zabbix 10050 for (from) machine C ONLY.

So, a couple of questions there:

  1. Since there is no “Custom Rules” option in yast-firewall anymore, I can’t set this up in yast (only), right?

  2. How would I do this in firewalld conceptually? Delete the default zones except external and trusted, and somehow define zone “trusted” to be “source IP” A, B, C for the hosts?

  3. How would I actually do this? Edit the zone XML definitions somehow, as I read?
    (I realize this is RTFM, but I don’t know what FM to R yet :wink:)

  4. Does firewalld with the new yast-firewall make sense at all in this setup?
    Or is another approach (ufw, firewall-builder, you-tell-me …) better suited for the server-in-datacenter situation?
    (Not too keen on using iptables directly, though.)

many thanks and all the best
Tom.

Yes, that was brought in with Leap 15.0, and mentioned in the release notes at the time…

Anyway, it does present a learning curve, and the documentation is here

  1. Since there is no “Custom Rules” option in yast-firewall anymore, I can’t set this up in yast (only), right?

Yes, that’s correct, however you can configure via the CLI (firewall-cmd) or the graphical interface (firewall-config).

But then, machine A needs to allow access to postgres port 5432 for (from) machine B (replication slave) ONLY.
And machines A and B need to allow access to zabbix 10050 for (from) machine C ONLY.

Rich rules are your friend here. Assuming all hosts have a single interface assigned to the public zone (the default), on host A add a rich rule like this (with host B’s IP address)…

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="x.x.x.x/32" port protocol="tcp" port="5432" accept'

Host A and B need to allow traffic from host C on port 10050…

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="y.y.y.y/32" port protocol="tcp" port="10050" accept'

Once applied on the respective hosts, reload the firewall for the new configuration to take effect…

firewall-cmd --reload

Rich rules info:

https://codingbee.net/rhce/rhce-firewalld-understanding-rich-rules

Runtime vs permanent configuration:

Think of zones as broad configuration categories that can be chosen to suit before further firewall tuning as required…

https://firewalld.org/documentation/zone/
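Putting the answer above together into one script, as an added example that is not from the thread or from the firewalld project: it generates, and on request applies, the per-host firewalld configuration for the three roles (public services for everyone, 5432 on A only from B, 10050 on A and B only from C, then a reload and a check of what is actually active). The 192.0.2.x addresses, the role letters A/B/C, the zone name "public" and the IPv4-only assumption are placeholders of mine, not anything the poster stated.

```shell
#!/bin/sh
# Added example, not from the thread or from firewalld itself.
# Assumptions (mine): the addresses below are RFC 5737 placeholders, every host
# has exactly one interface in the "public" zone, and only IPv4 is in use.
#
# By default this is a dry run that prints the firewall-cmd invocations for
# review (arguments are shown unquoted, so treat the output as informational).
# Set FIREWALL_CMD=firewall-cmd and run as root to apply them for real.

HOST_A=${HOST_A:-192.0.2.10}     # postgres primary (placeholder)
HOST_B=${HOST_B:-192.0.2.11}     # replication slave (placeholder)
HOST_C=${HOST_C:-192.0.2.12}     # zabbix server (placeholder)
ZONE=${ZONE:-public}
FIREWALL_CMD=${FIREWALL_CMD:-echo firewall-cmd}

# rich_rule SOURCE PORT: accept TCP traffic to PORT from the single host SOURCE.
# The explicit /32 keeps the rule readable in --list-rich-rules output.
rich_rule() {
    printf 'rule family="ipv4" source address="%s/32" port port="%s" protocol="tcp" accept\n' "$1" "$2"
}

# rules_for_host ROLE: print, one per line, the rich rules a host needs.
#   A: 5432 only from B, 10050 only from C
#   B: 10050 only from C
#   C: nothing beyond the public services
rules_for_host() {
    case "$1" in
        A) rich_rule "$HOST_B" 5432
           rich_rule "$HOST_C" 10050 ;;
        B) rich_rule "$HOST_C" 10050 ;;
        C) ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# apply_host_rules ROLE: public services first, then the host-specific rich
# rules, then a reload so the permanent configuration becomes the runtime one.
apply_host_rules() {
    role=$1
    rules=$(rules_for_host "$role") || return 1
    for svc in ssh http https; do
        $FIREWALL_CMD --permanent --zone="$ZONE" --add-service="$svc"
    done
    # Anything added with --permanent is inert until --reload (or a reboot);
    # conversely, a rule added without --permanent vanishes on the next reload.
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        $FIREWALL_CMD --permanent --zone="$ZONE" --add-rich-rule="$rule"
    done
    $FIREWALL_CMD --reload
    # Verify what is active now, not just what is in the zone XML.
    $FIREWALL_CMD --zone="$ZONE" --list-rich-rules
}

# Usage:  ./fw-roles.sh A                              (dry run)
#         FIREWALL_CMD=firewall-cmd ./fw-roles.sh A    (apply, as root)
if [ $# -gt 0 ]; then
    apply_host_rules "$1"
fi
```

The rules are generated by a function rather than typed per host so that the same file can be reviewed in dry-run mode on a workstation and then applied unchanged on each server; the final --list-rich-rules is the check that the reload actually took.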

many thanks already!

If all I’ll ever use is one zone, “external” (or public), I’d rather delete the other ones from the config, so as to avoid mistakes.
But it seems that is not so easy?

While searching for that I found an article that uses the approach I initially meant: define a dedicated zone for the trusted servers only:
https://www.ctrl.blog/entry/how-to-firewalld-zone-by-ip.html

What would you say to this approach?

it’s just another means to the same end really… either approach will work.
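For comparison, the dedicated-zone approach from the linked article applied to the same three hosts, as an added example that is not from the thread, the article or the firewalld project: instead of rich rules in "public", each trusted peer set gets its own zone keyed on source address. The zone names "pg-peers" and "zbx-peers", the 192.0.2.x addresses and the IPv4-only assumption are mine. The script prints the firewall-cmd argument lines rather than running them, so they can be reviewed and then fed to firewall-cmd with xargs.

```shell
#!/bin/sh
# Added example, not from the thread or from firewalld itself.
# Assumptions (mine): RFC 5737 placeholder addresses, IPv4 only, each host's
# single interface sits in "public" for everything not covered here.

HOST_B=${HOST_B:-192.0.2.11}     # replication slave (placeholder)
HOST_C=${HOST_C:-192.0.2.12}     # zabbix server (placeholder)

# peer_zone ZONE PORT SOURCE...: print the permanent firewall-cmd argument
# lines that create ZONE, bind each SOURCE to it and open TCP PORT in it.
#
# Caveat: firewalld assigns a packet to a zone by source address before it
# looks at the interface, so once B is a source of "pg-peers" ALL of B's
# traffic lands in that zone and the public zone's services no longer apply
# to it. A new zone's default target rejects everything not listed, which is
# what we want for 5432, but it also means any service B still needs (ssh for
# the admins, say) must be added to the peer zone too or B is locked out.
peer_zone() {
    zone=$1; port=$2; shift 2
    # --new-zone is permanent-only and fails if the zone already exists, so a
    # re-run of this script will stop here; that is the safer failure mode.
    printf '%s\n' "--permanent --new-zone=$zone"
    for src in "$@"; do
        printf '%s\n' "--permanent --zone=$zone --add-source=$src/32"
    done
    printf '%s\n' "--permanent --zone=$zone --add-port=$port/tcp"
    printf '%s\n' "--permanent --zone=$zone --add-service=ssh"
}

# host_zones ROLE: the peer zones a host needs.
#   A: B may reach 5432, C may reach 10050
#   B: C may reach 10050
#   C: none (it only initiates connections)
host_zones() {
    case "$1" in
        A) peer_zone pg-peers 5432 "$HOST_B"
           peer_zone zbx-peers 10050 "$HOST_C" ;;
        B) peer_zone zbx-peers 10050 "$HOST_C" ;;
        C) ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Usage (review first, then apply as root and reload so the zones go live):
#   ./fw-zones.sh A
#   ./fw-zones.sh A | xargs -L 1 firewall-cmd && firewall-cmd --reload
#   firewall-cmd --get-active-zones      # pg-peers/zbx-peers with their sources
if [ $# -gt 0 ]; then
    host_zones "$1"
fi
```

Whether this or the rich-rule form is preferable comes down to how many hosts end up in each peer set: a zone with a source list reads better once there are several replicas or monitoring servers, while a single rich rule in "public" is less to get wrong for one-off pairs and does not change which zone the peer's other traffic falls into.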

many thanks for your efforts!
we discussed this through and realized that all we really need is the “custom rules” that yast-firewall no longer provides.

so we uninstalled firewalld and yast-firewall, and installed ufw

using firewall-cmd adds complexity to the configuration command syntax over ufw, without any benefit that we could see for our use case.

Glad that you’ve found a firewall solution that works for you. Firewalld isn’t hard to use though IMO.