Firewalld Management On A Headless Server


Is there an Apache tool to manage firewalld on a headless server?

I am looking forward to my next CentOS project which is to replace my Juniper SSG5 firewall…

And along that line, what overlap, if any between firewalld and Suricata?

thank you

21 thoughts on - Firewalld Management On A Headless Server

  • I recently converted my employer’s firewall from pure iptables to firewalld and looked for something similar, more along the lines of webmin, etc. I didn’t find anything close to a match. In the end, it all came down to getting comfortable with “firewall-cmd” in the shell.

    Haven’t used suricata, so nothing to add there.

  • I have been digging and found that Fedora includes Cockpit, but I don’t know all it supports. Probably should ask over on Fedora list…

  • I don’t think it’s going to give you a web-based firewall configuration tool. It does allow you to control/configure networking hardware and devices via NetworkManager, but I don’t believe it goes further than that for networking. Ironically, it does provide an ssh-like session terminal where you can get directly logged in and use firewall-cmd. :-)
    http://cockpit-project.org/guide/latest/feature-terminal.html

  • Hi,

    funny, my webmin installation on a banana-pi has webmin 1.831, which has support for firewalld.

    I am not sure, but I believe I got it directly from http://www.webmin.com.

    best regards

  • Nice catch, Mr. Schumacher —> The following modules are included as standard with release 1.831 of Webmin. FirewallD firewalld.wbm.gz Configure a Linux firewall using FirewallD, by editing allowed services and ports.

    This is likely the right tool for the job.

  • yum (CentOS/RedHat/Fedora)

    By adding the Webmin repository and Jamie Cameron’s key, it is possible to install & maintain the latest Webmin/Usermin versions.

    The following will install the latest Webmin version by adding the webmin-repo and corresponding GPG key. Yum will resolve all the necessary dependencies.

    Just Cut&Paste the entire text below and hit enter/return:

    # write the Webmin repo definition (with GPG verification enabled), then install webmin
    (echo "[Webmin]
    name=Webmin Distribution Neutral
    baseurl=http://download.webmin.com/download/yum
    enabled=1
    gpgcheck=1
    gpgkey=http://www.webmin.com/jcameron-key.asc" >/etc/yum.repos.d/webmin.repo;
    yum -y install webmin)

  • Mike wrote:
    Webmin used to be considered insecure, and people would scream and yell if you suggested using it. Has that changed?

    mark

  • Firewall/router system I use is pfSense:

    https://pfsense.org/

    It has nice web interface for configuration of everything, based on FreeBSD (very slim, lightweight, small footprint). Has a lot what you may want to have in router box, including VPN,… If OP is not married to what he currently uses I would recommend to try pfSense.

    Good luck!

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Or just buy a dedicated router/firewall box. The Ubiquiti EdgeRouter Lite 3 is a true gigabit router/firewall that runs iptables and has a very nice web interface, all for under $100. Also highly recommended.

  • Webmin used to be considered insecure, and people would scream and yell if you suggested using it. Has that changed?

    mark

    Ahh, I did not know of this. Well, I’m back to suggesting OP take a little time and get comfortable with firewall-cmd in the terminal. If we want our solid redhat clone then systemd, NetworkManager, and firewalld are soldered into the foreseeable future.

  • I am a bit familiar with firewall-cmd, but need to learn more. But I am looking out to other functions and management. I am looking at multi-function devices and such. So I would like something beyond cli for the interface.

    Wild thought. a php-firewall package with the policy in MariaDB :)

    Then I can tie it into RESTCONF and I2NSF. Got to talk to some people here at IETF tomorrow…

    But I will look again at webmin. Used to use it a lot.

  • That reminded me about Smoothwall I used to use a few years back. Wasn’t pfsense related to Smoothwall, maybe even a fork?

  • Webmin is as insecure as the administrator cares to make it.

    Our host systems’ Webmin instances listen on a reserved IP address different from the host’s DNS entry and that address is only reachable through the host’s firewall from specified IP addresses originating on our internal LAN. Further, Webmin is configured to automatically switch to https and use a certificate generated by our corporate private CA. Our gateway firewall blocks all access to the port assigned to Webmin. One has to tunnel in to one of the pre-determined host addresses to obtain remote access.

    A separate webmin logon is set in the webmin configuration which has no existence on the host system.

    Webmin can also be configured to restrict the hours and days that access is allowed to specific users but we have not bothered with that.

    The main known weakness is Webmin’s dependency on passwords which for all I know is due to my ignorance. If Webmin does support RSA certificate authentication then I would love to be told where it is configured. However, failing that, very long pass phrases mitigate the password issue somewhat. Further, Webmin does support two-factor authentication using Google or Authy.

    To my knowledge there are no CVEs reported for Webmin since 2015 and I believe that all known problems are resolved in the present release. Which is not to say that there are no exploits left to be uncovered but then again we can hardly claim that about any software.
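    The restriction James describes (Webmin reachable only from specified internal addresses, enforced by the host’s firewall) done with the firewall-cmd that the first reply recommends, as an added example that is not code from any poster in this thread. It assumes Webmin on TCP 10000 (Webmin’s default port), an internal management network of 192.168.10.0/24 and a zone named “mgmt”; the network and zone name are assumptions to be adjusted per site, and with DRY_RUN=1 (the default) the firewall-cmd calls are printed rather than executed.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.
# Restricts a management service (Webmin, assumed on TCP 10000) to an internal
# network using a dedicated firewalld zone bound to a source address range.
# Assumptions: MGMT_NET and MGMT_ZONE are placeholders for your own site.
# DRY_RUN=1 (default) prints the firewall-cmd calls instead of executing them.

: "${DRY_RUN:=1}"
MGMT_PORT="10000/tcp"
MGMT_NET="192.168.10.0/24"
MGMT_ZONE="mgmt"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# Create a zone whose membership is decided by source address: packets from
# MGMT_NET are evaluated in this zone before falling back to the interface's
# zone, so the port is reachable from MGMT_NET and nowhere else.
lock_down_mgmt_port() {
    run --permanent --new-zone="$MGMT_ZONE"
    run --permanent --zone="$MGMT_ZONE" --add-source="$MGMT_NET"
    run --permanent --zone="$MGMT_ZONE" --add-port="$MGMT_PORT"
    # The port must not also be open in the default zone, or the restriction is moot.
    run --permanent --zone=public --remove-port="$MGMT_PORT"
    run --reload
}

# Audit helper: given the output of "firewall-cmd --zone=public --list-ports"
# (a space-separated list such as "22/tcp 10000/tcp"), return 0 when the
# management port is NOT exposed there and 1 when it is.
port_absent_from_list() {
    list="$1"
    for p in $list; do
        [ "$p" = "$MGMT_PORT" ] && return 1
    done
    return 0
}

# Constructed sample output, standing in for the live command on a real host.
SAMPLE_PUBLIC_PORTS="22/tcp 80/tcp 10000/tcp"
if port_absent_from_list "$SAMPLE_PUBLIC_PORTS"; then
    echo "public zone does not expose $MGMT_PORT"
else
    echo "WARNING: public zone exposes $MGMT_PORT; applying lock_down_mgmt_port"
fi

lock_down_mgmt_port
```

    On a live host, feed `port_absent_from_list "$(firewall-cmd --zone=public --list-ports)"` to the audit check and run with DRY_RUN=0 once the printed commands look right; the zone approach is preferred over opening the port globally because firewalld then never has a state in which the port is reachable from the default zone.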

  • James B. Byrne wrote:
    Which is not to say that there are no exploits left to be uncovered but then again we can hardly claim that about any software.

    Thanks for the extended response, James, esp. that last paragraph. I hadn’t been following webmin for a number of years – we don’t use it here. I did find and use it in a job I was in ten years ago – it was the only way I could get LDAP working, as, at the time, the tools that came with the package were *not* ready for prime time….

    mark

    PS: Tried reply, James, but it bounced.

  • That’s what Leon said, shorewall is an iptables abstraction, and iptables is a command that manipulates netfilter.

    FirewallD is similar in that it abstracts and simplifies using netfilter without using the iptables command. It has a GUI that can be used remotely, but it is not web based as requested. Fedora’s CoPilot probably has a module for it, but I don’t know that it can be used with a CentOS based server. Webmin likely has a module for it by now.

    /mark