CentOS 7 – Firewall Always Allows Outgoing Packets?

Home » CentOS » CentOS 7 – Firewall Always Allows Outgoing Packets?
CentOS 38 Comments

Hello all:

I am looking at the documentation of the new firewalld service in CentOS 7. It looks like no matter what I configure with it, outgoing connections are still going to be allowed. That does not seem very secure.

I always set my servers to default policy of DROP for everything incoming and outgoing and then add rules to allow very specific traffic through.

Is this possible using the new firewalld service or should I disable it and go back to using iptables?

Thanks,
Neil

38 thoughts on - CentOS 7 – Firewall Always Allows Outgoing Packets?

  • Earl:

    7.

    ml/Security_Guide/sec-Using_Firewalls.html

    That is the document I read when I referred to reading the documentation on the firewalld service.

    Neil

  • I thought we were supposed to be moving forward, *shakeshead*, not being able to block all outbound traffic except for what you have called out seems really short sighted and moving us in the wrong direction. With all that is going on today I don’t need things to be
    *less* secure, geez.

  • Tom:

    That is my thought exactly. This is a step backwards.

    I guess I will disable firewalld and go back to iptables.

    Thanks,
    Neil

  • Systemd, firewalld… Linux from what formerly was “UNIX-like” becomes “MS
    Windows-like”. This is what you will hear from everybody fleeing Linux (I
    for one started gradually moving servers to FreeBSD a while back).

    BTW, original poster is doing extremely correct security wise thing:
    enumerates good, and prohibits everything else. To the contrary to logically flawed “Windows antivirus” approach which is attempting to
    “enumerate bad”. I mean general approach, the philosophy, it doesn’t matter that I exemplify it here with “apples” and there with “oranges”.

    Thanks. Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • In my way of thinking I am always wary of “being taken care of”, especially when it comes to internet security!

    I like your philosophy of deny everything and selectively allow what YOU want.

    My $.02

  • Snap ! (meaning in colloquial English, I agree exactly).

    I read someone’s supplied link to Red Hat’s firewalld documentation. As I looked at the confusing collection of zones I instantly remembered all the problems I had with Windoze especially trying to understand the logic of Windoze’s own firewall/Internet zones. I hated and despised that crap and used a superior third-party firewall instead.

    I am a heavily reliant user of IP Tables. I would not like to lose it. Yet someone at Red Hat decided in C7 it would be replaced by a M$
    lookalike product. OK, one may remove it and install IPT. Exactly which users demand IPT’s replacement by firewalld (Microsoft, Inc. ?)

    Firewalld is so much like the confusing and time-wasting M$ crap, fit only for brain dead morons, instead of those with functioning brains. The Windoze reminiscence was a very unpleasant feeling.

    I fled the M$ crap and found a delightful refuge in CentOS. The difference from Windows was inspiring and liberating. It was truly wonderful, and still is on C5 and C6. I wished I had abandoned Windoze
    20 years earlier.

    If Red Hat want to sell the company to Micro$oft or gradually replace excellence with M$-style crap, I sadly would go elsewhere, probably to OpenBSD.

    What is the point in gaining good Linux skills, if the Red Hat family is going to emulate M$ crap? Sorry, I absolutely loath Windoze.

  • While the lack of outbound rules is a rather big missing feature, I don’t consider ‘firewalld’ a step back. Just like systemd, firewalld lets you break up rules into small chunks, scoped to a particular service or zone, which makes it easier to include a firewall rule in your RPM package or Configuration Management-managed service. Right now, I jump through a bunch of hoops in my CM environment to manage a monolithic /etc/sysconfig/iptables file on our 6.5-based servers and workstations, and I’m looking forward to using firewalld in 7.x.

    I really don’t see how this is *more* like Windows behavior. To me, it feels like a step in the right direction. And it’s not like CentOS7 disables the ability to use iptables, or makes it incredibly difficult to switch.

  • You and 4 other guys are moving things from Linux to FreeBSD.

    The rest of the world is moving things from UNIX and Windows to Linux.

    CentOS-7 rebuild RHEL sources and most all of the “important” Enterprise Linux things are moving to RHEL.

    RHEL runs the stock exchanges, the banks, etc.

    Free BSD is fine and people can use it if they like … but if you want real Enterprise grade software, it needs to be RHEL based, that is just the way it is.

    Keep in mind that EL 7.0 is a ‘dot zero release’ and some of the features need work. It works for the majority of use cases, but some features will need to be enhanced, and Red Hat will enhance it. When they do, we will build the source code and it will be in CentOS.

  • I hear you Johnny, I’m a big RH fan, but there is several things that they have shifted to in RHEL 7 that just chafes a little.

    I am dual hat guy, network and IS and when iptables with firewalld, at a minimum I would like the ability to be able to accomplish the same things I accomplished with iptables. I read about firewalld the pros and cons and I understand the shift and reason.

    But I do have heartburn when they call something a “firewall” and you cannot drop all the packets. It’s not like they didn’t know about it since I read about it in fedora and it’s not clear if it will be addressed. There are lots of use cases where I want to control all of the packets coming and going from a box, I see this becoming more so moving forward.

    Hopefully this will be addressed in a future release, trying to figure out where I can go to now and keep up to date with the latest firewalld info, just to stay clued in.

  • You only spotted 4 _last_ guys running away to UNIX. The rest fled quite a while ago. Some 7 years ago the guy looking for new system to move his servers from Linux to called Linux “Lindoze”. Don’t explode on me, I held myself for several posts and didn’t repeat that. But he was so much cleverer than I am: already then he realized Linux is becoming “MS
    Windows-like” system.

    Again, I have to repeat: I was happy with Linux for over decade and a half. However, the changes are such that at least my server are moving
    (some of them have moved already) away from Linux.

    It takes quite a self confidence to say “the whole world is doing…” and then describe one’s own opinion. Well, part of the World is doing good thing: the ones who move away from Windows. Moving from UNIX… I better hold my opinion about this.

    Linux things are moving to RHEL.

    Which of the banks and stock exchanges are you working for? Never mind. You may be quite right as some on them which for long time used M$, are likely moving away, and Linux is definitely much better choice that M$, and easier step than from M$ to, say, FreeBSD…

    real Enterprise grade software, it needs to be RHEL based, that is just the way it is.

    This may be about the definition of what one calls “Enterprise” system.

    1. The system that runs securely for multiple Months without need for reboot, without kernel Oopses… Even if you need some effort to install and configure what you need, and have be somewhat careful in choice of hardware, but then you get ultimately reliable box. I may be off canonical definition, but this would be my choice of servers I run for the Departments I support.

    2. The system that is nice replacement of M$ system, easy to install, which runs millions of names of great software – without need to put much effort in building or God forbid porting to your system. And even though I
    do not call this “Enterprise” and do not prefer this for servers, I do prefer this system for workstations for my users. That is why I’m still on this mail list. Still maintaining public CentOS Linux and Ubuntu mirrors
    (and will add Debian mirror as another sysadmin who was maintaining Debian mirror left our University). So, this is why you still can hear me as one of the 4 fleeing [servers] from Linux.

    features need work. It works for the majority of use cases, but some features will need to be enhanced, and Red Hat will enhance it. When they do, we will build the source code and it will be in CentOS.

    And it looks like finally I start realizing that if I take what you said almost literally, you may be right. What I mean is: I’m sysadmin working for a couple of hundreds of scientists. I chose UNIX for servers. One person. My users – scientists – would chose Linux for their goals (they mostly choose MacOS actually for their laptops…). 200 people. (They fled M$ over 10 years ago…) In this statistics 200:1 you are right. Right?

    In any case the “Enterprise” definition may be different depending on what you do: run the server for 200+ users or the server for 3 users (yourself, you spouse and a good friend next door). Sorry, I used hyperbole here, do not take it literally ;-)

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • I wasn’t aware that this was a forum for whining that upstream’s vision of a system didn’t match one’s own. You stated your dislike of firewalld. Enough said. To go on trashing the OS wholesale is just juvenile. I
    designed an infrastructure of 2500 servers that are all CentOS 6 and they are managed by only 3 people. This is a decent OS for medium to large scale rollouts, per my experience.

    I am trying to schedule time to begin evaluation of CentOS 7, (which will not be rolled out for at least a year) and if I decide that firewalld does not suit our purposes, then I will continue to use iptables. If I decide that firewalld does not provide any additional features, I will probably also continue to use iptables just to save some engineering time. Either way, my use of it is my own (and my company’s) and no own should have to listen to me whine about it over and over. Pick whatever OS you want. You have that freedom.

  • While I am also disappointed with firewalld I think the whole situation is not as terrible as people claim it is after all you can easily go back to iptables as it was in CentOS 6:

    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Using_iptables

    It’s strange that people threaten to go FreeBSD simply because the defaults are not to their liking. Not exactly a rational way to look at things.

    Regards,
    Dennis

  • Stating one’s dread of having imposed as a standard, a firewall that can not control outgoing packets and has dumbed-down Micro$oft-like ‘zones’
    and the possible future removal of IP Tables from the very much admired CentOS version of RHEL, is probably a desperate call for sanity to prevail at Red Hat.

    The imposition of what appears to many of unfinished software rather than a genuine finished improvement does suggests faulty reasoning upstream. Upstream’s people take more notice of this list since the Red Hat ‘take-over’ / ‘intervention’ / ‘involvement’ in CentOS. The ordinary CentOS fan has little ability to reach any of the decision makers at Red Hat. This list is probably the easiest and best method.

    It is better if one articulates one’s concerns on here rather than ignoring what appear to be fundamental mistakes in the composition of much appreciated software.

    We care because we genuinely like CentOS.

  • Leider nicht.

    1. firewalld is not a full firewall – at best it is half-finished but released into the world as a genuine firewall.

    2. All of us, including potential and actual defectors to *BSD’s, welcome good products. We like and appreciate IP Tables. To replace good solid working software with a half-finished (and confusing) substitute is not progress, not advancement and not an improvement. Some might think it is not a good idea.

    Please respect the fact that we really do like, appreciate and enjoy CentOS. Hence our desire that it is not degraded or Lindozed
    (dumbed-down).

  • ‘FirewallD’ doesn’t replace ‘iptables’ except in the sense of activated system services, not the core firewall functionality. FirewallD just builds and modifies iptables rules. If anything, FirewallD might make it easier to migrate to nftables (a potential replacement for iptables) when that becomes mature[1]. But that’s nowhere on the radar right now.

    If you don’t like FirewallD, don’t use it. It’s just a tool to make managing your firewall easier, and allowing the OS and user to dynamically load rules depending on certain logic. It replaces the monolithic /etc/sysconfig/iptables file and the ‘iptables’ systemd unit. No one is talking about removing the core netfilter technology behind ‘iptables’.

    Just reading this thread makes me wonder if people criticizing FirewallD actually even tried it or even read the documentation!

    1.) http://netfilter.org/projects/nftables/

  • Thank you Jonathan for injecting a little sanity. What I was reading just wasn’t making sense to me.

    I have not even started to digest 7. What is the proper method of getting back to an industrial strength firewall under 7? Does one disable FirewallD and install iptables or does iptables install on top of FirewallD? You are making it sound like FirewallD can act as a management tool for iptables.

  • OMG if it’s that important I will, I will!

    What’s your malfunction? How about gathering information and knowledge before starting a major upgrade?

  • I just love using sv ipt … (my abbreviations for service iptables). Not keen on another ‘service’ duplicating my manual and automated efforts.

    Why do I need more complexity together with more learning time and more effort and conversion of existing rules ? IP Tables works fine. Absolutely no complaints.

    Think I would prefer to use the nftables without a Lindoze wrapper.

  • Do you run virtual machines on any of your systems? The required dynamic rules are the primary use case it solves very well. It also works as a desktop firewall somewhat less ideally. Since it has an API, it may someday be a full-featured dynamic server firewall. But, otherwise, it’s probably not what you want for anything complicated — and mostly harmless for anything simple.

  • it could be argued that restrictive selinux rules are a better
    ‘outbound’ firewall than anything port based.

  • I think all the various folk that have learned to manage iptables have forgotten the pain and arcane syntax and gotchas that trap you when you first start. So now you have your favourite script that “just works” and you do not want to change.

    Fine, that is an option available to you – take the option and move on. For others, those new to Linux, and many that use things like webmin the new firewalld may be an adequate solution. Sure it feels a little windoze like, but please give it a rest.

    For better or otherwise the CentOS upstream provider has made a change and thus that is the new world for any that want CentOS-7. It is a done deal, perfect? unlikely, I for one have seldom needed or put in place an outgoing firewall, in fact cannot recall ever needing to. I have set up dozens of servers on multiple continents and always have an incoming firewall in place, along with selinux enforcing (since CentOS-6).

    Will shortly start installing CentOS-7, thus far, only done live boot of gnome and kde disks to have a look, and look forward to seeing how it plays.

    Would appreciate more constructive posts on the list – please

  • I have now been alerted by two list members to the behavior of the individual involved. I will not allow myself to be baited again.

    I apologize to everyone for the off-topic, off-subject posting. We return you to our regular programming.

    Kirk

  • Looking at the documentation closer, there does appear to be a way to add rules to the OUTPUT table, using the rich rules syntax.

    Red Hat documents it in this KB, that is only open to subscribers:
    https://access.redhat.com/solutions/1121463

    Here’s basically how it’s done:

    # firewall-cmd –permanent –direct –add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp –dport

  • Am 2014-08-08 23:55, schrieb Neil Aggarwal:

    Those with a RHEL subscription can find a Red Hat knowledge base articel under

    https://access.redhat.com/solutions/1121463

    about the question “How to filter outbound or outgoing network traffic in RHEL7?”

    It pretty much explains how to achieve outbound filtering using FirewallD.

    Alexander

  • Most likely, just adding the rich rule with the DROP in it will make the OUTPUT rule drop by default. I haven’t tested it.

  • Wonderful!

    Can you do with firewalld an equivalent of the following done with iptables:

    :SSHSCAN – [0:0]
    -A INPUT -p tcp –dport 22 -m state –state NEW -j SSHSCAN
    -A SSHSCAN -m recent –set –name SSH
    -A SSHSCAN -m recent –update –seconds 300 –hitcount 10 –name SSH -j DROP
    -A INPUT -p tcp –dport 22 -j ACCEPT

    I use it for years (lifted from some cleverer than I person of the internet). This effectively thwarts brute force password attacks from the network. It allows only 10 _new_ connection within 5 min window. Of course, it counts all successful and unsuccessful connections (with sshguard on FreeBSD I do better: only react on unsuccessful connections), but it still does pretty good job.

    I guess, we all have accumulated some set of nice tools, and we don’t like to just throw them away – in exchange for what? Long ago I learned a rule
    (what users will expect from a good sysadmin): do not make any changes unless they are absolutely necessary. I find myself expecting the same from system vendor, or at least an understanding why this or that change is necessary. So far I don’t see any reasons other than giving an ability to administer the system to every computer user without special knowledge… Which is pretty good, we need free (and much better!)
    alternatives to M$ Windows. As far as our demands for servers are concerned: they can be fulfilled by other alternatives (FreeBSD being one of them).

    Thanks again for education us in how we can do what we need using firewalld!

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • The English (non-American) version is

    “If it ain’t broke, don’t fix it.”

    So, to use in C7’s firewalld (some of, because it is doubtful all exists) the functionality of IP Tables, one must first convert one’s adequately expressed IP Tables wishes into a pseudo language which then changes the longer and more convoluted firewalld ‘instruction’ back into normal IP Tables syntax ?

    Some may innocently believe this is wonderful for Red Hat’s eventual Lindoze Linux but how is this making life easier for computer-knowledgeable people ? Is it genuinely sensible ?

  • I have blocked his normal and private email addresses on every incoming MTA. Details available.

  • Yes, I believe that’s possible with the ‘firewall-cmd –direct
    –addchain …’ and ‘firewall-cmd –direct –add-rule …’ syntax:

    # firewall-cmd –permanent –direct –add-chain ipv4 filter SSHSCAN
    success
    # firewall-cmd –permanent –direct –add-rule ipv4 filter IN_public_allow -p tcp –dport 22 -m state –state NEW -j SSHSCAN
    success
    # firewall-cmd –permanent –direct –add-rule ipv4 filter IN_public_allow 0 -p tcp –dport 22 -m state –state NEW -j SSHSCAN
    success
    # firewall-cmd –permanent –direct –add-rule ipv4 filter SSHSCAN 0 -m recent –set –name SSH
    success
    # firewall-cmd –permanent –direct –add-rule ipv4 filter SSHSCAN 1 -m recent –update –seconds 300 –hitcount 10 –name SSH -j DROP
    success
    # firewall-cmd –permanent –direct –add-rule ipv4 filter IN_public_allow 1 -p tcp –dport 22 -j ACCEPT
    success

    This has the handy side-effect of being able to just drop this in
    /etc/firewalld/direct.xml:

    # cat /etc/firewalld/direct.xml



    -p tcp –dport 22 -m state –state NEW -j SSHSCAN
    -p tcp –dport 22 -j ACCEPT
    -m recent –set –name SSH
    -m recent –update –seconds 300 –hitcount 10 –name SSH -j DROP

    You could also make sure that it’s added to other zones other than
    ‘public’ (by using something other than IN_public_allow).

    This is a *great* example of why firewalld wins over the old monolithic /etc/sysconfig/iptables. It’s just a file I can manage with my CM tools. Changes to other firewall rules (such as allowing in port 80 for web servers) doesn’t rewrite editing this file.

  • Great, thanks!

    It looks like I will survive even if they drop “iptables-service” in some future to come. Just for my understanding which of the following is incorrect:

    1. firewalld is a front end to the iptables kernel module (pretty much as
    “iptables-service” is)
    2. therefore the rules syntax is pretty much the same (well, is pretty close), only in config file(s) all is wrapped into xml (to please GUI
    front end used by GUI people).
    3. in the past we had both kernel module and front end written by the same team of programmers (iptables), from now on we are using front end by one team of programmers for kernel module written by another team.

    Thanks for all your help in understanding where do we stand now!

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Jonathan Billings wrote:

    I’m a bit surprised no-one has mentioned shorewall. I’m using it on two tiny home servers, one under CentOS-6 and the other CentOS-7. Basically, this is because I don’t understand iptables, or really want to understand it. Is firewalld a reasonable alternative in CentOS-6?

    I often wonder if I am in a small minority of CentOS users, who are just running home servers of some kind. Most of the posters to this mailing list seem to be in charge of systems with hundreds if not thousands of users.

  • Am 13.08.2014 um 15:16 schrieb Timothy Murphy:

    here, too, I’m using shorewall, because with the semantics in the config files, I can easily express what I want. It makes it easy to create very complex setups without knowing anything of iptables (although it helps to know about it). Moreover, the superb help of Tom Eastep and others in the support mailing list makes shorewall the firewall of my choice. Hence, the first thing I disable on a fresh CentOS install: firewall and sh**

    welcome to the club ;)

    Regards Michael

  • In my understanding, _you_ are in the majority of CentOS users. It also looks like upstream system (RHEL) vendor composes system more suitable for users like you. This is why there are many posts from admins working for larger number of users have so heated discussion, as some of them feel this new philosophy [we see in RHEL 7] is less suitable for large servers. To summarize: in my evaluation this new incarnation of system will be well suited for you, even better than previous versions, and I really recommend you to keep using CentOS 7 and follow RedHat manual for RHEL 7 – someone gave URL on this list – you quite likely will find it extremely helpful and easy to digest.

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • I run 6 servers currently (4 running CentOS-5 and 2 running CentOS-6)
    plus a laptop and a workstation running CentOS-6. Still to take the plunge into CentOS-7. My operating space is small business situations wanting low touch, high up time and reliability. Also a high aversion to being sold expensive software that in no way out-performs FOSS for all the basic tasks a small business needs to survive. Thus you are not alone and probably not that small a minority.