Master how firewalls work, and how to set one up to improve Linux security

Everyone has heard of firewalls (if only in the context of a cybercrime movie), and many know that they are probably running firewalls on their computers, but few understand how to harness them if necessary.

Firewalls are used to block unsolicited network traffic, but different networks require different levels of security. For example, you can trust the other computers and devices on your network more when you’re at home than when you’re on public WiFi in a cafe. You might want your computer to be able to tell the difference between trustworthy and untrustworthy networks, but it’s best to learn to manage (or at least verify) your security settings yourself.

How the firewall works

Communication between different devices on a network is achieved through a gateway called a port. I’m not referring to physical connections like USB ports or HDMI ports. In networking terms, a port is a purely virtual concept that represents the path certain types of data take to and from a computer. They could have been called “connections” or “gateways,” but they were named ports in 1981, and they’re still called ports. There’s nothing special about a port; it is just a way of referring to an address where data might be transferred.

In 1972, a list of port numbers was published (ports were then called “sockets”), and it has since evolved into a well-known set of standard port numbers that help manage certain types of network traffic. For example, you use ports 80 and 443 every day when you visit a website, because most people on the Internet agree (or default) that a web server transfers data through these two ports. To verify this, you can add a nonstandard port number to the URL when visiting a site in your browser. For example, a request to example.com:42 is rejected because example.com does not serve the site on port 42.

Navigating to a nonstandard port produces an error

If you’re accessing the same site through port 80, it’s (unsurprisingly) working. You can specify port 80 by adding :80 to the URL, but since port 80 is the standard port for HTTP access, your browser already uses port 80 by default.

When a computer, such as a web server, is prepared to receive network traffic on a designated port, keeping that port open to network traffic is acceptable (and necessary) behavior. Ports that do not need to receive traffic, however, are a liability if they are left open. That is the problem firewalls solve.

Install firewalld

There are many ways to configure a firewall; this article introduces firewalld. It is integrated with Network Manager on the desktop and with firewall-cmd in the terminal. Many Linux distributions come preloaded with these tools. If your distribution doesn’t have them, you can take this article as general advice for managing firewalls and apply a similar approach in your own firewall software, or you can install firewalld.

On Ubuntu, for example, you must enable the Universe repository, disable the default UFW firewall, and then install firewalld:

$ sudo systemctl disable ufw
$ sudo add-apt-repository universe
$ sudo apt install firewalld

Fedora, CentOS, RHEL, OpenSUSE, and many other distributions include Firewalld by default.

No matter which distribution you use, if you want your firewall to work, you must leave it running and set it to start automatically at boot. Aim to keep the effort you spend on firewall maintenance to a minimum.

$ sudo systemctl enable --now firewalld

Select a zone using Network Manager

Maybe you’re connected to a lot of different networks every day. One network at work, another at the coffee shop, another at home. Your computer can tell which networks are used more often, but it doesn’t know which ones you trust.

A firewall zone contains preset rules for opening and closing ports. By using zones, you can choose the policy that works best for your current network.

To get a list of all available zones, open the connection editor in Network Manager (found in the application menu), or run the nm-connection-editor & command.

Network Manager Connection Editor

In the network connection list, double-click the network you are using.

In the network configuration window that appears, click the General tab.

In the General panel, click the drop-down menu next to Firewall Zone to get a list of all available zones.

Firewall zones

You can also use the following terminal command to get the same list:

$ sudo firewall-cmd --get-zones

The name of each zone already gives away the designer’s intention, but you can also get the details of any zone with the following terminal command:

$ sudo firewall-cmd --zone work --list-all
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  [...]

In this example, the work zone is configured to allow SSH and DHCPv6-client traffic, but to reject any other incoming traffic that was not explicitly requested. (In other words, the work zone doesn’t block the HTTP response traffic that arrives while you’re browsing a website, but it does block an HTTP request aimed at port 80 on your computer.)

You can look at each zone in turn and figure out what kind of traffic it allows. The more common ones are:

  • work: This zone should be used on networks you trust. It allows SSH, DHCPv6, and mDNS, and more allowed items can be added. This zone is ideal as a base configuration that you customize for the needs of your daily work.
  • public: For networks you don’t trust. This zone is configured the same as the work zone, but you should not add any other allowed items to it.
  • drop: All incoming connections are dropped without a response. This is the closest configuration to stealth mode without completely shutting down the network, since only outgoing network connections are allowed (although any port scanner can still detect your computer through its outgoing traffic, so this zone is not a cloaking device). If you’re using public WiFi, this zone is arguably the safest choice; if you feel that the current network is hostile, it is definitely the best choice.
  • block: All incoming connections are rejected, but a message is returned indicating that the requested port is disabled. Only Internet connections initiated by you are allowed. This is the friendlier version of the drop zone: there is still no port that allows incoming traffic, but it tells the sender that any connection not initiated by the host will be rejected.
  • home: Use this zone only if you trust the other computers on the network. This zone only allows the incoming connections you choose, and you can add more allowed items as needed.
  • internal: Similar to the work zone, this zone is meant for internal networks and should be used with basic trust in the computers on the network. You can open as many ports and services as you need while keeping a different set of rules from your work zone.
  • trusted: Accepts all network connections. Ideal for troubleshooting, or on a network you trust.
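To check a zone against what you intend it to allow, here is an added shell audit script (not part of the original article); it parses the --list-all output format shown above and falls back to a constructed sample listing when firewall-cmd is not installed.

```shell
#!/bin/sh
# Added audit helper (not from the original article): compare what a zone
# actually allows with what you expect, so a forgotten --add-service or
# --add-port does not go unnoticed. The sample listing below is constructed.

# Extract one field ("services" or "ports") from a --list-all listing on stdin,
# e.g. "  services: ssh dhcpv6-client" -> "ssh dhcpv6-client".
zone_field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Report every service or port in the listing that is not in the baseline.
# Usage: audit_zone "<expected services>" "<expected ports>" < listing
# Returns 1 if anything unexpected is open, 0 otherwise.
audit_zone() {
  expected_services=" $1 "
  expected_ports=" $2 "
  listing=$(cat)
  rc=0
  for s in $(printf '%s\n' "$listing" | zone_field services); do
    case "$expected_services" in
      *" $s "*) ;;
      *) echo "unexpected service: $s"; rc=1 ;;
    esac
  done
  for p in $(printf '%s\n' "$listing" | zone_field ports); do
    case "$expected_ports" in
      *" $p "*) ;;
      *) echo "unexpected port: $p"; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample: a work zone in which someone also opened 8080/tcp.
SAMPLE_LISTING='work
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8080/tcp
  protocols:'

if command -v firewall-cmd >/dev/null 2>&1; then
  sudo firewall-cmd --zone work --list-all | audit_zone "ssh dhcpv6-client" "" && echo "work zone matches baseline"
else
  printf '%s\n' "$SAMPLE_LISTING" | audit_zone "ssh dhcpv6-client" "" || echo "work zone drifted from baseline"
fi
```

Run it after every change to a zone; any line it prints is something a port scanner would also find.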

Assign a zone to a network

You can assign a zone to any of your network connections, and to different connection types on the same network (Ethernet, WiFi, and so on).

Select the zone you want and click the “Save” button to apply the change.

Setting a new zone

The best way to get into the habit of assigning zones to network connections is to start with the networks you use most often. Assign the home zone to your home network, the work zone to your work network, and the public zone to your favorite library or coffee shop network.

Once you have assigned a zone to all your regular networks, make a point of assigning a zone to each new network you join later (whether it’s a new coffee shop or your friend’s home network). This is a good way to realize that security differs from network to network, and that you are not more secure than anyone else just because you use Linux.

The default zone

Each time you join a new network, firewalld doesn’t ask you to choose a zone; it assigns a default zone instead. You can enter the following command in a terminal to see your default zone:

$ sudo firewall-cmd --get-default
public

In this case, the default zone is public. You should make sure that this zone is very restrictive, so that it is safe to assign it to an unknown network. Alternatively, you can set your own default zone.

For example, if you are naturally suspicious or have to deal with untrusted networks a lot, you can set a very strict default zone:

$ sudo firewall-cmd --set-default-zone drop
success
$ sudo firewall-cmd --get-default
drop

This way, any new network you join is assigned the drop zone until you manually move it to a less restrictive zone.

Customize zones by opening ports and services

Firewalld’s developers don’t expect their zones to fit every network and every level of trust in the world. You can use these zones as they are, or personalize them.

You can decide which ports to open or close based on the network activity you need, and this does not require a deep understanding of firewalls.

Default services

The easiest way to allow traffic through your firewall is to add a predefined service. Strictly speaking, your firewall does not know what a “service” is; it only knows port numbers and the protocol each one uses. However, firewalld can offer you combinations of ports and protocols based on standards and convention.

For example, if you’re a web developer and want your computer to be reachable on the local network (so your colleagues can see the site you’re building), add the HTTP and HTTPS services. If you’re a gamer running the open source Murmur voice chat server for your game’s guild, add the murmur service. There are many other services available, which you can view with this command:

$ sudo firewall-cmd --get-services
    amanda-client amanda-k5-client bacula bacula-client \
    bgp bitcoin bitcoin-rpc ceph cfengine condor-collector \
    ctdb dhcp dhcpv6 dhcpv6-client dns elasticsearch \
    freeipa-ldap freeipa-ldaps ftp [...]

If you find a service you need, you can add it to your current firewall configuration, for example:

$ sudo firewall-cmd --add-service murmur

This command adds all the ports and protocols required for the specified service to your default zone, but the change is lost after you restart your computer or the firewall. To make your changes permanent, use the --permanent flag:

$ sudo firewall-cmd --add-service murmur --permanent

You can also use this command for a non-default zone:

$ sudo firewall-cmd --add-service murmur --permanent --zone home

Ports

Sometimes you want to allow traffic that is not covered by a service defined by firewalld. Maybe you want to run a regular service on a non-standard port, or you simply want to open an arbitrary port.

For example, maybe you’re running MapTool, the open source virtual board game software. Since there is no industry standard for which port a MapTool server should use, you can decide which port to use and then “cut a hole” in the firewall to allow traffic on that port.

The procedure is similar to adding a service:

$ sudo firewall-cmd --add-port 51234/tcp

This command opens port 51234 to incoming TCP connections in your default zone, but the change is lost after you restart your computer or the firewall. To make your changes permanent, use the --permanent flag:

$ sudo firewall-cmd --add-port 51234/tcp --permanent

You can also use this command for a non-default zone:

$ sudo firewall-cmd --add-port 51234/tcp --permanent --zone home

The traffic allowed by your router’s firewall is configured separately from the firewall on your local machine. Your router probably provides its own configuration interface for its built-in firewall (the principle is the same), but that is beyond the scope of this article.

Remove ports and services

If you no longer need a service or port and did not use the --permanent flag, you can restart the firewall to discard the change.

If you made the change permanent, use the --remove-port or --remove-service flag to remove it:

$ sudo firewall-cmd --remove-port 51234/tcp --permanent

You can remove ports or services from a non-default zone by specifying the zone in the command:

$ sudo firewall-cmd --remove-service murmur --permanent --zone home

Custom zones

Feel free to use the default zones provided by firewalld, but you can also create your own. For example, if you want a specific zone for gaming, you can create one and switch to it only while playing.

To create a new, empty zone called game, create it and then reload the firewall rules so that the new zone is enabled:

$ sudo firewall-cmd --new-zone game --permanent
success
$ sudo firewall-cmd --reload

Once created and enabled, you can customize it by adding the services and ports you need to play the game.
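The port-opening and custom-zone procedures above, combined into one added shell script (not part of the original article): it validates the port specification before it reaches firewall-cmd, reloads so that the --permanent change actually takes effect, verifies the runtime configuration, and binds the zone to a connection with nmcli, where the connection name "Wired connection 1" is a placeholder to replace.

```shell
#!/bin/sh
# Added example (not from the original article): create the game zone, open
# the MapTool port in it, reload, and verify the runtime configuration. Assumes
# firewall-cmd and nmcli exist; "Wired connection 1" is a placeholder name.

# Accept only "<1-65535>/tcp" or "<1-65535>/udp", so that a typo or an
# untrusted value never reaches firewall-cmd. Returns 0 if valid, 1 otherwise.
port_spec_valid() {
  case "$1" in
    */tcp|*/udp) ;;
    *) return 1 ;;
  esac
  num=${1%/*}
  case "$num" in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$num" -ge 1 ] && [ "$num" -le 65535 ]; then return 0; else return 1; fi
}

# --permanent alone edits only the saved configuration; nothing changes on the
# wire until --reload (or until the same command is run without --permanent).
open_port_in_zone() {
  zone=$1; spec=$2
  port_spec_valid "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
  sudo firewall-cmd --permanent --new-zone "$zone" >/dev/null 2>&1 || true  # may already exist
  sudo firewall-cmd --permanent --zone "$zone" --add-port "$spec"
  sudo firewall-cmd --reload
  # Confirm the port is now present in the runtime configuration.
  sudo firewall-cmd --zone "$zone" --list-ports | grep -qw "$spec"
}

if command -v firewall-cmd >/dev/null 2>&1; then
  open_port_in_zone game 51234/tcp && echo "game zone now allows 51234/tcp"
  # A zone only takes effect once a connection uses it (placeholder name below).
  sudo nmcli connection modify "Wired connection 1" connection.zone game
  sudo firewall-cmd --get-active-zones
else
  echo "firewall-cmd not found; only port_spec_valid can run here"
fi
```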

Diligence

Start thinking about your firewall strategy today. Take your time and try to build some reasonable default rules. It may take a while to get used to thinking about firewall configurations and to figure out which network services you actually use, but with a little exploration you can make your Linux workstation more secure, no matter what environment you’re in.


Via: opensource.com/article/19/…

By Seth Kenlon (lujun9972

This article was originally translated by LCTT and published on Linux China.