Oracle linux firewall rules

Oracle В® Linux 8

Configuring the Firewall

Oracle Legal Notices

Copyright В© 2019, 2021 Oracle and/or its affiliates.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are «commercial computer software» or «commercial computer software documentation» pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government’s use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Oracle Documentation License

This document uses the Web-based Help format from DocBook XML. The following license information applies to this format.

Copyright В© 1999-2007 Norman Walsh

Copyright В© 2003 Jiri Kosek

Copyright В© 2004-2007 Steve Ball

Copyright В© 2005-2008 The DocBook Project

Copyright В© 2011-2012 O’Reilly Media

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the «Software»), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Except as contained in this notice, the names of individuals credited with contribution to this software shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from the individuals in question.

Any stylesheet derived from this Software that is publicly distributed will be identified with a different name and the version strings in any derived Software will be changed so that no possibility of confusion between the derived package and this Software will exist.

THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL NORMAN WALSH OR ANY OTHER CONTRIBUTOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Web-based Help from DocBook XML

Copyright В© 2008-2012 Kasun Gajasinghe, David Cramer

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

Except as contained in this notice, the names of individuals credited with contribution to this software shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from the individuals in question.

Any stylesheet derived from this Software that is publicly distributed will be identified with a different name and the version strings in any derived Software will be changed so that no possibility of confusion between the derived package and this Software will exist.

Warranty: THE SOFTWARE IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL DAVID CRAMER, KASUN GAJASINGHE, OR ANY OTHER CONTRIBUTOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Certain search characteristics associated with the DocBook XSL webhelp stylesheets are provided as javascript files generated using Apache Lucene and other fourth party technologies, which are licensed under the Apache License reproduced below.

Источник

ChapterВ 1В Configuring a Packet Filtering Firewall

This chapter describes the concepts, tools, and methods for configuring the firewall by using packet filtering. It also provides examples for displaying the firewall settings that enforce network security on a system.

1.1В About Packet-Filtering Firewalls

A firewall filters incoming and outgoing network packets, based on packet header information. You create packet filter rules that determine whether packets are accepted or rejected. If you create a rule to block a port, any request to that port is rejected by the firewall and the request is ignored. Any service that is listening on a blocked port is effectively disabled.

The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4 and IPv6 packets.

Netfilter consists of two components:

A netfilter kernel component consisting of a set of tables in memory for the rules that the kernel uses to control network packet filtering.

Utilities to create, maintain, and display the rules that netfilter stores. In Oracle Linux 8, the default firewall utility is the firewall-cmd , which is provided by the firewalld package.

The firewalld -based firewall has the following advantages:

The firewalld-cmd utility does not restart the firewall and disrupt established TCP connections.

firewalld supports dynamic zones, which enable you to implement different sets of firewall rules for systems such as laptops that can connect to networks with different levels of trust. However, this feature is not typically used on server systems.

firewalld supports D-Bus for better integration with services that depend on firewall configuration.

1.2В Firewall Configuration Tools

You can configure the firewall by using one of two tools:

By using the firewall-cmd command and its multiple options.

By using the Firewall Configuration GUI

To use this tool you must install the firewall-config package first, then launch it by using the same command as the package name, for example:

The command opens the configuration tool, as shown in the following figure.

Cockpit is a browser-based configuration tool that you can also use to perform simple firewall configurations. See https://docs.oracle.com/en/operating-systems/oracle-linux/8/obe-cockpit-network/index.html.

1.3В Controlling the Firewall Service

In Oracle Linux 8, the firewall service, firewalld , is enabled by default. The service is controlled by the systemctl command.

To start the service:

To ensure that the service starts automatically when the system starts, run the following command after starting the firewall:

To stop the firewall service and prevent it from automatically starting when the system starts, run the following command:

To prevent the firewall service from being started by other services or through the firewalld D-Bus interface, run the following command after disabling the firewall:

To display the current status of the firewall service:

1.4В About Zones and Services

Firewall security is implemented through the concepts of zones and services.

Zones are predefined sets of filtering rules that correspond to levels of trust for network access. You can add to the default filtering rules of a zone by reconfiguring the zone’s settings and therefore refine the zone’s control of traffic flow. When you install Oracle Linux, a default zone called public is automatically assigned to the system.

Firewall rules are applied through services that are assigned to a zone. The service ports are the access points of network traffic. Services assigned to a zone automatically have their ports opened to receive and send network packets.

For more information about zones and firewall-related services, see the firewalld.zone(5) and the firewalld.services(5) manual pages.

1.4.1В Displaying Information About Zones

When you configure the firewall for zones, displaying the current zone and service settings and other information as part of the configuration steps is a good practice. With this approach you can monitor the changes you are introducing to the firewall and identify potential errors that would make your changes invalid.

To display the system’s default zone, run the following command:

List all the predefined zones that are included in the installation as follows:

You can configure any zone in the list. As you make changes to a particular zone, that zone becomes an active zone. To identify the active zone, type the following:

By default, all of the configurations are implemented on the default zone. Note also that an active zone is not necessarily the default zone. Therefore, you must specify the zone name in the command to define settings for that specific zone. Otherwise, the definitions will be applied to the default zone.

1.4.2В Displaying Zone Settings

To obtain the settings of a zone:

Without specifying a zone, the command displays the settings of the default zone. Thus, if you want to list the settings of the work zone, you would use the following command;

1.5В Configuring firewalld Zones

The following tasks describe how to use the firewall-cmd command to configure firewall rules for a zone. The rules are then recorded in the /etc/firewalld hierarchy for firewalld .

Configuring the firewall means setting all or some of a zone settings to specific values to enable the firewall to control network traffic according to your specifications.

1.5.1В Controlling Access to Services

Setting the services of a zone is the simplest way to configure the firewall. Each zone has predefined services assigned to it. To configure this setting further, you either add services to the zone or remove services from the zone.

To list predefined services, use the firewall-cmd —list-services command.

For example, the following command shows that the work zone has the cockpit , dhcpv6-client , mdns , samba-client , and ssh services assigned to it:

To allow access to a new service, use the —add-service service option. Include the —permanent option to make the rule persistent across reboots.

For example, to add the HTTP and NFS services to the work zone, you would use the following command:

To remove access to a service, use the —remove-service service option:

1.5.2В Controlling Access to Ports

Network traffic through the zone’s services uses the ports of those services. Ports should be opened to accept traffic. You can open additional ports for network access by specifying the port number and the associated protocol.

The —list-ports option lists the ports and associated protocols to which you have explicitly allowed access. However, ports that have been opened as a service are not included in this command’s output. Therefore, when listing ports, the best practice is to use the —list-all option to obtain more complete information.

Use the —add-port option to allow access to specific ports. Ports must be specified by using the format port-number / port-type . Port types can be tcp , udp , sctp , or dccp . Ensure that the type and the network traffic match, for example:

Similarly, the —remove-port option removes access to a port. Remember to use the —permanent option if you want to make the change persist.

For more information, see the firewall-cmd(1) manual page.

1.5.3В Assigning a Network Interface to a Zone

A system’s network interface is automatically assigned to the default zone. In Oracle Linux, you can configure multiple zones with their specific services, ports, and so on. You then activate a specific zone’s rules to become operative by assigning the interface to that zone. Thus, you have the flexibility to easily change the firewall rules that are active on the system simply by reassigning the network interface.

Suppose that you want to activate the firewall configuration of the work zone. You would assign the interface to the zone as follows:

You do not need to use the —permanent option to make the setting persist across reboots. If you set the zone to be the default zone, as explained in SectionВ 1.5.4, “Changing the Default Zone”, then the interface reassignment becomes permanent.

1.5.4В Changing the Default Zone

You can change a system’s default zone as follows:

You can also verify that your changes have been applied:

To display the entire and final results of your configuration:

1.5.5В Setting a Default Rule for Controlling Incoming Traffic

The target setting establishes the default behavior of the firewall when managing incoming traffic. This zone setting is automatically configured to default for all the predefined zones. To change the default behavior of a zone, use the following command;

You can specify the following options:

ACCEPT allows all incoming traffic except those you have set to be rejected in another rule.

REJECT blocks all incoming traffic except those you have allowed in another rule. The source machine is informed about the rejecion.

DROP is similar to REJECT but no notice of the rejection is sent to the source machine.

1.5.6В Managing Incoming Traffic Based on Sources

You can manage incoming traffic to a zone based on the traffic source. The two following two zone settings enable you to specify the origin of the packets:

source identifies the sending node or network.

source-ports identifies the port from which traffic originates.

To allow incoming traffic from a sending node, use the following command:

Note that the IP address can include the netmask in CIDR notation, such as 192.0.2.0/24 .

In the example, the second command makes the setting permanent. Omit this command if you are setting a temporary configuration that will be dropped if the system is rebooted.

The following similar syntax is used to set the source-port setting. However, you identify the source port by specifying the sending port number and the protocol type, for example:

You can combine different settings to configure the firewall. Specifically, the trusted zone can be configured to accept HTTP traffic from the 192.0.2.0 network source, as shown in the following example:

1.6В Creating Customized Zones for Firewall Implementation

You can create zones and then configure the zone’s settings for a customized firewall protection.

1.6.1В Using the firewall-cmd Command

As shown in the following example, you can use the firewall-cmd command-line interface (CLI) to create an empty zone, which means that no default services are assigned. When configuring a customized zone, you must always include the —permanent option in the command. Otherwise, an error message is generated.

Without the —permanent option, the —get-zones option does not display the created zone.

The —info-zone= zone-name option generates the same output as the —list-all option.

To make this zone creation persistent, add the following command:

After creating the zone, you can add services, ports, assign interfaces, and so on, by using the command options that are provided in the previous examples:

Ensure that you use the —permanent option when using all of these commands.

1.6.2В Using a Zone Configuration File

All zones have corresponding configuration files. For the predefined zones that are installed with the operating system, the configuration files are in the /usr/lib/firewalld/zones directory.

When you configure a predefined zone, the configuration file is copied to the /etc/firewalld/zones directory and the changes are stored in that location. If you use a configuration file to create new zones, you must also use /etc/firewalld/zones as the working directory.

If you are creating a zone with only minor differences from the settings of predefined zones, copying an existing configuration file to the working directory is the easiest approach. You can use either of the following commands:

Then, using a text editor, revise the settings in the new configuration file. The following example shows what the configuration file of testzone might contain. Specifically, testzone accepts traffic for one service (SSH) and one port range for the TCP and UDP protocols:

Copyright В© 2019, 2021 Oracle and/or its affiliates. Legal Notices

Источник