On Fri, Aug 08, 2014 at 04:55:15PM -0500, Neil Aggarwal wrote:
> I am looking at the documentation of the new firewalld service in CentOS 7.
> It looks like no matter what I configure with it, outgoing connections are
> still going to be allowed. That does not seem very secure.
Looking at the documentation closer, there does appear to be a way to
add rules to the OUTPUT table, using the rich rules syntax.
Red Hat documents it in this KB, that is only open to subscribers:
https://access.redhat.com/solutions/1121463
Here's basically how it's done:
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
success
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP
success
# firewall-cmd --permanent --direct --get-all-rules
ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
ipv4 filter OUTPUT 1 -p tcp -m tcp --sport=80 -j ACCEPT
ipv4 filter OUTPUT 99 -j DROP
That restricts outgoing traffic to only port 80 as the source and
destination port.
Hopefully Red Hat opens up that KB, it would have been nice to find
this earlier in the thread. It's still an overly complex way of doing
things, although not much more so than running the iptables command.
--
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
