Firewall rules for nginx & ssh

I have Clear Linux Live Server installed on remote dedicated server hardware (5,000 km away), not a VPS or shared hosting, etc. I access the unit remotely via ssh on port 4200.

Firewall document says “Clear Linux OS does not impose a firewall policy out of the box. All traffic is allowed inbound and all traffic is allowed outbound.”

https://docs.01.org/clearlinux/latest/guides/network/firewall.html

I have the nginx-mainline web server, PHP 7.4.2, MariaDB, Redis native, etc.
Ports listening now are:

```
nmap -n -Pn -sT -sU -p- 23.123.12.123

Host is up (0.000042s latency).
Not shown: 131066 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
3306/tcp open  mysql
4200/tcp open  vrml-multi-use
```

Before the website goes public I'll need to install and configure a firewall.
I'm familiar with ufw, and its configuration rules are very simple, but it is not available on Clear Linux.

Clear Linux lists the available firewall software as:
iptables
ipset
firewalld

Configuration rule sets for firewalld look to be the least obtuse of the options. I've never configured a firewall like this before, and I am very much cautioned by the warning on the Firewall document page:

Warning

Changing firewall configuration can cause abrupt network disconnection. If this happens on a remote host, local recovery may be required.

Be sure to test your firewall configuration before committing it permanently to ensure your system will remain accessible remotely, if required.

I want to make sure I receive safe accurate configuration advice to avoid locking myself out of my ssh session to the server preventing further access.

Some examples on the web show adding a service, some show adding a port, and some show adding both service and port (without explanation).

As I will be ssh’d into the remote machine, if I follow exactly the details on installing and using firewalld on Clear Linux in the document, is there a risk it can kill my ssh session and lock me out?

Will the rules below suffice?

```
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --permanent --zone=public --add-port=4200/tcp
firewall-cmd --reload
```

Step 4 firewalld:

Enable the firewalld service so that the firewalld daemon is automatically started and rules applied at boot from the /etc/firewalld/* file:

`sudo systemctl enable --now firewalld.service`

Can I assume running this command creates a config file in that location, or does it just enable the service and the user needs to create the config file manually?

Yes, there is always this risk when changing firewall rules. Since your system is remote and it sounds like you don't have another way to easily access it, I would highly recommend testing your proposed firewall policy on another system first. Keep in mind with firewalld there is a running configuration and a stored/persistent configuration.

Both are valid. Services are predefined entries of commonly used port/services. Check the documentation when in doubt. https://firewalld.org/documentation/man-pages/firewalld.service.html

Yes, you interact through firewall-cmd and firewalld will create files under /etc/ when it needs to.

puneetse, thanks for the reply. I'm glad I followed your advice and tested on a local machine.

I can report that the Firewall document guide is ONLY suitable for installing and configuring on a physically accessible local machine:

https://docs.01.org/clearlinux/latest/guides/network/firewall.html

Remote SSH install and configuration of FirewallD with this guide will result in catastrophic instant termination of the ssh connection at step 4.

Once the connection is terminated the remote user will be permanently locked out of the system and unable to access it remotely.

Step 3 refuses to apply any rule because FirewallD at this point is not yet running and is unable to accept the rules.

For a remote SSH install of FirewallD I suggest the following. Perform steps 1 and 2:

1-Install the firewalld bundle:

`sudo swupd bundle-add firewalld`

2-Disable the iptables and ipset services as they conflict with firewalld:

`sudo systemctl mask iptables-restore ipset`

3-Then MANUALLY create the directories and files (the mkdir calls need sudo too, like the nano calls):

```
sudo mkdir /etc/firewalld
sudo mkdir /etc/firewalld/zones
sudo nano /etc/firewalld/zones/public.xml
sudo nano /etc/firewalld/firewalld.conf
```

public.xml contents:

```xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port port="80" protocol="tcp"/>
  <port port="443" protocol="tcp"/>
  <port port="4200" protocol="tcp"/>
</zone>
```

firewalld.conf contents:

```
DefaultZone=public
MinimalMark=100
CleanupOnExit=yes
Lockdown=no
IPv6_rpfilter=yes
IndividualCalls=no
LogDenied=off
```

4-Enable the firewalld service so that the firewalld daemon is automatically started and rules applied at boot from the /etc/firewalld/* file:

`sudo systemctl enable --now firewalld.service`

5-Verify that firewalld is running:

`sudo firewall-cmd --state`
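As an added example (not from the thread or the Clear Linux guide), a few POSIX sh checks to run before and after enabling firewalld over SSH: confirm the zone file really opens the port your session uses (the predefined ssh service covers only 22/tcp, which is why an sshd on 4200 needs its own port entry), and keep a timed rollback armed until the runtime listing confirms the port. SSH_CONNECTION, the file paths and the 5-minute window are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from the Clear Linux guide or the
# posters: pre-flight checks before `systemctl enable --now firewalld` over SSH.
# Assumption: sshd sets SSH_CONNECTION ("client_ip client_port server_ip server_port");
# the zone file is the public.xml from the post above.

# Port of the SSH session this shell runs in; $1 is the fallback (e.g. 4200).
current_ssh_port() {
  fallback=$1
  if [ -n "$SSH_CONNECTION" ]; then
    set -- $SSH_CONNECTION
    echo "$4"
  else
    echo "$fallback"
  fi
}

# Succeeds if the zone XML in $1 opens TCP port $2: either an explicit
# <port .../> element (attribute order does not matter) or the predefined
# "ssh" service, which only covers 22/tcp, so an sshd on 4200 needs the port.
zone_allows_tcp_port() {
  zone_file=$1; port=$2
  grep -Eq "<port[^>]*port=\"$port\"[^>]*protocol=\"tcp\"|<port[^>]*protocol=\"tcp\"[^>]*port=\"$port\"" "$zone_file" && return 0
  [ "$port" = 22 ] && grep -q '<service name="ssh"/>' "$zone_file" && return 0
  return 1
}

# Succeeds if a runtime listing such as the output of `firewall-cmd --list-ports`
# ("80/tcp 443/tcp 4200/tcp") contains $2/tcp; use it right after enabling.
listing_has_tcp_port() {
  listing=$1; port=$2
  for entry in $listing; do
    [ "$entry" = "$port/tcp" ] && return 0
  done
  return 1
}

# Sequence on the real host, from a root shell (sudo -i); not executed here:
#   port=$(current_ssh_port 4200)
#   zone_allows_tcp_port /etc/firewalld/zones/public.xml "$port" || { echo "$port not in zone, aborting"; exit 1; }
#   # Safety net: stop firewalld after 5 minutes unless this job is cancelled.
#   nohup sh -c 'sleep 300; systemctl stop firewalld' >/dev/null 2>&1 &
#   echo $! > /run/fw-rollback.pid
#   systemctl enable --now firewalld.service
#   # Still connected and the port really open? Then cancel the rollback.
#   listing_has_tcp_port "$(firewall-cmd --list-ports)" "$port" && kill "$(cat /run/fw-rollback.pid)"
```

If the session does drop anyway, the rollback job stops firewalld after the window and the host is reachable again on the old open-by-default policy.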