takashi kono's blog

A blog for recording things, accompanied by coffee and a keyboard

Practicing a multi-zone firewall setup on Rocky Linux 8

I wanted to try configuring a multi-zone firewall.

Environment

Rocky Linux 8

network

nic 1
con-mgmt-enp0s3
192.168.100.111/24
192.168.100.254 (GW)
8.8.8.8 (DNS)
ssh

nic 2
con-radius-enp0s8
natnetwork1
10.0.2.0/24
10.0.2.1
no GW
no DNS
radius

nic 3
con-mysql-enp0s9
natnetwork2
10.0.3.0/24
10.0.3.1
no GW
no DNS
mysql

hostname fwtest01.tk.net

Writing out the network part properly

con name           ip                  zone name   service
con-mgmt-enp0s3    192.168.100.111/24  management  ssh
con-radius-enp0s8  10.0.2.1/24         radius      radius
con-mysql-enp0s9   10.0.3.1/24         mysql       mysql

Each zone's role will be exactly what its name says.

For the management zone, I think the real-world usage would also restrict it by source IP (a bastion host and so on), but can that be done?
I'll try it next time (homework).

Summary

Adding a zone

sudo firewall-cmd --new-zone=<NEW ZONE NAME> --permanent
sudo firewall-cmd --reload

Making a zone active

A zone becomes active when an interface is assigned to it.

sudo firewall-cmd --permanent --zone=<ZONE NAME> --change-interface=<INTERFACE DEVICE NAME>
sudo firewall-cmd --reload

Renaming a zone

Couldn't find a way to do it.
Create a new zone, configure it, make it active with change-interface, then delete the old one.

Deleting a zone

sudo firewall-cmd --permanent --delete-zone=<ZONE NAME>
sudo firewall-cmd --reload

--permanent must come before --delete-zone=

Changing the default zone

sudo firewall-cmd --set-default-zone=<ZONE NAME>
sudo firewall-cmd --runtime-to-permanent

Maybe the default-zone change could also be persisted with --reload

$ man -P cat firewall-cmd | grep -A 10 'set-default-zone'
       --set-default-zone=zone
           Set default zone for connections and interfaces where no zone has
           been selected. Setting the default zone changes the zone for the
           connections or interfaces, that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
...
$

Since it says that, runtime-to-permanent might be the better choice
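The summary steps above as one script, added here as an example; it is not from the original post. It applies the zone/interface/service table from the post (those names are the only things taken from it), keeps --permanent ahead of --new-zone, --add-service and --change-interface as the post found necessary, and then compares the output of --get-active-zones with the plan. FIREWALL_CMD, ZONE_PLAN, RUN_FIREWALL_PLAN and the function names are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply the post's three-zone design
# (one zone per NIC, named after its service) in the option order firewalld wants,
# then verify the live interface-to-zone bindings against that design.
# Assumptions (mine, not the post's): the zone/interface/service table below is
# taken from the post; FIREWALL_CMD may be overridden (for a dry run, e.g.
# FIREWALL_CMD="echo firewall-cmd"); set RUN_FIREWALL_PLAN=1 to actually apply.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"

# Design table from the post: zone, interface, service (one line per zone).
ZONE_PLAN="management enp0s3 ssh
radius enp0s8 radius
mysql enp0s9 mysql"

# Create a zone in the saved configuration unless it already exists.
# --permanent must precede --new-zone (the post hits the error when it is missing).
ensure_zone() {
  zone="$1"
  if $FIREWALL_CMD --permanent --get-zones | tr ' ' '\n' | grep -qx "$zone"; then
    return 0
  fi
  $FIREWALL_CMD --permanent --new-zone="$zone"
}

# Walk the plan: create zones, open the service, move the NIC with
# --change-interface (which, unlike --add-interface, does not fail with
# ZONE_CONFLICT and needs no interface down), then reload and set the default zone.
apply_plan() {
  while read -r zone iface service <&3; do
    [ -n "$zone" ] || continue
    ensure_zone "$zone"
    $FIREWALL_CMD --permanent --zone="$zone" --add-service="$service"
    $FIREWALL_CMD --permanent --zone="$zone" --change-interface="$iface"
  done 3<<EOF
$ZONE_PLAN
EOF
  $FIREWALL_CMD --reload
  # --set-default-zone is a stand-alone option: it rejects --permanent, and the
  # man page says the change is runtime and permanent; runtime-to-permanent is
  # kept only to mirror the post's own sequence.
  $FIREWALL_CMD --set-default-zone=management
  $FIREWALL_CMD --runtime-to-permanent
}

# Turn `firewall-cmd --get-active-zones` output into "interface zone" lines.
active_bindings() {
  awk '/^[^ ]/ { zone = $1 }
       /^  interfaces:/ { for (i = 2; i <= NF; i++) print $i, zone }'
}

# The bindings the plan expects, in the same "interface zone" form, sorted.
expected_bindings() {
  printf '%s\n' "$ZONE_PLAN" | awk '{ print $2, $1 }' | sort
}

# Compare live bindings with the plan; returns 1 and prints both on mismatch.
verify_plan() {
  actual=$($FIREWALL_CMD --get-active-zones | active_bindings | sort)
  expected=$(expected_bindings)
  if [ "$actual" = "$expected" ]; then
    echo "active zone bindings match the plan"
    return 0
  fi
  echo "active zone bindings differ from the plan" >&2
  printf 'expected:\n%s\nactual:\n%s\n' "$expected" "$actual" >&2
  return 1
}

if [ "${RUN_FIREWALL_PLAN:-0}" = 1 ]; then
  apply_plan
  verify_plan
fi
```

Run it with RUN_FIREWALL_PLAN=1 to apply; with FIREWALL_CMD="echo firewall-cmd" it only prints the commands, which is a cheap way to review the option order before touching a live host. verify_plan is the part worth keeping around: a NIC left behind in public is exactly the kind of drift that silently widens what an interface accepts.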

References

qiita.com

qiita.com


Trying things out

The experiments start here

First, check the current state

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8 enp0s9
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-active-zones
public
  interfaces: enp0s3 enp0s8 enp0s9
[op-kouno@fwtest01 ~]$

cockpit and dhcpv6-client are not needed, so the usual ritual of removing them

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --remove-service=cockpit --permanent
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --remove-service=dhcpv6-client --permanent
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8 enp0s9
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$

First, create three zones

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --help | grep new-zone
  --new-zone=<zone>    Add a new zone [P only]
  --new-zone-from-file=<filename> [--name=<zone>]
[op-kouno@fwtest01 ~]$

Looks like a zone can also be created from a file.
Does that mean you can write a definition file and load it in?

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --new-zone=management
usage: see firewall-cmd man page
Option can be used only with --permanent.
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --permanent --new-zone=mamagement
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --permanent --new-zone=radius
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --permanent --new-zone=mysql
success
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work
[op-kouno@fwtest01 ~]$

Hm? Not there??? Ah, maybe because I haven't reloaded?

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-zones
block dmz drop external home internal mamagement mysql nm-shared public radius trusted work
[op-kouno@fwtest01 ~]$

Got it. Also, as the error message shows, when running --new-zone, --permanent is required and must come before that option.

Creating the management zone

It seems best to always log in from the console before reloading.
Since ssh probably won't drop by itself, after the firewall reload it seems best to confirm from a separate terminal that ssh still connects before disconnecting.
Let's try.
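A small guard for the concern above (losing the ssh session on reload), added here as an example and not part of the original post: before --reload it checks that the zone owning the management NIC still allows ssh in the permanent configuration, and refuses to reload otherwise. The interface name enp0s3 and zone name come from the post's table; FIREWALL_CMD, the MGMT_* variables and the function names are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: a lockout guard for the post's
# workflow (edit with --permanent, then --reload). Before reloading, confirm that
# the zone owning the NIC your ssh session arrives on still allows ssh in the
# saved configuration, so the reload cannot cut the session.
# Assumptions (mine, not the post's): management NIC enp0s3 as in the post;
# FIREWALL_CMD may be overridden for tests or dry runs.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"

# Zone the interface is bound to right now (runtime view).
current_zone_of() {
  $FIREWALL_CMD --get-zone-of-interface="$1"
}

# Returns 0 if the saved config of the zone allows ssh, as the service or as 22/tcp.
zone_allows_ssh() {
  zone="$1"
  if $FIREWALL_CMD --permanent --zone="$zone" --list-services | tr ' ' '\n' | grep -qx ssh; then
    return 0
  fi
  if $FIREWALL_CMD --permanent --zone="$zone" --list-ports | tr ' ' '\n' | grep -qx '22/tcp'; then
    return 0
  fi
  return 1
}

# guarded_reload <iface> [zone]: reload only if ssh survives on <iface>.
# Pass the zone explicitly when a pending --change-interface will move the NIC,
# because the runtime lookup still reports the old zone until the reload.
guarded_reload() {
  iface="$1"
  zone="${2:-$(current_zone_of "$iface")}"
  if ! zone_allows_ssh "$zone"; then
    echo "refusing to reload: zone '$zone' (owner of $iface) would not allow ssh" >&2
    echo "fix with: firewall-cmd --permanent --zone=$zone --add-service=ssh" >&2
    return 1
  fi
  $FIREWALL_CMD --reload
  echo "reloaded; confirm a new ssh session to $iface from a second terminal before closing this one"
}

if [ "${RUN_GUARDED_RELOAD:-0}" = 1 ]; then
  guarded_reload "${MGMT_IFACE:-enp0s3}" "${MGMT_ZONE:-}"
fi
```

The check reads the permanent configuration on purpose: the runtime rules are what you are connected through now, but the saved ones are what --reload installs. Having a console session open as the post suggests is still the real safety net; the guard just catches the obvious case before you need it.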

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=management --add-service=ssh --permanent
Error: INVALID_ZONE: management
[op-kouno@fwtest01 ~]$

Invalid?

Let me look at everything once

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

mamagement
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

mysql
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

nm-shared
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcp dns ssh
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 enp0s8 enp0s9
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

radius
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

[op-kouno@fwtest01 ~]$

It's there, isn't it.

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-active-zones
public
  interfaces: enp0s9 enp0s8 enp0s3
[op-kouno@fwtest01 ~]$

Could it be that it stays INVALID until the zone is made active???
Feels like a dead end.

Running add-service on the radius zone

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --permanent --zone=radius --add-service=radius
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --list-all
radius
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: radius
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$

That went smoothly.
Do I need to remove the current assignment?
Can one interface span multiple zones?

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=public --list-interfaces
enp0s9 enp0s8 enp0s3
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --list-interfaces

[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --add-interface=enp0s8
Error: ZONE_CONFLICT: 'enp0s8' already bound to a zone
[op-kouno@fwtest01 ~]$

It can't.

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=public --remove-interface=enp0s8 --permanent
The interface is under control of NetworkManager and already bound to the default zone
The interface is under control of NetworkManager, setting zone to default.
success
[op-kouno@fwtest01 ~]$

?? Should I bring the interface down?

[op-kouno@fwtest01 ~]$ sudo nmcli c down con-radius-enp0s8
接続 'con-radius-enp0s8' が正常に非アクティブ化されました (D-Bus アクティブパス: /org/freedesktop/NetworkManager/ActiveConnection/2)
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo nmcli c show
NAME               UUID                                  TYPE      DEVICE
con-mgmt-enp0s3    01d43bc4-7c24-4f1f-9f7b-ae849316a31e  ethernet  enp0s3
con-mysql-enp0s9   ee8e4547-9a6e-4af0-845e-764bde401522  ethernet  enp0s9
con-radius-enp0s8  70b8a7a0-3524-41ed-8b46-075e479d3213  ethernet  --
[op-kouno@fwtest01 ~]$


[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=public --remove-interface=enp0s8 --permanent
Warning: NOT_ENABLED: enp0s8
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=public --list-interfaces
enp0s9 enp0s3
[op-kouno@fwtest01 ~]$

Done. The interface had to be brought down.
Doing this in production means an outage, right?
Meaning the configuration has to be completely finished before putting it into service.

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --list-interfaces

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --add-interface=enp0s8 --permanent
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --list-interfaces
enp0s8
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --list-all
radius (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: radius
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$

I see. Done.
Finally, bring the interface up

[op-kouno@fwtest01 ~]$ sudo nmcli c show
NAME               UUID                                  TYPE      DEVICE
con-mgmt-enp0s3    01d43bc4-7c24-4f1f-9f7b-ae849316a31e  ethernet  enp0s3
con-mysql-enp0s9   ee8e4547-9a6e-4af0-845e-764bde401522  ethernet  enp0s9
con-radius-enp0s8  70b8a7a0-3524-41ed-8b46-075e479d3213  ethernet  --
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo nmcli c up con-radius-enp0s8
接続が正常にアクティベートされました (D-Bus アクティブパス: /org/freedesktop/NetworkManager/ActiveConnection/4)
[op-kouno@fwtest01 ~]$ sudo nmcli c show
NAME               UUID                                  TYPE      DEVICE
con-mgmt-enp0s3    01d43bc4-7c24-4f1f-9f7b-ae849316a31e  ethernet  enp0s3
con-mysql-enp0s9   ee8e4547-9a6e-4af0-845e-764bde401522  ethernet  enp0s9
con-radius-enp0s8  70b8a7a0-3524-41ed-8b46-075e479d3213  ethernet  enp0s8
[op-kouno@fwtest01 ~]$

Adding ssh to zone=management

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=mamagement --list-all
mamagement
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=mamagement --add-service=ssh --permanent
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=mamagement --list-all
mamagement
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$

?? Why did that work ??

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-active-zones
public
  interfaces: enp0s8 enp0s9 enp0s3
[op-kouno@fwtest01 ~]$

???

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --list-all
radius
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: radius
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$

It's reverted.

Trying change-interface

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-active-zones
public
  interfaces: enp0s8 enp0s9 enp0s3
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=radius --change-interface=enp0s8 --permanent
The interface is under control of NetworkManager, setting zone to 'radius'.
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-active-zones
public
  interfaces: enp0s9 enp0s3
radius
  interfaces: enp0s8
[op-kouno@fwtest01 ~]$

The number of active zones went up. The interface moved. And with no interface down.
So this is how it's done.

ref

qiita.com

Continuing with change-interface

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=mysql --change-interface=enp0s9 --permanent
The interface is under control of NetworkManager, setting zone to 'mysql'.
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-active-zones
mysql
  interfaces: enp0s9
public
  interfaces: enp0s3
radius
  interfaces: enp0s8
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=mamagement --change-interface=enp0s3 --permanent
The interface is under control of NetworkManager, setting zone to 'mamagement'.
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-active-zones
mamagement
  interfaces: enp0s3
mysql
  interfaces: enp0s9
radius
  interfaces: enp0s8
[op-kouno@fwtest01 ~]$

zone name change

I hadn't noticed I had made a typo.
Looks like the only option is to create a new zone, migrate the settings, and delete the old one.

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --permanent --new-zone=management
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-zones
block dmz drop external home internal mamagement mysql nm-shared public radius trusted work
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-zones
block dmz drop external home internal mamagement management mysql nm-shared public radius trusted work
[op-kouno@fwtest01 ~]$

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=mamagement --list-all
mamagement (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3 management
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=management --list-all
management
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=management --change-interface=enp0s3 --permanent
The interface is under control of NetworkManager, setting zone to 'management'.
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=management --add-service=ssh --permanent
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=management --list-all
management (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --permanent --delete-zone=mamagement
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-zones
block dmz drop external home internal management mysql nm-shared public radius trusted work
[op-kouno@fwtest01 ~]$

This could be a pain if there are rich rules and the like.
Check the name first.
Also, use short names (probably harder to get wrong).
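The rename workaround above, scripted, as an added example that is not from the original post. It uses --new-zone-from-file (seen in the --help output earlier) to copy the saved zone definition under the new name, so rich rules and ports come along rather than being re-typed, then moves the interfaces with change-interface, re-points the default zone if the old one held it, and deletes the old zone last. The zone directory /etc/firewalld/zones, the environment variable names and the function name are my assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: rename a zone the way the post ends
# up doing it by hand (create the new name, migrate, delete the old), but copying
# the saved definition with --new-zone-from-file so services, ports and rich
# rules come along instead of being re-typed.
# Assumptions (mine, not the post's): custom zones created with --permanent are
# saved as /etc/firewalld/zones/<name>.xml; FIREWALLD_ZONE_DIR and FIREWALL_CMD
# may be overridden for tests. Interface bindings are not in that file, so they
# are moved separately with --change-interface.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"

rename_zone() {
  old="$1"
  new="$2"
  zone_file="${FIREWALLD_ZONE_DIR:-/etc/firewalld/zones}/$old.xml"

  # 1. Copy the saved definition under the new name; --permanent comes first.
  $FIREWALL_CMD --permanent --new-zone-from-file="$zone_file" --name="$new"
  # The new zone is not usable until it reaches the runtime configuration.
  $FIREWALL_CMD --reload

  # 2. Move every interface the old zone currently owns; change-interface needs
  #    no interface down and raises no ZONE_CONFLICT, unlike add-interface.
  for iface in $($FIREWALL_CMD --zone="$old" --list-interfaces); do
    $FIREWALL_CMD --permanent --zone="$new" --change-interface="$iface"
  done

  # 3. If the old zone was the default zone, point the default at the new one
  #    before deleting it. set-default-zone is stand-alone (no --permanent).
  if [ "$($FIREWALL_CMD --get-default-zone)" = "$old" ]; then
    $FIREWALL_CMD --set-default-zone="$new"
    $FIREWALL_CMD --runtime-to-permanent
  fi

  # 4. Remove the old zone; --permanent must precede --delete-zone.
  $FIREWALL_CMD --permanent --delete-zone="$old"
  $FIREWALL_CMD --reload
  $FIREWALL_CMD --zone="$new" --list-all
}

if [ -n "${RENAME_ZONE_FROM:-}" ] && [ -n "${RENAME_ZONE_TO:-}" ]; then
  rename_zone "$RENAME_ZONE_FROM" "$RENAME_ZONE_TO"
fi
```

Invoke as RENAME_ZONE_FROM=mamagement RENAME_ZONE_TO=management ./rename-zone.sh on the host. The final --list-all is the check that matters: the new zone should show "(active)", the moved interfaces, and the same services and rich rules the old zone had before anything is deleted.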

default zone change

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --set-default-zone=management --permanent
usage: see firewall-cmd man page
Can't use stand-alone options with other options.
[op-kouno@fwtest01 ~]$

Hmm.

[op-kouno@fwtest01 ~]$ man -P cat firewall-cmd | grep -A 10  "set-default-zone"
       --set-default-zone=zone
           Set default zone for connections and interfaces where no zone has
           been selected. Setting the default zone changes the zone for the
           connections or interfaces, that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print currently active zones altogether with interfaces and sources
           used in these zones. Active zones are zones, that have a binding to
           an interface or source. The output format is:
[op-kouno@fwtest01 ~]$

Hmm?

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --set-default-zone=management
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --runtime-to-permanent
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-default-zone
management
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --reload
success
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-default-zone
management
[op-kouno@fwtest01 ~]$

Done.

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --zone=management --list-all
management (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --list-all
management (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$

It can be checked with just list-all. I see.

The current state

[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-active-zones
management
  interfaces: enp0s3
mysql
  interfaces: enp0s9
radius
  interfaces: enp0s8
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --get-default-zone
management
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --list-all
management (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --list-all --zone=radius
radius (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: radius
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$
[op-kouno@fwtest01 ~]$ sudo firewall-cmd --list-all --zone=mysql
mysql (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s9
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[op-kouno@fwtest01 ~]$