Host Based Firewall Management
On all Managed OS VMs, a host-based firewall runs in addition to the Distributed Firewall. This provides an additional layer of protection.
Configure firewall rules for Managed Windows
On Managed Windows, the host-based firewall is enabled and active for all profiles.
Inbound connections that do not match a rule are blocked; outbound connections that do not match a rule are allowed.
Customers can add custom rules to the ruleset. This is done directly on the machine in the Temp Admin state.
Add custom Rule
Custom rules can be added with the Windows Firewall with Advanced Security snap-in or with PowerShell, for example:
New-NetFirewallRule -DisplayName 'Application Alpha' -Description 'Customer Application Alpha, TCP Port 445' -Direction Inbound -LocalPort 445 -Protocol TCP -Action Allow
Configure firewall rules for Managed RHEL
On Managed RHEL VMs, iptables provides the host-based firewall. The default ruleset blocks everything on the main network interface except for TCP ports 22, 4118 and 9100. All traffic from the loopback interface is allowed.
Customers can add custom rules to the ruleset. This is done directly on the machine in the Temp Admin state.
Basically, there are two types of rules:
- Filter rules, which are added to the RH-Firewall-1-INPUT chain of the *filter table
- Other rules, which are added outside of the *filter table (e.g. in the *nat or *mangle tables)
Filter rules
To add custom filter rules, simply add them to the /etc/sysconfig/iptables.custom file. During the next Puppet run they are added to the RH-Firewall-1-INPUT chain of the *filter table in the /etc/sysconfig/iptables file.
Example:
Given the following content in the /etc/sysconfig/iptables.custom file:
$ sudo cat /etc/sysconfig/iptables.custom
# Test rules added from iptables.custom: Allow any via TCP port 1234
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from ip 1.2.3.4 via UDP port 161
-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -s 1.2.3.4 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from the subnet <subnet>/24 via TCP ports 1556,13720,13724,13782
-A RH-Firewall-1-INPUT -m tcp -p tcp -m multiport --dports 1556,13720,13724,13782 -s <subnet>/24 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from the IP <ip> via TCP Port Range 3181:3189
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3181:3189 -s <ip> -j ACCEPT
# End test rules added from iptables.custom
During the next Puppet run (roughly every 90 minutes), the rules are added to the /etc/sysconfig/iptables file and the iptables configuration is reloaded:
$ sudo cat /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Test rules added from iptables.custom
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -s 1.2.3.4 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp -m multiport --dports 1556,13720,13724,13782 -s <subnet>/24 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3181:3189 -s <ip> -j ACCEPT
# End test rules added from iptables.custom
-A RH-Firewall-1-INPUT -j REJECT
COMMIT
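Because Puppet appends whatever is in iptables.custom and reloads the firewall unattended, it is worth checking the file before the next run. The following linter is an added example, not part of the managed-OS tooling; it assumes only the conventions described above (rules go to RH-Firewall-1-INPUT, table headers belong in the .before/.after files) and uses a constructed SAMPLE that mirrors the rules shown, including one that lost its -j target.

```python
"""Lint /etc/sysconfig/iptables.custom before Puppet picks it up.

Added example, not part of the managed-OS tooling: Puppet appends the file's
rules to RH-Firewall-1-INPUT and reloads iptables unattended, so a malformed or
overly broad rule goes live on the next run. SAMPLE is constructed input that
mirrors the page's example, including a rule that lost its -j target.
"""
import shlex

CHAIN = "RH-Firewall-1-INPUT"   # the only chain custom filter rules may extend
TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG"}

SAMPLE = """\
# Allow any via TCP port 1234
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
# Allow everything coming from 1.2.3.4 via UDP port 161
-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -s 1.2.3.4 -j ACCEPT
# Placeholder was never replaced
-A RH-Firewall-1-INPUT -m tcp -p tcp -m multiport --dports 1556,13720 -s <subnet>/24 -j ACCEPT
# Target forgotten: the rule only counts packets and allows nothing
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3181:3189 -s 1.2.3.4
"""

def lint_custom_rules(text):
    """Return [(line_no, message)] findings for the body of iptables.custom."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                 # comments and blank lines
        if line[0] in "*:" or line == "COMMIT":      # table/chain headers
            findings.append((no, "table headers belong in iptables.custom.before/.after"))
            continue
        if "<" in line or ">" in line:
            findings.append((no, "unreplaced <placeholder> in rule"))
        argv = shlex.split(line)
        if argv[:2] != ["-A", CHAIN]:
            findings.append((no, f"rule must start with '-A {CHAIN}'"))
        if "-j" not in argv:
            findings.append((no, "no -j target: rule matches but allows nothing"))
        elif argv[-1] == "-j" or argv[argv.index("-j") + 1] not in TARGETS:
            findings.append((no, "unknown -j target"))
        src = argv[argv.index("-s") + 1] if "-s" in argv[:-1] else "0.0.0.0/0"
        if src in ("0.0.0.0/0", "0/0") and "ACCEPT" in argv:
            findings.append((no, "ACCEPT from any source: confirm it must be world-reachable"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_custom_rules(SAMPLE):
        print(f"iptables.custom:{no}: {msg}")
```

Run it against the real file with `sudo cat /etc/sysconfig/iptables.custom | python3 -c 'import sys, lint; ...'` or simply replace SAMPLE with the file contents; an empty findings list means the file follows the conventions.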
Other rules
It is also possible to add custom rules before or after the *filter table by adding them to the /etc/sysconfig/iptables.custom.before and/or /etc/sysconfig/iptables.custom.after files. As for the custom filter rules, during the next Puppet run the content of these files is added to the /etc/sysconfig/iptables file and the iptables configuration is reloaded.
Example:
Given the following content in the /etc/sysconfig/iptables.custom.before file:
$ sudo cat /etc/sysconfig/iptables.custom.before
# Test NAT rules before
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
# End test NAT rules before
And the following content in the /etc/sysconfig/iptables.custom.after file:
$ sudo cat /etc/sysconfig/iptables.custom.after
# Test mangle rules after
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
-A POSTROUTING -o lo -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# End test mangle rules after
During the next Puppet run, the rules are added to the /etc/sysconfig/iptables file and the iptables configuration is reloaded:
$ sudo cat /etc/sysconfig/iptables
# Test NAT rules before
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
# End test NAT rules before
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT
COMMIT
# Test mangle rules after
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
-A POSTROUTING -o lo -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# End test mangle rules after