Host Based Firewall Management

On all Managed OS VMs, a host-based firewall runs in addition to the Distributed Firewall, providing an additional layer of protection.

Configure firewall rules for Managed Windows

On Managed Windows the host-based firewall and all of its profiles are enabled and active.
Inbound connections that do not match a rule are blocked; outbound connections that do not match a rule are allowed.

The customer can add custom rules to the ruleset. This is done directly on the machine in the Temp Admin state.

Add custom Rule

Custom rules can be added with the Windows Firewall with Advanced Security snap-in or with PowerShell, for example:

New-NetFirewallRule -DisplayName 'Application Alpha' -Description 'Customer Application Alpha, TCP Port 445' -Direction Inbound -LocalPort 445 -Protocol TCP -Action Allow

Configure firewall rules for Managed RHEL

On Managed RHEL VMs, iptables provides the host-based firewall. The default ruleset blocks everything on the main network interface except TCP ports 22, 4118 and 9100. All traffic on the loopback interface is allowed.

The customer can add custom rules to the ruleset. This is done directly on the machine in the Temp Admin state.

There are two types of custom rules:

  • Filter rules that will be added to the RH-Firewall-1-INPUT chain of the *filter table
  • Other rules that will be added outside of the *filter table (e.g. *nat or *mangle tables)

Filter rules

To add custom filter rules, add them to the /etc/sysconfig/iptables.custom file. During the next Puppet run they are inserted into the RH-Firewall-1-INPUT chain of the *filter table in the /etc/sysconfig/iptables file.

Example:

Given the following content in the /etc/sysconfig/iptables.custom file:

$ sudo cat /etc/sysconfig/iptables.custom
# Test rules added from iptables.custom: Allow any via TCP port 1234
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from ip 1.2.3.4 via UDP port 161
-A RH-Firewall-1-INPUT -m udp -p udp --dport 161 -s 1.2.3.4 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from the subnet <subnet>/24 via TCP ports 1556,13720,13724,13782
-A RH-Firewall-1-INPUT -m tcp -p tcp -m multiport --dports 1556,13720,13724,13782 -s <subnet>/24 -j ACCEPT
# Test rules added from iptables.custom: Allow everything coming from the IP <ip> via TCP Port Range 3181:3189
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 3181:3189 -s <ip> -j ACCEPT
# End test rules added from iptables.custom

During the next Puppet run (roughly every 90 minutes), the rules are added to the /etc/sysconfig/iptables file, just before the chain's final REJECT, and the iptables configuration is reloaded:

$ sudo cat /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Test rules added from iptables.custom
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT
# End test rules added from iptables.custom
-A RH-Firewall-1-INPUT -j REJECT
COMMIT

Other rules

It is also possible to add custom rules before or after the *filter table by adding them to the /etc/sysconfig/iptables.custom.before and/or /etc/sysconfig/iptables.custom.after files. As with the custom filter rules, during the next Puppet run the content of these files is added to the /etc/sysconfig/iptables file and the iptables configuration is reloaded.

Example:

Given the following content in the /etc/sysconfig/iptables.custom.before file:

$ sudo cat /etc/sysconfig/iptables.custom.before
# Test NAT rules before
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
# End test NAT rules before

And the following content in the /etc/sysconfig/iptables.custom.after file:

$ sudo cat /etc/sysconfig/iptables.custom.after
# Test mangle rules after
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
-A POSTROUTING -o lo -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# End test mangle rules after

During the next Puppet run, the rules are added to the /etc/sysconfig/iptables file (the .before content ahead of the *filter table, the .after content behind it) and the iptables configuration is reloaded:

$ sudo cat /etc/sysconfig/iptables
# Test NAT rules before
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
# End test NAT rules before
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -s 0.0.0.0/0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT
COMMIT
# Test mangle rules after
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DHCP packets sent to VMs have no checksum (due to a longstanding bug).
-A POSTROUTING -o lo -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# End test mangle rules after
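The following POSIX shell helper is an added example, not part of the managed platform's Puppet code. It reproduces the merge described in the "Filter rules" and "Other rules" sections above so the result can be previewed and sanity-checked in the Temp Admin state before the next Puppet run: the .before file, then the *filter table with the iptables.custom rules inserted ahead of the chain's final REJECT, then the .after file. It assumes the base file ends the chain with exactly "-A RH-Firewall-1-INPUT -j REJECT"; the sample inputs are constructed to mirror the page's layout.

```shell
# Added example, not the managed platform's own Puppet code. Previews the merge the
# page describes: iptables.custom.before, then the *filter table with the rules from
# iptables.custom inserted ahead of the chain's final REJECT, then iptables.custom.after.
# Assumption: the base file ends the chain with exactly "-A RH-Firewall-1-INPUT -j REJECT".

# lint_custom FILE: every rule must append to RH-Firewall-1-INPUT and carry a jump
# target (a rule with no -j loads fine but never accepts or drops anything).
lint_custom() {
  grep -v -e '^#' -e '^[[:space:]]*$' "$1" | awk '
    !/^-A RH-Firewall-1-INPUT / { print "wrong chain:  " $0; bad = 1 }
    !/ -j [A-Z]+/               { print "no -j target: " $0; bad = 1 }
    END { exit bad + 0 }'
}

# merge_rules BASE BEFORE CUSTOM AFTER: print the merged iptables file to stdout.
merge_rules() {
  if [ -s "$2" ]; then cat "$2"; fi
  awk -v custom="$3" '
    /^-A RH-Firewall-1-INPUT -j REJECT$/ && !done {
      print "# Custom rules added from iptables.custom"
      while ((getline line < custom) > 0)
        if (line !~ /^#/ && line != "") print line
      print "# End custom rules added from iptables.custom"
      done = 1
    }
    { print }' "$1"
  if [ -s "$4" ]; then cat "$4"; fi
}

# write_samples DIR: constructed sample inputs that mirror the page's layout.
write_samples() {
  mkdir -p "$1"
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':RH-Firewall-1-INPUT - [0:0]' \
    '-A INPUT -j RH-Firewall-1-INPUT' '-A RH-Firewall-1-INPUT -i lo -j ACCEPT' \
    '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
    '-A RH-Firewall-1-INPUT -j REJECT' 'COMMIT' > "$1/iptables"
  printf '%s\n' '# constructed: allow TCP 1234 from anywhere' \
    '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1234 -j ACCEPT' \
    > "$1/iptables.custom"
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' \
    '-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443' 'COMMIT' \
    > "$1/iptables.custom.before"
  : > "$1/iptables.custom.after"   # empty: nothing is appended after *filter
}

# preview DIR: lint first, then print what the next Puppet run would install.
preview() {
  lint_custom "$1/iptables.custom" || return 1
  merge_rules "$1/iptables" "$1/iptables.custom.before" "$1/iptables.custom" "$1/iptables.custom.after"
}
```

Source the file, run `write_samples /tmp/fwdemo` and `preview /tmp/fwdemo` to see the merged file; point `preview` at a copy of the real /etc/sysconfig files to check a customer ruleset before Puppet applies it.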