
Firewalld Configuration - atmail 7

Dominic -

PROBLEM

How do I use firewalld?

ENVIRONMENT

  • on-premises server + webmail installations: Version 7.8+

CAUSE
Configure firewalld for mail-server functionality.

RESOLUTION

This document is divided into the following sections: Mailserver Configuration, Getting familiar with firewalld, and Further Configuration.

Mailserver Configuration

Check if firewalld is enabled and started

[root@a8 services]# systemctl is-enabled firewalld
disabled
[root@a8 services]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@a8 services]# systemctl start firewalld
[root@a8 services]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2017-06-27 16:53:32 AEST; 5s ago

List allowed services

[root@a8 ~]# firewall-cmd --list-service
dhcpv6-client ssh

Add the required services: HTTPS, SMTP, IMAP, POP3, DAV and DHCP (DHCP may be required in a testing environment).

[root@a8 ~]# firewall-cmd --zone=public --add-service=smtp --add-service=smtps --add-service=imap --add-service=imaps --add-service=pop3 --add-service=pop3s --add-service=https --add-service=dhcp --permanent
success
[root@a8 ~]# firewall-cmd --zone=public --add-port=587/tcp --add-port=8443/tcp --permanent
success

Reload firewalld

[root@a8 ~]# firewall-cmd --reload
success

List the allowed services and ports, and confirm that the additions made above are present.

[root@a8 ~]# firewall-cmd --list-all | grep 'services\|ports' | head -n 2
services: dhcpv6-client https imap imaps pop3 pop3s smtp smtps ssh
ports: 8443/tcp 587/tcp

A simple bash script containing the above default settings can be found here.
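As an added example (not atmail's own script), the following bash script applies the services and ports listed above to the public zone, reloads firewalld and then verifies from the `firewall-cmd --list-all` output that every required entry is present. The zone name, variable names and the `APPLY=1` guard are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not atmail's script): apply the mail-server firewalld rules
# from this article and verify they are present afterwards.
set -euo pipefail

ZONE=public
# Services and ports the article opens for atmail 7 (dhcp is left out; add it only for testing)
REQUIRED_SERVICES="smtp smtps imap imaps pop3 pop3s https"
REQUIRED_PORTS="587/tcp 8443/tcp"

# Print the space-separated value of one field (e.g. "services", "ports")
# from `firewall-cmd --list-all` output given on stdin.
list_field() {
    # $1 = field name; anchoring at line start keeps "sourceports:" from matching "ports"
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Given `firewall-cmd --list-all` output on stdin, print every required
# service or port that is NOT present, one per line. Returns 1 if any are missing.
missing_entries() {
    local listing services ports item missing=0
    listing=$(cat)
    services=" $(printf '%s\n' "$listing" | list_field services) "
    ports=" $(printf '%s\n' "$listing" | list_field ports) "
    for item in $REQUIRED_SERVICES; do
        case "$services" in *" $item "*) ;; *) echo "service $item"; missing=1 ;; esac
    done
    for item in $REQUIRED_PORTS; do
        case "$ports" in *" $item "*) ;; *) echo "port $item"; missing=1 ;; esac
    done
    return $missing
}

# Add the permanent rules, reload so they take effect, then verify the live zone.
apply_mail_rules() {
    local svc port
    for svc in $REQUIRED_SERVICES; do
        firewall-cmd --zone="$ZONE" --add-service="$svc" --permanent >/dev/null
    done
    for port in $REQUIRED_PORTS; do
        firewall-cmd --zone="$ZONE" --add-port="$port" --permanent >/dev/null
    done
    firewall-cmd --reload >/dev/null
    firewall-cmd --zone="$ZONE" --list-all | missing_entries
}

# Only touch the live firewall when explicitly asked: APPLY=1 ./mail-firewall.sh
if [ "${APPLY:-0}" = 1 ]; then
    apply_mail_rules && echo "all mail-server rules present"
fi
```

Run it as root with `APPLY=1`; any missing service or port is printed and the script exits non-zero, which makes it usable as a post-deployment check.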

Getting familiar with firewalld

Firewalld is based around the concept of zones. Each zone can be assigned a level of trust, which allows the firewall to change dynamically. Although server installations commonly reside in the same network for their whole life, understanding these core concepts eases configuration and administration of firewalld.

Before configuring any additional rules, it's important to know:

  • default zone
  • active zone
  • summary of zone
[root@a8 ~]# firewall-cmd --get-default-zone
public
[root@a8 ~]# firewall-cmd --get-active-zones
public
interfaces: enp0s3
[root@a8 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: dhcp dhcpv6-client https imap imaps pop3 pop3s smtp smtps ssh
ports: 8443/tcp 587/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

Available services can be listed and added as shown below. Remember to pass the --permanent flag so the rule survives a reload or restart of the service; a permanent rule only takes effect in the running firewall after firewall-cmd --reload. Ports can be added in the same fashion and must be given as port/protocol.

[root@a8 ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula ...
[root@a8 ~]# firewall-cmd --add-service=telnet --permanent
success
[root@a8 ~]# firewall-cmd --add-port=53/udp --permanent
success

Services and ports can be removed from zones using the following:

[root@a8 ~]# firewall-cmd --zone=public --remove-service=telnet --permanent
success
[root@a8 ~]# firewall-cmd --zone=public --remove-port=53/udp --permanent
success

Further Configuration

Firewalld also comes with a built-in panic mode. When enabled, panic mode drops all incoming and outgoing packets and terminates all active connections. This may be useful if your service is under attack. Note that this includes your own SSH session, so only enable it when you have console access to the host.

To query panic mode:

[root@a8 services]# firewall-cmd --query-panic
no

To turn ON panic mode:

[root@a8 services]# firewall-cmd --panic-on
success

To turn OFF panic mode:

[root@a8 services]# firewall-cmd --panic-off
success

ICMP blocks can be added to zones. To see the available ICMP types:

[root@a8 services]# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem ...

To query whether an ICMP block is present, add it, and then confirm:

[root@a8 services]# firewall-cmd --zone=public --query-icmp-block=echo-reply
no
[root@a8 services]# firewall-cmd --zone=public --add-icmp-block=echo-reply --permanent
success
[root@a8 services]# firewall-cmd --list-all | grep "icmp-blocks"
icmp-blocks: echo-reply

Access for specific IP addresses can be managed using rich rules. Below, we add a rule accepting traffic from 192.168.0.254, check its presence, then remove it. The rule is added without --permanent, so it applies to the runtime configuration only and is lost on reload.

[root@a8 services]# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
success
[root@a8 services]# firewall-cmd --zone=public --list-all | grep "rule"
rich rules:
rule family="ipv4" source address="192.168.0.254" accept
[root@a8 services]# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.254" accept'
success

For troubleshooting, logs can be located in /var/log/firewalld.

For further information, the official documentation for firewalld can be found here.
