Howto::Firewall

From Computer Science Wiki

Overview

Using a firewall to limit services to the VT campus is a quick and easy way to protect your services and server from being compromised. The service can still be reached from outside campus through VT's VPN service. These instructions show you how to protect a service running on TCP port 3306; change the port number to protect other services.

There are different firewall programs available on different Operating Systems. Make sure you follow the instructions for the specific firewall running on your operating system.

Campus IP Ranges

To restrict access to the VT main campus IP ranges, use these:

  • IP: 172.16.0.0 Subnet: 255.240.0.0
  • IP: 128.173.0.0 Subnet: 255.255.0.0
  • IP: 198.82.0.0 Subnet: 255.255.0.0
  • IP: 45.3.120.0 Subnet: 255.255.248.0 (This is an additional block of IPs added for VPN users on March 17th, 2020)

Windows 10

The primary firewall option for Windows is the Windows Defender Firewall.

Windows Defender Firewall

Locating Windows Defender Firewall

  • This can be located by typing Windows Defender Firewall into the search bar, or through Control Panel -> System and Security -> Windows Defender Firewall

Enabling Windows Defender Firewall

  • Windows Defender Firewall is on by default, unless you install another endpoint management tool such as Symantec or McAfee.
  • The default protection is to block all connections to apps that are not on the list of allowed apps.
  • Whenever Windows encounters an app not on the list, it prompts the user to allow or disallow the connection and to specify the zones in which it is allowed. You can change this setting by clicking Allow an App or Feature through Windows Defender Firewall in the left side panel.

Using Windows Defender Firewall

  • Windows Defender Firewall uses 3 different zones to manage your firewall preferences: Domain, Private, and Guest/Public Networks. You can check which one is currently active by looking at each for Active Networks. Whichever zone has your active network is the one you need to use when setting up your default firewall. If you use public networks often, you can also look at restricting access even further for those.
  • More advanced rules can be specified by clicking on Advanced settings in the left pane.

MacOS

https://support.apple.com/en-us/HT201642

Linux

firewalld

As of RedHat/CentOS 7, firewalld is the default firewall program. firewalld uses "zones" to separate traffic. We will create a new "campus" zone that you can use to limit services to just Campus/VPN.

Create new zone

  • sudo firewall-cmd --new-zone=campus --permanent
  • sudo firewall-cmd --reload

Set the source ranges

  • sudo firewall-cmd --zone=campus --add-source=128.173.0.0/16 --permanent
  • sudo firewall-cmd --zone=campus --add-source=198.82.0.0/16 --permanent
  • sudo firewall-cmd --zone=campus --add-source=172.16.0.0/12 --permanent
  • sudo firewall-cmd --zone=campus --add-source=45.3.64.0/18 --permanent
  • sudo firewall-cmd --zone=campus --add-source=2001:468:c80::/48 --permanent
  • sudo firewall-cmd --zone=campus --add-source=2607:b400::/40 --permanent
  • Check https://4help.vt.edu/sp?id=kb_article&sys_id=16eadd6f0fe6a640ee5a0bcce1050e77 for the most up-to-date source IP list

Add the service(s)

  • sudo firewall-cmd --zone=campus --add-port=3306/tcp --permanent
  • Add additional ports as needed by repeating the command with a different port number

Check your rules

  • sudo firewall-cmd --zone=campus --list-all
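As an added example (not from this wiki page), the following POSIX shell script converts the netmask-style ranges listed under Campus IP Ranges into the CIDR form that firewall-cmd --add-source takes, and prints the resulting firewall-cmd sequence for review instead of running it. The range list, the IPv6 prefix and port 3306 are taken from this page; the function names are my own.

```shell
#!/bin/sh
# Added example (not the wiki's): netmask pairs -> CIDR -> firewall-cmd lines.
# Constructed input: the page's IPv4 ranges in "IP Subnet" form plus one IPv6
# prefix from the firewalld section, which is already in CIDR form.
CAMPUS_RANGES='172.16.0.0 255.240.0.0
128.173.0.0 255.255.0.0
198.82.0.0 255.255.0.0
45.3.120.0 255.255.248.0
2001:468:c80::/48'
# mask_to_prefix 255.240.0.0 -> 12; returns 1 if a 1 bit follows a 0 bit
# (a non-contiguous mask has no valid prefix length).
mask_to_prefix() {
    prefix=0; seen_zero=0
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        bit=128
        while [ "$bit" -gt 0 ]; do
            if [ $((octet & bit)) -ne 0 ]; then
                [ "$seen_zero" -eq 1 ] && { IFS=$old_ifs; return 1; }
                prefix=$((prefix + 1))
            else
                seen_zero=1
            fi
            bit=$((bit / 2))
        done
    done
    IFS=$old_ifs
    echo "$prefix"
}
# to_cidr 172.16.0.0 255.240.0.0 -> 172.16.0.0/12; a bare CIDR passes through.
to_cidr() {
    [ -z "$2" ] && { echo "$1"; return 0; }
    p=$(mask_to_prefix "$2") || return 1
    echo "$1/$p"
}
# Print (do not run) the firewall-cmd sequence for zone "campus" and port $1/tcp.
campus_zone_commands() {
    echo "firewall-cmd --new-zone=campus --permanent"
    while read -r net mask; do
        cidr=$(to_cidr "$net" "$mask") || { echo "bad mask: $mask" >&2; return 1; }
        echo "firewall-cmd --zone=campus --add-source=$cidr --permanent"
    done <<EOF
$CAMPUS_RANGES
EOF
    echo "firewall-cmd --zone=campus --add-port=$1/tcp --permanent"
    echo "firewall-cmd --reload"
}
campus_zone_commands 3306
```

The script only prints the commands, so you can compare the generated prefixes with the ones in the firewalld section above before running them with sudo.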