Howto::Firewall: Difference between revisions

From Computer Science Wiki
Miket (talk | contribs)
Revision as of 12:35, 16 August 2021

Overview

Using a firewall to limit services to VT Campus is a quick and easy way to protect your services and server from getting hacked. The service can still be accessed from outside Campus by using VT's VPN service. These instructions show you how to protect a service running on TCP port 3306; you can change the port number to protect other services.

There are different firewall programs available on different operating systems. Make sure you follow the instructions for the specific firewall running on your operating system.

Windows

MacOS

Linux

firewalld

As of RedHat/CentOS 7, firewalld is the default firewall program. firewalld uses "zones" to separate traffic. We will create a new "campus" zone that you can use to limit services to just Campus/VPN.

Create new zone

  • sudo firewall-cmd --new-zone=campus --permanent
  • sudo firewall-cmd --reload

Set the source ranges

  • sudo firewall-cmd --zone=campus --add-source=128.173.0.0/16 --permanent
  • sudo firewall-cmd --zone=campus --add-source=198.82.0.0/16 --permanent
  • sudo firewall-cmd --zone=campus --add-source=172.16.0.0/12 --permanent
  • sudo firewall-cmd --zone=campus --add-source=45.3.64.0/18 --permanent
  • sudo firewall-cmd --zone=campus --add-source=2001:468:c80::/48 --permanent
  • sudo firewall-cmd --zone=campus --add-source=2607:b400::/40 --permanent
  • Check https://4help.vt.edu/sp?id=kb_article&sys_id=16eadd6f0fe6a640ee5a0bcce1050e77 for the most up-to-date source IP list

Add the service(s)

  • sudo firewall-cmd --zone=campus --add-port=3306/tcp --permanent
  • Add additional ports as needed by changing the port number

Check your rules

  • sudo firewall-cmd --zone=campus --list-all
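The four steps above as one script, an added example that is not part of the wiki page: build_cmds prints the firewall-cmd invocations (with a final --reload, since --permanent changes are not live until then) and check_zone_output verifies --list-all output against the expected ranges and port. The zone name, ranges and port are the page's; the helper names and the sample outputs are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki page's code: the firewalld steps above as one reviewable
# script. Zone, sources and port come from the page; the helpers and samples are assumptions.
set -eu

ZONE=campus
PORTS="3306/tcp"
# Ranges as listed above; the 4help KB article is the authoritative list.
SOURCES="128.173.0.0/16 198.82.0.0/16 172.16.0.0/12 45.3.64.0/18 2001:468:c80::/48 2607:b400::/40"

# Print the firewall-cmd invocations, one per line, without running them. A final
# --reload is added: --permanent changes are not live (and not in --list-all) until then.
build_cmds() {
  printf 'firewall-cmd --new-zone=%s --permanent\n' "$ZONE"
  printf 'firewall-cmd --reload\n'
  for s in $SOURCES; do
    printf 'firewall-cmd --zone=%s --add-source=%s --permanent\n' "$ZONE" "$s"
  done
  for p in $PORTS; do
    printf 'firewall-cmd --zone=%s --add-port=%s --permanent\n' "$ZONE" "$p"
  done
  printf 'firewall-cmd --reload\n'
}

# Read `firewall-cmd --zone=campus --list-all` output on stdin; return 0 only if the
# zone is active and lists every expected source range and port.
check_zone_output() {
  local out sources ports s p
  out=$(cat)
  printf '%s\n' "$out" | head -n1 | grep -q '(active)' || return 1
  sources=$(printf '%s\n' "$out" | sed -n 's/^ *sources: *//p')
  ports=$(printf '%s\n' "$out" | sed -n 's/^ *ports: *//p')
  for s in $SOURCES; do
    case " $sources " in *" $s "*) ;; *) return 1 ;; esac
  done
  for p in $PORTS; do
    case " $ports " in *" $p "*) ;; *) return 1 ;; esac
  done
  return 0
}

# Constructed --list-all output for a correct zone, and for one whose permanent
# changes were never reloaded (the state the page's check command would show).
SAMPLE_OK='campus (active)
  sources: 128.173.0.0/16 198.82.0.0/16 172.16.0.0/12 45.3.64.0/18 2001:468:c80::/48 2607:b400::/40
  ports: 3306/tcp'
SAMPLE_STALE='campus
  sources: 
  ports: '
# Apply on the host with: build_cmds | sudo sh -e
```

The page's check command lists the runtime configuration, so without a reload after the --permanent changes it shows the campus zone with empty sources and ports and no "(active)" marker.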