Howto::Firewall: Difference between revisions
Line 8: | Line 8: | ||
=Linux= | =Linux= | ||
= firewalld = | == firewalld == | ||
As of RedHat/CentOS 7, firewalld is the default firewall program. firewalld uses "zones" to separate traffic. We will create a new "campus" zone that you can use to limit services to just Campus/VPN. | As of RedHat/CentOS 7, firewalld is the default firewall program. firewalld uses "zones" to separate traffic. We will create a new "campus" zone that you can use to limit services to just Campus/VPN. | ||
== Create new zone == | === Create new zone === | ||
* <code>sudo firewall-cmd --new-zone=campus --permanent</code> | * <code>sudo firewall-cmd --new-zone=campus --permanent</code> | ||
* <code>sudo firewall-cmd --reload</code> | * <code>sudo firewall-cmd --reload</code> | ||
== Set the source ranges == | === Set the source ranges === | ||
* <code>sudo firewall-cmd --zone=campus --add-source=128.173.0.0/16 --permanent</code> | * <code>sudo firewall-cmd --zone=campus --add-source=128.173.0.0/16 --permanent</code> | ||
* <code>sudo firewall-cmd --zone=campus --add-source=198.82.0.0/16 --permanent</code> | * <code>sudo firewall-cmd --zone=campus --add-source=198.82.0.0/16 --permanent</code> | ||
Line 24: | Line 24: | ||
* Check https://4help.vt.edu/sp?id=kb_article&sys_id=16eadd6f0fe6a640ee5a0bcce1050e77 for the most up to date source IP list | * Check https://4help.vt.edu/sp?id=kb_article&sys_id=16eadd6f0fe6a640ee5a0bcce1050e77 for the most up to date source IP list | ||
== Add the service(s) == | === Add the service(s) === | ||
* <code>sudo firewall-cmd --zone=campus --add-port=3306/tcp --permanent</code> | * <code>sudo firewall-cmd --zone=campus --add-port=3306/tcp --permanent</code> | ||
* You add additional ports as needed, just change the port number | * You add additional ports as needed, just change the port number | ||
== Check your rules == | === Check your rules === | ||
* <code>sudo firewall-cmd --zone=campus --list-all</code> | * <code>sudo firewall-cmd --zone=campus --list-all</code> |
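Review bot: The "Check your rules" step at the end of this hunk runs --list-all without --permanent, and there is no --reload after the --add-port=3306/tcp --permanent line above it, so the check reports the running configuration, which does not yet contain the port that was just added. Suggest adding "sudo firewall-cmd --reload" as the last item under "Add the service(s)", or checking with "--permanent --list-all". Separately, "You add additional ports as needed" reads better as "You can add additional ports as needed".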
Revision as of 12:35, 16 August 2021
Overview
Using a firewall to limit services to VT Campus is a quick and easy way to protect your services and server from getting hacked. The service can still be accessed from outside Campus by using VT's VPN service. These instructions show you how to protect a service running on TCP port 3306; you can change the port number to protect other services.
There are different firewall programs available on different Operating Systems. Make sure you follow the instructions for the specific firewall running on your operating system.
Windows
MacOS
Linux
firewalld
As of RedHat/CentOS 7, firewalld is the default firewall program. firewalld uses "zones" to separate traffic. We will create a new "campus" zone that you can use to limit services to just Campus/VPN.
Create new zone
sudo firewall-cmd --new-zone=campus --permanent
sudo firewall-cmd --reload
Set the source ranges
sudo firewall-cmd --zone=campus --add-source=128.173.0.0/16 --permanent
sudo firewall-cmd --zone=campus --add-source=198.82.0.0/16 --permanent
sudo firewall-cmd --zone=campus --add-source=172.16.0.0/12 --permanent
sudo firewall-cmd --zone=campus --add-source=45.3.64.0/18 --permanent
sudo firewall-cmd --zone=campus --add-source=2001:468:c80::/48 --permanent
sudo firewall-cmd --zone=campus --add-source=2607:b400::/40 --permanent
- Check https://4help.vt.edu/sp?id=kb_article&sys_id=16eadd6f0fe6a640ee5a0bcce1050e77 for the most up-to-date source IP list
Add the service(s)
sudo firewall-cmd --zone=campus --add-port=3306/tcp --permanent
- You can add additional ports as needed; just change the port number
Check your rules
sudo firewall-cmd --zone=campus --list-all
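
The steps above collected into one script, as an added example that is not part of the original page. It goes one step further by reloading after the last --permanent change and querying the running configuration, because --permanent edits only the saved configuration; the function names and the DRY_RUN and CAMPUS_PORT variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example: the campus-zone steps from this page as one script.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them as root.
DRY_RUN="${DRY_RUN:-1}"
ZONE="campus"   # zone name used on this page
# Source ranges as listed on this page; re-check the 4help article before use.
SOURCES="128.173.0.0/16 198.82.0.0/16 172.16.0.0/12 45.3.64.0/18
2001:468:c80::/48 2607:b400::/40"

fw() {  # hypothetical wrapper: print or execute one firewall-cmd call
    if [ "$DRY_RUN" = "1" ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

valid_port() {  # accept only N/tcp or N/udp with 1 <= N <= 65535
    num="${1%/*}"; proto="${1#*/}"
    case "$num" in ''|*[!0-9]*) return 1 ;; esac
    [ "$num" -ge 1 ] 2>/dev/null && [ "$num" -le 65535 ] || return 1
    [ "$proto" = "tcp" ] || [ "$proto" = "udp" ]
}

zone_exists() {  # only meaningful when really talking to firewalld
    [ "$DRY_RUN" != "1" ] &&
        firewall-cmd --permanent --get-zones | tr ' ' '\n' | grep -qx "$ZONE"
}

apply_campus_zone() {
    port="$1"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    if ! zone_exists; then
        fw --permanent --new-zone="$ZONE" || return 1
        fw --reload || return 1
    fi
    for src in $SOURCES; do
        fw --permanent --zone="$ZONE" --add-source="$src" || return 1
    done
    fw --permanent --zone="$ZONE" --add-port="$port" || return 1
    # --permanent edits only the saved config; reload to make it the live ruleset.
    fw --reload
}

verify_runtime() {  # without --permanent this queries the running config
    fw --zone="$ZONE" --query-port="$1"
}

apply_campus_zone "${CAMPUS_PORT:-3306/tcp}" && verify_runtime "${CAMPUS_PORT:-3306/tcp}"
```

Run it once with the default DRY_RUN=1 to review the command list, then as root with DRY_RUN=0 to apply it.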