Howto::Firewall
Overview
Using a firewall to limit services to the VT campus network is a quick and easy way to protect your services and server from being compromised. The service remains reachable from off campus through VT's VPN service. These instructions show how to protect a service running on TCP port 3306; change the port number to protect other services.
Different operating systems ship different firewall programs. Make sure you follow the instructions for the firewall running on your operating system.
Windows 10
The primary firewall option for Windows is the Windows Defender Firewall.
Windows Defender Firewall
- It can be opened by typing Windows Defender Firewall into the search bar, or through Control Panel -> System and Security -> Windows Defender Firewall.
- Windows Defender Firewall uses three different zones to manage your firewall preferences: Domain, Private, and Guest/Public networks. You can check which one is currently active by looking for Active Networks under each of them. Whichever zone contains your active network is the one you need to use when setting up your default firewall. If you use public networks often, you can also look at restricting access even further for those.
- Windows Defender Firewall is on by default unless you install another endpoint management tool such as Symantec or McAfee. The default protection blocks all connections to apps that are not on the list of allowed apps. Whenever Windows encounters an app not on the list, it prompts the user to allow or disallow the connection and to specify the zones in which it is allowed. You can change this setting by clicking Allow an app or feature through Windows Defender Firewall in the left side panel.
- More advanced rules can be specified by clicking Advanced settings in the left pane.
MacOS
Linux
firewalld
As of RedHat/CentOS 7, firewalld is the default firewall program. firewalld uses "zones" to separate traffic. We will create a new "campus" zone that you can use to limit services to campus and VPN addresses only.
Create new zone
sudo firewall-cmd --new-zone=campus --permanent
sudo firewall-cmd --reload
Set the source ranges
sudo firewall-cmd --zone=campus --add-source=128.173.0.0/16 --permanent
sudo firewall-cmd --zone=campus --add-source=198.82.0.0/16 --permanent
sudo firewall-cmd --zone=campus --add-source=172.16.0.0/12 --permanent
sudo firewall-cmd --zone=campus --add-source=45.3.64.0/18 --permanent
sudo firewall-cmd --zone=campus --add-source=2001:468:c80::/48 --permanent
sudo firewall-cmd --zone=campus --add-source=2607:b400::/40 --permanent
- Check https://4help.vt.edu/sp?id=kb_article&sys_id=16eadd6f0fe6a640ee5a0bcce1050e77 for the most up-to-date list of source IP ranges.
Add the service(s)
sudo firewall-cmd --zone=campus --add-port=3306/tcp --permanent
- Add additional ports as needed by repeating the command with a different port number.
Check your rules
sudo firewall-cmd --zone=campus --list-all
- The --permanent changes above are not active until you run sudo firewall-cmd --reload again, so reload before checking; --list-all without --permanent shows the running configuration (add --permanent to inspect the saved one instead).
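The zone-building steps above, as an added example that is not part of the original howto: a POSIX shell script that generates the firewall-cmd calls from the source list and port given above, and then checks two --list-all listings to confirm the port is open in the campus zone and not also open in the default zone. The ZONE variable, the function names and the sample listings are assumptions of this example (the listings are constructed in the shape of firewall-cmd output, not captured from a real host).

```shell
#!/bin/sh
# Added example, not part of the original howto: generate the firewall-cmd
# calls for the "campus" zone from a list of sources and ports, and verify the
# resulting zone listings. The source ranges and 3306/tcp come from the howto;
# ZONE, the function names and the sample listings are assumptions.

ZONE=campus
SOURCES="128.173.0.0/16 198.82.0.0/16 172.16.0.0/12 45.3.64.0/18 2001:468:c80::/48 2607:b400::/40"
PORTS="3306/tcp"

# Print the firewall-cmd invocations, one per line, so the plan can be
# reviewed before anything is changed on the host.
campus_zone_commands() {
    echo "firewall-cmd --permanent --new-zone=$ZONE"
    for src in $SOURCES; do
        echo "firewall-cmd --permanent --zone=$ZONE --add-source=$src"
    done
    for port in $PORTS; do
        echo "firewall-cmd --permanent --zone=$ZONE --add-port=$port"
    done
    # --permanent changes are not live until the daemon reloads its config.
    echo "firewall-cmd --reload"
}

# Run the generated plan as root (defined only; not executed in this file).
apply_campus_zone() {
    campus_zone_commands | while read -r cmd; do sudo $cmd || exit 1; done
}

# Given the text of "firewall-cmd --zone=NAME --list-all", return 0 if VALUE
# appears on the line whose first field is LABEL ("ports:" or "sources:").
zone_lists() {
    label="$1"; value="$2"; listing="$3"
    printf '%s\n' "$listing" | awk -v l="$label" -v v="$value" '
        $1 == l { for (i = 2; i <= NF; i++) if ($i == v) found = 1 }
        END { exit found ? 0 : 1 }'
}
zone_has_port()   { zone_lists "ports:"   "$2" "$1"; }
zone_has_source() { zone_lists "sources:" "$2" "$1"; }

# The restriction is only effective if the port is open in the campus zone and
# NOT also open in the default zone, which handles every other source address.
# Returns 0 when both hold, 1 otherwise.
verify_restriction() {
    campus_listing="$1"; default_listing="$2"; port="$3"
    if ! zone_has_port "$campus_listing" "$port"; then
        echo "$port is not open in zone $ZONE"
        return 1
    fi
    if zone_has_port "$default_listing" "$port"; then
        echo "$port is also open in the default zone, so it is reachable from anywhere"
        return 1
    fi
    return 0
}

# Constructed sample listings in the shape of "firewall-cmd --list-all" output.
SAMPLE_CAMPUS='campus (active)
  target: default
  interfaces:
  sources: 128.173.0.0/16 198.82.0.0/16 172.16.0.0/12 45.3.64.0/18 2001:468:c80::/48 2607:b400::/40
  services:
  ports: 3306/tcp
  rich rules:'

# Default zone as it should look: only what the interface needs, no 3306.
SAMPLE_PUBLIC_OK='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  rich rules:'

# Default zone with the port also opened there, which defeats the restriction.
SAMPLE_PUBLIC_BAD='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 3306/tcp
  rich rules:'

# Stand-alone run: print the plan, then check the constructed listings.
# On a real host replace the samples with "$(firewall-cmd --zone=campus --list-all)"
# and "$(firewall-cmd --list-all)".
campus_zone_commands
verify_restriction "$SAMPLE_CAMPUS" "$SAMPLE_PUBLIC_OK"  3306/tcp && echo "OK: 3306/tcp restricted to zone $ZONE"
verify_restriction "$SAMPLE_CAMPUS" "$SAMPLE_PUBLIC_BAD" 3306/tcp || echo "check failed as expected for the bad default zone"
```

One point worth keeping in mind on a real host: firewalld assigns a connection to a zone by its source address before falling back to the interface's zone, so every connection from the ranges above is handled by the campus zone. Any other service you also need to reach from campus (ssh, for example) must be added to the campus zone as well, or it will be rejected there even though the default zone allows it. The verify_restriction check covers the opposite mistake, a port left open in the default zone, which would make the campus-only restriction ineffective.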