Chapter 4. Hardening Your System with Tools and Services
4.5. Using Firewalls
4.5.16. Firewall Lockdown
Local applications or services are able to change the firewall configuration if they are running as root (for example, libvirt). With this feature, the administrator can lock the firewall configuration so that either no applications, or only applications that are added to the lockdown whitelist, are able to request firewall changes. The lockdown settings default to disabled. If enabled, the user can be sure that there are no unwanted configuration changes made to the firewall by local applications or services.
4.5.16.1. Configuring Firewall Lockdown
Using an editor running as root, add the following line to the /etc/firewalld/firewalld.conf file as follows:
Lockdown=yes
Reload the firewall using the following command as root:
~]# firewall-cmd --reload
Try to enable the service imaps in the default zone using the following command as an administrative user, that is to say, a user in group wheel (usually the first user on the system). You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
Error: ACCESS_DENIED: lockdown is enabled
To enable the use of firewall-cmd, issue the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/firewall-cmd*'
Add the --permanent option if you want to make it persistent.
Reload the firewall as root:
~]# firewall-cmd --reload
Try to enable the imaps service again in the default zone by entering the following command as an administrative user. You will be prompted for the user password:
~]$ firewall-cmd --add-service=imaps
This time the command succeeds.
4.5.16.2. Configure Lockdown with the Command Line Client
To query whether lockdown is enabled, enter the following command as root:
~]# firewall-cmd --query-lockdown
Prints yes with exit status 0 if lockdown is enabled, prints no with exit status 1 otherwise. To enable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-on
To disable lockdown, enter the following command as root:
~]# firewall-cmd --lockdown-off
4.5.16.3. Configure Lockdown Whitelist Options with the Command Line
The lockdown whitelist can contain commands, security contexts, users and user IDs. If a command entry on the whitelist ends with an asterisk “*”, then all command lines starting with that command will match. If the “*” is not there, then the absolute command including arguments must match.
The context is the security (SELinux) context of a running application or service. To get the context of a running application, use the following command:
~]$ ps -e --context
That command returns all running applications. Pipe the output through the grep tool to get the application of interest. For example:
~]$ ps -e --context | grep example_program
To list all command lines that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-commands
To add a command command to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To remove a command command from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
To query whether the command command is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-command='/usr/bin/python -Es /usr/bin/command'
Prints yes with exit status 0 if true, prints no with exit status 1 otherwise.
To list all security contexts that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-contexts
To add a context context to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To remove a context context from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-context=context
Add the --permanent option to make it persistent.
To query whether the context context is on the whitelist, enter the following command as root:
~]# firewall-cmd --query-lockdown-whitelist-context=context
Prints yes with exit status 0 if true, prints no with exit status 1 otherwise.
To list all user IDs that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-uids
To add a user ID uid to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To remove a user ID uid from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-uid=uid
Add the --permanent option to make it persistent.
To query whether the user ID uid is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-uid=uid
Prints yes with exit status 0 if true, prints no with exit status 1 otherwise.
To list all user names that are on the whitelist, enter the following command as root:
~]# firewall-cmd --list-lockdown-whitelist-users
To add a user name user to the whitelist, enter the following command as root:
~]# firewall-cmd --add-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To remove a user name user from the whitelist, enter the following command as root:
~]# firewall-cmd --remove-lockdown-whitelist-user=user
Add the --permanent option to make it persistent.
To query whether the user name user is on the whitelist, enter the following command:
~]$ firewall-cmd --query-lockdown-whitelist-user=user
Prints yes with exit status 0 if true, prints no with exit status 1 otherwise.
4.5.16.4. Configure Lockdown Whitelist Options with Configuration Files
The default whitelist configuration file contains the NetworkManager context and the default context of libvirt. Also the user ID 0 is in the list.
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
<selinux context="system_u:system_r:NetworkManager_t:s0"/>
<selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
<user id="0"/>
</whitelist>
Here follows an example whitelist configuration file enabling all commands for the firewall-cmd utility, for a user called user whose user ID is 815:
<?xml version="1.0" encoding="utf-8"?>
<whitelist>
<command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
<selinux context="system_u:system_r:NetworkManager_t:s0"/>
<user id="815"/>
<user name="user"/>
</whitelist>
In this example we have shown both user id and user name, but only one is required.
Python is the interpreter and therefore prepended to the command line. You can also use a very specific command, for example:
/usr/bin/python /bin/firewall-cmd --lockdown-on
In that example only the --lockdown-on command will be allowed.
Note
In Red Hat Enterprise Linux 7, all utilities are now placed in /usr/bin/ and the /bin/ directory is sym-linked to the /usr/bin/ directory. In other words, although the path for firewall-cmd when run as root might resolve to /bin/firewall-cmd, /usr/bin/firewall-cmd can now be used. All new scripts should use the new location, but be aware that if scripts that run as root have been written to use the /bin/firewall-cmd path, then that command path must be whitelisted in addition to the /usr/bin/firewall-cmd path traditionally used only for non-root users.
The “*” at the end of the name attribute of a command means that all commands that start with this string will match. If the “*” is not there, then the absolute command including arguments must match.
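The following is an added example, not part of the guide or of firewalld itself: a small parser for the whitelist XML format shown above, plus the command-matching rule the text describes (a trailing "*" matches every command line that starts with the entry; without it the absolute command line including arguments must match exactly). It assumes that a requester is permitted when any one whitelisted attribute (command line, SELinux context, uid or user name) matches, and uses the page's second whitelist as constructed sample input so that the /bin versus /usr/bin caveat from the Note can be checked offline.

```python
"""Check command lines and caller attributes against a firewalld-style lockdown whitelist."""
import xml.etree.ElementTree as ET

# Constructed sample: the second whitelist example from the guide (not a live system file).
WHITELIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python -Es /bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
  <user id="815"/>
  <user name="user"/>
</whitelist>
"""


def parse_whitelist(xml_text):
    """Return the four entry kinds, keyed like the --list-lockdown-whitelist-* options."""
    root = ET.fromstring(xml_text)
    entries = {"commands": set(), "contexts": set(), "uids": set(), "users": set()}
    for el in root:
        if el.tag == "command":
            entries["commands"].add(el.get("name"))
        elif el.tag == "selinux":
            entries["contexts"].add(el.get("context"))
        elif el.tag == "user":
            # A <user> element may carry an id, a name, or both; only one is required.
            if el.get("id") is not None:
                entries["uids"].add(int(el.get("id")))
            if el.get("name") is not None:
                entries["users"].add(el.get("name"))
    return entries


def command_matches(entry, cmdline):
    """Trailing '*' means prefix match; otherwise the whole command line must match."""
    if entry.endswith("*"):
        return cmdline.startswith(entry[:-1])
    return cmdline == entry


def is_allowed(entries, cmdline=None, context=None, uid=None, user=None):
    """Assumed semantics: any single matching attribute is enough to permit the request."""
    if cmdline is not None and any(command_matches(e, cmdline) for e in entries["commands"]):
        return True
    return context in entries["contexts"] or uid in entries["uids"] or user in entries["users"]


if __name__ == "__main__":
    wl = parse_whitelist(WHITELIST_XML)
    # The whitelisted prefix names /bin/firewall-cmd, so the /usr/bin path does not match.
    for cmd in ("/usr/bin/python -Es /bin/firewall-cmd --add-service=imaps",
                "/usr/bin/python -Es /usr/bin/firewall-cmd --add-service=imaps"):
        print(cmd, "->", "allowed" if is_allowed(wl, cmdline=cmd) else "denied")
```

Running the script shows the first command line allowed and the second denied, which is exactly the case the Note warns about when root-run scripts use one path and the whitelist names the other.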
4.5.17. Additional Resources
The following sources of information provide additional resources regarding firewalld.
4.5.17.1. Installed Documentation
firewalld(1) man page — Describes command options for firewalld.
firewalld.conf(5) man page — Contains information to configure firewalld.
firewall-cmd(1) man page — Describes command options for the firewalld command line client.
firewalld.icmptype(5) man page — Describes XML configuration files for ICMP filtering.
firewalld.service(5) man page — Describes XML configuration files for firewalld service.
firewalld.zone(5) man page — Describes XML configuration files for firewalld zone configuration.
firewalld.direct(5) man page — Describes the firewalld direct interface configuration file.
firewalld.lockdown-whitelist(5) man page — Describes the firewalld lockdown whitelist configuration file.
firewall.richlanguage(5) man page — Describes the firewalld rich language rule syntax.
firewalld.zones(5) man page — General description of what zones are and how to configure them.