firewalld interview questions
Top firewalld frequently asked interview questions
I am running CentOS 7 (firewalld, not iptables) with fail2ban v0.9.3.
How do I clear all bans without doing them one by one?
Source: (StackOverflow)
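A way to clear every ban in one go, as an added example that is not part of the original post: fail2ban 0.9.x has no "unban everything" command, so the script below walks the jails reported by `fail2ban-client status`, reads each jail's "Banned IP list" line, and issues `fail2ban-client set <jail> unbanip <ip>` for each address. The two status outputs embedded below are constructed samples in the 0.9 layout; the jail names in them are made up.

```python
"""Clear every ban in every fail2ban jail through fail2ban-client."""
import re
import subprocess

# Constructed sample of `fail2ban-client status` (0.9.x layout).
SAMPLE_STATUS = """Status
|- Number of jail:\t2
`- Jail list:\tsshd, recidive
"""

# Constructed sample of `fail2ban-client status sshd`.
SAMPLE_JAIL_STATUS = """Status for the jail: sshd
|- Filter
|  |- Currently failed:\t1
|  |- Total failed:\t7
|  `- File list:\t/var/log/secure
`- Actions
   |- Currently banned:\t2
   |- Total banned:\t3
   `- Banned IP list:\t192.0.2.10 198.51.100.7
"""


def parse_jail_list(status_output):
    """Return the jail names from the top-level status text."""
    m = re.search(r'Jail list:[ \t]*(.*)', status_output)
    if not m:
        return []
    return [j.strip() for j in m.group(1).split(',') if j.strip()]


def parse_banned_ips(jail_status_output):
    """Return the addresses on a jail's 'Banned IP list' line."""
    m = re.search(r'Banned IP list:[ \t]*(.*)', jail_status_output)
    return m.group(1).split() if m else []


def _client(*args):
    """Run fail2ban-client and return its stdout (needs access to the
    fail2ban socket, i.e. root)."""
    return subprocess.run(['fail2ban-client', *args], check=True,
                          capture_output=True, text=True).stdout


def unban_all(run=_client):
    """Unban every address in every jail.

    `run` is the function used to talk to fail2ban-client; it is a
    parameter so the logic can be exercised against canned output.
    Returns {jail: [addresses unbanned]}.
    """
    cleared = {}
    for jail in parse_jail_list(run('status')):
        ips = parse_banned_ips(run('status', jail))
        for ip in ips:
            run('set', jail, 'unbanip', ip)
        cleared[jail] = ips
    return cleared


if __name__ == '__main__':
    for jail, ips in unban_all().items():
        print('%s: unbanned %d address(es)' % (jail, len(ips)))
```

Because each `unbanip` goes through the jail's configured action, the matching firewalld rich rule (or ipset entry) is removed as part of the call; check afterwards with `firewall-cmd --list-rich-rules` that nothing is left behind.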
How do I use firewall-cmd to apply an iptables rule?
iptables:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Source: (StackOverflow)
I'm trying to configure firewalld via a SaltStack state file (on CentOS 7). I can add services just fine to the permanent configuration, but that indeed goes into the 'permanent' configuration, not the running one. So, either a reload is needed or (less optimal) the same services must be added to the running configuration too.
What I've used to add the service:
public:
  firewalld.present:
    - name: public
    - services:
      - http
That works, but only for the permanent configuration.
I've tried to add a "watch", but that won't work at all:
firewalld:
  service.running:
    - watch:
      - file: /etc/firewalld/zones/public.xml
Error is:
Comment: The following requisites were not found:
           watch:
               file: /etc/firewalld/zones/public.xml
So, what can be done? How can I instruct a service reload via a state file?
Source: (StackOverflow)
I'm attempting to control firewalld via the Python dbus module.
I'd like to add an ip address to the trusted zone for both my current runtime as well as my permanent configuration.
Here's the documentation for firewalld's dbus interface:
http://manpages.ubuntu.com/manpages/wily/man5/firewalld.dbus.5.html
What works: The runtime configuration
I'm able to add it to the runtime configuration just fine with this:
def trustIP(ip):
    ''' firewalld must already be running '''
    from dbus import SystemBus
    bus = SystemBus()
    runtimeProxy = bus.get_object('org.fedoraproject.FirewallD1',
                                  '/org/fedoraproject/FirewallD1')
    runtimeProxy.addSource('trusted', ip)
Pretty simple.
What doesn't work: The permanent configuration
Adding it to the permanent configuration has proved to be more difficult. Here's what I've tried so far interactively:
>>> from dbus import SystemBus
>>> bus = SystemBus()
# First I need to find out which object is for the trusted zone...
>>> config = bus.get_object('org.fedoraproject.FirewallD1',
...                         '/org/fedoraproject/FirewallD1/config')
>>> config.getZoneByName('trusted')
dbus.ObjectPath('/org/fedoraproject/FirewallD1/config/zone/7')
>>> permanentProxy = bus.get_object('org.fedoraproject.FirewallD1',
...                                 '/org/fedoraproject/FirewallD1/config/zone/7')
# A quick check to make sure I have the right object:
>>> permanentProxy.getShort()
dbus.String(u'Trusted')
# Exactly what I expected, so move on and...
>>> permanentProxy.addSource('aaa.xxx.yyy.zzz') # Actual ip removed...
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Python.dbus.exceptions.DBusException: dbus_to_python() takes exactly 1 argument (2 given)
I also tried checking permanentProxy.getDescription(), which returned the description as it should have, and I tried permanentProxy.setDescription('test'), which failed with the exact same stack trace as permanentProxy.addSource('aaa.xxx.yyy.zzz').
I would jump to the conclusion that the bug lies in the python dbus module and assume it somehow doesn't handle arguments properly, except for the fact that runtimeProxy.addSource('trusted', ip) involved two arguments and works perfectly. config.getZoneByName('trusted') even has the same signature as permanentProxy.addSource('aaa.xxx.yyy.zzz'), exactly one string, and works perfectly.
So maybe there's something weird I'm missing? But I don't know what that would be...
More stuff I tried without success
I considered the possibility that maybe addSource is supposed to be called without the string argument at all and maybe curries somehow or something, so I tried this:
>>> permanentProxy.addSource()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Python.TypeError: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/slip/dbus/service.py", line 123, in reply_handler
    result = method(self, *p, **k)
TypeError: addSource() takes at least 2 arguments (2 given)
This is just even weirder now... I have one Traceback within another traceback insisting that I need to pass in at least 2 arguments, but also saying I gave it two arguments (and I actually only gave it one, so how'd it come up with two anyways?)
A few more things I tried without success:
>>> permanentProxy.addSource(dbus_interface='org.fedoraproject.FirewallD1.config.zone')
ERROR:dbus.connection:Unable to set arguments () according to signature u's': <type 'exceptions.TypeError'>: More items found in D-Bus signature than in Python arguments
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 641, in call_blocking
    message.append(signature=signature, *args)
TypeError: More items found in D-Bus signature than in Python arguments
>>> permanentProxy.addSource('aaa.xxx.yyy.zzz', dbus_interface='org.fedoraproject.FirewallD1.config.zone')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Python.dbus.exceptions.DBusException: dbus_to_python() takes exactly 1 argument (2 given)
>>> from dbus import Interface
>>> Interface(permanentProxy, 'org.fedoraproject.FirewallD1.config.zone').addSource('aaa.xxx.yyy.zzz')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Python.dbus.exceptions.DBusException: dbus_to_python() takes exactly 1 argument (2 given)
Gah!
This really seems like a bug in dbus... somehow it's initially resolving addSource incorrectly and thinking that it needs fewer arguments, but if you give it fewer arguments like it wants, it'll pass that erroneous check, and then it'll properly resolve and fail because your arguments don't match it.
That's my theory anyway. Is someone seeing something I'm not? Is there some way I can work around this bug, if there really is one? I.e., is there some kind of internal method I can use on dbus that will force it to call the proper method?
Source: (StackOverflow)
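An alternative that avoids hand-built D-Bus proxies altogether, as an added example that is not part of the original post: firewalld ships its own Python client (`firewall.client.FirewallClient`, in the python-firewall package installed alongside the daemon), which wraps the same D-Bus objects, including the config zone objects, with typed methods. The `FirewallClient`, `config().getZoneByName`, `querySource` and `addSource` names below are that client's API as I know it; confirm them against your firewalld version with `help(FirewallClient)` before relying on them. The validation helper, which rejects malformed sources before they turn into an opaque D-Bus exception, is this example's own code; firewalld's accepted source forms are an IP address or network, a MAC address, or `ipset:<name>`.

```python
"""Trust a source address at runtime and permanently via firewalld's
own Python client, validating the source string first."""
import ipaddress
import re

_MAC_RE = re.compile(r'^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$')


def classify_source(source):
    """Classify a firewalld zone source string: 'ipv4' or 'ipv6'
    (address or network), 'mac', or 'ipset'. Raises ValueError for
    anything firewalld would not accept."""
    if source.startswith('ipset:'):
        if not source[len('ipset:'):]:
            raise ValueError('empty ipset name')
        return 'ipset'
    if _MAC_RE.match(source):
        return 'mac'
    net = ipaddress.ip_network(source, strict=False)  # ValueError if garbage
    return 'ipv4' if net.version == 4 else 'ipv6'


def is_valid_source(source):
    try:
        classify_source(source)
        return True
    except ValueError:
        return False


def trust_source(source, zone='trusted', permanent=True):
    """Add `source` to `zone` now and, if requested, in the permanent
    configuration (written to /etc/firewalld/zones/<zone>.xml).
    Returns the source classification for logging."""
    kind = classify_source(source)
    # Imported here so the validation above is usable without firewalld.
    from firewall.client import FirewallClient  # python-firewall, assumed installed
    fw = FirewallClient()
    if zone not in fw.getZones():
        raise ValueError('no such zone: %s' % zone)
    if not fw.querySource(zone, source):
        fw.addSource(zone, source)              # runtime: effective immediately
    if permanent:
        cfg_zone = fw.config().getZoneByName(zone)
        if not cfg_zone.querySource(source):
            cfg_zone.addSource(source)          # permanent: survives reload/reboot
    return kind


if __name__ == '__main__':
    print(trust_source('192.0.2.10'))
```

Doing both the runtime and the permanent call, as above, is the programmatic equivalent of running `firewall-cmd --zone=trusted --add-source=...` twice, once with and once without `--permanent`; calling only the permanent side would require `fw.reload()` (or `firewall-cmd --reload`) before the change takes effect.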
I tried to cat the file /usr/lib/firewalld/services/tftp.xml on Red Hat 7:
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>TFTP Client</short>
  <description>This option allows you to access Trivial File Transfer Protocol (TFTP) servers. You need the tftp package installed for this option to be useful.</description>
  <module name="nf_conntrack_tftp"/>
</service>
Can anyone help me explain what the module tag means? And what is it used for?
Source: (StackOverflow)
I'm trying to modify a CentOS firewalld zone file using augeas and the xml lens.
The default public zone file looks like:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
and if I load that into augtool I get the following:
# augtool --noload --noautoload --echo
augtool> set /augeas/load/xml/lens "Xml.lns"
augtool> set /augeas/load/xml/incl "/etc/firewalld/zones/public.xml"
augtool> load
augtool> print /files/etc/firewalld/zones/public.xml
/files/etc/firewalld/zones/public.xml
/files/etc/firewalld/zones/public.xml/#declaration
/files/etc/firewalld/zones/public.xml/#declaration/#attribute
/files/etc/firewalld/zones/public.xml/#declaration/#attribute/version = "1.0"
/files/etc/firewalld/zones/public.xml/#declaration/#attribute/encoding = "utf-8"
/files/etc/firewalld/zones/public.xml/zone
/files/etc/firewalld/zones/public.xml/zone/#text[1] = "\n "
/files/etc/firewalld/zones/public.xml/zone/short
/files/etc/firewalld/zones/public.xml/zone/short/#text = "Public"
/files/etc/firewalld/zones/public.xml/zone/#text[2] = " "
/files/etc/firewalld/zones/public.xml/zone/description
/files/etc/firewalld/zones/public.xml/zone/description/#text = "For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted."
/files/etc/firewalld/zones/public.xml/zone/#text[3] = " "
/files/etc/firewalld/zones/public.xml/zone/service[1] = "#empty"
/files/etc/firewalld/zones/public.xml/zone/service[1]/#attribute
/files/etc/firewalld/zones/public.xml/zone/service[1]/#attribute/name = "dhcpv6-client"
/files/etc/firewalld/zones/public.xml/zone/#text[4] = " "
/files/etc/firewalld/zones/public.xml/zone/service[2] = "#empty"
/files/etc/firewalld/zones/public.xml/zone/service[2]/#attribute
I then try
augtool> defnode service /files/etc/firewalld/zones/public.xml/zone/service[attribute/#name="http"]
augtool> set $service "#empty"
augtool> set $service/#attribute/name "http"
augtool> save
and if I now look at the public.xml file, it looks like:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
<service name="http"/>
</zone>
Can anyone suggest how I could preserve the indentation before the <service name="http"> entry that I added?
Source: (StackOverflow)
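One way to edit the zone file while keeping its indentation, and to read what a service definition asks of the kernel, as an added example that serves both the tftp.xml question above and this augeas question; it is not part of either original post. The two XML documents embedded below are the files quoted in the posts; the code around them is this example's own and uses only the standard library. On the tftp.xml question: the `<module>` element names a netfilter connection-tracking helper (here nf_conntrack_tftp) that firewalld loads when a zone enables the service, so the TFTP data transfer, which the server sends back from a different source port, is classified RELATED to the port-69 request and accepted with it. The indentation trick in `add_service` is the same one augeas needs: in a whitespace-preserving parse, the indentation before a child lives in the previous sibling's tail text, so the new element must take over the old last child's tail and the old last child must get the inter-sibling whitespace.

```python
"""Read firewalld service definitions and add a service to a zone file
while preserving the file's indentation (ElementTree keeps whitespace
text and tails, so the layout survives a round trip)."""
import xml.etree.ElementTree as ET

TFTP_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>TFTP Client</short>
  <description>This option allows you to access Trivial File Transfer Protocol (TFTP) servers. You need the tftp package installed for this option to be useful.</description>
  <module name="nf_conntrack_tftp"/>
</service>
"""

PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
"""

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'


def service_modules(service_xml):
    """Kernel helper modules a service definition asks firewalld to load."""
    root = ET.fromstring(service_xml)
    if root.tag != 'service':
        raise ValueError('not a firewalld service file')
    return [m.get('name') for m in root.findall('module')]


def service_ports(service_xml):
    """(port, protocol) pairs the service opens; the TFTP client file has none,
    it relies entirely on the conntrack helper."""
    root = ET.fromstring(service_xml)
    return [(p.get('port'), p.get('protocol')) for p in root.findall('port')]


def add_service(zone_xml, name):
    """Return zone_xml with <service name=NAME/> appended as an indented
    sibling of the existing children. Idempotent: an existing entry is
    left alone and the input is returned unchanged."""
    root = ET.fromstring(zone_xml)
    if root.tag != 'zone':
        raise ValueError('not a firewalld zone file')
    if any(s.get('name') == name for s in root.findall('service')):
        return zone_xml
    new = ET.Element('service', name=name)
    children = list(root)
    if children:
        last = children[-1]
        # Whitespace between siblings is the tail of a non-last child, or the
        # zone's leading text when there is only one child.
        between = children[-2].tail if len(children) > 1 else root.text
        new.tail, last.tail = last.tail, between
    else:
        root.text, new.tail = '\n  ', '\n'
    root.append(new)
    return XML_DECL + ET.tostring(root, encoding='unicode') + '\n'


if __name__ == '__main__':
    print(service_modules(TFTP_XML))
    print(add_service(PUBLIC_XML, 'http'))
```

ElementTree serialises empty elements as `<service name="http" />` (with a space), which firewalld's parser accepts. Writing the result to /etc/firewalld/zones/public.xml changes only the permanent configuration; `firewall-cmd --reload` is still needed for the running one.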
My goal is to automate configuring firewalls on CentOS 7 machines using Python.
The OS comes with firewalld, so that's what I'm using. I looked into it and found that it uses dbus (I've never heard of or dealt with any of this - please correct me if anything I say is incorrect.)
I found this documentation for how to control dbus processes using Python:
http://dbus.freedesktop.org/doc/dbus-python/doc/tutorial.txt
I checked and the version of Python that comes with the OS includes the dbus module, so it seems like a promising start.
That document suggests that I needed to learn more about what firewalld exposes via the dbus interface. So I did some more research and found this:
https://www.mankier.com/5/firewalld.dbus
The first document says I need to start out with a "well-known name". Their example for such a thing was org.freedesktop.NetworkManager. The second document is titled firewalld.dbus, so I figured that was as good a name as any to try since the document doesn't explicitly give a name anywhere else.
The first document also says I need a name for an object path. Their example is /org/freedesktop/NetworkManager. The second document has an object path of /org/fedoraproject/FirewallD1.
I put those together and tried using the first method the first document suggested, SystemBus's get_object():
>>> from dbus import SystemBus
>>> bus = SystemBus()
>>> proxy = bus.get_object('firewalld.dbus', '/org/fedoraproject/FirewallD1')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 241, in get_object
    follow_name_owner_changes=follow_name_owner_changes)
  File "/usr/lib64/python2.7/site-packages/dbus/proxies.py", line 248, in __init__
    self._named_service = conn.activate_name_owner(bus_name)
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 180, in activate_name_owner
    self.start_service_by_name(bus_name)
  File "/usr/lib64/python2.7/site-packages/dbus/bus.py", line 278, in start_service_by_name
    'su', (bus_name, flags)))
  File "/usr/lib64/python2.7/site-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
dbus.exceptions.DBusException: org.freedesktop.DBus.Error.ServiceUnknown: The name firewalld.dbus was not provided by any .service files
I also gave org.fedoraproject.FirewallD1 a try as the first parameter but ended up with a similar error message.
Why are these not working? Is there some way I can discover what the proper names are? It mentions ".service files" at the end of the error message... where would such a file be located?
Edit: Found several ".service files" by using find / -name *.service. One of them is at /usr/lib/systemd/system/firewalld.service... seems pretty promising so I'll check it out.
Edit 2: It's a rather short file... only about 10 lines. One of them says BusName=org.fedoraproject.FirewallD1. So I'm not sure why it said the name was not provided by any .service files... unless it's not using this file for some reason?
Source: (StackOverflow)
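How to discover the bus name instead of guessing it, as an added example that is not part of the original post. The ".service files" in the error message are not systemd units but D-Bus activation files, which on CentOS 7 live under /usr/share/dbus-1/system-services/; firewalld's declares `Name=org.fedoraproject.FirewallD1`, the same name the systemd unit's `BusName=` line carries. The two file bodies below are constructed samples in those formats (the bus name is firewalld's real one, the other values are illustrative); the parsing code is this example's own. The last function needs the dbus module and a running system bus, so it is kept separate from the offline parsers.

```python
"""Find firewalld's well-known D-Bus name from the files that declare it,
and list the names the system bus currently knows about."""
import configparser
import glob
import os

# Constructed copy of /usr/share/dbus-1/system-services/org.fedoraproject.FirewallD1.service
DBUS_SERVICE_SAMPLE = """[D-BUS Service]
Name=org.fedoraproject.FirewallD1
Exec=/bin/false
User=root
SystemdService=dbus-org.fedoraproject.FirewallD1.service
"""

# Constructed excerpt of /usr/lib/systemd/system/firewalld.service
SYSTEMD_UNIT_SAMPLE = """[Unit]
Description=firewalld - dynamic firewall daemon

[Service]
Type=dbus
BusName=org.fedoraproject.FirewallD1
ExecStart=/usr/sbin/firewalld --nofork --nopid
"""


def bus_name_from_dbus_service(text):
    """Name= from a D-Bus activation file ([D-BUS Service] section)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp.get('D-BUS Service', 'Name')


def bus_name_from_systemd_unit(text):
    """BusName= from a systemd unit, or None if the unit declares none."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp.get('Service', 'BusName', fallback=None)


def activatable_names(directory='/usr/share/dbus-1/system-services'):
    """Bus names the system bus can activate on demand, mapped to the
    file that declares each. Empty if the directory does not exist."""
    names = {}
    for path in glob.glob(os.path.join(directory, '*.service')):
        with open(path) as f:
            try:
                names[bus_name_from_dbus_service(f.read())] = path
            except (configparser.Error, KeyError):
                pass  # not a well-formed activation file; skip it
    return names


def owned_names():
    """Names currently owned on the system bus. Requires the dbus module
    and a reachable system bus, so it is not exercised offline."""
    import dbus
    bus = dbus.SystemBus()
    proxy = bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus')
    return [str(n) for n in proxy.ListNames(dbus_interface='org.freedesktop.DBus')]


if __name__ == '__main__':
    print(bus_name_from_dbus_service(DBUS_SERVICE_SAMPLE))
    for name, path in sorted(activatable_names().items()):
        print(name, '<-', path)
```

With the right name, `bus.get_object('org.fedoraproject.FirewallD1', '/org/fedoraproject/FirewallD1')` is the proxy to call; if that still raises ServiceUnknown, the usual cause is that the name has no owner and no activation file on that host, which in practice means firewalld is not running (`systemctl status firewalld`). `busctl list` shows the same information as `owned_names()` from the shell.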
I have a doubt while writing rules in my virtual Check Point R77.30 firewall SmartDashboard.
I wrote a rule allowing traffic from the 100.0.0.0 (source) network to access the web server 10.0.0.100 (destination). The computers in the 100.0.0.0 network were able to access the web server.
But I wonder how this Check Point firewall allowed traffic from the web server to the 10.0.0.0 network? It should only allow outgoing traffic from the 10.0.0.0 network to the web server, but not incoming traffic from the web server to the 10.0.0.0 network, right?
Thanks in advance. :)
Source: (StackOverflow)
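What a stateful firewall actually does with the server's replies, as an added example that is not part of the original post: a minimal stateful packet filter in the style of Check Point (and iptables conntrack, and firewalld on top of it). The rule base permits only NEW connections from the 100.0.0.0 network to 10.0.0.100 port 80; every accepted connection is recorded in a connection table, and any later packet belonging to a recorded connection, in either direction, is ESTABLISHED and accepted without consulting the rules. A packet the server originates towards the 10.0.0.0 network matches no recorded connection and no rule, so it is dropped. The networks and the server address are the ones from the post; the client host, ports and rule priority are this example's assumptions.

```python
"""Toy stateful packet filter: rules decide NEW packets, the connection
table decides everything that follows."""
import ipaddress
from collections import namedtuple

Packet = namedtuple('Packet', 'src sport dst dport proto')
Rule = namedtuple('Rule', 'src_net dst_net dport action')

# Rule base from the post: 100.0.0.0 network -> web server 10.0.0.100, port 80.
# Anything not matched falls through to the implicit cleanup rule (drop).
RULES = [
    Rule(ipaddress.ip_network('100.0.0.0/8'),
         ipaddress.ip_network('10.0.0.100/32'), 80, 'accept'),
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # accepted flows, keyed by the initiating 5-tuple

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    @staticmethod
    def _reverse(pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)

    def state_of(self, pkt):
        """ESTABLISHED if the packet belongs to a known flow in either
        direction, NEW otherwise."""
        if self._key(pkt) in self.table or self._reverse(pkt) in self.table:
            return 'ESTABLISHED'
        return 'NEW'

    def handle(self, pkt):
        """Return 'accept' or 'drop' for one packet, recording accepted
        NEW flows so their replies pass."""
        if self.state_of(pkt) == 'ESTABLISHED':
            return 'accept'  # reply or continuation of a permitted flow
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        for r in self.rules:
            if src in r.src_net and dst in r.dst_net and pkt.dport == r.dport:
                if r.action == 'accept':
                    self.table.add(self._key(pkt))
                return r.action
        return 'drop'  # cleanup rule


def demo():
    """Client request, the server's reply, and a server-initiated
    connection into the 10.0.0.0 network; returns the three verdicts."""
    fw = StatefulFilter(RULES)
    client_request = Packet('100.0.0.25', 51234, '10.0.0.100', 80, 'tcp')
    server_reply = Packet('10.0.0.100', 80, '100.0.0.25', 51234, 'tcp')
    server_initiated = Packet('10.0.0.100', 40000, '10.0.0.7', 22, 'tcp')
    return [fw.handle(p) for p in (client_request, server_reply, server_initiated)]


if __name__ == '__main__':
    print(demo())  # ['accept', 'accept', 'drop']
```

The same reply packet is dropped when it arrives before any client request, because no flow exists for it yet; that ordering is the whole point of stateful inspection, and it is why the rule base needs no "allow web server to clients" entry.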
I'm trying to block Facebook using firewalld on CentOS 7. Before this version I was using iptables and blocked it using this command:
iptables -A FORWARD -p tcp --dport 443 -m string --string "facebook" --algo bm -j DROP
but now with firewalld I can't find a way. Please help me.
Thanks
Source: (StackOverflow)
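A translator from an iptables command line to the firewall-cmd direct rule that installs the same thing, as an added example that serves both the MASQUERADE question earlier on this page and this string-match question; it is not part of either original post. firewalld's direct interface passes the family, table, chain and the remaining arguments through to iptables unchanged, so any match iptables understands (including `-m string`) can be expressed; the two rules quoted in the posts are the sample inputs. The priority argument (0 here) and the choice of `--permanent` are this example's defaults, and the translator handles only the `-A`/`-I`/`-D` forms.

```python
"""Translate `iptables ...` into `firewall-cmd --direct ...`."""
import shlex

_TABLES = {'filter', 'nat', 'mangle', 'raw', 'security'}


def to_firewall_cmd(iptables_cmd, priority=0, permanent=True):
    """Return the equivalent firewall-cmd direct-rule command line.

    -A/-I CHAIN become --add-rule, -D CHAIN becomes --remove-rule; -t
    selects the table (default filter); ip6tables selects the ipv6 family.
    All other arguments are passed through in order.
    """
    argv = shlex.split(iptables_cmd)
    if not argv or argv[0] not in ('iptables', 'ip6tables'):
        raise ValueError('expected an iptables/ip6tables command line')
    family = 'ipv4' if argv[0] == 'iptables' else 'ipv6'
    table, chain, op, rest = 'filter', None, None, []
    i = 1
    while i < len(argv):
        a = argv[i]
        if a in ('-t', '--table'):
            table = argv[i + 1]
            i += 2
        elif a in ('-A', '--append', '-I', '--insert'):
            op, chain = '--add-rule', argv[i + 1]
            i += 2
            if i < len(argv) and argv[i].isdigit():  # -I CHAIN <rulenum>
                i += 1
        elif a in ('-D', '--delete'):
            op, chain = '--remove-rule', argv[i + 1]
            i += 2
        else:
            rest.append(a)
            i += 1
    if table not in _TABLES:
        raise ValueError('unknown table %r' % table)
    if op is None or chain is None:
        raise ValueError('no -A/-I/-D <chain> found')
    out = ['firewall-cmd']
    if permanent:
        out.append('--permanent')
    out += ['--direct', op, family, table, chain, str(priority)] + rest
    return shlex.join(out)


if __name__ == '__main__':
    for rule in (
        'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE',
        'iptables -A FORWARD -p tcp --dport 443 -m string --string "facebook" --algo bm -j DROP',
    ):
        print(to_firewall_cmd(rule))
```

Run each generated command twice, with and without `--permanent`, unless you are willing to `firewall-cmd --reload` (the permanent form only writes /etc/firewalld/direct.xml); verify with `firewall-cmd --direct --get-all-rules`. Two caveats a practitioner would want: masquerading a whole zone has a native option (`firewall-cmd --zone=public --add-masquerade`) and only a source-restricted MASQUERADE needs the direct form; and a string match on port 443 inspects encrypted TLS payload, so it can only hit the server name in the cleartext ClientHello, and only when that name sits in a single packet, which makes it a weak block.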
I have a Docker host with a tunnel listening on 127.0.0.1. There is a container that sends out traffic. I need to get this traffic into the tunnel.
The Docker host is running CentOS 7.2 and I have made the service inside the Docker container send everything to 172.17.42.1, which is the IP of the docker0 interface.
In firewalld, I have created a docker zone which looks like this:
docker (active)
  interfaces: docker0
  sources:
  services:
  ports:
  masquerade: yes
  forward-ports: port=514:proto=udp:toport=514:toaddr=127.0.0.1
  icmp-blocks:
  rich rules:
Checking with tcpdump, there is traffic on docker0 on port 514 but there's no traffic on lo on port 514.
What am I doing wrong?
Source: (StackOverflow)
I have installed MongoDB on my CentOS 7.2 VPS and I am trying to access the DB via Robomongo from my client. However, when I try to connect to the server on port 27017, I get a "Network is unreachable" error.
I have enabled firewalld on the server and added an exception for port 27017.
firewall-cmd --list-all
Result:
I got this result after I've permanently added the exception and reloaded the firewalld via --reload.
When I query the port by using:
firewall-cmd --query-port=27017/tcp
I get a "yes" from the system. However, when I try to connect via Robomongo or query the port via a port checker service like http://ping.eu/port-chk/, I get a negative result.
Do you have any suggestions regarding my case?
Thank you.
Source: (StackOverflow)
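A check that separates "the zone allows the port" from "something is listening on that port on an address the outside can reach", as an added example that is not part of the original post. `firewall-cmd --query-port` only answers the first question; a daemon bound to 127.0.0.1 (MongoDB's default `bindIp`) passes that check and is still unreachable from any other host. The `ss -ltn` output below is a constructed sample, and the parsing and verdict logic is this example's own; it also covers the older `:::22` spelling of the IPv6 wildcard.

```python
"""Decide why a port that firewalld allows is still not reachable, from
the socket table (`ss -ltn`) and the firewalld answer."""
import ipaddress

# Constructed sample of `ss -ltn` on the VPS.
SAMPLE_SS = """State   Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN  0      128    127.0.0.1:27017     *:*
LISTEN  0      128    *:22                *:*
LISTEN  0      128    [::]:22             [::]:*
LISTEN  0      128    [::1]:6379          [::]:*
"""


def _split_addr_port(field):
    """'127.0.0.1:27017' -> ('127.0.0.1', 27017); '[::]:22' -> ('::', 22);
    '*:22' -> ('*', 22); ':::22' -> ('::', 22)."""
    addr, _, port = field.rpartition(':')
    return addr.strip('[]'), int(port)


def listeners(ss_output):
    """Map each listening port to the set of local addresses bound to it."""
    result = {}
    for line in ss_output.splitlines()[1:]:   # skip the header row
        cols = line.split()
        if len(cols) < 5 or cols[0] != 'LISTEN':
            continue
        addr, port = _split_addr_port(cols[3])
        result.setdefault(port, set()).add(addr)
    return result


def remotely_reachable(ss_output, port):
    """True if a socket on `port` is bound to a wildcard or a
    non-loopback address."""
    for addr in listeners(ss_output).get(port, ()):
        if addr == '*' or not ipaddress.ip_address(addr).is_loopback:
            return True
    return False


def diagnose(ss_output, port, firewall_allows):
    """Combine the firewalld answer (`firewall-cmd --query-port` == yes)
    with the socket table into one verdict."""
    if not firewall_allows:
        return 'blocked by firewalld zone'
    if port not in listeners(ss_output):
        return 'nothing listening'
    if not remotely_reachable(ss_output, port):
        return 'listening on loopback only'
    return 'reachable'


if __name__ == '__main__':
    print(diagnose(SAMPLE_SS, 27017, firewall_allows=True))
```

The error text itself is a clue: "Network is unreachable" (ENETUNREACH) is produced on the client before any packet is answered, so it points at client-side routing rather than at the server's firewall. A firewalld zone that rejects the port (the default public zone uses `icmp-host-prohibited`) shows up as "No route to host", and a silent drop shows up as a connection timeout.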