Professional Documents
Culture Documents
F20786-02
February 2020
Oracle Legal Notices
This software and related documentation are provided under a license agreement containing restrictions on use and
disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement
or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute,
exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or
decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find
any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of
the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any
programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial
computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental
regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any
operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be
subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
Government.
This software or hardware is developed for general use in a variety of information management applications. It is not
developed or intended for use in any inherently dangerous applications, including applications that may create a risk
of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to
take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation
and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous
applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their
respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used
under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD
logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a
registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and
services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all
warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an
applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any
loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as
set forth in an applicable agreement between you and Oracle.
Abstract
Oracle® Linux 8: Configuring the Firewall describes how to set up and configure the firewall service on Oracle Linux 8
systems. This document also provides a brief description of the nftables kernel module and how to migrate existing
iptables and ipv6tables rules to nftables. TCP wrapper functionality is also described.
iii
iv
Preface
Oracle® Linux 8: Configuring the Firewall describes how to secure the network by using firewalld
to implement rules that control traffic that flows to and from Oracle Linux 8 systems. Additionally, it also
describes how to use the nftables framework and TCP wrappers to further control network access to
these systems.
Audience
This document is intended for administrators who need to configure and administer Oracle Linux
networking. It is assumed that readers are familiar with web technologies and have a general
understanding of using the Linux operating system, including knowledge of how to use a text editor such
as emacs or vim, essential commands such as cd, chmod, chown, ls, mkdir, mv, ps, pwd, and rm, and
using the man command to view manual pages.
Document Organization
The document is organized into the following chapters:
• Chapter 1, Configuring a Packet Filtering Firewall describes how to use firewalld to configure packet
filtering.
• Chapter 2, Using the nftables Framework describes how to use the nftables framework to control
network traffic.
• Chapter 3, Using TCP Wrappers to Filter Network Traffic describes how to use TCP wrappers to control
network traffic.
Related Documents
The documentation for this product is available at:
Conventions
The following text conventions are used in this document:
Convention Meaning
boldface Boldface type indicates graphical user interface elements associated with an
action, or terms defined in text or the glossary.
italic Italic type indicates book titles, emphasis, or placeholder variables for which
you supply particular values.
monospace Monospace type indicates commands within a paragraph, URLs, code in
examples, text that appears on the screen, or text that you enter.
Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website
at
https://www.oracle.com/corporate/accessibility/.
v
Access to Oracle Support
vi
Chapter 1 Configuring a Packet Filtering Firewall
Table of Contents
1.1 About Packet-Filtering Firewalls .................................................................................................... 1
1.2 Firewall Configuration Tools .......................................................................................................... 2
1.3 Controlling the Firewall Service ..................................................................................................... 3
1.4 About Zones and Services ............................................................................................................ 3
1.4.1 Displaying Information About Zones ................................................................................... 3
1.4.2 Displaying Zone Settings ................................................................................................... 4
1.5 Configuring firewalld Zones ........................................................................................................... 4
1.5.1 Controlling Access to Services ........................................................................................... 4
1.5.2 Controlling Access to Ports ................................................................................................ 5
1.5.3 Assigning a Network Interface to a Zone ............................................................................ 5
1.5.4 Changing the Default Zone ................................................................................................ 6
1.5.5 Setting a Default Rule for Controlling Incoming Traffic ......................................................... 6
1.5.6 Managing Incoming Traffic Based on Sources ..................................................................... 6
1.6 Creating Customized Zones for Firewall Implementation ................................................................. 7
1.6.1 Using the firewall-cmd Command ....................................................................................... 7
1.6.2 Using a Zone Configuration File ......................................................................................... 8
This chapter describes the concepts, tools, and methods for configuring the firewall by using packet
filtering. It also provides examples for displaying the firewall settings that enforce network security on a
system.
The Oracle Linux kernel uses the Netfilter feature to provide packet filtering functionality for IPv4 and IPv6
packets.
• A netfilter kernel component consisting of a set of tables in memory for the rules that the kernel
uses to control network packet filtering.
• Utilities to create, maintain, and display the rules that netfilter stores. In Oracle Linux 8, the default
firewall utility is the firewall-cmd, which is provided by the firewalld package.
• The firewalld-cmd utility does not restart the firewall and disrupt established TCP connections.
• firewalld supports dynamic zones, which enable you to implement different sets of firewall rules for
systems such as laptops that can connect to networks with different levels of trust. However, this feature
is not typically used on server systems.
• firewalld supports D-Bus for better integration with services that depend on firewall configuration.
1
Firewall Configuration Tools
To use this tool you must install the firewall-config package first, then launch it by using the same
command as the package name, for example:
# dnf install firewall-config
# firewall-config &
The command opens the configuration tool, as shown in the following figure.
• Cockpit is a browser-based configuration tool that you can also use to perform simple firewall
configurations. See https://docs.oracle.com/en/operating-systems/oracle-linux/8/obe-cockpit-network/
index.html.
2
Controlling the Firewall Service
To ensure that the service starts automatically when the system starts, run the following command after
starting the firewall:
# systemctl enable firewalld
To stop the firewall service and prevent it from automatically starting when the system starts, run the
following command:
# systemctl stop firewalld
# systemctl disable firewalld
To prevent the firewall service from being started by other services or through the firewalld D-Bus
interface, run the following command after disabling the firewall:
# systemctl mask firewalld
Zones are predefined sets of filtering rules that correspond to levels of trust for network access. You can
add to the default filtering rules of a zone by reconfiguring the zone's settings and therefore refine the
zone's control of traffic flow. When you install Oracle Linux, a default zone called public is automatically
assigned to the system.
Firewall rules are applied through services that are assigned to a zone. The service ports are the access
points of network traffic. Services assigned to a zone automatically have their ports opened to receive and
send network packets.
For more information about zones and firewall-related services, see the firewalld.zone(5) and the
firewalld.services(5) manual pages.
3
Displaying Zone Settings
List all the predefined zones that are included in the installation as follows:
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
You can configure any zone in the list. As you make changes to a particular zone, that zone becomes an
active zone. To identify the active zone, type the following:
# firewall-cmd --get-active-zone
Note
By default, all of the configurations are implemented on the default zone. Note also
that an active zone is not necessarily the default zone. Therefore, you must specify
the zone name in the command to define settings for that specific zone. Otherwise,
the definitions will be applied to the default zone.
Without specifying a zone, the command displays the settings of the default zone. Thus, if you want to list
the settings of the work zone, you would use the following command;
# firewall-cmd --list-all --zone=work
work
target: default
icmp-clock-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Configuring the firewall means setting all or some of a zone settings to specific values to enable the firewall
to control network traffic according to your specifications.
4
Controlling Access to Ports
For example, the following command shows that the work zone has the cockpit, dhcpv6-client,
mdns, samba-client, and ssh services assigned to it:
# firewall-cmd --list-services --zone=work
cockpit dhcpv6-client mdns samba-client ssh
...
To allow access to a new service, use the --add-service service option. Include the --permanent
option to make the rule persistent across reboots.
For example, to add the HTTP and NFS services to the work zone, you would use the following command:
# firewall-cmd [--permanent] --zone=work --add-service=http --add-service=nfs
success
# firewall-cmd --list-services --zone=work
cockpit dhcpv6-client mdns samba-client ssh http nfs
The --list-ports option lists the ports and associated protocols to which you have explicitly allowed
access. However, ports that have been opened as a service are not included in this command's output.
Therefore, when listing ports, the best practice is to use the --list-all option to obtain more complete
information.
Use the --add-port option to allow access to specific ports. Ports must be specified by using the format
port-number/port-type. Port types can be tcp, udp, sctp, or dccp. Ensure that the type and the
network traffic match, for example:
# firewall-cmd [--permanent] --zone=work --add-port=5353/udp --add-port=3689/tcp
success
# firewall-cmd --list-all --zone=work
work
target: default
icmp-clock-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client mdns ssh http nfs
ports: 5353/udp 3689/tcp
...
Similarly, the --remove-port option removes access to a port. Remember to use the --permanent
option if you want to make the change persist.
5
Changing the Default Zone
rules to become operative by assigning the interface to that zone. Thus, you have the flexibility to easily
change the firewall rules that are active on the system simply by reassigning the network interface.
Suppose that you want to activate the firewall configuration of the work zone. You would assign the
interface to the zone as follows:
# firewall-cmd --zone=work --change-interface=enp0s1
success
# firewall-cmd --get-active-zone
work
interfaces: enp0s1
Note
You do not need to use the --permanent option to make the setting persist across
reboots. If you set the zone to be the default zone, as explained in Section 1.5.4,
“Changing the Default Zone”, then the interface reassignment becomes permanent.
• ACCEPT allows all incoming traffic except those you have set to be rejected in another rule.
• REJECT blocks all incoming traffic except those you have allowed in another rule. The source machine is
informed about the rejecion.
• DROP is similar to REJECT but no notice of the rejection is sent to the source machine.
6
Creating Customized Zones for Firewall Implementation
To allow incoming traffic from a sending node, use the following command:
# firewall-cmd --zone=zone-name --add-source=IP-address
# firewall-cmd --runtime-to-permanent
Note that the IP address can include the netmask in CIDR notation, such as 192.0.2.0/24.
In the example, the second command makes the setting permanent. Omit this command if you are setting
a temporary configuration that will be dropped if the system is rebooted.
The following similar syntax is used to set the source-port setting. However, you identify the source port
by specifying the sending port number and the protocol type, for example:
# firewall-cmd --zone=zone-name --add-source-ports=port-number/tcp|udp|sctp|dccp
You can combine different settings to configure the firewall. Specifically, the trusted zone can be
configured to accept HTTP traffic from the 192.0.2.0 network source, as shown in the following example:
# firewall-cmd --zone=trusted --add-source=192.0.2.0/24
# firewall-cmd --zone=trusted --add-service=http
# firewall-cmd --zone=trusted --list-all
trusted (active)
target: ACCEPT
sources: 192.0.2.0/24
services: http
Without the --permanent option, the --get-zones option does not display the created zone.
The --info-zone=zone-name option generates the same output as the --list-all option.
7
Using a Zone Configuration File
After creating the zone, you can add services, ports, assign interfaces, and so on, by using the command
options that are provided in the previous examples:
# firewall-cmd --zone=testzone --add-service=http
Error: INVALID ZONE: testzone
# firewall-cmd --permanent --zone=testzone --add-service=http
success
Ensure that you use the --permanent option when using all of these commands.
When you configure a predefined zone, the configuration file is copied to the /etc/firewalld/zones
directory and the changes are stored in that location. If you use a configuration file to create new zones,
you must also use /etc/firewalld/zones as the working directory.
If you are creating a zone with only minor differences from the settings of predefined zones, copying
an existing configuration file to the working directory is the easiest approach. You can use either of the
following commands:
# cp /etc/firewalld/zones/existing-conf-file.xml new-zone.xml
# cp /usr/lib/firewalld/zones/existing-conf-file.xml /etc/firewalld/zones/new-zone.xml
Then, using a text editor, revise the settings in the new configuration file. The following example shows
what the configuration file of testzone might contain. Specifically, testzone accepts traffic for one
service (SSH) and one port range for the TCP and UDP protocols:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>testzone</short>
<description>Put description here</description
<service name="ssh"/>
<port port="1025-65535" protocol="tcp"/>
<port port="1025-65535" protocol="udp"/>
</zone>
8
Chapter 2 Using the nftables Framework
Table of Contents
2.1 Converting iptables to nftables ...................................................................................................... 9
This chapter describes how to convert iptables and ip6tables to the nftables framework.
The nftables framework is the default network packet filtering framework in Oracle Linux and replaces
the iptables framework. The nftables framework includes packet classification facilities, added
convenience, and improved performance over the iptables framework that was used in previous
releases. For more information, see the Oracle® Linux 8: Release Notes for Oracle Linux 8 for more
details.
Utilities are available to convert filter rules in iptables and ip6tables to their equivalents in the
nftables framework. Choose from one of the following ways.
• Save the rules to a dump file, then use the iptables-restore-translate or ip6tables-
restore-translate command, depending on the type of tables you want to convert.
# iptables-save > /tmp/iptables.dump
# iptables-restore-translate -f /tmp/iptables.dump
translated-rules
9
10
Chapter 3 Using TCP Wrappers to Filter Network Traffic
Table of Contents
3.1 Configuring TCP Wrappers ......................................................................................................... 11
This chapter describes how to control incoming network traffic by using TCP wrappers.
When a remote client attempts to connect to a network service on the system, the wrapper consults the
rules in the configuration files /etc/hosts.allow and /etc/hosts.deny files to determine if access is
permitted.
The wrapper for a service first reads /etc/hosts.allow from top to bottom. If the daemon and client
combination matches an entry in the file, access is allowed. If the wrapper does not find a match in /etc/
hosts.allow, it reads /etc/hosts.deny from top to bottom. If the daemon and client combination
matches and entry in the file, access is denied. If no rules for the daemon and client combination are found
in either file, or if neither file exists, access to the service is allowed.
The wrapper first applies the rules that are specified in /etc/hosts.allow, so these rules take
precedence over the rules specified in /etc/hosts.deny. If a rule that is defined in /etc/
hosts.allow permits access to a service, any rule in /etc/hosts.deny that forbids access to the
same service is ignored.
where daemon_list and client_list are comma-separated lists of daemons and clients, and
the optional command is run when a client tries to access a daemon. You can use the keyword ALL to
represent all daemons or all clients. Subnets can be represented by using the * wildcard, for example
192.168.2.*. Domains can be represented by prefixing the domain name with a period (.), for example
.mydomain.com. The optional deny keyword causes a connection to be denied even for rules specified in
the /etc/hosts.allow file.
• Match all of the clients for scp, sftp, and ssh access (sshd).
sshd : ALL
• Match all clients on the 192.168.2 subnet for FTP access (vsftpd).
vsftpd : 192.168.2.*
• Match all clients in the mydomain.com domain for access to all wrapped services.
11
Configuring TCP Wrappers
ALL : .mydomain.com
• Match all clients for FTP access, and displays the contents of the banner file /etc/banners/vsftpd
(the banner file must have the same name as the daemon).
vsftpd : ALL : banners /etc/banners/
• Match all clients on the 200.182.68 subnet for all wrapped services, and logs all such events. The %c
and %d tokens are expanded to the names of the client and the daemon.
ALL : 200.182.68.* : spawn /usr/bin/echo `date` “Attempt by %c to connect to %d" >> /var/log/tcpwr.log
• Match all clients for scp, sftp, and ssh access, and logs the event as an emerg message, which is
displayed on the console.
sshd : ALL : severity emerg
• Match all clients in the forbid.com domain for scp, sftp, and ssh access, logs the event, and deny
access (even if the rule appears in /etc/hosts.allow).
sshd : .forbid.com : spawn /usr/bin/echo `date` "sshd access denied for %c" >>/var/log/sshd.log : deny
12