I need to set up firewalld on RHEL7 according to CIS.
In 3.6.3 Ensure loopback traffic is configured (Scored) I need to configure the loopback interface to accept traffic and configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8).
Can anyone help me with this.
My current configuration is :
firewall-cmd --permanent --zone=trusted --add-interface=lo
but it is not according to CIS requirements.
The intent of CIS 3.6.3 is to prevent spoofed traffic that is purportedly from 127.0.0.1, coming in to external interfaces such as eth0.
In my setup, all interfaces default to the "drop" zone, so in order to allow all legitimate traffic on loopback that isn't headed for an external interface, I first bind lo to the "trusted" zone, as in your command above:
firewall-cmd --permanent --zone=trusted --add-interface=lo
Then, I add a firewalld rich rule to the "drop" zone, where eth0 is bound, to drop any inbound IPv4 traffic that has a source address of 127.0.0.1 but a destination address that is anything other than 127.0.0.1.
firewall-cmd --zone=drop --add-rich-rule='rule family=ipv4 source address="127.0.0.1" destination not address="127.0.0.1" drop'
I think that this satisfies the intent of CIS 3.6.3, although note that, at least on my setup, it does not satisfy the sample audit script given in the CIS RHEL7 benchmark document. That's because the CIS sample audit script tests specifically for the drop rule being present in the INPUT chain in iptables, whereas firewalld puts my rich rule into a sub-chain called IN_drop_deny.
Related
I have a VPC over EC2 and two Ubuntu 22.04 VMs.
I created a simple straight forward traffic-mirroring session, according to this manual.
But traffic does not gets replicated into destination.
My mirror targets is the interface of vm1
My mirror filters are "all protocols" source+dest CIDR 0.0.0.0/0
My mirror sessions combines both the above mirror-target and mirror-filter, and source as the interface of vm2
On vm2 I use wget in order to produce traffic on that interface.
On vm1 I use tcpdump, but I do not get any traffic mirrored from vm2.
I did not find any way to debug this.
Well,
Looks like I missed that part from Prerequisites 😅
The traffic mirror target instance must allow traffic to UDP port 4789.
I had to allow UDP port 4789 (vxlan) on the targer's security groups.
I created project on GCP.
Then I created VM with Debian 5.10.46-4.
Then I install Nifi 1.14.0.
In properties I see this:
web properties
For security, NiFi will present the UI on 127.0.0.1 and only be accessible through this loopback interface.
Be aware that changing these properties may affect how your instance can be accessed without any restriction.
We recommend configuring HTTPS instead. The administrators guide provides instructions on how to do this.
I open all port in firewall
nifi
Ingress
Apply to all
IP ranges: 0.0.0.0/0
all
Allow
1000
default
Off
I what to work with UI on External IP like https://:8080/nifi/ my VM on GCP.
But I get ERR_CONNECTION_REFUSED
Where is my mistake?
I would change the nifi.properties to make sure that the nifi.web.https.host or nifi.web.https.address is set to 0.0.0.0 and then restart NiFi. Without making this change, then NiFi will only listen on 127.0.0.1, which is done by default.
Also check to make sure that the applicable firewalls (host and GCP) allows traffic over the specific port mentioned for NiFi as necessary.
I enabled all necessary ports for coturn server on my instance from security group. I also configure the turnserver.conf file correctly, but still when I added my turn server on trickleICE, it shows error 701.
Here is my turnserver.conf:
listening-port=3478
# and 5349 for TLS (secure)
tls-listening-port=5349
#alt-listening-port=80
# Require authentication
fingerprint
lt-cred-mech
# Specify the server name and the realm that will be used
# if is your first time configuring, just use the domain as name
server-name=mydomain.com
realm=mydomain.com
# Important:
# Create a test user if you want
# You can remove this user after testing
user=<myusername>:<mypassword>
#min-port=705
#max-port=1000
total-quota=100
stale-nonce=600
external-ip=<my public ip>/<my private ip>
listening-ip=<my private ip>
relay-ip=<my public ip>
Screenshot of ec2 inbound security group:
security-groups
Screenshot of:
TRICLE ICE RESPONSE
Can someone help me with this? When I entered the command
sudo systemctl status coturn
The status is active
screenshot of coturn status
My suggestion is to gather more information on the reasons of the failure.
I'm assuming you're configuring the Trickle ICE application with a turn:IP:port server URL, which allows for unencrypted exchanges with TURN.
This means you can trace on your machine, e.g. using Wireshark, and verify whether the STUN binding requests and TURN Allocate requests are being sent out to the expected TURN server's public IP and port, and whether there are responses to them being received by the browser.
Additional checks you can do is on the TURN server side. With something like netstat -tunapl you can verify that coturn is not only running but also listening on the expected port (which should be 3478 since you left it unspecified).
If all looks as expected, then run a trace on coturn's host while you trigger a "Gather candidates" from the Trickle ICE application. You could use something like ngrep -d any -lqtW byline port 3478 to see the activity and content exchanged.
If coturn doesn't receive anything, then check again the EC2 instance Security Group and ensure you're allowing traffic to port 3478 UDP (and TCP). Double check the EC2 instance's public IP address is what you're using in the Trickle ICE application.
If instead you have more than one network interface assigned to that EC2 instance, then ensure you have a listening-ip configuration item set to the correct private IP address, and an external-ip directive which includes PUBLIC_IP:PRIVATE_IP, where the public IP is the one you're trying to use and the private IP is the one coturn is listening on.
e.g.:
listening-ip: 172.10.10.10
external-ip: 30.30.30.30/172.10.10.10
Then try again. Anyway the information you can gather this way can be used to improve the initial question and get more useful answers.
There may be two parts from your config file that needs to be modified.
set the relay-ip to your private ip address.
external-ip=<my public ip>/<my private ip>
listening-ip=<my private ip>
relay-ip=<my private ip>
In your ec2's security group settings, you have set the inbound rules for IPv6 addresses. You should add 0.0.0.0/0 (for IPv4) to the CIDR blocks field in the inbound rules.
I've got an AWS VPC set up with 3 subnets - 1 public subnet and 2 private. I have an EC2 instance with an associated Elastic Block Store (the EBS contains my website) running in the public subnet, and a MySQL database in the private subnets. The security group attached to the EC2 instance allows inbound HTTP access from any source, and SSH access from my IP address only. The outbound security rule allows all traffic to all destinations. The security group associated with the database allows MySQL/Aurora access only for both inbound and outbound traffic, with the source and destination being the public access security group.
This has all been working perfectly well, but when I came to setting up the NACLs for the subnets I ran into a snag that I can't figure out. If I change the inbound rule on the public subnet's NACL to anything other than 'All Traffic' or 'All TCP', I get an error response from my website: Unable to connect to the database: Connection timed out. 2002. I've tried using every option available and always get this result. I'm also getting an unexpected result from the NACL attached to the private subnets: If I deny all access (i.e. delete all rules other than the default 'deny all' rule) for both inbound and outbound traffic, the website continues to function correctly (provided the inbound rule on the public subnet's NACL is set to 'All Traffic' or 'All TCP').
A similar question has been asked here but the answer was essentially to not bother using NACLs, rather than an explanation of how to use them correctly. I'm studying for an AWS Solutions Architect certification so obviously need to understand their usage and in my real-world example, none of AWS' recommended NACL settings work.
I know this is super late but I found the answer to this because I keep running into the same issue and always try to solve it with the ALL TRAFFIC rule. However, no need to do that anymore; it's answered here. The Stack Overflow answer provides the link to an AWS primary source that actually answers your question.
Briefly, you need to add a Custom TCP Rule to your outbound NACL and add the port range 1024 - 65535. This will allow the clients requesting access through the various ports to receive the data requested. If you do not add this rule, the outbound traffic will not reach the requesting clients. I tested this through ICMP (ping), ssh (22) http (80) and https (443).
Why do the ports need to be added? Apparently, AWS sends out traffic through one of the ports between 1024 and 63535. Specifically, "When a client connects to a server, a random port from the ephemeral port range (1024-63535) becomes the client's source port." (See second link.)
The general convention around ACLs is that because they are stateless, incoming traffic is sent back out through the mandatory corresponding port, which is why most newbies (or non hands on practitioners like me) may miss the "ephemeral ports" part of building custom VPCs.
For what it's worth, I went on to remove all the outgoing ports and left just the ephemeral port range. No outgoing traffic was allowed. It seems like either the ACL still needs those ports listed so it can send traffic requested through those ports. Perhaps the outgoing data, first goes through the appropriate outgoing port and then is routed to the specific ephemeral port to which the client is connected. To verify that the incoming rules still worked, I was able to ssh into an EC2 within a public subnet in the VPC, but was not able ping google.com from same.
The alternative working theory for why outgoing traffic was not allowed is because the incoming and matching outgoing ports are all below 1024-63535. Perhaps that's why the outgoing data is not picked up by that range. I will get around to configuring the various protocol (ssh, http/s, imcp) to higher port numbers,, within the range of the ephemeral ports, to continue to verify this second point.
====== [Edited to add findings ======
As a follow up, I worked on the alternate theory and it is likely that the outgoing traffic was not sent through the ephemeral ports because the enabled ports (22, 80 and 443) do not overlap with the ephemeral port range (1024-63535).
I verified this by reconfiguring my ssh protocol to login through port 2222 by editing my sshd_config file on the EC2 (instructions here. I also reconfigured my http protocol to provide access through port 1888. You also need to edit the config file of your chosen webserver, which in my case was apache thus httpd. (You can extrapolate from this link). For newbies, the config files will be generally found in the etc folder. Be sure to restart each service on the EC2 ([link][8] <-- use convention to restart ssh)
Both of these reconfigured port choices was to ensure overlap with the ephemeral ports. Once I made the changes on the EC2, I then changed the security group inbound rule, removed 22, 80 and 443 and added 1888 and 2222. I then went to the NACL and removed the inbound rules 22, 80 and 443 and added 1888 and 2222. [![inbound][9]][9]For the NACL, I removed the outbound rules 22, 80 and 443 and just left the custom TCP rule and add the ephemeral ports 1024-63535.[![ephemeral onnly][10]][10]
I can ssh using - p 2222 and access the web server through 1888, both of which overlap with ephemeral ports.[![p 1888][11]][11][![p2222][12]][12]
[8]: https://(https://hoststud.com/resources/how-to-start-stop-or-restart-apache-server-on-centos-linux-server.191/
[9]: https://i.stack.imgur.com/65tHH.png
[10]: https://i.stack.imgur.com/GrNHI.png
[11]: https://i.stack.imgur.com/CWIkk.png
[12]: https://i.stack.imgur.com/WnK6f.png
Created an AWS AMI instance.
I can telnet from the instance itself
telnet [Pv4 Public IP] 9200
But not from my pc.
This is my security group
What am I doing wrong?
You can check your Network ACL configurations.
It looks like there is some other firewall in between your PC and server which is blocking you on 9200.
If you can access port 80 via telnet or you're able to SSH in it's likely you have a network ACL in place. If you can not access port 80 via telnet but you can via a browser it's like a local config - maybe AV or a firewall.
EC2 instances use security groups for their firewall
Another test to narrow down the the issue would to see if you could telnet from another instances in the same subenet in the same AZ. Being in the same subnet you should not be affected by a network ACL.
You can have a look at this telnet-to a cloud instance from outside
The solution to problem was "Open the services and make the telnet manual and right click on it and chose start"
As well make sure that the instance is residing in a public VPC
Based on what you've described, there isn't really much else to work with. Your ability to telnet the public IP from the instance implies the server is listening on the external interface and your security group is already set to have the port open to all incoming connections.
Aside from the trivial overlooking of not actually having the instance under the listed security group, the only possibility I can think of now is an active firewall on the instance. In the case of iptables or ufw (which is an interface to iptables), it's trivial to verify whether they are indeed getting in the way:
// List iptables access rules
sudo iptables -L -v
// List access rules via ufw
sudo ufw status
You said: "This is my SG", but...which way? Inbound or outbound?
It can simply be that your host can't reply to your PC.
Try to add a rule which adds outbound TCP ranging from ports 32768 to 65535 (ephemeral ports), so that the telnet server response packets can travel back to your PC.
Otherwise, like the others said, look at one level up, VPC-level (network ACL).
You might have your acceptor process running on 127.0.0.1:9000 which means only local clients can connect. This is not related to your Security Group which could be wide open.
Run lsof -i:9000 if on unix.
If you see something like this under NAME then host IP used to start your acceptor will needs to change from 127.0.0.1 to 0.0.0.0 (and secure via SG/FW).
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 2777 ubuntu 148u IPv6 26856 0t0 TCP localhost:afs3-callback (LISTEN)
A Telnet service is not installed by default on an Amazon Linux AMI.
If you wish to use it, you will need to install it yourself, eg: Install and Setup Telnet on EC2 Amazon Linux or CentOS.
However, these days it is recommended to use ssh instead of telnet because it is more secure. See: Telnet on wikipedia
Just a thought, check firewall of your PC.
Need to ensure your SSH key you generated via IAM and attached to the EC2 at launch is added to the login:
ssh-add -K <yourkeyname>.pem
ssh ubuntu#<yourdns or ip>.com == or == ssh ec2-user#<yourdns or ip>