Using firewalld

Introduction

You may need to run CaféX software in the cloud. If you do, be prepared to receive unsolicited SIP and HTTP traffic on ports 5060 and 5061 (SIP spam) and 8443 (HTTPS spam).

Normally your cloud infrastructure provides a firewall and DDoS protection for you, but you may want to add extra security to your installation by running firewalld.

IMPORTANT - This is just a guide and is provided 'as is' with no support. We recommend you run this past your own I.T. / Security team and test on a local VM before implementing on a live server. Misconfiguring firewalld can prevent remote access to your server, requiring local console access to resolve.


CentOS 7 Firewalld configuration

Make sure Firewalld is installed:

yum install firewalld

Make sure the interface is added to the public zone:

sudo firewall-cmd --zone=public --permanent --change-interface=eno16777984

This can also be set in:

vi /etc/sysconfig/network-scripts/ifcfg-eno16777984

ZONE=public

Make service definitions for the Gateway and Media Broker:

vi /etc/firewalld/services/csdk-mb.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>MB</short>
<description>Service Description for Media Broker Service</description>
<port protocol="udp" port="16000"/>
<port protocol="udp" port="17000-17999"/>
<port protocol="tcp" port="8092"/>
</service>

vi /etc/firewalld/services/csdk-gw.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
<short>GW</short>
<description>Service Description for Gateway Service</description>
<port protocol="tcp" port="8080"/>
<port protocol="tcp" port="8443"/>
<port protocol="tcp" port="9990"/>
<port protocol="tcp" port="9100"/>
<port protocol="tcp" port="9463"/>
<port protocol="tcp" port="9999"/>
<port protocol="tcp" port="5060"/>
<port protocol="udp" port="5060"/>
<port protocol="tcp" port="5061"/>
<port protocol="tcp" port="5080"/>
<port protocol="udp" port="5080"/>
<port protocol="tcp" port="5081"/>
</service>

Reload to see new services:

sudo firewall-cmd --reload

Apply Services to Zones:

sudo firewall-cmd --zone=public --permanent --add-service=csdk-gw
sudo firewall-cmd --zone=public --permanent --add-service=csdk-mb


A rich rule is needed to accept connections from the server's own source address.
If clustered, also allow access from the other Gateway servers in the cluster so that replication and other services can operate without issue.

firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="172.31.250.45" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="172.31.250.46" accept'

Reload, then restart the network and firewall services to verify the configuration is maintained:

sudo firewall-cmd --reload

sudo systemctl restart network.service
sudo systemctl restart firewalld.service

Verify configuration:

[root@centos72 log]# firewall-cmd --get-active-zones
public
interfaces: eno16777984

[root@centos72 AS]# firewall-cmd --zone=public --list-all
public (default)
interfaces:
sources:
services: csdk-gw csdk-mb dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.31.250.45" accept
rule family="ipv4" source address="172.31.250.46" accept

At this point the Firewalld configuration is complete.
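As an added check that is not part of the original guide: the script below audits the text of firewall-cmd --zone=public --list-all against the services this guide installs, reports any ports opened outside a service definition, and lists the source addresses whose rich rules accept all traffic (the cluster rules above are blanket accepts, so they are worth reviewing). The listing embedded here is constructed to match the verification output above; on a real host pass "$(firewall-cmd --zone=public --list-all)" instead.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed sample of
# `firewall-cmd --zone=public --list-all` matching the guide's output.
SAMPLE_LIST_ALL='public (default)
interfaces: eno16777984
sources:
services: csdk-gw csdk-mb dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.31.250.45" accept
rule family="ipv4" source address="172.31.250.46" accept'

# Services the guide adds, plus ssh so remote access is not locked out.
EXPECTED_SERVICES="csdk-gw csdk-mb ssh"

# missing_services LISTING -> prints expected services absent from the zone
missing_services() {
    have=$(printf '%s\n' "$1" | sed -n 's/^ *services: *//p')
    for s in $EXPECTED_SERVICES; do
        case " $have " in
            *" $s "*) ;;
            *) printf '%s\n' "$s" ;;
        esac
    done
}

# extra_ports LISTING -> prints ports opened individually, outside a service
extra_ports() {
    printf '%s\n' "$1" | sed -n 's/^ *ports: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# rich_rule_sources LISTING -> prints source addresses with a blanket accept
rich_rule_sources() {
    printf '%s\n' "$1" | sed -n 's/.*source address="\([^"]*\)".*accept.*/\1/p'
}

# audit_zone LISTING -> returns 0 if nothing needs attention, 1 otherwise
audit_zone() {
    rc=0
    m=$(missing_services "$1")
    [ -n "$m" ] && { echo "missing services: $m"; rc=1; }
    p=$(extra_ports "$1")
    [ -n "$p" ] && { echo "ports open outside a service definition: $p"; rc=1; }
    for src in $(rich_rule_sources "$1"); do
        echo "note: all traffic accepted from $src (rich rule)"
    done
    return $rc
}

audit_zone "$SAMPLE_LIST_ALL" || echo "zone needs attention"
```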


Other useful configuration, opening individual ports rather than a service:

Addition:

sudo firewall-cmd --zone=public --permanent --add-port=8092/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8443/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9990/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9100/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9463/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9999/tcp

sudo firewall-cmd --zone=public --permanent --add-port=5060/tcp
sudo firewall-cmd --zone=public --permanent --add-port=5060/udp

sudo firewall-cmd --zone=public --permanent --add-port=5061/tcp
sudo firewall-cmd --zone=public --permanent --add-port=5080/tcp
sudo firewall-cmd --zone=public --permanent --add-port=5080/udp
sudo firewall-cmd --zone=public --permanent --add-port=5081/tcp

sudo firewall-cmd --zone=public --permanent --add-port=16000/udp
sudo firewall-cmd --zone=public --permanent --add-port=17000-18000/udp

Removal:

sudo firewall-cmd --zone=public --permanent --remove-port=8092/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=8080/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=8443/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=9990/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=9100/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=9463/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=9999/tcp

sudo firewall-cmd --zone=public --permanent --remove-port=5060/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=5060/udp

sudo firewall-cmd --zone=public --permanent --remove-port=5061/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=5080/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=5080/udp
sudo firewall-cmd --zone=public --permanent --remove-port=5081/tcp

sudo firewall-cmd --zone=public --permanent --remove-port=16000/udp
sudo firewall-cmd --zone=public --permanent --remove-port=17000-18000/udp

List Ports:

sudo firewall-cmd --zone=public --permanent --list-ports
