Help to create a firewalld rule to allow connection between a program and service

Hello,

This is on CentOS 7.7 x86_64.

I have a program that needs to connect to a daemon running as a service. The program runs fine with firewalld turned off but I get an error about not being able to connect to the service with the firewall on.

As far as I can tell, the service was set up to accept connections at 192.168.10.27 port 10731. My understanding is that the program uses multicast to find the service.

If I run sudo ss -lnpAinet, I get the 2 entries for the service,

Netid  State   Recv-Q Send-Q Local Address:Port            Peer Address:Port              
udp    UNCONN  0      0      239.255.219.183:10731         *:*      users:(("MyServer64",pid=10225,fd=26))
tcp    LISTEN  0      128    [::ffff:192.168.10.27]:10731  [::]:*   users:(("MyServer64",pid=10225,fd=27))

I can’t even seem to find logfiles to show the connection being blocked. That would be a big help in determining what I need to allow. I have very little experience with firewalld so I need some help to determine what is being blocked and how to configure a rule to allow it.

Thanks,

LMHmedchem

STANDARD BOILER PLATE
CentOS Linux 7.7 is really really really out of date and there are multiple high CVE issues which may occur by keeping this server on the internet. Any help given here to open up more services may not help the security without doing updates to bring the system to at least 7.9 and looking at longer term support from a provider.
END BOILER PLATE

The general rules are going to be:

  1. Start documenting what you are going to do, why you are doing it, and when you did it.
  2. Determine the zone that your system is using.
  3. Add a rule for that zone.
  4. Reload the rules.
  5. Test the configs.
  6. Fix any problems and go back to 3 if needed.
  7. Document the change and close any tickets.

$ sudo firewall-cmd --state
running
$ sudo firewall-cmd --get-default-zone
<<some name>>
$ sudo firewall-cmd --list-all --zone=<<some name>>
... some long list
$ sudo firewall-cmd --zone=<<some name>> --add-port=10731/tcp --permanent
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all --zone=<<some name>>
... some long list with the port added

Test the changes and see if it works. If the port needs to change

$ sudo firewall-cmd --zone=<<some name>> --remove-port=10731/tcp --permanent

Stephen J Smoogen (smooge) wrote:
> CentOS Linux 7.7 is really really really out of date

Sorry, I am actually running 7.9. I am in the middle of moving off of this but I have some things I need to finish first. This computer is generally not connected to the internet as a safety precaution.

Thank you for the instructions. I will be working on that today. I have become a bit lazy understanding firewall implementation as I have generally used something like opensnitch where I get a gui alert about attempted connections. This makes it easy to see what is happening, see the information about the attempted connection, see what is being blocked, etc. All of that is just not as easy to access in the terminal when you haven’t done it very often.

I will post back about progress.

I have this working with,

$ sudo firewall-cmd --zone=drop --add-port=10731/udp --permanent
$ sudo firewall-cmd --reload

I would prefer to allow connections at only one IP and not any udp to port 10731 (if that is what the above does) so I tried to create a rich rule to do that. Because sudo ss -lnpAinet says that the server is using 239.255.219.183:10731 I tried the following rule,

$ sudo firewall-cmd --permanent --zone=drop --add-rich-rule='
  rule family="ipv4"
  destination address="239.255.219.183"
  port protocol="udp" port="10731" accept'
$ sudo firewall-cmd --reload

And this rule works as well. I assume that it is better to use a specific rule instead of just opening a port. Is that correct?

I also need to allow tcp connection to 192.168.10.27:10731 to allow access over my local network. Would the following rule work for that?

$ sudo firewall-cmd --permanent --zone=drop --add-rich-rule='
  rule family="ipv4"
  destination address="192.168.10.27"
  port protocol="tcp" port="10731" accept'
$ sudo firewall-cmd --reload

Thanks for the help, I think I am making progress.

LMHmedchem

I have this working with the following

$ sudo firewall-cmd --zone=drop --add-port=10731/udp --permanent
$ sudo firewall-cmd --reload

Drop is my default zone and I was a bit surprised to see that.

I tried to make a rich rule to open the port at just one specific IP. Since ss -lnpAinet gives 239.255.219.183 as the local address, I tried:

$ sudo firewall-cmd --permanent --zone=drop --add-rich-rule='
  rule family="ipv4"
  source address="239.255.219.183"
  port protocol="udp" port="10731" accept'
$ sudo firewall-cmd --reload

But this doesn’t work. It seems as if the rule should be specifying the destination address. If that is the case I can’t find how to do that.

I would prefer to allow connections to only one local address and not anything at port 10731 (if that is actually what my successful rule does). I will also need to allow tcp connections to this server process at 192.168.10.27:10731 to allow some access over my local network, so I will need to learn these rules a bit better.

Where can I see log information about connection attempts that firewalld is blocking?

Thanks,

LMHmedchem
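The posts above cover the general procedure (find the zone, add a permanent rule, reload, verify) and the two rich rules for the multicast UDP listener and the unicast TCP listener. The following script is an added example written for this thread, not code from the original posts or from the firewalld project. It takes the zone name, addresses and port from the thread, validates them before they reach firewall-cmd, builds the rich rules, and after the reload uses `firewall-cmd --query-rich-rule` so a mistyped address or port is caught immediately rather than by the program failing again. On the source-versus-destination question: a packet sent to a multicast group carries the group address as its destination and the sender's own unicast address as its source, which is why a `source address="239.255.219.183"` rule matches nothing and the `destination address` form works. The `FW_DRY_RUN` variable and the `rich_rule_from` helper (which additionally limits the accepted senders to one client range) are assumptions of this script only.

```shell
#!/bin/sh
# Added example, not code from the thread: build, validate and apply the
# firewalld rules discussed above, then check that they took effect.
# Zone name, addresses and port are the ones from the thread; FW_DRY_RUN is
# a knob of this script only, not a firewall-cmd option.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
validate_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if $1 is a usable TCP/UDP port number (1-65535).
validate_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' || return 1
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a rich rule accepting $1 (tcp|udp) traffic to local address $2, port $3.
# A packet sent to a multicast group carries the group as its destination and
# the sender's unicast address as its source, so the group goes in "destination".
rich_rule() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    validate_ipv4 "$2" || return 1
    validate_port "$3" || return 1
    printf 'rule family="ipv4" destination address="%s" port protocol="%s" port="%s" accept' \
        "$2" "$1" "$3"
}

# Tighter variant for the TCP listener: also restrict the senders to one
# client address or CIDR range ($4), so only that part of the LAN can connect.
rich_rule_from() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    validate_ipv4 "$2" && validate_port "$3" || return 1
    echo "$4" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    printf 'rule family="ipv4" source address="%s" destination address="%s" port protocol="%s" port="%s" accept' \
        "$4" "$2" "$1" "$3"
}

# Run firewall-cmd, or only print the command when FW_DRY_RUN=1 or when
# firewall-cmd is not installed (so the script can be read and tested anywhere).
run_fw() {
    if [ "${FW_DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "[dry-run] firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# The thread's procedure in one function: confirm firewalld is running, add the
# two permanent rules to the zone in $1, reload, then query each rule so a typo
# in the address or port is caught now rather than by the failing program.
apply_rules() {
    zone=$1
    udp_rule=$(rich_rule udp 239.255.219.183 10731) || return 1
    tcp_rule=$(rich_rule tcp 192.168.10.27 10731) || return 1
    run_fw --state || return 1
    run_fw --permanent --zone="$zone" --add-rich-rule="$udp_rule" || return 1
    run_fw --permanent --zone="$zone" --add-rich-rule="$tcp_rule" || return 1
    run_fw --reload || return 1
    # --query-rich-rule exits 0 only if the rule is present in the runtime set.
    run_fw --zone="$zone" --query-rich-rule="$udp_rule" || echo "udp rule missing after reload" >&2
    run_fw --zone="$zone" --query-rich-rule="$tcp_rule" || echo "tcp rule missing after reload" >&2
}

# Usage: sudo ./fw_rules.sh [zone]   (zone defaults to "drop", as in the thread)
apply_rules "${1:-drop}"
```

Without firewall-cmd on the machine the script only prints the commands it would run, which is also a convenient way to review the change before applying it on the real host. Since the rules are added with `--permanent`, the matching `--remove-rich-rule` with the same rule text (followed by `--reload`) is what undoes them if the port or address changes later.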

firewalld is basically loading and configuring specific ‘tables’ (whatever they are now in nftables or whatever that system uses) on reload and such. It doesn’t log things unless you tell it to. I haven’t done this myself, but this looks like it covers what is needed.

https://www.cyberciti.biz/faq/enable-firewalld-logging-for-denied-packets-on-linux/
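As an added example for the logging question (not code from the thread or from the linked article): firewalld's own switch for this is `firewall-cmd --set-log-denied=all` (the other values are unicast, broadcast, multicast and off; `--get-log-denied` shows the current setting). The resulting entries are written by the kernel's netfilter LOG target, so they appear in `journalctl -k`, `dmesg` or `/var/log/messages` with `SRC=`, `DST=`, `PROTO=` and `DPT=` fields. The script below turns the logging on and then reduces those lines to "which client tried to reach which local address and port", which is exactly the information needed to decide what to allow. The sample log lines are constructed to match that field layout; the `drop_DROP:` prefix in them is illustrative, as the real prefix depends on the zone and its target.

```shell
#!/bin/sh
# Added example (not from the thread): enable firewalld's denied-packet
# logging and summarise the kernel log lines it produces for one port.
# The log lines below are constructed to match the netfilter LOG format;
# the real prefix depends on the zone and target in use.

# Enable logging of dropped/rejected packets ($1: all, unicast, broadcast,
# multicast or off; default all) and show the resulting setting. Needs root;
# prints the command instead when firewall-cmd is not installed.
enable_denied_logging() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --set-log-denied="${1:-all}" && firewall-cmd --get-log-denied
    else
        echo "[dry-run] firewall-cmd --set-log-denied=${1:-all}"
    fi
}

# Constructed sample kernel log lines (not captured from a real host).
SAMPLE_LOG='
Mar 10 09:12:01 host kernel: drop_DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.50 DST=192.168.10.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51532 DPT=10731 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:03 host kernel: drop_DROP: IN=enp3s0 OUT= MAC=01:00:5e:7f:db:b7:66:77:88:99:aa:bb:08:00 SRC=192.168.10.50 DST=239.255.219.183 LEN=48 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=44123 DPT=10731 LEN=28
Mar 10 09:12:05 host kernel: drop_DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.99 DST=192.168.10.27 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 09:12:07 host kernel: enp3s0: link up
'

# Read netfilter LOG lines on stdin and print one "PROTO SRC -> DST:PORT"
# line for each denied packet aimed at port $1, so you can see which client
# and which local address (unicast or multicast group) the daemon needs.
denied_for_port() {
    awk -v want="$1" '
        /kernel: .*DPT=/ {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (dpt == want) printf "%s %s -> %s:%s\n", proto, src, dst, dpt
        }'
}

# Live use on the host:   sudo journalctl -k | denied_for_port 10731
# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | denied_for_port 10731
```

Run against the sample, the filter reports one TCP attempt to 192.168.10.27:10731 and one UDP attempt to the multicast group 239.255.219.183:10731 from the same client, while the unrelated SSH attempt and the non-firewall kernel line are left out. Logging every denied packet can be noisy on a busy network, so `--set-log-denied=off` once the rule is confirmed is reasonable.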

So what happened to the 2 other posts that I made?

LMHmedchem

They were falsely autoflagged as spam. Now they should be online.
