Firewall Policies
Firewall egress filtering may be used to allow or deny traffic leaving a device. This feature allows you to create firewall egress rules, which govern outgoing traffic leaving the device.
Firewall egress filtering extends the firewall/policies endpoint, allowing customization over both incoming (ingress) and outgoing (egress) traffic, thus allowing greater control of the device’s security.
The feature allows you to:
-
Change the default behavior of a firewall policy so it can accept or deny traffic moving between zones.
-
Create, edit and delete firewall policy rules which allow or block specific service traffic based on IP addresses.
-
Configure firewall policy rules through ogcli, Config Shell or the WebUI.
-
Display and inspect rules in a single location in the WebUI.
-
Create symbolic zones HOST and ANY which allow the creation of catch-all firewall policies affecting traffic incoming and outgoing all zones.
Creating Egress Policies in the WebUI
New policies or edits of existing policies are done from the Firewall Policies page. Navigate to Configure > Firewall > Policies, there is now an overview for firewall policies created on the device, as well as an overview page showing firewall policy rules created. To view firewall policy rules, click the drop-down arrow to the right of any policy row.
Egress Policy Details
New policies are created by first clicking on the Add Policy button at the top-right of the Firewall Policies page of the WebUI. New policies can have a user-defined default action, either ACCEPT, CONTINUE, DROP, or REJECT, which describes how traffic moving through the ingress and egress zones will be treated. The ingress and egress zones may be configured as custom zones on the device through the firewall/zone endpoint, or can be symbolic (ANY/HOST) which represent traffic on all interfaces and the host device itself respectively. These default actions are described below.
| Default Action | Outcome |
|---|---|
| ACCEPT | All packets flowing between ingress and egress zones are accepted by default. |
| REJECT | Rejects every packet (a message warns that the connection was rejected and that packets will not be allowed through):ssh: connect to host 10.236.3.7 port 22: Connection refused |
| DROP | Drops every packet (users will not get a message, the connection will hang). |
| CONTINUE | Ongoing packets will be subject to rules in following policies and zones. |
Create a New Firewall Policy
-
Click on the Add Policy button at the top-right of the Firewall Policies page of the WebUI.
-
Complete the Name, Description, Default Action and Policy Priority inputs of the New Policy.
Note: Policy Priority - Policies with negative values are applied before any filtering rules in zones. Policies with positive values are applied after filtering rules in zones. A priority of 0 (zero) cannot be applied.
-
Select the required Ingress and or Egress zones.
-
Click on the Add New Rule button and complete the information; Source and Destination address, also Log Prefix are optional.
-
Click Apply. The new rule is instated.
Editing Policies or Rules
Rules associated with a policy can be edited. When saving their changes after editing, you are prompted to double check their changes using the Confirm Action window, which presents an overview of the policy changes.
Note: Editing a firewall policy or rule may interrupt access to the device.
Configure Egress Policies in the Config Shell
Firewall policies may be created through Config Shell an example is given below:
config: firewall/policy
config(firewall/policy): add incoming
config(firewall/policy incoming): default_action accept
config(firewall/policy incoming): egress_zones
config(firewall/policy incoming egress_zones): add host
config(firewall/policy incoming egress_zones): up
config(firewall/policy incoming): ingress_zones
config(firewall/policy incoming ingress_zones): add any
config(firewall/policy incoming ingress_zones): up
config(firewall/policy incoming): show
Entity firewall/policy item incoming
default_action accept *
description ""
name incoming
priority -1
egress_zones (array)
0 host *
ingress_zones (array)
0 any *
rules (array)
| Policy Configurable Fields | |
|---|---|
| default_action | The default action that is applied to packets that don't match any rule. |
| priority | The priority of the policy dictates when it is applied compared to other policies and zones. Policies with negative priorities are applied before rules in zones; policies with positive priorities are applied after. A priority of 0 is reserved for Rules and is not used for policies. The default value is -1. |
| egress_zones | Traffic directed to the egress zones will be subject to this policy. This was pre-existing but has been expanded to include options for ANY/HOST. |
| ingress_zones | Traffic originating from the ingress zones will be subject to this policy. This was pre-existing but has been expanded to include options for ANY/HOST. |
| rules | A list of rules that specify what happens to specific packets as they pass through the firewall policy. |
Create Rules Under a Policy - Config Shell
The rules that apply to a firewall policy may be created through Config Shell; an example is given below:
config(firewall/policy incoming): rules
config(firewall/policy incoming rules): add
config(firewall/policy incoming rules 0): show
Entity firewall/policy item incoming field rules 0
action "" (required)
destination_address ""
log_prefix ""
priority 0
source_address ""
services (array)
| Rule Configurable Fields | |
|---|---|
| action | The action that will be applied to matching packets. |
| destination_address | The destination address to which this rule will apply. |
| log_prefix | This sets the prefix of the info level log that is sent when this rule is hit. If it is empty, no logs are sent. |
| priority | The priority given to the selected rule. Rules with negative priorities are applied first. The default value is 0. |
| source_address | The source address to which this rule will apply. For multiple source addresses, a separate rule must be created for each address. |
Logging and Debugging Firewall Policies
Some logging and debugging tools are provided for resolving firewall policy issues, as below:
-
List all firewall policies configured on the device:
firewall-cmd --list-all-policies. -
Check the xml files which contain the firewall policy configuration information, under the /etc/firewalld/policies/ directory.
-
Check the journal for firewall related messages:
journalctl -xeu firewalld
Note: firewalld is used to create firewall rules, firewalld is discussed in Interzone Policies and in Firewall Guide.