Firewall Configuration Reference
This article is a Stub. You can help the Sympl Project by expanding it.
Sympl contains an easy-to-use firewall system based on iptables. It protects the server by controlling inbound and outbound connections, and is made up of a set of rules together with automatic whitelist and blacklist configuration.
Configuration changes can be made via SSH or the serial/VNC console as the sympl user, and take effect immediately.
Basic Firewall Configuration
The default configuration for Sympl should cover the majority of use cases. Take care when making any changes, since a mistake can lock you out over SSH; if this happens, you can still access the server via the serial or VNC console.
The configuration of the sympl-firewall package is built from a series of files and directories under /etc/sympl/firewall/. Incoming connections are controlled by the files in /etc/sympl/firewall/incoming.d/ and outgoing connections by the files in /etc/sympl/firewall/outgoing.d/.
These files are named index_number-service_name_or_number, where index_number controls the order in which the rules are applied, and service_name_or_number is either a service name taken from /etc/services, a TCP/UDP port number, or one of a few special keywords (listed under Firewall Keywords below).
Each of these files can either be empty, in which case the rule applies to all hosts, or contain a list of hostnames or IP addresses which the rule applies to, one per line.
If hostnames are used in the configuration files rather than IP addresses, they are resolved when the firewall is updated and the result is cached for up to 15 minutes. If the DNS result changes during that period the firewall will not follow it, so IP addresses should be used where possible.
Firewall Keywords
Sympl uses a number of keywords for rules that are not tied to a port, in the incoming.d/ and outgoing.d/ directories.
As with normal service-name rules, these files can contain target IP addresses or hostnames, one per line, which the rule applies to.
Keyword | Action |
---|---|
accept | Accepts all connections. Uses the iptables ACCEPT target. |
allow | Alias of accept. |
whitelist | Alias of accept. |
new | Permits new connections (connection-tracking state NEW). |
established | Permits traffic belonging to connections which are already established (connection-tracking state ESTABLISHED; this is a conntrack match, not an iptables target). |
related | Accepts new connections that connection tracking associates with an existing one (state RELATED), such as the data connection of an FTP transfer. Replies to DNS queries are already covered by established. |
reject | Rejects all connections. Uses the iptables REJECT target, which returns a TCP reset or an ICMP port-unreachable message. |
blacklist | Alias of reject. |
drop | Drops all traffic silently. Uses the iptables DROP target. |
ping | Permits ICMP echo-request, echo-reply and ttl-exceeded traffic, which allows the server to respond to pings and show up in traceroute tests. |
icmp | Permits all ICMP traffic. Applies to IPv4 only. |
icmpv6 | Permits all ICMPv6 traffic. Applies to IPv6 only. |
essential-icmpv6 | Accepts the ICMPv6 traffic required for IPv6 to operate: destination-unreachable, packet-too-big, parameter-problem, router-solicitation, router-advertisement, neighbour-solicitation and neighbour-advertisement. If this rule is removed IPv6 will very likely cease working properly. Applies to IPv6 only. |
dns | Accepts TCP and UDP traffic from source port 53 to high-numbered unprivileged ports, designed to allow replies to DNS queries. It is redundant when the established and related rules are present. Applies to incoming connections only. |
ftp | Permits connections on both port 20 (ftp-data) and port 21 (ftp, the control connection). |
collector | Permits TCP connections on port 1919. |
imager | Permits TCP connections on port 5000. |
Detailed definitions for these rules are contained in /usr/share/sympl/firewall/rule.d/, and new rules can be created in /usr/local/sympl/symbiosis/firewall/rule.d/ if desired.
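As an added example (not code from the Sympl project or from this page), the following POSIX shell functions build the incoming.d/ and outgoing.d/ layout described under Basic Firewall Configuration, using the keywords from the table above, and lint the result. They assume only what the page states: files are named index_number-service, an empty file applies the rule to every host, otherwise one host per line. The SYMPL_FW_ROOT variable and the fw_add, fw_list, fw_lint and is_ip_literal function names are the example's own; SYMPL_FW_ROOT defaults to /etc/sympl/firewall but can be pointed at a scratch directory so nothing touches the live firewall. The script does not reload the firewall.

```shell
# Added example: create and lint a Sympl-style rule tree from the shell.
# Not the sympl-firewall package's own code. Assumes only the layout on this
# page: index_number-service files under incoming.d/ and outgoing.d/, empty
# for "all hosts", otherwise one host per line. SYMPL_FW_ROOT is this
# example's own variable; set it to a scratch directory to experiment.
SYMPL_FW_ROOT="${SYMPL_FW_ROOT:-/etc/sympl/firewall}"

# fw_add DIR INDEX SERVICE [HOST...]
# Create $SYMPL_FW_ROOT/DIR/INDEX-SERVICE. With no HOST arguments the file
# is left empty (rule applies to everyone); otherwise one host per line.
fw_add() {
    fw_dir="$1"; fw_idx="$2"; fw_svc="$3"; shift 3
    fw_file="$SYMPL_FW_ROOT/$fw_dir/$fw_idx-$fw_svc"
    mkdir -p "$SYMPL_FW_ROOT/$fw_dir"
    : > "$fw_file"
    for fw_host in "$@"; do
        printf '%s\n' "$fw_host" >> "$fw_file"
    done
}

# fw_list DIR
# Print "index service hosts" for every rule file in DIR, sorted numerically
# on the index. Hosts are comma-joined, or "any" for an empty file.
fw_list() {
    for fw_file in "$SYMPL_FW_ROOT/$1"/*-*; do
        [ -f "$fw_file" ] || continue
        fw_name=$(basename "$fw_file")
        if [ -s "$fw_file" ]; then
            fw_hosts=$(tr '\n' ',' < "$fw_file"); fw_hosts=${fw_hosts%,}
        else
            fw_hosts=any
        fi
        printf '%s %s %s\n' "${fw_name%%-*}" "${fw_name#*-}" "$fw_hosts"
    done | sort -n
}

# is_ip_literal STRING
# True for an IPv4 dotted quad or an IPv6 literal, each with an optional
# /prefix. Anything else is treated as a hostname.
is_ip_literal() {
    case "$1" in
        *[!0-9a-fA-F:./]*) return 1 ;;            # non-hex letters: hostname
        *:*) return 0 ;;                          # IPv6 literal
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) return 0 ;;  # IPv4 dotted quad
        *) return 1 ;;
    esac
}

# fw_lint DIR
# Report entries that are hostnames rather than IP literals. The firewall
# resolves these when it is updated and caches the answer for up to 15
# minutes, so a DNS change is not followed promptly. Prints one line per
# offending entry; returns 0 if the tree is clean, 1 otherwise.
fw_lint() {
    fw_bad=0
    for fw_file in "$SYMPL_FW_ROOT/$1"/*-*; do
        [ -f "$fw_file" ] || continue
        while IFS= read -r fw_line || [ -n "$fw_line" ]; do
            [ -n "$fw_line" ] || continue
            if ! is_ip_literal "$fw_line"; then
                printf 'non-IP entry in %s: %s\n' "$(basename "$fw_file")" "$fw_line"
                fw_bad=$((fw_bad + 1))
            fi
        done < "$fw_file"
    done
    [ "$fw_bad" -eq 0 ]
}
```

To try it safely, set SYMPL_FW_ROOT to a scratch directory, source the file, then for instance run fw_add incoming.d 10 ssh 203.0.113.5 followed by fw_add incoming.d 30 reject and fw_list incoming.d to see the resulting order; fw_lint incoming.d lists any hostname entries, which are exactly the ones subject to the 15-minute DNS cache described above.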
Firewall Example
Custom Firewall Additions
Blocking and Allowing Hosts and Networks
Blacklisting
Whitelisting
Disabling the Firewall
Configuration Reference
File or Directory | Used For | More |
---|---|---|
See also Configuration Reference for other configuration files.