Configuring firewalld for New Installs of Management Console 20.04 or newer¶

As of release 20.04, Management Console was upgraded for use with firewalld. Current versions of Management Console do not configure any firewall settings, but instead leaves firewall configurations in control of the administrator. In earlier versions of Management Console, the installer would enable iptables, create and apply a new set of rules that would allow the Management Console to communicate properly. Therefore, firewall configurations were not required for releases 20.01 or older.

If you you are using a firewall with Management Console on your Linux system, you must follow the recommended instructions that show how to create the rules required for Management Console communications. You must also add additional rules required to meet the requirements of your corporate security policy.

The steps below are instructions for configuring firewalld, grouped by IPv4 and IPv6 environments.

To configure firewalld in IPv4 environment

IPv4 firewalld script

RPM New Installations: To configure firewalld in IPv6 environment

OVA New Installations: To configure firewalld in IPv6 environment

Firewalld default behaviors when enabled

All inbound connections are tested against configured rules that have been applied
All outbound connections are allowed
Rules to allow traffic are added to the default zone. All other traffic will be blocked.

Uninstalling RPM

Uninstalling the Management Console RPM does not completely remove the firewall rules.

New Installs in IPv4 Environment¶

To configure firewalld for Management Console communication in an IPv4 environment perform the following steps:¶

Login to the Management Console host operating system console.
Enable firewalld.

sudo systemctl enable firewalld --now
Get the default zone. If the default zone is trusted it will allow all packets. It is recommended that the default zone is set to public.

sudo firewall-cmd --get-default

If default zone is not public, execute the following commands to set the default zone to public.
```
sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
sudo firewall-cmd --set-default=public
sudo firewall-cmd --reload
```
Get the default zone and assign it to a variable.

def_zone=$(firewall-cmd --get-default)
Set the log (all denied packets logged together).

sudo firewall-cmd --set-log-denied=all
Add an interface.

sudo firewall-cmd --zone=$(echo $def_zone) --change-interface=$(ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}')
Enable required ports.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-port={80,443,22,5172}/tcp
Allow pings.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null
Redirect port 443 to 8443.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=443:proto=tcp:toport=8443
Enable IP Masquerading.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-masquerade
Redirect Port 80 to 8080.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=80:proto=tcp:toport=8080

Drop incoming packets to 127/8 from other interfaces other than loopback interface.

sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8

Reload the firewall.

sudo firewall-cmd --reload
Confirm the rules are applied.
1. Check the firewalld status is active.
  sudo systemctl status firewalld
2. Verify all rules are added in firewalld or not, all rules should be applied.
  sudo firewall-cmd --list-all

Firewalld Script for New Installations of Management Console 20.04 or newer Using IPv4¶

HP has provided instructions to create a script that stops the iptables service, and enables firewalld with the required IPv4 rules for Management Console to work correctly.

The script file is created and executed using the following steps:

Copy the script content and save into firewalld.sh

sudo vi firewalld.sh

#!/bin/bash
val1=1
if [ $val1 -eq 1 ]; then
systemctl stop iptables || service iptables stop
systemctl enable firewalld --now
def_zone=$(firewall-cmd --get-default)
if [ $def_zone != "public" ] ; then
    firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
    firewall-cmd --set-default=public
    firewall-cmd --reload
    def_zone=$(firewall-cmd --get-default)
fi
firewall-cmd --set-log-denied=all
firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
firewall-cmd --zone=$(echo $def_zone) --permanent --add-port={22,443,80,5172}/tcp
firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request}
firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=443:proto=tcp:toport=8443
firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --permanent --new-zone loopback
firewall-cmd --permanent --zone=loopback --change-interface=lo
firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
firewall-cmd --reload
fi 2> /dev/null

1. Provide permissions for the script to execute.

sudo chmod +x ./firewalld.sh

Run firewalld.sh:

sudo ./firewalld.sh

New Installs in IPv6 Environment¶¶

To configure firewalld for new RPM installation of Management Console allowing communication in an IPv6 environment perform the following steps:¶

Login to the Management Console host operating system console.
Enable firewalld.

sudo systemctl enable firewalld --now
Get the default zone. If the default zone is trusted it will allow all packets. It is recommended that the default zone is set to public.

sudo firewall-cmd --get-default

If default zone is not public, execute the following commands to set the default zone to public.
```
sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
sudo firewall-cmd --set-default=public
sudo firewall-cmd --reload
```
Get the default zone and assign it to a variable.

def_zone=$(firewall-cmd --get-default)
Set the log (all denied packets logged together).

sudo firewall-cmd --set-log-denied=all

Add an interface.

```
sudo firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
```

Enable required IPv6 ports.
- Open port 443
  
  sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'
- Open port 22
  
  sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'
- Open port 5172
  
  sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'
- Open port 80
  
  sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'
Allow pings.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null
Redirect IPv6 port 443 to 8443.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'
Redirect IPv6 Port 80 to 8080.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'

Drop incoming packets to 127/8 from other interfaces other than loopback interface.

sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8

Reload the firewall.

sudo firewall-cmd --reload
Confirm the rules are applied.
1. Check the firewalld status is active.
  sudo systemctl status firewalld
2. Verify all rules are added in firewalld or not, all rules should be applied.
  sudo firewall-cmd --list-all

To configure firewalld for new OVA installation of Management Console allowing communication in an IPv6 environment perform the following steps:¶

PCoIP Management Console OVA comes ready for an IPv4 deployment. When deploying into an IPv6 environment, the firewalld IPv4 rules must be replaced with IPv6 rules. Perform the following steps to ensure Management Console only has IPv6 rules enabled after deploying Management Console OVA in an IPv6 environment.

Login to the Management Console host operating system console.
Close IPv4 22, 443, 80, 5172 ports.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-port={22,443,80,5172}/tcp
Remove IPv4 internal port forwarding from 443 to 8443.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=443:proto=tcp:toport=8443
Remove IPv4 internal port forwarding from 80 to 8080.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=80:proto=tcp:toport=8080
Open IPv6 port 443.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'
Open IPv6 port 22.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'
Open IPv6 port 5172.

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'
Open IPv6 port 80

sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'
Redirect IPv6 port 443 to 8443.

` sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-r
Redirect IPv6 port 80 to 8080.

udo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'
Reload the firewall rules.

Reload firewall rules
Confirm the rules are applied.
1. Check the firewalld status is active.
  sudo systemctl status firewalld
2. Verify all rules are added in firewalld or not, all rules should be applied.
  sudo firewall-cmd --list-all