Configuring firewalld after a Management Console Upgrade
In Management Console releases 19.05 through 20.01, installation disabled firewalld, enabled iptables and created the rules that allowed Management Console to work as expected. Starting with release 20.04, Management Console moved to firewalld and leaves the firewall configuration in the hands of the local administrator.
If you are upgrading from Management Console release 19.05 through 20.01 to release 20.04 or newer using the Management Console RPM, the existing firewall configuration can be left intact; if you move to firewalld, the rules have to be re-applied to the upgraded version of Management Console.
If you decide to use firewalld, the following instructions provide the steps to remove the iptables configuration applied by Management Console and to add the firewalld rules Management Console requires to operate properly. Any additional rules required to comply with your corporate security policy must be added by the administrator.
Upgrade scenarios discussed in this topic are:
- Firewall changes after an RPM upgrade from Management Console 20.01 or older using IPv4
Upgrades in IPv4 Environments
Firewall changes after an RPM Upgrade from Management Console 20.01 or older using IPv4
When upgrading from a Management Console 20.01 or older installation using RPM, all firewall rules added by the previous installation must be taken into account. The following steps remove the iptables IPv4 rules that the previous Management Console installation added and add the firewalld IPv4 rules Management Console needs to operate properly in an IPv4 environment.
- Log in to the Management Console host operating system console.
- Check the iptables status (it should be active).
    sudo systemctl status iptables
- Check the applied iptables rules.
    sudo iptables -L
- Remove the rule that enabled port 8080.
    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 8080 -j ACCEPT
- Remove the rule that enabled port 8443.
    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 8443 -j ACCEPT
- Remove the rule that enabled port 5172.
    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 5172 -j ACCEPT
- Remove the rules that allowed incoming and outgoing pings.
    sudo iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    sudo iptables -D OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -D INPUT -p icmp --icmp-type echo-reply -j ACCEPT
- Remove the PREROUTING rule.
    sudo iptables -t nat -D PREROUTING -i `ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'` -p tcp --dport 443 -j REDIRECT --to-port 8443
- Remove the rules that handled the loopback interface and packets to 127/8 arriving from other interfaces.
    sudo iptables -D INPUT -i lo -j ACCEPT
    sudo iptables -D INPUT -i lo -d 127.0.0.0/8 -j REJECT
- Remove the outbound traffic rule.
    sudo iptables -D OUTPUT -j ACCEPT
- Remove the logging rule.
    sudo iptables -D INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
- Remove the rules that dropped packets not matching any other rule.
    sudo iptables -D INPUT -j DROP
    sudo iptables -D FORWARD -j REJECT
- Save the iptables rules so your changes persist (the command should report OK).
    sudo service iptables save
- Restart iptables to apply your changes.
    sudo systemctl restart iptables
- Check the iptables rules (they should no longer contain the rules the Management Console installer previously added).
    sudo iptables -L
- Mask iptables.
    sudo systemctl mask iptables
- Stop the iptables service.
    sudo systemctl stop iptables
- Unmask firewalld (the command should report a removed symlink).
    sudo systemctl unmask firewalld
- Enable firewalld.
    sudo systemctl enable firewalld --now
- Start firewalld.
    sudo systemctl start firewalld
- Check the firewalld status (it should be active).
    sudo systemctl status firewalld
- Get the default zone. If the default zone is trusted it allows all packets; it is recommended that the default zone is set to public.
    sudo firewall-cmd --get-default-zone
  If the default zone is not public, execute the following commands to set it to public.
    sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
    sudo firewall-cmd --set-default-zone=public
    sudo firewall-cmd --reload
- Get the default zone and assign it to a variable.
    def_zone=$(sudo firewall-cmd --get-default-zone)
- Log all denied packets.
    sudo firewall-cmd --set-log-denied=all
- Add the interface.
    sudo firewall-cmd --zone=$(echo $def_zone) --change-interface=$(ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}')
- Enable the required ports.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-port={80,443,22,5172}/tcp
- Allow pings.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null
- Redirect port 443 to 8443.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=443:proto=tcp:toport=8443
- Enable IP masquerading.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-masquerade
- Redirect port 80 to 8080.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=80:proto=tcp:toport=8080
- Drop incoming packets to 127/8 arriving on interfaces other than the loopback interface.
    sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
    sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
    sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
- Reload the firewall rules.
    sudo firewall-cmd --reload
- Confirm the rules are applied.
  - Check that the firewalld status is active.
    sudo systemctl status firewalld
  - Verify that all rules have been added in firewalld; all rules should be applied.
    sudo firewall-cmd --list-all
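The interface-selection pipeline used in the steps above (in the PREROUTING rule removal and in the "Add the interface" step, and again in the IPv6 procedures further down) binds the first interface that ip addr show lists in state UP. On a host with more than one UP interface that can be the wrong one: the PREROUTING delete then does not match the rule that was installed, and the explicit zone binding goes to an interface clients never use while the intended interface keeps whatever zone its NetworkManager connection assigns. The following is an added example, not part of the Management Console documentation: it runs the documentation's pipeline on constructed ip addr show output from such a host and shows a default-route based alternative. The interface names, addresses and function names are constructed.

```shell
#!/bin/sh
# Added example; it is not part of the Management Console documentation.
# Both functions read command output from stdin so that they can be exercised
# on the constructed samples below as well as on live output.

# Constructed `ip addr show` output: a second NIC (ens224) on an isolated
# network is listed before the NIC (ens192) that carries the default route.
SAMPLE_IP_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 10.20.0.5/24 brd 10.20.0.255 scope global ens224
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global ens192'

# Constructed `ip route show default` output for the same host.
SAMPLE_IP_ROUTE='default via 192.0.2.1 dev ens192 proto static metric 100'

# The documentation's pipeline, unchanged except that it reads stdin.
first_up_interface() {
    grep "state UP" | head -1 | awk -F': ' '{print $2}'
}

# Alternative: the interface named in the default route, which is the one
# clients reach Management Console through (assumes a single default route).
default_route_interface() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Stand-alone demonstration on the samples.
# Live use:  ip route show default | default_route_interface
printf 'first UP interface:      %s\n' "$(printf '%s\n' "$SAMPLE_IP_ADDR" | first_up_interface)"
printf 'default-route interface: %s\n' "$(printf '%s\n' "$SAMPLE_IP_ROUTE" | default_route_interface)"
```

On the sample host the documentation's pipeline returns ens224, the isolated NIC, while the default-route lookup returns ens192. Whichever method you use, check the result against the interface that carries the Management Console address before binding it.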
Firewall changes for RPM Upgrades from Management Console 20.04 to Management Console 20.07 or newer in IPv4 Deployments
Upgrading from an operational Management Console 20.04 to Management Console 20.07 or newer in an IPv4 environment does not require any firewalld rule changes.
Confirm the iptables service has been disabled
If your 20.04 installation was itself upgraded from an older version, confirm that any previous Management Console iptables installation has been removed.
Firewalld IPv4 Script
HP has provided instructions to create a script that applies the firewalld rules that allow Management Console to work correctly in an IPv4 environment.
Instructions on creating and executing the script can be found here.
Upgrades in IPv6 Environments
Firewall changes required after an Upgrade from Management Console 20.01 or older to Management Console 20.07 or newer in an IPv6 Deployment
When upgrading from a Management Console 20.01 or older installation using RPM, the firewall rules added by the previous installation must be taken into account. The following steps remove the iptables IPv4 rules that the previous installation added and add the firewalld IPv6 rules Management Console needs to operate properly in an IPv6 environment.
- Log in to the Management Console host operating system console.
- Check the iptables status (it should be active).
    sudo systemctl status iptables
- Check the applied iptables rules.
    sudo iptables -L
- Remove the rule that enabled port 8080.
    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 8080 -j ACCEPT
- Remove the rule that enabled port 8443.
    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 8443 -j ACCEPT
- Remove the rule that enabled port 5172.
    sudo iptables -D INPUT -p tcp -m state --state NEW --dport 5172 -j ACCEPT
- Remove the rules that allowed incoming and outgoing pings.
    sudo iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    sudo iptables -D OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    sudo iptables -D INPUT -p icmp --icmp-type echo-reply -j ACCEPT
- Remove the PREROUTING rule.
    sudo iptables -t nat -D PREROUTING -i `ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'` -p tcp --dport 443 -j REDIRECT --to-port 8443
- Remove the rules that handled the loopback interface and packets to 127/8 arriving from other interfaces.
    sudo iptables -D INPUT -i lo -j ACCEPT
    sudo iptables -D INPUT -i lo -d 127.0.0.0/8 -j REJECT
- Remove the outbound traffic rule.
    sudo iptables -D OUTPUT -j ACCEPT
- Remove the logging rule.
    sudo iptables -D INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
- Remove the rules that dropped packets not matching any other rule.
    sudo iptables -D INPUT -j DROP
    sudo iptables -D FORWARD -j REJECT
- Save the iptables rules so your changes persist (the command should report OK).
    sudo service iptables save
- Restart iptables to apply your changes.
    sudo systemctl restart iptables
- Check the iptables rules (they should no longer contain the rules the Management Console installer previously added).
    sudo iptables -L
- Mask iptables.
    sudo systemctl mask iptables
- Stop the iptables service.
    sudo systemctl stop iptables
- Unmask firewalld (the command should report a removed symlink).
    sudo systemctl unmask firewalld
- Enable firewalld.
    sudo systemctl enable firewalld --now
- Start firewalld.
    sudo systemctl start firewalld
- Check the firewalld status (it should be active).
    sudo systemctl status firewalld
- Get the default zone. If the default zone is trusted it allows all packets; it is recommended that the default zone is set to public.
    sudo firewall-cmd --get-default-zone
  If the default zone is not public, execute the following commands to set it to public.
    sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
    sudo firewall-cmd --set-default-zone=public
    sudo firewall-cmd --reload
- Get the default zone and assign it to a variable.
    def_zone=$(sudo firewall-cmd --get-default-zone)
- Log all denied packets.
    sudo firewall-cmd --set-log-denied=all
- Add the interface.
    sudo firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
- Open the required IPv6 ports.
  - IPv6 port 443
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'
  - IPv6 port 22
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'
  - IPv6 port 5172
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'
  - IPv6 port 80
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'
- Allow pings.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null
- Redirect port 443 to 8443.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'
- Redirect port 80 to 8080.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'
- Drop incoming packets to 127/8 arriving on interfaces other than the loopback interface.
    sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
    sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
    sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
- Reload the firewall rules.
    sudo firewall-cmd --reload
- Confirm the rules are applied.
  - Check that the firewalld status is active.
    sudo systemctl status firewalld
  - Verify that all rules have been added in firewalld; all rules should be applied.
    sudo firewall-cmd --list-all
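The final steps of the IPv4 procedure (previous section) and of the IPv6 procedure above leave two checks to the eye: that iptables -L no longer shows the rules the 19.05 through 20.01 installer added, and that firewall-cmd --list-all shows every rule the procedure added. The following is an added example, not part of the Management Console documentation, that scripts both checks: iptables_residue fails when any installer rule is still present in iptables -S output, and firewalld_zone_ok fails when a rule from the IPv4 or IPv6 procedure is missing from the default zone or when the zone target is ACCEPT (the all-allowing behaviour the procedure warns about for the trusted zone). The function names, the interface name ens192 and all sample outputs are constructed; the patterns assume the --list-all listing format of firewalld 0.6-era releases, with rich rules printed one per line and their values quoted.

```shell
#!/bin/sh
# Added example; not part of the Management Console documentation.
# Both functions read command output from stdin. Live use:
#   { sudo iptables -S; sudo iptables -t nat -S; } | iptables_residue
#   sudo firewall-cmd --list-all | firewalld_zone_ok ipv6

# Fragments, in `iptables -S` form, of the rules the old installer added
# (the "Remove rule ..." steps above).
MC_IPTABLES_PATTERNS='--dport 8080 -j ACCEPT
--dport 8443 -j ACCEPT
--dport 5172 -j ACCEPT
--dport 443 -j REDIRECT --to-ports 8443
--log-prefix "iptables denied: "'

# Returns 0 when no installer rule remains in the text on stdin, 1 otherwise.
iptables_residue() {
    rules=$(cat)
    printf '%s\n' "$MC_IPTABLES_PATTERNS" | while IFS= read -r pat; do
        if printf '%s\n' "$rules" | grep -qF -- "$pat"; then
            echo "leftover installer rule: $pat" >&2
            exit 1   # leaves only the while subshell; becomes the function's status
        fi
    done
}

# grep -E patterns that must each match a line of `firewall-cmd --list-all`
# after the IPv4 procedure ...
REQUIRED_IPV4=' 80/tcp( |$)
 443/tcp( |$)
 22/tcp( |$)
 5172/tcp( |$)
port=443:proto=tcp:toport=8443
port=80:proto=tcp:toport=8080
masquerade: yes'
# ... and after the IPv6 procedure (quotes optional: the listed form quotes
# values, the typed form does not).
REQUIRED_IPV6='family="?ipv6"? port port="?443"? protocol="?tcp"? accept
family="?ipv6"? port port="?22"? protocol="?tcp"? accept
family="?ipv6"? port port="?5172"? protocol="?tcp"? accept
family="?ipv6"? port port="?80"? protocol="?tcp"? accept
family="?ipv6"? forward-port port="?443"? protocol="?tcp"? to-port="?8443"?
family="?ipv6"? forward-port port="?80"? protocol="?tcp"? to-port="?8080"?'

# Usage: firewalld_zone_ok ipv4|ipv6 < listing. Returns 0 when every required
# rule is present and the zone target is not ACCEPT, 1 otherwise.
firewalld_zone_ok() {
    case "$1" in
        ipv4) required=$REQUIRED_IPV4 ;;
        ipv6) required=$REQUIRED_IPV6 ;;
        *) echo "usage: firewalld_zone_ok ipv4|ipv6" >&2; return 2 ;;
    esac
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -qE '^ *target: ACCEPT'; then
        echo "zone target is ACCEPT: all packets are allowed" >&2
        return 1
    fi
    printf '%s\n' "$required" | while IFS= read -r re; do
        if ! printf '%s\n' "$listing" | grep -qE -- "$re"; then
            echo "missing firewalld rule: $re" >&2
            exit 1
        fi
    done
}

# Constructed samples: a clean filter table, one with a leftover 5172 rule,
# and default-zone listings as they look after each procedure.
SAMPLE_IPTABLES_CLEAN='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
SAMPLE_IPTABLES_LEFTOVER='-P INPUT ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5172 -j ACCEPT'
SAMPLE_LIST_IPV4='public (active)
  target: default
  interfaces: ens192
  services: ssh dhcpv6-client
  ports: 80/tcp 443/tcp 22/tcp 5172/tcp
  masquerade: yes
  forward-ports: port=443:proto=tcp:toport=8443:toaddr=
	port=80:proto=tcp:toport=8080:toaddr=
  rich rules:'
SAMPLE_LIST_IPV6='public (active)
  target: default
  interfaces: ens192
  services: ssh dhcpv6-client
  ports:
  masquerade: no
  forward-ports:
  rich rules:
	rule family="ipv6" port port="443" protocol="tcp" accept
	rule family="ipv6" port port="22" protocol="tcp" accept
	rule family="ipv6" port port="5172" protocol="tcp" accept
	rule family="ipv6" port port="80" protocol="tcp" accept
	rule family="ipv6" forward-port port="443" protocol="tcp" to-port="8443"
	rule family="ipv6" forward-port port="80" protocol="tcp" to-port="8080"'
# Same rules, but in a trusted-style zone whose target accepts everything.
SAMPLE_LIST_TRUSTED=$(printf '%s\n' "$SAMPLE_LIST_IPV4" | sed 's/^public/trusted/; s/target: default/target: ACCEPT/')

# Stand-alone demonstration.
printf '%s\n' "$SAMPLE_IPTABLES_LEFTOVER" | iptables_residue || echo "residue check failed as expected"
printf '%s\n' "$SAMPLE_LIST_IPV6" | firewalld_zone_ok ipv6 && echo "IPv6 zone complete"
printf '%s\n' "$SAMPLE_LIST_TRUSTED" | firewalld_zone_ok ipv4 || echo "trusted zone rejected as expected"
```

Run the two checks on the real outputs once the procedure is done; a non-zero exit names the first leftover or missing rule on stderr, which is easier to act on than reading a long listing.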
Firewalld Script for IPv6
HP has provided instructions to create a script that removes Management Console iptables rules, stops the iptables service, and enables firewalld with the required rules for Management Console to work correctly in an IPv6 deployment.
The script file is created and executed using the following steps:
- Copy the script content and save it into firewalld.sh.
    sudo vi firewalld.sh
    #!/bin/bash
    val1=1
    if [ $val1 -eq 1 ]; then
    systemctl stop iptables || service iptables stop
    systemctl enable firewalld --now
    def_zone=$(firewall-cmd --get-default-zone)
    if [ "$def_zone" != "public" ] ; then
    firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
    firewall-cmd --set-default-zone=public
    firewall-cmd --reload
    def_zone=$(firewall-cmd --get-default-zone)
    fi
    firewall-cmd --zone=$(echo $def_zone) --permanent --remove-port={22,443,80,5172}/tcp # Closes 22, 443, 80, 5172 port IPv4 rules
    firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=443:proto=tcp:toport=8443 # Removes IPv4 internal port forwarding from 443 to 8443
    firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=80:proto=tcp:toport=8080 # Removes IPv4 internal port forwarding from 80 to 8080
    firewall-cmd --set-log-denied=all
    firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept' # Open 443 port IPv6 rules
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept' # Open 22 port IPv6 rules
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept' # Open 5172 port IPv6 rules
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept' # Open 80 port IPv6 rules
    firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} # Allow icmp ping reply and request
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443' # Forward IPv6 443 port to 8443
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80' # Forward IPv6 80 port to 8080
    firewall-cmd --permanent --new-zone loopback
    firewall-cmd --permanent --zone=loopback --change-interface=lo
    firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8 # Not removing loopback as some services require the loopback address to function properly
    firewall-cmd --reload # Reload the firewall tables
    firewall-cmd --list-all
    fi 2> /dev/null
- Give the script permission to execute.
    sudo chmod +x ./firewalld.sh
- Run firewalld.sh:
    sudo ./firewalld.sh
Firewall changes required after an RPM Upgrade from Management Console 20.04 to Management Console 20.07 or newer in an IPv6 Deployment
When upgrading from IPv4 to IPv6, the firewalld IPv4 rules must be replaced with IPv6 rules.
Perform the following steps to ensure Management Console only has IPv6 rules enabled after upgrading from an IPv4 environment.
- Log in to the Management Console operating system console using an SSH client (e.g. PuTTY).
- Ensure firewalld is enabled.
    sudo systemctl enable firewalld --now
- Get the default zone. If the default zone is trusted it allows all packets; it is recommended that the default zone is set to public.
    sudo firewall-cmd --get-default-zone
  If the default zone is not public, execute the following commands to set it to public.
    sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
    sudo firewall-cmd --set-default-zone=public
    sudo firewall-cmd --reload
- Get the default zone and assign it to a variable.
    def_zone=$(sudo firewall-cmd --get-default-zone)
- Close IPv4 ports 22, 443, 80, and 5172.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-port={22,443,80,5172}/tcp
- Remove the IPv4 internal port forwarding from 443 to 8443.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=443:proto=tcp:toport=8443
- Remove the IPv4 internal port forwarding from 80 to 8080.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=80:proto=tcp:toport=8080
- Log all denied packets.
    sudo firewall-cmd --set-log-denied=all
- Add the interface.
    sudo firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
- Open the required IPv6 ports.
  - IPv6 port 443
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'
  - IPv6 port 22
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'
  - IPv6 port 5172
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'
  - IPv6 port 80
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'
- Allow pings.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null
- Redirect port 443 to 8443.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'
- Redirect port 80 to 8080.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'
- Drop incoming packets to 127/8 arriving on interfaces other than the loopback interface.
    sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
    sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
    sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
- Reload the firewall rules.
    sudo firewall-cmd --reload
- Confirm the rules are applied.
  - Check that the firewalld status is active.
    sudo systemctl status firewalld
  - Verify that all rules have been added in firewalld; all rules should be applied.
    sudo firewall-cmd --list-all
Firewall changes required after updating a Management Console OVA IPv4 deployment to an IPv6 Deployment
To use the Management Console OVA in an IPv6 environment, the IPv4 firewall rules should be removed and the IPv6 rules must be added so Management Console can communicate properly.
Once Management Console 20.07 or newer is deployed, log in to its host operating system console and perform the following steps. The commands below use the def_zone variable; assign it first as in the previous sections (Get the default zone and assign it to a variable), otherwise the --zone option is passed an empty value.
- Close IPv4 ports 22, 443, 80, and 5172.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-port={22,443,80,5172}/tcp
- Remove the IPv4 internal port forwarding rules.
  - From port 443 to 8443.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=443:proto=tcp:toport=8443
  - From port 80 to 8080.
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=80:proto=tcp:toport=8080
- Open the required IPv6 ports.
  - IPv6 port 443
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'
  - IPv6 port 22
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'
  - IPv6 port 5172
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'
  - IPv6 port 80
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'
- Redirect the required ports.
  - Port 443 to 8443
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'
  - Port 80 to 8080
    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'
- Reload the firewall rules.
    sudo firewall-cmd --reload
- Confirm the rules are applied.
  - Check that the firewalld status is active.
    sudo systemctl status firewalld
  - Verify that all rules have been added in firewalld; all rules should be applied.
    sudo firewall-cmd --list-all