The Operations Manager is equipped with a powerful firewall stack based on leading open source firewalld and nftables tools. The default firewall ruleset is configured with a default-deny policy.
The firewall is based on the concept of configurable Zones. Zones are collections of network interfaces – e.g. by default, a WAN zone containing the NET1 and Cellular Modem interfaces. Firewall Rules are applied to Zones.
Towards the end of this article are some common examples of using firewall Zones and Rules to selectively control access to the Operations Manager's services.
Note: To access services on the Operations Manager, a user must have both access through the firewall and the appropriate authorization, e.g. via a local user account or remote AAA.
Firewall Rules
There are several kinds of rules and policies that may be applied to Zones. The examples in this article use Permitted Services Rules and Custom Rules.
- Permitted Services Rules allow access to Services for requests arriving on interfaces in the Zone – Services are configurable collections of one or more TCP/UDP ports (e.g. TCP port 443 is the Operations Manager's HTTPS service for web UI and REST API access)
- Custom Rules allow the full flexibility of firewalld's rich rule syntax for fine-grained access control and advanced applications
Other types of firewall rules:
- Interzone Policies control how Zones may forward traffic between each other – by default Zones may not forward between each other (note that interfaces in the same Zone may always forward between themselves)
- Port Forwarding Rules use destination NAT (DNAT) to redirect requests arriving on interfaces in the Zone to an external Target IP/Port, e.g. a web server running on another host
- Additionally, you can apply source NAT (SNAT) to traffic going out of a Zone by checking the Masquerade Traffic option
Example 1: Disallow WAN Zone access to HTTPS
The default configuration is to allow HTTPS (i.e. the Operations Manager web UI & API) on the WAN Zone. To disallow this:
Note: Ensure you are accessing the Operations Manager via an interface outside the WAN Zone (e.g. NET2 which is the LAN Zone by default) otherwise you will lock yourself out.
- Log in to the Operations Manager's web UI as an Administrator user
- Select CONFIGURE > FIREWALL > Management
- Click WAN then Edit Zone
- Scroll down to Permitted Services
- In the right hand column, click – next to the https service to remove it
- Any service in the right hand column is accessible from any source address on this Zone's interfaces.
- Click Apply
Example 2: Permit access to WAN Zone HTTPS from a trusted source network only
When a service is permitted using a Permitted Services Rule, connections to the service in that Zone are permitted regardless of the originating network the connection is coming from. To disallow connections from all but a trusted source network, use Custom Rules instead.
In this example, HTTPS connections from the 10.12.34.0/24 network to the Operations Manager's WAN Zone are permitted, while all other HTTPS connections on the WAN Zone are disallowed.
Note: Ensure you are accessing the Operations Manager via an interface outside the WAN Zone (e.g. NET2 which is the LAN Zone by default) or from the trusted source network, otherwise you will lock yourself out.
- Log in to the Operations Manager's web UI as an Administrator user
- Select CONFIGURE > FIREWALL > Management
- Click WAN then Manage Custom Rules
- Click Add Custom Rule
- In Description enter: Trusted HTTPS
- In Rule Content enter:
rule family=ipv4 source address=10.12.34.0/24 service name=https accept
- Click Apply
- Follow the steps in Example 1 above to remove the HTTPS Permitted Service
Note: If you are still able to access the service from outside the trusted source address, check that the service is no longer listed in the right hand column of the Permitted Services section.
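The note above is the crux of Examples 1 and 2: a Permitted Service accepts the service from any source, so the source-restricted Custom Rule only takes effect once https has been removed from Permitted Services. The following Python model was written for this article to make that interaction concrete; it is not code from the Operations Manager or from firewalld. It parses the rich rule used in Example 2 and evaluates a simplified version of firewalld's Zone decision (Custom Rules first, then Permitted Services, then default-deny). The evaluation order, the Zone and RichRule classes, and the sample source addresses (10.12.34.7 inside the trusted network, 203.0.113.9 outside it) are assumptions constructed for the example.

```python
"""Simplified model of how a firewalld Zone decides on an inbound request.

Added example for this article; not Operations Manager or firewalld code.
The evaluation order is a simplification: matching Custom (rich) Rules
decide first, then Permitted Services accept from ANY source, then the
Zone's default-deny policy rejects whatever is left.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Only the rich-rule shape used in this article is supported:
#   rule family=<ipv4|ipv6> source address=<net> service name=<svc> <action>
RICH_RULE_RE = re.compile(
    r"^rule\s+family=(?P<family>ipv4|ipv6)\s+"
    r"source\s+address=(?P<source>\S+)\s+"
    r"service\s+name=(?P<service>\S+)\s+"
    r"(?P<action>accept|reject|drop)$"
)


@dataclass
class RichRule:
    family: str
    source: ipaddress.IPv4Network | ipaddress.IPv6Network
    service: str
    action: str


def parse_rich_rule(text: str) -> RichRule:
    """Parse one Custom Rule line; reject anything outside the supported shape."""
    m = RICH_RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rich rule: {text!r}")
    net = ipaddress.ip_network(m["source"], strict=False)
    if (m["family"] == "ipv4") != (net.version == 4):
        raise ValueError("address family does not match source address")
    return RichRule(m["family"], net, m["service"], m["action"])


@dataclass
class Zone:
    name: str
    permitted_services: set = field(default_factory=set)
    custom_rules: list = field(default_factory=list)

    def decide(self, source_ip: str, service: str) -> str:
        """Return 'accept', 'reject' or 'drop' for a request in this Zone."""
        ip = ipaddress.ip_address(source_ip)
        # Custom Rules: a rule that matches source network and service is final.
        for rule in self.custom_rules:
            if ip.version == rule.source.version and ip in rule.source \
                    and rule.service == service:
                return rule.action
        # Permitted Services: accepted regardless of where the request came from.
        if service in self.permitted_services:
            return "accept"
        return "reject"  # default-deny policy


# The Custom Rule from Example 2 (taken from the article).
TRUSTED_HTTPS = "rule family=ipv4 source address=10.12.34.0/24 service name=https accept"


def wan_zone_with_permitted_https() -> Zone:
    """WAN Zone after adding the Custom Rule but BEFORE completing Example 1."""
    return Zone("WAN", permitted_services={"https"},
                custom_rules=[parse_rich_rule(TRUSTED_HTTPS)])


def wan_zone_hardened() -> Zone:
    """WAN Zone after the https Permitted Service has been removed as well."""
    return Zone("WAN", permitted_services=set(),
                custom_rules=[parse_rich_rule(TRUSTED_HTTPS)])


def https_access(zone: Zone) -> dict:
    """Decision for a trusted and an untrusted source (constructed sample IPs)."""
    return {ip: zone.decide(ip, "https") for ip in ("10.12.34.7", "203.0.113.9")}


if __name__ == "__main__":
    print("https still in Permitted Services:", https_access(wan_zone_with_permitted_https()))
    print("https removed from Permitted Services:", https_access(wan_zone_hardened()))
```

Running the block shows the untrusted address 203.0.113.9 still accepted while https remains a Permitted Service, and rejected once it is removed; the trusted 10.12.34.7 is accepted in both cases. Any service other than https (ssh, for instance) is rejected from the trusted network too, because the Custom Rule names https only and nothing else is permitted in the hardened Zone.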