Introduction
You may need to run the Live Assist software in the cloud. If you do, be prepared to receive unsolicited SIP and HTTP traffic on ports 5060 and 5061 (SIP spam) and 8443 (HTTPS spam).
Your cloud provider normally supplies a firewall and DDoS protection, but you may want to add an extra layer of protection to your installation by running firewalld on the server itself.
IMPORTANT - This is just a guide and is provided 'as is' with no support. We recommend you run this past your own I.T. / Security team and test on a local VM before implementing on a live server. Misconfiguring firewalld can prevent remote access to your server, requiring local console access to resolve.
CentOS 7 Firewalld configuration
Make sure Firewalld is installed:
yum install firewalld
Make sure the interface is added to the public zone:
sudo firewall-cmd --zone=public --permanent --change-interface=eno16777984
This can also be set in the interface configuration file:
vi /etc/sysconfig/network-scripts/ifcfg-eno16777984
ZONE=public
Create service definition files for the Gateway and Media Broker:
vi /etc/firewalld/services/csdk-mb.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>MB</short>
<description>Service Description for Media Broker Service</description>
<port protocol="udp" port="16000"/>
<port protocol="udp" port="17000-17999"/>
<port protocol="tcp" port="8092"/>
</service>
vi /etc/firewalld/services/csdk-gw.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>GW</short>
<description>Service Description for Gateway Service</description>
<port protocol="tcp" port="8080"/>
<port protocol="tcp" port="8443"/>
<port protocol="tcp" port="9990"/>
<port protocol="tcp" port="9100"/>
<port protocol="tcp" port="9463"/>
<port protocol="tcp" port="9999"/>
<port protocol="tcp" port="5060"/>
<port protocol="udp" port="5060"/>
<port protocol="tcp" port="5061"/>
<port protocol="tcp" port="5080"/>
<port protocol="udp" port="5080"/>
<port protocol="tcp" port="5081"/>
</service>
Reload so firewalld picks up the new service definitions:
sudo firewall-cmd --reload
Apply the services to the public zone:
sudo firewall-cmd --zone=public --permanent --add-service=csdk-gw
sudo firewall-cmd --zone=public --permanent --add-service=csdk-mb
A rich rule is needed to accept connections from the server's own source address.
If clustered, also allow the other Gateway servers in the cluster, so that replication and other inter-node services can operate without issue.
firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="172.31.250.45" accept'
firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="172.31.250.46" accept'
Reload, then restart the network and firewall services to verify the configuration survives a restart:
sudo firewall-cmd --reload
sudo systemctl restart network.service
sudo systemctl restart firewalld.service
Verify the configuration:
[root@centos72 log]# firewall-cmd --get-active-zones
public
interfaces: eno16777984
[root@centos72 AS]# firewall-cmd --zone=public --list-all
public (default)
interfaces:
sources:
services: csdk-gw csdk-mb dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="172.31.250.45" accept
rule family="ipv4" source address="172.31.250.46" accept
At this point the Firewalld configuration is complete.
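As an added helper (not part of the original guide), the script below generates a service definition like the csdk-*.xml files above from a list of port/protocol specs, and checks the output of firewall-cmd --zone=public --list-all for the services and rich-rule sources this guide configures. It assumes the guide's service names (csdk-gw, csdk-mb) and cluster addresses (172.31.250.45, 172.31.250.46); the listing at the bottom is constructed sample output.

```shell
#!/bin/sh
# Added helper, not part of the original guide. Assumes the guide's service
# names and cluster addresses; SAMPLE_LISTING below is constructed.

# Build a firewalld service definition from "port/proto" specs so the XML
# is generated rather than hand-typed.
# Usage: mk_service_xml SHORT "Description" 16000/udp 17000-17999/udp 8092/tcp
mk_service_xml() {
  short=$1; desc=$2; shift 2
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
  for spec in "$@"; do
    port=${spec%/*}; proto=${spec#*/}
    case $proto in
      tcp|udp) ;;
      *) echo "mk_service_xml: bad spec '$spec' (want port/tcp or port/udp)" >&2; return 1 ;;
    esac
    printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
  done
  printf '</service>\n'
}

# Read 'firewall-cmd --zone=public --list-all' output on stdin and confirm the
# guide's services and rich rules are present. Returns 0 if all are found,
# 1 otherwise, naming each missing item on stderr.
check_zone() {
  listing=$(cat); rc=0
  services=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
  for svc in csdk-gw csdk-mb ssh; do
    case " $services " in
      *" $svc "*) ;;
      *) echo "missing service: $svc" >&2; rc=1 ;;
    esac
  done
  for ip in 172.31.250.45 172.31.250.46; do
    printf '%s\n' "$listing" | grep -q "source address=\"$ip\" accept" \
      || { echo "missing rich rule for $ip" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample, mirroring the --list-all listing shown in the guide.
SAMPLE_LISTING='public (default)
  interfaces: eno16777984
  services: csdk-gw csdk-mb dhcpv6-client ssh
  ports:
  rich rules:
        rule family="ipv4" source address="172.31.250.45" accept
        rule family="ipv4" source address="172.31.250.46" accept'
```

On a live host, run `firewall-cmd --zone=public --list-all | check_zone` after the reload and restart steps; a non-zero exit means the permanent configuration did not come back as expected.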
Other useful commands, opening individual ports rather than a service:
Addition:
sudo firewall-cmd --zone=public --permanent --add-port=8092/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp
sudo firewall-cmd --zone=public --permanent --add-port=8443/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9990/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9100/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9463/tcp
sudo firewall-cmd --zone=public --permanent --add-port=9999/tcp
sudo firewall-cmd --zone=public --permanent --add-port=5060/tcp
sudo firewall-cmd --zone=public --permanent --add-port=5060/udp
sudo firewall-cmd --zone=public --permanent --add-port=5061/tcp
sudo firewall-cmd --zone=public --permanent --add-port=5080/tcp
sudo firewall-cmd --zone=public --permanent --add-port=5080/udp
sudo firewall-cmd --zone=public --permanent --add-port=5081/tcp
sudo firewall-cmd --zone=public --permanent --add-port=16000/udp
sudo firewall-cmd --zone=public --permanent --add-port=17000-18000/udp
Removal:
sudo firewall-cmd --zone=public --permanent --remove-port=8092/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=8080/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=8443/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=9990/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=9100/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=9463/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=9999/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=5060/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=5060/udp
sudo firewall-cmd --zone=public --permanent --remove-port=5061/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=5080/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=5080/udp
sudo firewall-cmd --zone=public --permanent --remove-port=5081/tcp
sudo firewall-cmd --zone=public --permanent --remove-port=16000/udp
sudo firewall-cmd --zone=public --permanent --remove-port=17000-18000/udp
List Ports:
sudo firewall-cmd --zone=public --permanent --list-ports