
Switch to Shorewall or another more modern firewall than CSF

Discussion in 'Feature Requests & Suggestions' started by jeffwidman, Jan 29, 2016.

  1. jeffwidman

    jeffwidman Active Member

    I just ran into an issue with CSF.

    I was doing some networking research over the past few days and learned that `iproute2` (called `ip` in CentOS 7) replaces the long deprecated `net-tools` package. I had manually installed the net-tools package quite a while ago for some network debugging. But now that I was switching over to using `ip`, I manually removed the net-tools package from the box.

    However, it turns out that CSF still depends on `ifconfig`, even though `ifconfig` has been deprecated for quite a while. It also turns out that CentOS 7 decided `net-tools` had been deprecated long enough, and quit including it. So it has to be manually installed anyway.

    Can I request switching to another more modern firewall/firewall configuration tool?
    For example, I know a lot of folks are happy with Shorewall--commonly recommended on ServerFault.

    Obviously not an immediate thing as it's a bit of work to switch out, but as a long-term goal project it'd be a nice upgrade.

    Continuing to use a tool (especially security tool) that relies on linux packages that have been deprecated for nearly 7 years (source: net-tools future) is asking for trouble.
     
    Last edited: Jan 29, 2016
  2. pamamolf

    pamamolf Well-Known Member

    CSF is easy to use and most people don't have any issues, and the few that have problems can find a ton of tutorials or help everywhere; that's why it's not easy to use something else without any much better options.

    I don't say not to use what you recommend, but I can imagine that most people will reply with that kind of post :)
     
  3. eva2000

    eva2000 Administrator Staff Member

    Unfortunately I've never used Shorewall; CSF I've been using for over 12+ yrs.
    The simplest route would be for CSF to update to not depend on net-tools/ifconfig. But really, how deprecated is net-tools if CentOS still uses it and it has long-term support? For Red Hat, and thus CentOS, 6.x support ends on November 30, 2020 according to Red Hat Enterprise Linux Life Cycle - Red Hat Customer Portal. So net-tools would still be used and supported by Red Hat with backported updates until that time, I believe?

    CentOS/Red Hat still recommend installing net-tools if needed: Manuals/ReleaseNotes/CentOS7 - CentOS Wiki
    edit: okay, checking the net-tools change log, it indeed hasn't been updated, or hasn't required an update, since 2012
    Code:
    rpm -qa --changelog net-tools | head -n10
    * Wed Apr 25 2012 Jiri Popelka <jpopelka@redhat.com> - 1.60-110
    - 'hostname -I' should not depend on name resolution (#786546)
    
    * Thu Aug 25 2011 Jiri Popelka <jpopelka@redhat.com> - 1.60-109
    - Improved netstat_stop_trim.patch to not truncate IPV6 UDP sockets (#732984)
    
    * Tue Jul 26 2011 Jiri Popelka <jpopelka@redhat.com> - 1.60-108
    - patch netstat to separate basename of -p only if it is absolute
      path (in order to make argv[0]="sshd pty/0" display as sshd, and not as /0).
      (#725348)
     
    Last edited: Jan 29, 2016
  4. eva2000

    eva2000 Administrator Staff Member

    Shorewall might be a bit too confusing for new folks compared to CSF http://shorewall.net/Introduction.html & http://shorewall.net/configuration_file_basics.htm ?

    @jeffwidman does Shorewall have auto install/config of all detected network interfaces (looks like you have to manually map zone names and interfaces /etc/shorewall/zones and /etc/shorewall/interfaces), auto updating and login failure daemon equivalents to what CSF Firewall has ?

    Looks like for CentOS the shorewall yum package is a part of the EPEL yum repo, so I guess if you set up yum-cron to auto update then you can auto update shorewall.

    Nice guide for Shorewall at Linux Configure Firewall Using Shorewall Under RHEL / CentOS, though a lot of manual configuration in files in a syntax that would make automation a lot harder compared to CSF firewall, i.e. http://shorewall.net/configuration_file_basics.htm#Pairs

    i.e. for CSF firewall for whitelisting and allowing TCP connections inbound to port 3306 from IP 11.22.33.44 in /etc/csf/csf.allow
    Code:
    tcp|in|d=3306|s=11.22.33.44
    
    or allow ICMP connections inbound for type ping from 44.33.22.11
    Code:
    icmp|in|d=ping|s=44.33.22.11
    
    Also does Shorewall support dynamic IP address whitelisting like CSF Firewall http://centminmod.com/csf_firewall.html#dynamicip ?
     
    Last edited: Jan 29, 2016
  5. jeffwidman

    jeffwidman Active Member

    Reviving this thread since I've learned a bit more about how firewalls work under the covers...

    One other big thing that CSF is missing because it's so ancient is support for stateful packet inspection in modern IPtables. Makes managing the firewall both more convenient and arguably more secure.

    While shorewall is still solid, CentOS 7 has a built-in firewall called FirewallD that does 90% of what CSF does, without having to install custom software. Under the covers it's just modifying IPtables, just like most other firewall software. But the user experience as a sysadmin is a very straightforward command line interface to open/close ports, and it's very easily scripted.

    For the other features that CSF offers, like login failure detection, I'd rather see a dedicated tool like Fail2Ban used. I like the Unix philosophy of one tool per job, as it's easier to use and debug, not to mention generally more polished since the maintainers are focused on the feature, rather than tacking it on as one more thing.

    Anyway, could centminmod switch to firewalld?
     
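    Post 4 quotes the two-line csf.allow syntax and post 5 argues that firewalld is the scripted route. As an added example that is not part of this thread, and not code from CSF, Centmin Mod or firewalld, the POSIX shell function below translates that pipe-delimited csf.allow form (proto|in|d=<port or ping>|s=<IPv4>) into the equivalent firewalld rich rule and prints the firewall-cmd command instead of running it, so the result can be reviewed before it touches a live box. The helper names csf_allow_to_firewalld and is_ipv4 are my own; only the two rule shapes quoted in post 4 are mapped, and anything else (outbound rules, ICMP types other than ping, bare IPs, CIDR ranges) is rejected with a non-zero status rather than silently turned into an allow rule. The sample rules at the bottom are constructed to mirror the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): map the csf.allow rule form
#   proto|in|d=<port or ping>|s=<IPv4>
# onto a firewalld rich rule. Nothing here changes the live firewall; the
# output is the firewall-cmd line you would review and then run yourself.

# is_ipv4: true when $1 is a dotted quad with every octet in 0..255.
is_ipv4() (
    set -f                                  # no pathname expansion while splitting
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
)

# csf_allow_to_firewalld: print the firewall-cmd command for one csf.allow line.
# Exit status 1 = malformed line, 2 = well-formed but deliberately not mapped
# (outbound rules, ICMP types other than ping, protocols other than tcp/udp/icmp).
csf_allow_to_firewalld() (
    set -f
    old_ifs=$IFS; IFS='|'; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    proto=$1 dir=$2 dst=$3 src=$4

    # Rich rules filter traffic entering a zone; there is no in/out switch,
    # so a CSF "out" rule has no direct rich-rule equivalent and is refused.
    [ "$dir" = in ] || return 2

    case $src in s=*) src=${src#s=} ;; *) return 1 ;; esac
    is_ipv4 "$src" || return 1

    case $proto in
        tcp|udp)
            case $dst in d=*) port=${dst#d=} ;; *) return 1 ;; esac
            case $port in ''|*[!0-9]*) return 1 ;; esac
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
            rule="rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"$proto\" accept"
            ;;
        icmp)
            # CSF's d=ping is ICMP echo-request; other CSF ICMP names are not mapped here.
            [ "$dst" = d=ping ] || return 2
            rule="rule family=\"ipv4\" source address=\"$src\" icmp-type name=\"echo-request\" accept"
            ;;
        *) return 2 ;;
    esac
    printf "firewall-cmd --permanent --add-rich-rule='%s'\n" "$rule"
)

# Constructed sample input mirroring the two rules quoted in post 4, plus one
# outbound rule to show the refusal path.
sample_rules='# constructed csf.allow excerpt
tcp|in|d=3306|s=11.22.33.44
icmp|in|d=ping|s=44.33.22.11
tcp|out|d=25|s=11.22.33.44'

printf '%s\n' "$sample_rules" | while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
    csf_allow_to_firewalld "$line" || echo "# not mapped (status $?): $line"
done
```

    The emitted commands use --permanent, which only writes the saved configuration; a firewall-cmd --reload is still needed before the rule is active. Only the allow list is covered: a csf.deny entry would want a rich rule ending in drop or reject, and the out direction is refused on purpose because firewalld rich rules have no egress counterpart.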
  6. eva2000

    eva2000 Administrator Staff Member

    Got any materials I can read up on this? AFAIK, CSF is just a wrapper to iptables like firewalld is to iptables. The heavy lifting is done by iptables itself.

    Centmin Mod 123.09beta01 does have a routine for this, but it isn't tested at all as to how firewalld would fare on a fully installed Centmin Mod LEMP stack, and there's no documentation I have for Centmin Mod users for firewalld, so the end user would need to look it up for themselves right now.

    To switch from CSF Firewall to firewalld, it has to be done at initial install time setting persistent config file /etc/centminmod/custom_config.inc variable to
    Code (Text):
    FIREWALLD_DISABLE='n'
    

    Relevant lines are lines 129-188 of inc/csfinstall.inc if folks are inclined to do this manually on a server post initial install.
     
    Last edited: Jan 26, 2017