4
Stacki Tutorial #2: Disabling Host Firewalls Introduction By default, Stacki installs a host firewall on each backend server, and configures the firewall to allow traffic on the private subnet, and only connections associated with the private subnet on the public subnet. And ssh is allowed anywhere, so you can administer the server. Of course if you have added a network card for eth1 and put it on the public network, this might not be your optimal configuration. What you will learn This short tutorial will focus on disabling the host firewall on backend servers. Specifically, when done with this tutorial, you will be able to: - Disable Firewalls on an installed host. - Disable Firewalls on all installed hosts. - Disable activation of firewalls on an installed host. - Disable activation of firewalls for all installs. While there is a ton more possible, and we touch on several of the other parts of the Stacki command line, in keeping with the goals of this tutorial series we are going to stay lazer focused on disabling the firewall in Stacki, so you have all the information you need about how Stacki manages firewalls and disabling them, and we can keep this tutorial at a reasonable length. What Stacki Does For Host Firewalls Stacki wraps iptables, so that single firewall configuration commands can be used across ma- chines to configure firewalls correctly and consistently. To do this, Stacki presents a command line that you interact with to change firewall configuration by adding rules to iptables. The default configuration is to allow all traffic within the private network, and only allow traffic on the public network that is associated with a private connection. This is a secure and reliable configuration, but may not meet the needs of your organization. The default configuration for CentOS/RHOS 6.X allows SSH into both public and private, while for CentOS/RHOS 7.X allows both SSH and ICMP echo-request/echo-reply. Page 1 www.stacki.com | Stacki Google Group | Stacki GitHub Page

Stacki: Disabling Firewall Tutorial

  • Upload
    stackiq

  • View
    12

  • Download
    0

Embed Size (px)

DESCRIPTION

By default, Stacki installs a host firewall on each backend server, and configures the firewall to allow traffic on the private subnet, and only connections associated with the private subnet on the public subnet. And ssh is allowed anywhere, so you can administer the server.Learn more at www.stacki.com

Citation preview

  • Stacki Tutorial #2: Disabling Host Firewalls

    IntroductionBy default, Stacki installs a host firewall on each backend server, and configures the firewall to allow traffic on the private subnet, and only connections associated with the private subnet on the public subnet. And ssh is allowed anywhere, so you can administer the server.

    Of course if you have added a network card for eth1 and put it on the public network, this might not be your optimal configuration.

    What you will learnThis short tutorial will focus on disabling the host firewall on backend servers. Specifically, when done with this tutorial, you will be able to:

    - Disable Firewalls on an installed host. - Disable Firewalls on all installed hosts. - Disable activation of firewalls on an installed host. - Disable activation of firewalls for all installs.

    While there is a ton more possible, and we touch on several of the other parts of the Stacki command line, in keeping with the goals of this tutorial series we are going to stay lazer focused on disabling the firewall in Stacki, so you have all the information you need about how Stacki manages firewalls and disabling them, and we can keep this tutorial at a reasonable length.

    What Stacki Does For Host FirewallsStacki wraps iptables, so that single firewall configuration commands can be used across ma-chines to configure firewalls correctly and consistently. To do this, Stacki presents a command line that you interact with to change firewall configuration by adding rules to iptables.

    The default configuration is to allow all traffic within the private network, and only allow traffic on the public network that is associated with a private connection. This is a secure and reliable configuration, but may not meet the needs of your organization. The default configuration for CentOS/RHOS 6.X allows SSH into both public and private, while for CentOS/RHOS 7.X allows both SSH and ICMP echo-request/echo-reply.

    Page 1www.stacki.com | Stacki Google Group | Stacki GitHub Page

  • Stop That!The first, and easiest thing to learn is how to disable firewall configuration in Stacki. On the stacki server, type the command:stack list attr attr=firewall

    Will give you the global firewall attribute and its value.

    As you can see, firewalling hosts is turned on by default. The G stands for global, which well talk more about in a bit.

    If that doesnt suit the needs of your environment, turning it off before installing is as simple as setting the global firewall attribute to false:

    This command line (and all set attribute command lines) does not display any results unless there is an error.Once the above command line has been executed, every backend server install that stacki does from that point forward will have firewalls disabled. This includes reinstalls. The only excep-tions to this rule are (a) if youve over-ridden the value for a particular host (see below), and (b) obviously if you ever change the value back to true, firewalls will begin installing again.

    If you prefer to know that you got it right, simply get the value again from stacki:

    As you can see, the global firewall attribute is now set to false. What this means is that on install, iptables will not be configured and run at all.

    If you have already installed your servers and want to disable firewalling, you still can. First follow the steps above to disable the firewall on future installs. Then execute the following on the stacki server:

    CentOS 6.X

    [root@stackidon ~]# stack list attr=firewall

    -------------------- firewall true G

    Page 2www.stacki.com | Stacki Google Group | Stacki GitHub Page

    [root@stackidon ~]# stack set attr attr=firewall value=false

    [root@stackidon ~]# stack list attr | attr=firewall

    -------------------- firewall false G

    [root@stackidon ~]# stack run host backend command=/etc/init.d/iptables stop;chkconfig iptables

    off

  • CentOS 7.X

    In both cases, we are simply visiting each host and stopping iptables, then telling the system to disable iptables so that on future boots it does not start automatically.

    The run command finds all servers that match the host name (for host name discussions, see

    the call-out box at this link), and executes the command on each server.

    Thats it! If youve followed these steps, firewalls should be disabled on all backend nodes, and any new nodes you install will have firewalls disabled by default.

    Disabling the Firewall on a Single ServerOf course, you can disable firewalling on a single system while leaving it in place for all others by using the following command:

    If this is done before the host is installed, thats all you need to do. To disable on a single server do not change the value of the global firewall attribute. That disables for all future installations.

    If the host is already installed, you still need to execute the above command so that if Stacki ever re-installs the host it knows how to treat the firewall, but you also need to stop the already-con-figured firewall from running on the host:

    CentOS 6.X

    CentOS 7.X

    Where you can substitute the hostname for whichever machine needs the firewall disabled in the place of backend-0-0 in the above commands.

    This works because the global value for firewall is a default, and an individually configured value at the host level will over-ride the default. This is the design of Stacki overall, and you will see more of this theme in coming tutorials.

    Page 3www.stacki.com | Stacki Google Group | Stacki GitHub Page

    [root@stackidon ~]# stack run host backend command=systemctl stop iptables:systemctl disable

    iptables

    [root@stackidon ~]# stack set host attr backend-0-0 attr=firewall value=false

    [root@stackidon ~]# stack run host backend-0-0 command=/etc/init.d/iptables stop;chkconfig ipt-ables off

    [root@stackidon ~]# stack run host backend-0-0 command=systemctl stop iptables:systemctl disable

    iptables

  • SummaryHost-based firewalls, and if they are used, tends to be a very local decision. There is no real standard for deployment of host firewalls, many organizations feeling network firewalls provide enough protection, and others not wanting the internal servers locked down so tightly that they cause problems. This tutorial showed you just the tip of the iceberg in terms of firewall configuration. Turning firewall activation on and off is just one of many Stacki commands relevant to firewalls, but if your organization has a policy of not allowing host firewalls, it is the most important. In future installments well cover other firewall functional-ity, so that you can get the most from Stackis functionality.

    Stacki Tutorial #2: Disabling Host Firewalls 2015 StackIQ, Inc. | www.stacki.com

    Page 4www.stacki.com | Stacki Google Group | Stacki GitHub Page


Disabling Windows XP Services

Disabling Windows XP Services

Documents
BQ27541 Hibernate Mode Disabling

BQ27541 Hibernate Mode Disabling

Software
Ivan Illich Disabling Professions

Ivan Illich Disabling Professions

Documents
Automation of your OpenStack Infrastructure with Stacki

Automation of your OpenStack Infrastructure with Stacki

Technology
Enabling and disabling JavaScript

Enabling and disabling JavaScript

Documents
Disabling Our Diagnostic Dilemmas

Disabling Our Diagnostic Dilemmas

Documents
Stacki Overview at StackiFest 2017

Stacki Overview at StackiFest 2017

Software
2000 Duckett d&s Disabling Employment

2000 Duckett d&s Disabling Employment

Documents
IPsec Anti-Replay Window Expanding and Disabling€¦ · IPsec Anti-Replay Window Expanding and Disabling Expanding and Disabling of an Anti-Replay Window for Crypto Maps or Crypto

IPsec Anti-Replay Window Expanding and Disabling€¦ · IPsec Anti-Replay Window Expanding and Disabling Expanding and Disabling of an Anti-Replay Window for Crypto Maps or Crypto

Documents
UML-Kit - PHYTEC · 2016. 12. 7. · 2.2.3 Disabling the Firewall.....20 2.2.4 Configure User Rights for the Serial Interface.....21 2.3 UML-Kit Setup ... one CAN bus interface, and

UML-Kit - PHYTEC · 2016. 12. 7. · 2.2.3 Disabling the Firewall.....20 2.2.4 Configure User Rights for the Serial Interface.....21 2.3 UML-Kit Setup ... one CAN bus interface, and

Documents
X, and Windows - SAP · 4.2 Disabling the Windows Server Firewall on Windows Server 2008 (R2) and Higher ... 6.8 Creating Symbolic Links on Windows Server 2008 (R2)

X, and Windows - SAP · 4.2 Disabling the Windows Server Firewall on Windows Server 2008 (R2) and Higher ... 6.8 Creating Symbolic Links on Windows Server 2008 (R2)

Documents
StackiFest16: Stacki 1600+ Server Journey - Dave Peterson, Salesforce

StackiFest16: Stacki 1600+ Server Journey - Dave Peterson, Salesforce

Software
DISABLING IMAGERY

DISABLING IMAGERY

Documents
StackiFest16: Building a Cluster with Stacki - Greg Bruno

StackiFest16: Building a Cluster with Stacki - Greg Bruno

Software
Enabling or Disabling CEF or dCEF - Cisco · Enabling or Disabling CEF or dCEF ThismodulecontainsinformationaboutCiscoExpressForwardinganddescribestherequiredandoptional

Enabling or Disabling CEF or dCEF - Cisco · Enabling or Disabling CEF or dCEF ThismodulecontainsinformationaboutCiscoExpressForwardinganddescribestherequiredandoptional

Documents
Installing a Cluster of Raspberry Pis with Stacki Ace

Installing a Cluster of Raspberry Pis with Stacki Ace

Technology
How Teradata uses Stacki

How Teradata uses Stacki

Technology
Interrupt Disabling

Interrupt Disabling

Documents
JENIS-JENIS FIREWALL Ada 2 jenis firewall : Software firewall kelebihan software firewall

JENIS-JENIS FIREWALL Ada 2 jenis firewall : Software firewall kelebihan software firewall

Documents
Disabling Security Settings in Acrobat Files

Disabling Security Settings in Acrobat Files

Documents
The UC Learning Center: Disabling Pop Up Blockersblink.ucsd.edu/_files/HR-tab/staff-ed/popup_blocker_guide.pdf · Disabling Pop-up Blockers | 1 The UC Learning Center: Disabling Pop-Up

The UC Learning Center: Disabling Pop Up Blockersblink.ucsd.edu/_files/HR-tab/staff-ed/popup_blocker_guide.pdf · Disabling Pop-up Blockers | 1 The UC Learning Center: Disabling Pop-Up

Documents
Disabling InvokerServlet

Disabling InvokerServlet

Documents
Provisioning with Stacki at NIST

Provisioning with Stacki at NIST

Technology
Stacki at the Seattle Scalability Meetup

Stacki at the Seattle Scalability Meetup

Engineering
Introduction to Stacki - World's fastest Linux server provisioning Tool

Introduction to Stacki - World's fastest Linux server provisioning Tool

Technology
DISABLING BARRIERS – BREAK TO INCLUDE

DISABLING BARRIERS – BREAK TO INCLUDE

Documents
StackiFest 16: Stacki Overview- Anoop Rajendra

StackiFest 16: Stacki Overview- Anoop Rajendra

Software
Windows 7 Firewall. Windows 7 Firewall Topics What is a firewall? What is a firewall? Firewall types Firewall types How a firewall works How a firewall

Windows 7 Firewall. Windows 7 Firewall Topics What is a firewall? What is a firewall? Firewall types Firewall types How a firewall works How a firewall

Documents
Stacki Saves Time

Stacki Saves Time

Technology
Brain Disabling

Brain Disabling

Documents