CHAPTER 4
Overview
• Managing SELinux Port Labeling (and Practice)
Managing Firewalld
Objectives
After completing this section, students should be able to review firewalld concepts and management commands covered in previous courses.
Note
The firewalld.service and iptables.service, ip6tables.service, and ebtables.service services conflict with each other. To prevent accidentally starting one of the *tables.service services (and wiping out any running firewall config in the process), it is good practice to mask them using systemctl.
firewalld separates all incoming traffic into zones, with each zone having its own set of rules. To check which zone to use for an incoming connection, firewalld uses this logic, where the first rule that matches wins:
1. If the source address of an incoming packet matches a source rule set up for a zone, that packet will be routed through that zone.
3. Otherwise, the default zone is used. The default zone is not a separate zone; instead, it points to one of the other zones defined on the system.
trusted    Allow all incoming traffic.
90 RH254-RHEL7-en-1-20140711
Managing firewalld
firewalld can be managed in three ways:
In most cases, editing the configuration files directly is not recommended, but it can be useful to copy configurations in this way when using configuration management tools.
firewall-cmd is installed as part of the main firewalld package. firewall-cmd can perform the same actions as firewall-config.
Chapter 4. Network Port Security
firewall-cmd example
The following examples show the default zone being set to dmz, all traffic coming from the 192.168.0.0/24 network being assigned to the internal zone, and the network ports for mysql being opened on the internal zone.
[root@serverX ~]# firewall-cmd --set-default-zone=dmz
[root@serverX ~]# firewall-cmd --permanent --zone=internal --add-source=192.168.0.0/24
[root@serverX ~]# firewall-cmd --permanent --zone=internal --add-service=mysql
[root@serverX ~]# firewall-cmd --reload
References
firewall-cmd(1), firewall-config(1), firewalld(1), firewalld.zone(5), and firewalld.zones(5) man pages
Practice: Configuring a Firewall
Guided exercise
In this lab, you will configure a basic firewalld firewall.
Machines:
Outcomes:
A firewall configured on serverX to allow https traffic from your desktopX system.
As part of an ongoing project to track the designated caffeinated beverage fetcher of the day, you have been tasked with configuring a basic web server and firewall on your serverX system.
• Until your in-house web developers complete the actual application, the web server should serve a placeholder page with the text COFFEE!.
connections.
1.1.
[student@serverX ~]$ sudo systemctl status firewalld.service
2.1.
[student@serverX ~]$ sudo yum install httpd mod_ssl
5. Configure the firewalld daemon on serverX to route all traffic through the dmz zone by default.
5.1.
[student@serverX ~]$ sudo firewall-cmd --set-default-zone=dmz
6.1.
[student@serverX ~]$ sudo firewall-cmd --permanent --zone=work --add-source=172.25.X.0/24
7.1.
[student@serverX ~]$ sudo firewall-cmd --permanent --zone=work --add-service=https
8. Activate the changes to your firewall.
8.1.
[student@serverX ~]$ sudo firewall-cmd --reload
9.1.
[student@serverX ~]$ sudo firewall-cmd --get-default-zone
dmz
9.2.
[student@serverX ~]$ sudo firewall-cmd --get-active-zones
dmz
  interfaces: eth0
work
  sources: 172.25.X.0/24
ROL
  sources: 172.25.0.252/32
9.3.
[student@serverX ~]$ sudo firewall-cmd --zone=work --list-all
work
  interfaces: 
  sources: 172.25.X.0/24
  services: dhcpv6-client https ipp-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
10.1.
[student@desktopX ~]$ curl http://serverX.example.com
curl: (7) Failed connect to serverX.example.com:80; No route to host
10.2.
[student@desktopX ~]$ curl -k https://serverX.example.com
COFFEE!
Managing Rich Rules
Objectives
After completing this section, students should be able to configure more complex firewall configurations using firewalld's support for "rich language rules."
Rich rules concepts
Apart from the regular zones and services syntax that firewalld offers, administrators have two other options for adding firewall rules: direct rules and rich rules.
Direct rules
Direct rules allow an administrator to insert hand-coded {ip,ip6,eb}tables rules into the zones managed by firewalld. While powerful, and exposing features of the kernel netfilter subsystem not exposed through other means, these rules can be hard to manage. Direct rules also offer less flexibility than standard rules and rich rules. Configuring direct rules is not covered in this course, but documentation is available in the firewall-cmd(1) and firewalld.direct(5) man pages for those administrators who are already familiar with {ip,ip6,eb}tables syntax.
[root@serverX ~]# firewall-cmd --direct --permanent --add-chain ipv4 raw blacklist
[root@serverX ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw PREROUTING 0 -s 192.168.0.0/24 -j blacklist
[root@serverX ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 0 -m limit --limit 1/min -j LOG --log-prefix "blacklisted "
[root@serverX ~]# firewall-cmd --direct --permanent --add-rule ipv4 raw blacklist 1 -j DROP
Rich rules
firewalld rich rules give administrators an expressive language in which to express custom firewall rules that are not covered by the basic firewalld syntax; for example, to only allow connections to a service from a single IP address, instead of all IP addresses routed through a zone.
rule
  [source]
  [destination]
  service|port|protocol|icmp-block|masquerade|forward-port
  [log]
  [audit]
  [accept|reject|drop]
Note
For the full available syntax for rich rules, consult the firewalld.richlanguage(5) man page.
Rule ordering
Once multiple rules have been added to a zone (or the firewall in general), the ordering of rules can have a big effect on how the firewall behaves.
In all cases, the first match will win. If a packet has not been matched by any rule in a zone, it will typically be denied, but zones might have a different default; for example, the trusted zone will accept any unmatched packet. Also, after matching a logging rule, a packet will continue to be processed as normal.
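The zone-selection logic from the start of this section (a matching source rule wins, otherwise the default zone) and the first-match-wins rule ordering just described, simulated in Python. This is an added example, not firewalld's own code: it parses only the subset of the rich language shown on this page, and the zone names, source networks, service table and rules are constructed from the chapter's own examples with X replaced by 0.

```python
"""Simulate firewalld zone selection and first-match rich rule ordering.
Added example, not firewalld's own code: only the subset of the rich language
shown on this page is understood (family, source address, service name,
port/protocol, protocol value, log with prefix/level/limit, accept/reject/drop).
"""
import ipaddress
import shlex
from dataclasses import dataclass, field

SERVICES = {"ssh": ("tcp", 22), "https": ("tcp", 443), "dns": ("udp", 53)}  # constructed

@dataclass
class Packet:
    src: str          # source IP address
    proto: str        # "tcp", "udp", "esp", ...
    dport: int = 0    # destination port (0 for protocols without ports)

@dataclass
class Zone:
    name: str
    sources: list = field(default_factory=list)  # CIDRs bound with --add-source
    rules: list = field(default_factory=list)    # rich rule strings, in order
    default_action: str = "drop"                 # the trusted zone uses "accept"

def select_zone(packet, zones, default_zone):
    """A zone whose source rule matches wins first; otherwise the default
    zone, which only points at one of the named zones."""
    addr = ipaddress.ip_address(packet.src)
    for zone in zones:
        if any(addr in ipaddress.ip_network(cidr) for cidr in zone.sources):
            return zone
    return next(z for z in zones if z.name == default_zone)

def parse_rich_rule(text):
    """'rule family=ipv4 source address=... service name=ssh log ... accept'
    -> dict; keywords that take a key=value argument consume the next token."""
    tokens = shlex.split(text)
    assert tokens[:1] == ["rule"], "rich rules start with the word 'rule'"
    rule = {"action": None, "log": False}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("accept", "reject", "drop"):
            rule["action"] = tok
        elif tok == "log":
            rule["log"] = True
        elif tok in ("source", "service", "port", "protocol", "limit"):
            i += 1                                   # address=, name=, port=, value=
            rule[tok] = tokens[i].split("=", 1)[1]
        else:                                        # family=, protocol=, prefix=, level=
            key, value = tok.split("=", 1)
            rule[key] = value
        i += 1
    return rule

def rule_matches(rule, packet):
    addr = ipaddress.ip_address(packet.src)
    if "family" in rule and rule["family"] != "ipv%d" % addr.version:
        return False
    if "source" in rule and addr not in ipaddress.ip_network(rule["source"]):
        return False
    if "service" in rule and (packet.proto, packet.dport) != SERVICES[rule["service"]]:
        return False
    if "port" in rule and packet.dport != int(rule["port"]):
        return False
    if "protocol" in rule and packet.proto != rule["protocol"]:
        return False
    return True

def evaluate(packet, zone):
    """First matching rule with an action decides; a log-only rule records its
    prefix and processing continues; unmatched packets get the zone default."""
    logged = []
    for text in zone.rules:
        rule = parse_rich_rule(text)
        if not rule_matches(rule, packet):
            continue
        if rule["log"]:
            logged.append(rule.get("prefix", ""))
        if rule["action"]:
            return rule["action"], logged
    return zone.default_action, logged

def filter_packet(packet, zones, default_zone):
    zone = select_zone(packet, zones, default_zone)
    verdict, logged = evaluate(packet, zone)
    return zone.name, verdict, logged

# Constructed zones built from the rules this chapter shows (X replaced by 0).
ZONES = [
    Zone("work", sources=["172.25.0.0/24"], rules=[
        'rule family=ipv4 source address=172.25.0.10/32 service name="ssh" '
        'log prefix="ssh" level="notice" limit value="3/m" accept',
    ]),
    Zone("dmz", rules=[
        'rule family=ipv4 source address=192.168.0.0/24 log prefix="probe"',
        "rule family=ipv4 source address=192.168.0.11/32 reject",
        "rule protocol value=esp drop",
        "rule port port=443 protocol=tcp accept",
    ]),
    Zone("trusted", sources=["10.0.0.0/8"], default_action="accept"),
]
```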
Testing and debugging
To make testing and debugging easier, almost all rules can be added to the runtime configuration with a timeout. The moment the rule with a timeout is added to the firewall, the timer starts counting down for that rule. Once the timer for a rule has reached zero seconds, that rule is removed from the runtime configuration.
Using timeouts can be an incredibly useful tool while working on a remote firewall, especially when testing more complicated rule sets. If a rule works, the administrator can add it again, but with the --permanent option (or at least without a timeout). If the rule does not work as intended, maybe even locking the administrator out of the system, it will be removed automatically, allowing the administrator to continue his or her work.
Working with rich rules
firewall-cmd has four options for working with rich rules. All of these options can be used in combination with the regular --permanent or --zone=<ZONE> options.
Option                         Explanation
--remove-rich-rule='<RULE>'    Remove <RULE> from the specified zone, or the default zone if no zone is specified.
--query-rich-rule='<RULE>'     Query if <RULE> has been added to the specified zone, or the default zone if no zone is specified. Returns 0 if the rule is present, otherwise 1.
--list-rich-rules              Outputs all rich rules for the specified zone, or the default zone if no zone is specified.
Rich rules examples
Some examples of rich rules:
[root@serverX ~]# firewall-cmd --permanent --zone=classroom --add-rich-rule='rule family=ipv4 source address=192.168.0.11/32 reject'
[root@serverX ~]# firewall-cmd --add-rich-rule='rule service name=ftp limit value=2/m accept'
[root@serverX ~]# firewall-cmd --permanent --add-rich-rule='rule protocol value=esp drop'
Note
Accept all TCP packets on ports 7900, up to and including port 7905, in the vnc zone for the 192.168.1.0/24 subnet.
Logging with rich rules
When debugging, or monitoring, a firewall, it can be useful to have a log of accepted or rejected connections. firewalld can accomplish this in two ways: by logging to syslog, or by sending messages to the kernel audit subsystem, managed by auditd.
log [prefix="<PREFIX TEXT>"] [level=<LOGLEVEL>] [limit value="<RATE/DURATION>"]
<DURATION> can be one of s for seconds, m for minutes, h for hours, or d for days. For example, limit value=3/m will limit the log messages to a maximum of three per minute.
The basic syntax for logging to the audit subsystem is:
Logging examples
Some examples of logging using rich rules:
[root@serverX ~]# firewall-cmd --permanent --zone=work --add-rich-rule='rule service name="ssh" log prefix="ssh" level="notice" limit value="3/m" accept'
[root@serverX ~]# firewall-cmd --add-rich-rule='rule family=ipv6 source address="2001:db8::/64" service name="dns" audit limit value="1/h" reject' --timeout=300
New IPv6 connections from the subnet 2001:db8::/64 in the default zone to DNS are rejected for the next five minutes, and rejected connections are logged to the audit system with a maximum of one message per hour.
References
firewalld.richlanguage(5), firewall-cmd(1), and firewalld.direct(5) man pages
Practice: Writing Custom Rules
Guided exercise
In this lab, you will configure your serverX system to allow connections to a (new) http service, but only from desktopX, and with a rate-limited log message.
Machines:
Outcomes:
Custom firewall rules that configure rate-limited logging for specific connections.
1. First install, start, and enable httpd.
1.1.
[student@serverX ~]$ sudo yum install httpd
[student@serverX ~]$
[student@serverX ~]$
2.1. Permanently create the new firewall rule.
[student@serverX ~]$
2.2. Activate the changes to your firewall.
[student@serverX ~]$ sudo firewall-cmd --reload
2.4. From your desktopX system, use curl to connect to the httpd service running on serverX.
2.5. Inspect the output of your running tail command on serverX. You should see a message for the new connection like this:
Masquerading and Port Forwarding
Objectives
After completing this section, students should be able to describe and implement Network Address Translation (NAT).
Masquerading
With masquerading, a system will forward packets that are not directly addressed to itself to the intended recipient, while changing the source address of the packets that go through to its own public IP address. When answers to those packets come in, the firewall will then modify the destination address to the address of the original host, and send the packet on. This is usually used on the edge of a network to provide Internet access to an internal network. Masquerading is a form of Network Address Translation (NAT).
Important
Masquerading can only be used with IPv4, not with IPv6.
Figure 4.1: A sample network layout for NAT (Firewall: Internal IP 10.0.0.1, External IP 1.2.3.4)
An example of how masquerading works based on the network layout described in Figure 4.1: A sample network layout for NAT.
the firewall), stores a reference to this connection in its connection state table, then passes it to a router on the Internet based on its routing table.
This will masquerade any packets sent to the firewall from clients defined in the sources for that zone (both interfaces and subnets) that are not addressed to the firewall itself.
[root@serverX ~]# firewall-cmd --permanent --zone=<ZONE> --add-rich-rule='rule
Port forwarding
Another form of NAT is port forwarding. With port forwarding, traffic to a single port is forwarded either to a different port on the same machine, or to a port on a different machine. This mechanism is typically used to "hide" a server behind another machine, or to provide access to a service on an alternate port.
Important
When a port forward is configured to forward packets to a different machine, any replies from that machine will normally be sent directly to the original client from that
[root@serverX ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=513:proto=tcp:toport=132:toaddr=192.168.0.254
To gain more control over port forwarding rules, the following syntax can be used with rich rules:
forward-port port=<PORTNUM> protocol=tcp|udp [to-port=<PORTNUM>] [to-addr=<ADDRESS>]
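Both mechanisms of this section, masquerading and port forwarding, as an added Python simulation that is neither firewalld nor netfilter code. It uses the Figure 4.1 addresses (external IP 1.2.3.4; the internal network 10.0.0.0/24 is an assumption derived from the internal IP 10.0.0.1), the --add-forward-port example above and the 443/tcp to 22/tcp forward from the practice exercise; client and remote hosts and ports are constructed, and the IPv4-only restriction from the Important box is enforced.

```python
"""Masquerading and port forwarding, simulated the way the firewall applies them.
Added example, not firewalld or netfilter code. Addresses follow Figure 4.1
(firewall external IP 1.2.3.4, internal network assumed to be 10.0.0.0/24);
clients, remote hosts and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatFirewall:
    def __init__(self, external_ip, internal_net, forwards=()):
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        # (proto, port) -> (to_addr or None, to_port or None), the pieces of
        # --add-forward-port=port=513:proto=tcp:toport=132:toaddr=192.168.0.254
        self.forwards = dict(forwards)
        # connection state table: (proto, nat port, remote ip, remote port)
        #   -> (original source ip, original source port)
        self.conntrack = {}
        self.next_nat_port = 40000

    def outbound(self, pkt):
        """Masquerade a packet leaving the internal network: rewrite the source
        to the firewall's public address and remember the connection."""
        src = ipaddress.ip_address(pkt.src)
        if src.version != 4:
            raise ValueError("masquerading is only available for IPv4")
        if src not in self.internal_net or pkt.dst == self.external_ip:
            return pkt          # not from a masqueraded client, or addressed to us
        nat_port = self.next_nat_port
        self.next_nat_port += 1
        self.conntrack[(pkt.proto, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=nat_port)

    def inbound(self, pkt):
        """Packet arriving on the external side: replies to masqueraded
        connections get their original destination back, new connections to a
        forwarded port are redirected, everything else is left untouched."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            orig_src, orig_sport = self.conntrack[key]
            return replace(pkt, dst=orig_src, dport=orig_sport)
        target = self.forwards.get((pkt.proto, pkt.dport))
        if target is not None:
            to_addr, to_port = target
            return replace(pkt, dst=to_addr or pkt.dst, dport=to_port or pkt.dport)
        return pkt


# Constructed configuration: the page's --add-forward-port example plus the
# 443 -> 22 local forward from the practice exercise.
FORWARDS = {
    ("tcp", 513): ("192.168.0.254", 132),
    ("tcp", 443): (None, 22),
}
FW = NatFirewall("1.2.3.4", "10.0.0.0/24", forwards=FORWARDS)
```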
References
firewalld.richlanguage(5) and firewall-cmd(1) man pages
Practice: Forwarding a Port
Guided exercise
In this lab, you will configure your serverX system to forward a request to port 443/tcp from desktopX to port 22/tcp.
Machines:
Outcomes:
Custom firewall rules that configure a port forward.
[student@serverX ~]$ sudo firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.X.10/32 forward-port port=443 protocol=tcp to-port=22'
[student@serverX ~]$ sudo firewall-cmd --reload
can't be established.
ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
Are you sure you want to continue connecting (yes/no)? yes
student@serverX.example.com's password: student
Managing SELinux Port Labeling
Objectives
After completing this section, students should be able to ensure network ports have the correct SELinux type so that services are able to bind to them.
SELinux port labeling
SELinux does more than just file and process labeling. Network traffic is also tightly enforced by the SELinux policy. One of the methods that SELinux uses for controlling network traffic is labeling network ports; for example, in the targeted policy, port 22/TCP has the label ssh_port_t associated with it.
Managing SELinux port labeling
Whenever an administrator decides to run a service on a nonstandard port, there is a high chance that SELinux port labels will need to be updated. In some cases, the targeted policy has already labeled the port with a type that can be used; for example, since port 8008/TCP is often used for web applications, that port is already labeled with http_port_t, the default port type for the web server.
Listing port labels
To get an overview of all the current port label assignments, administrators can use the port subcommand of the semanage command. The -l option will list all current assignments, in the form:
port_label_t tcp|udp comma, separated, list, of, ports
Example output:
[root@serverX ~]# semanage port -l
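An added Python example, not part of the course material, that parses semanage port -l output in the form described above and decides whether a port must be added (semanage port -a) or modified (semanage port -m) before a service can bind to it. SAMPLE_LISTING is a constructed excerpt in that format, and GENERIC_TYPES is an assumption about which catch-all types the targeted policy gives to otherwise unlabeled port ranges.

```python
"""Parse 'semanage port -l' output and check what SELinux type a port carries.
Added example, not part of the course. SAMPLE_LISTING is a constructed excerpt
in the format the page describes:
port_label_t  tcp|udp  comma, separated, list, of, ports (ranges as low-high).
"""
import re

SAMPLE_LISTING = """\
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
reserved_port_t                tcp      1-511
hi_reserved_port_t             tcp      512-1023
unreserved_port_t              tcp      1024-65535
dns_port_t                     udp      53
"""

# Assumption: catch-all types the targeted policy gives to otherwise unlabeled
# ranges. A port covered only by one of these can take a new type with -a.
GENERIC_TYPES = {"reserved_port_t", "hi_reserved_port_t", "unreserved_port_t"}

LINE_RE = re.compile(r"^(\S+_t)\s+(tcp|udp)\s+(.+)$")


def parse_port_listing(text):
    """Return (type, proto, low, high) tuples; a single port has low == high."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue                      # header line or blank line
        label, proto, ports = match.groups()
        for item in ports.split(","):
            low, _, high = item.strip().partition("-")
            entries.append((label, proto, int(low), int(high or low)))
    return entries


def port_types(entries, proto, port):
    """Every type whose assignment covers the port, narrowest range first."""
    hits = [e for e in entries if e[1] == proto and e[2] <= port <= e[3]]
    return [e[0] for e in sorted(hits, key=lambda e: e[3] - e[2])]


def labeling_action(entries, proto, port, wanted):
    """What to run before binding a service to proto/port:
    'ok'     - the port already carries the wanted type
    'add'    - only a generic range covers it: semanage port -a -t <wanted>
    'modify' - another specific type owns it:   semanage port -m -t <wanted>"""
    types = port_types(entries, proto, port)
    if wanted in types:
        return "ok"
    if all(t in GENERIC_TYPES for t in types):
        return "add"
    return "modify"
```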
Managing port labels
semanage can also be used to assign new port labels, remove port labels, or modify existing ones.
Important
[root@serverX ~]# semanage port -a -t port_label -p tcp|udp PORTNUMBER
Note
Removing port labels
Modifying port bindings
If an administrator has accidentally assigned the wrong type to a port, or requirements have changed, it's possible to modify the label associated with a port. This is a more efficient process than removing the old binding and adding a new one. Modifications require the -m option.
References
semanage(8), semanage-port(8), *_selinux(8), and system-config-selinux(8) man pages
Practice: Managing SELinux Port Labeling
Guided exercise
In this lab, you will configure your serverX system to allow http access on a nonstandard port.
Machines:
Outcomes:
[student@serverX ~]$ lab selinuxport setup
One of your developers has already configured the application on your serverX. But not
3.1.
[student@serverX ~]$ curl http://serverX.example.com:82
Hello
4.1.
[student@desktopX ~]$ curl http://serverX.example.com:82
curl: (7) Failed to connect to serverX.example.com:82; No route to host
That error means you still can't connect from desktopX. Take a minute to think up some probable causes for this failure.
5. On your serverX system, open up port 82/TCP on your firewall.
7. On your desktopX system, run the command lab selinuxport grade to verify your work.
7.1.
[student@desktopX ~]$ lab selinuxport grade
Testing http access over port 82... PASS
Lab: Network Port Security
Performance checklist
In this lab, you will configure a custom firewall zone, service, and a custom SELinux port type.
Machines:
Outcomes:
An SSHD service listening on both the regular port 22/TCP, as well as the new nonstandard port 999/TCP, protected through a custom firewall zone and a custom firewall service.
After ensuring sshd listens on these ports, you will need to update the firewall on serverX as well. Use the following criteria when configuring the firewall:
Solution
[student@serverX ~]$ lab custom-sshd setup
Since some of your co-workers sometimes have to use your serverX machine from a network that blocks outgoing access to port 22/TCP, you have decided to bind your sshd daemon to the nonstandard port 999/TCP. The sshd daemon should also still be available over the standard port 22/TCP. The lab custom-sshd setup script has already configured the sshd daemon
After you have completed your work, you can run the command lab custom-sshd grade on your desktopX machine to verify your work.
1. Verify that sshd is indeed listening on both port 22/TCP and port 999/TCP. If not, investigate and fix.
1.1. Use ss to find all the ports where sshd is listening.
[student@serverX ~]$ sudo ss -tulpn | grep sshd
tcp    LISTEN     0      128       *:22      *:*      users:(("sshd",4864,3))
tcp    LISTEN     0      128      :::22
1.2. The previous output indicates that sshd is only bound to port 22/TCP. Restart the sshd.service service and check the status output.
tcp    LISTEN     0      128       *:999     *:*      users:(("sshd",4864,3))
3.1. Add the port.
[student@serverX ~]$ sudo firewall-cmd --permanent --zone=work --add-port=999/tcp
4.1.
[student@desktopX ~]$ lab custom-sshd grade
Summary
Managing Firewalld
In this section, students reviewed firewalld concepts and management commands covered in previous courses.
Managing Rich Rules
In this section, students learned how to configure more complex firewall configurations using firewalld's support for "rich language rules."
Masquerading and Port Forwarding
In this section, students learned how to describe and implement Network Address Translation (NAT).
Managing SELinux Port Labeling
In this section, students learned how to ensure network ports have the correct SELinux type so that services are able to bind to them.
CHAPTER 5
Overview
• Configure unbound to act as a secure local caching nameserver.
DNS Concepts
Objectives
After completing this section, students should be able to:
The Domain Name System
The Domain Name System (DNS) is a hierarchical naming system that serves as a directory of networked hosts and resources. Information in the directory maps network names to data and is maintained in logical entries known as resource records. The DNS hierarchy begins with the root domain "." at the top and branches downward to multiple next-level domains.
Each level of the DNS hierarchy is delineated by the "." in domain names, with "." as the top level. Domains such as com, net, and org occupy the second level of the hierarchy and domains such as example.com and redhat.com occupy the third level and so on.
When working with DNS, it is important to clarify some of the common terms used to refer to the structure of the DNS hierarchy, such as domain, subdomain, and zone.
Domain
A top-level domain (TLD) is a domain that has only one component. Generic TLDs (gTLDs) were originally organized by theme, and include .com, .edu, .net, etc. Country code TLDs (ccTLDs)
Subdomain
Zone
A zone is the portion of a domain for which a particular nameserver is directly responsible,
Anatomy of DNS lookups
When a system needs to perform name resolution using a DNS server, it begins by sending queries to the servers listed in /etc/resolv.conf in order, until it gets a response or runs out of servers. The host or dig commands can be used to manually look up DNS names.
When the query arrives at a DNS server, the server first determines whether the information being queried resides in a zone that it is authoritative for. If the server is an authority for the zone that the name or address being queried belongs to, then the server responds to the client with the information contained in its local zone file. This type of response is referred to as an authoritative answer (aa), since the server providing the response is authoritative for the data provided. Authoritative answers from a nameserver have the aa flag turned on in the header of the DNS response.
Upon receiving the referral, the DNS server will then perform another iterative query to the TLD authoritative nameserver it was referred to. Depending on whether there are further remaining delegations in the name being queried, this authoritative nameserver will either send an authoritative answer or yet another referral. This continues until an authoritative server is reached and responds with an authoritative answer.
DNS resource records
Field name    Content
owner-name    The name for this resource record.
TTL           The Time To Live of the resource record in seconds. This specifies how long this resource record should be cached by DNS resolvers.
class         The "class" of the record, almost always IN ("Internet").
[student@serverX ~]$ host -v -t A example.com
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            86400   IN      A       172.25.254.254

Received 96 bytes from 172.25.254.254#53 in 1 ms
;; QUESTION SECTION:
;a.root-servers.net.            IN      AAAA

;; ANSWER SECTION:
a.root-servers.net.     604800  IN      AAAA    2001:503:ba3e::2:30
CNAME (canonical name) records
A CNAME resource record aliases one name to another name (the canonical name), which should have A or AAAA records.
When a DNS resolver receives a CNAME record in response to a query, it will reissue the query using the canonical name instead of the original name.
external to the zone:
www-dev.example.com.    IN      CNAME   lab.example.com.
www.example.com.        IN      CNAME   www.redhat.com.
CNAME records are useful, but should be used with some care. In general, pointing CNAME records to other CNAME records should be avoided for efficiency and fragility reasons and to avoid creating a CNAME loop by accident. The chain of CNAME records must end in A and/or AAAA
;; QUESTION SECTION:
;ipa-ca.server0.example.com.    IN      A

;; ANSWER SECTION:
ipa-ca.server0.example.com. 86400 IN    CNAME   server0.example.com.
server0.example.com.        86400 IN    A       172.25.0.11
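An added Python example, not from the course, that follows CNAME chains the way the resolver described above does and flags the situations the text warns about: aliases chained through other CNAMEs, CNAME loops, and aliases whose target has no A/AAAA data. The record table holds the page's CNAME examples plus constructed entries (an address for lab.example.com, a chained alias, a loop, and a dangling alias); the chain cap is likewise constructed.

```python
"""Follow CNAME chains like a resolver and audit a zone for the CNAME pitfalls
the text warns about.
Added example, not from the course. The record table holds the page's CNAME
examples plus constructed entries: an address for lab.example.com, an alias
chained through another alias, a CNAME loop, and an alias whose target is gone.
"""
RECORDS = {
    ("www-dev.example.com.", "CNAME"): ["lab.example.com."],
    ("www.example.com.", "CNAME"): ["www.redhat.com."],          # target outside the zone
    ("ipa-ca.server0.example.com.", "CNAME"): ["server0.example.com."],
    ("server0.example.com.", "A"): ["172.25.0.11"],
    ("lab.example.com.", "A"): ["172.25.254.254"],                # constructed
    ("old-dev.example.com.", "CNAME"): ["www-dev.example.com."],  # constructed chain
    ("loop-a.example.com.", "CNAME"): ["loop-b.example.com."],    # constructed loop
    ("loop-b.example.com.", "CNAME"): ["loop-a.example.com."],
    ("gone.example.com.", "CNAME"): ["nowhere.example.com."],     # constructed dangling alias
}
MAX_CHAIN = 8   # constructed cap, in the spirit of the chase limits resolvers apply


class ResolutionError(Exception):
    pass


def fqdn(name):
    return name if name.endswith(".") else name + "."


def resolve(name, rtype="A", records=RECORDS):
    """Return (chain, answers): the names visited, original first and canonical
    name last, plus the rtype data found at the end of the chain. A name with
    neither rtype data nor a CNAME ends the chain with empty answers."""
    chain = [fqdn(name)]
    while True:
        current = chain[-1]
        if (current, rtype) in records:
            return chain, records[(current, rtype)]
        targets = records.get((current, "CNAME"))
        if not targets:
            return chain, []
        nxt = targets[0]
        if nxt in chain:
            raise ResolutionError("CNAME loop: " + " -> ".join(chain + [nxt]))
        if len(chain) >= MAX_CHAIN:
            raise ResolutionError("CNAME chain too long starting at " + chain[0])
        chain.append(nxt)


def audit_cnames(records=RECORDS, zone="example.com."):
    """Map each offending CNAME owner to a finding: loops, aliases chained
    through other CNAMEs, and in-zone targets without A/AAAA data. Targets
    outside the zone are not judged, since this table knows nothing about them."""
    findings = {}
    for (owner, rtype), _ in records.items():
        if rtype != "CNAME":
            continue
        try:
            chain, answers = resolve(owner, "A", records)
        except ResolutionError as err:
            findings[owner] = str(err)
            continue
        if len(chain) > 2:
            findings[owner] = "alias chained through %d CNAMEs" % (len(chain) - 1)
        elif not answers and (chain[-1], "AAAA") not in records \
                and chain[-1].endswith("." + zone):
            findings[owner] = "dangling alias: no A/AAAA at " + chain[-1]
    return findings
```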
PTR records code the IP address in a special format that acts like a host name. For IPv4
addresses, the address is reversed, most specific part first, and the result is treated as a host
in a subdomain of the special domain in-addr.arpa. For IPv6 addresses, the address is split into
subdomains on nibble boundaries (every hexadecimal digit) and set up as a subdomain of the
special domain ip6.arpa, as seen in the following example. While this syntax may seem strange,
it makes it simpler for DNS administrators to delegate responsibility for ranges of addresses to
other DNS administrators.

;; QUESTION SECTION:
;10.0.25.172.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
10.0.25.172.in-addr.arpa. 86400 IN      PTR     desktop0.example.com.

;; QUESTION SECTION:
;0.3.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.a.b.3.0.5.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
0.3.0.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.a.b.3.0.5.0.1.0.0.2.ip6.arpa. 86400 IN PTR
a.root-servers.net.
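As an added example (not from the course), this Python builds the in-addr.arpa and ip6.arpa owner names by hand using the rules just described, checks them against the standard library's reverse_pointer, and goes one step further than the text to compute the reverse zone that would be delegated for a whole address prefix.

```python
import ipaddress

# Added example (not course material): build PTR owner names by hand following the
# rules above, then cross-check against the standard library's reverse_pointer.
def reverse_name(address):
    """in-addr.arpa / ip6.arpa owner name for an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = ip.exploded.split(".")         # '172.25.0.10' -> ['172', '25', '0', '10']
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    # exploded restores the '::' run and leading zeros: 2001:0503:ba3e:0000:...:0030
    nibbles = ip.exploded.replace(":", "")      # 32 hex digits, one label each
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def matches_stdlib(address):
    """True if reverse_name agrees with ipaddress's own reverse_pointer."""
    return reverse_name(address) == ipaddress.ip_address(address).reverse_pointer + "."

def delegation_zone(prefix):
    """Reverse zone covering a prefix, i.e. what gets delegated to another administrator.
    IPv4 prefixes must fall on octet boundaries, IPv6 prefixes on nibble boundaries."""
    net = ipaddress.ip_network(prefix, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError("%s is not on a %d-bit label boundary" % (prefix, bits_per_label))
    labels = reverse_name(str(net.network_address)).split(".")
    total = 4 if net.version == 4 else 32       # address labels in the full name
    return ".".join(labels[total - net.prefixlen // bits_per_label:])
```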
;; QUESTION SECTION:
;example.com.                   IN      NS

;; ANSWER SECTION:
example.com.            86400   IN      NS      classroom.example.com.
SOA (start of authority) records

An SOA record provides information about how a DNS zone works.

There will be exactly one SOA record for a zone. It specifies which of the zone's name servers is
the primary one (the master), information on how secondary (slave) name servers should update
their copy of the information, and the zone's management contact. Its data field contains the
following elements:

;; QUESTION SECTION:
;example.com.                   IN      SOA

;; ANSWER SECTION:
example.com.            86400   IN      SOA     classroom.example.com. root.classroom.example.com. 2013091600 3600 300 604800 60
MX (mail exchange) records

An MX record maps a domain name to a mail exchange which will accept email for that name.
The data for this record type is a preference number (lowest preferred) used to determine the
order in which to pick between multiple MX records, and a hostname for a mail exchange for that
name.

;; QUESTION SECTION:
;example.com.                   IN      MX

;; ANSWER SECTION:
example.com.            86400   IN      MX      10 classroom.example.com.
TXT (text) records

A TXT record is used to map a name to arbitrary human-readable text.

TXT records are commonly used to supply data used by Sender Policy Framework (SPF),
DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and
Conformance (DMARC), and so on.

;; QUESTION SECTION:
;lwn.net.                       IN      TXT

;; ANSWER SECTION:
lwn.net.                28619   IN      TXT     "v=spf1 ip4:72.51.34.34 ip4:70.33.254.29 -all"
SRV (service) records

An SRV record is used to locate the hosts which support a particular service for a domain.

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;_ldap._tcp.server0.example.com. IN     SRV

;; ANSWER SECTION:
_ldap._tcp.server0.example.com. 86400 IN SRV    0 100 389 server0.example.com.

Received 154 bytes from 172.25.254.254#53 in 0 ms
References

host(1) and dig(1) man pages
Quiz

Purpose                                                    Resource record type

Contains authoritative information for a zone,
such as the email contact and several values that
configure interactions between slave and master
DNS servers.

Maps host names to IPv4 addresses.

Identifies the authoritative nameservers for a
zone.

host names.

Aliases a name to a canonical name.

Used to publish arbitrary human-readable text.
Commonly used for SPF, DKIM, and DMARC.

Solution

Identifies the mail exchanges responsible for              MX
accepting emails for a domain.

Aliases a name to a canonical name.                        CNAME
Configuring a Caching Nameserver

Objectives

After completing this section, students should be able to configure a secure, caching nameserver
using the unbound DNS server.
Caching nameservers and DNSSEC

Caching nameserver

Caching nameservers store DNS query results in a local cache and remove resource records
from the cache when their TTLs expire. It is common to set up caching nameservers to perform
queries on behalf of clients on the local network. This greatly improves the efficiency of
DNS name resolution by reducing DNS traffic across the Internet. As the cache grows, DNS
performance improves as the caching nameserver answers more and more client queries from its
local cache.

DNSSEC validation

Given the stateless nature of UDP, DNS transactions are prone to spoofing and tampering.
Caching nameservers have historically been favored targets of attackers looking to redirect or
hijack network traffic. This is often achieved by exploiting vulnerabilities in DNS server software
to fool a DNS server into accepting and populating malicious data into its cache, a technique
commonly referred to as cache poisoning. Once the attacker succeeds in poisoning a DNS
server's cache, they effectively compromise the DNS data received by the numerous clients
utilizing the caching name service on the DNS server and can consequently redirect or hijack the
clients' network traffic.
Configuring and administering unbound as a caching nameserver

Several packages are available for configuring a caching nameserver, including bind, dnsmasq,
and unbound. In this example, please follow along while the instructor demonstrates the
configuration and administration of unbound as a secure, caching nameserver with DNSSEC
validation enabled.
Configuring unbound

To configure unbound as a secure, caching nameserver:

1. Install unbound.

   As root, install the unbound package.

   [root@serverX ~]# yum install -y unbound

3. Configure the network interface to listen on.

   interface: 0.0.0.0

   By default, unbound refuses recursive queries from all clients. In the server clause of

5. Configure forwarding.

   forward-zone:
       name: "."

   domain-insecure: example.com
record for the key signing key (KSK) of the zone using dig and input it as the value for the
trust-anchor option.

   trust-anchor: "example.com. 3600 IN DNSKEY 257 3 8 <base64 public key material from the dig output>"
   [root@serverX ~]# unbound-checkconf
   unbound-checkconf: no errors in /etc/unbound/unbound.conf

10. Restart unbound.service.
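As an added example (not the course's own code), this Python checks a DNSKEY record before it is pasted into unbound.conf as a trust-anchor: the flags field must be 257 (the KSK, zone key plus Secure Entry Point bit) rather than 256 (the ZSK that dig also returns), the protocol must be 3, and the base64 must decode cleanly even when dig wrapped it over several lines. The sample key material is constructed, not a real example.com key.

```python
import base64
# Added example (not course material): check a DNSKEY record before pasting it
# into unbound.conf as a trust-anchor. Key material used here is constructed.
KSK_FLAGS = 257   # zone key bit (256) + Secure Entry Point bit (1): key signing key
ZSK_FLAGS = 256   # zone signing key: signs zone data, must not be a trust anchor

def parse_dnskey(record):
    """Parse 'owner TTL IN DNSKEY flags protocol algorithm key...' into a dict."""
    f = record.split()                  # dig wraps long keys; trailing fields are joined
    if len(f) < 8 or f[2] != "IN" or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    return {
        "owner": f[0] if f[0].endswith(".") else f[0] + ".",
        "ttl": int(f[1]),
        "flags": int(f[4]),
        "protocol": int(f[5]),
        "algorithm": int(f[6]),
        # validate=True raises binascii.Error (a ValueError) on a garbled paste
        "key": base64.b64decode("".join(f[7:]), validate=True),
    }

def trust_anchor_problems(record):
    """Return the reasons this record must not be a trust anchor ([] if it is fine)."""
    try:
        rec = parse_dnskey(record)
    except ValueError as err:
        return ["unparseable DNSKEY record: %s" % err]
    problems = []
    if rec["flags"] == ZSK_FLAGS:
        problems.append("flags 256: this is the ZSK, use the KSK (flags 257)")
    elif rec["flags"] != KSK_FLAGS:
        problems.append("unexpected flags %d" % rec["flags"])
    if rec["protocol"] != 3:
        problems.append("protocol must be 3")
    return problems

def unbound_trust_anchor_line(record):
    """Return the unbound.conf trust-anchor line for a valid KSK, else raise."""
    problems = trust_anchor_problems(record)
    if problems:
        raise ValueError("; ".join(problems))
    rec = parse_dnskey(record)
    return 'trust-anchor: "%s %d IN DNSKEY %d %d %d %s"' % (
        rec["owner"], rec["ttl"], rec["flags"], rec["protocol"],
        rec["algorithm"], base64.b64encode(rec["key"]).decode())

# Constructed sample records (64 bytes of placeholder key material, not a real key)
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 8 " + SAMPLE_KEY
SAMPLE_ZSK = "example.com. 3600 IN DNSKEY 256 3 8 " + SAMPLE_KEY
```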
Dumping and loading unbound cache

Administrators of caching nameservers need to dump out cache data when troubleshooting
DNS issues, such as those resulting from stale resource records. With an unbound DNS server,
the cache can be dumped by running the unbound-control utility in conjunction with the
dump_cache subcommand.

[root@serverX ~]# unbound-control load_cache < dump.out
ok
Flushing unbound cache

Administrators of caching nameservers also need to purge outdated resource records from
cache from time to time. Erroneous and outdated resource records in cache will keep their

automatically update forwarder settings in unbound's configuration file to point to the new DNS
servers. The use of the dnssec-trigger tool in conjunction with unbound is mostly useful for
secure DNS name resolution on roaming client machines.

References
Practice: Configuring unbound as a Caching Nameserver

Guided exercise

Resources:
    Files:     /etc/unbound/unbound.conf
    Machines:  desktopX
               serverX

Outcomes:
    The unbound service enabled and configured as a caching nameserver on serverX to listen on
    interface 172.25.X.11 and to accept connections from 172.25.X.0/24. Recursive queries are
    forwarded to 172.25.254.254. The example.com zone is exempted from DNSSEC validation.
2. Enable and start the unbound service.

the server clause of /etc/unbound/unbound.conf.

    interface: 172.25.X.11

the server clause of /etc/unbound/unbound.conf.

3.4. Forward all queries to 172.25.254.254 by adding a forward-zone clause to
the end of the /etc/unbound/unbound.conf file.

    forward-zone:
        name:

[root@serverX ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

[root@serverX ~]# firewall-cmd --permanent --add-service=dns
success
[root@serverX ~]# firewall-cmd --reload
success
[student@desktopX ~]$ dig @serverX.example.com A desktopX.example.com
[student@desktopX ~]$ dig @serverX.example.com A serverX.example.com

serverX.example.com.    86364   IN      A       172.25.X.11

7.4. On serverX, dump out the cache again. You should see the queried records in
the cache.