How do I configure a firewall for my Preseem element?

This article covers how to setup the firewall on the Preseem element to block access to services such as SSH.

Preseem strongly recommends that customers have a firewall to limit access to the management interfaces. This limits the possibility of remote compromise and the risk associated with brute force attacks which are rampant against SSH servers. The firewall functionality can occur in an upstream router or can be done directly on the Preseem box as described in this article.

The Preseem software itself exposes no listening ports to the Internet however system services such as SSH and the Cockpit web UI are available to remote addresses by default.

Since Preseem runs on top of Fedora, the standard Fedora firewall management tools can be used to configure a local firewall. The firewall is managed by firewalld.

Start and Enable Firewalld

In order to control firewall rules, firewalld must be running and should be enabled such that it starts on the next reboot.

systemctl enable firewalld

systemctl start firewalld

Recommended Exceptions

Should Preseem support need to help perform an upgrade or investigate problems, it is greatly helpful to have SSH access to the Preseem element. To make this easy, all Preseem support activities are sourced from the following IP addresses:

35.199.29.237
35.197.73.77

Configure the Firewall Rules

Firewalld operates with the concepts of zones and services. In this example we will add a new zone called "trusted" and add the SSH and Cockpit services to that zone.

Note that in addition to the Preseem IPs listed above, this example also allows a single management subnet (192.168.0.0/24). Since the source of internal management traffic is deployment specific, please adjust as required.

firewall-cmd --zone="trusted" --add-source 35.199.29.237/32
firewall-cmd --zone="trusted" --add-source 35.197.73.77/32
firewall-cmd --zone="trusted" --add-source 192.168.0.0/24
firewall-cmd --zone="trusted" --add-service ssh
firewall-cmd --zone="trusted" --add-service cockpit

You can list the current zones and their services with this command:

firewall-cmd --list-all-zones

The FedoraServer zone likely still has ssh added to it.  Here is how to remove that service from the default zone:

firewall-cmd --zone="FedoraServer" --remove-service ssh

Test and Save

After making the above changes, test that your management IP addresses can use the SSH and cockpit services. Also, check from a non-whitelisted IP to ensure that access is blocked. If you have problems, you can either connect on console or reboot the device to gain access again. Once you are comfortable that everything is working, the configuration can be saved with the following command:

firewall-cmd --runtime-to-permanent

Note: If the command above is not executed, the firewall configuration will not be restored on reboot.