This article covers how to setup the firewall on the Preseem element to block access to services such as SSH.
The Preseem software itself exposes no listening ports to the Internet however system services such as SSH or the Cockpit web UI are available to remote addresses by default. Preseem strongly recommends limiting access to these services to a set of safe addresses to reduce the risk in the event that one of these services have a remote vulnerability. This also greatly reduces the risk of password guessing attacks which are rampant against SSH servers.
Since Preseem runs on top of Fedora, the standard Fedora firewall management tools can be used to configure a local firewall. The firewall is managed by firewalld.
Start and Enable Firewalld
In order to control firewall rules, firewalld must be running and should be enabled such that it starts on the next reboot.
systemctl enable firewalld
systemctl start firewalld
Should Preseem support need to help perform an upgrade or investigate problems, it is greatly helpful to have SSH access to the Preseem element. To make this easy, all Preseem support activities are sourced from the following IP addresses:
Configure the Firewall Rules
Firewalld operates with the concepts of zones and services. In this example we will add a new zone called "trusted" and add the SSH and Cockpit services to that zone. We also allow the Preseem support addresses and one internal subnet (192.168.0.0/24).
firewall-cmd --zone="trusted" --add-source 184.108.40.206/32
firewall-cmd --zone="trusted" --add-source 220.127.116.11/32
firewall-cmd --zone="trusted" --add-source 192.168.0.0/24
firewall-cmd --zone="trusted" --add-service ssh
firewall-cmd --zone="trusted" --add-service cockpit
You can list the current zones and their services with this command:
The FedoraServer zone likely still has ssh added to it. Here is how to remove that service from the default zone:
firewall-cmd --zone="FedoraServer" --remove-service ssh
Test and Save
After making the above changes, test that your management IP addresses can use the SSH and cockpit services. Also, check from a non-whitelisted IP to ensure that access is blocked. If you have problems, you can either connect on console or reboot the device to gain access again. Once you are comfortable that everything is working, the configuration can be saved with the following command:
Note: If the command above is not executed, the firewall configuration will not be restored on reboot.