Old 02-15-2023, 06:20 AM   #1
cormanstnl
Member
Registered: Jul 2007
Posts: 58
Implementation of a firewall on a Linux server


Hi,

I need some help finding a solution for "protecting" a network (or maybe 2 networks).

I have a server with 3 network connections:
- LAN DATA
- LAN S
- LAN M

For LAN DATA, I don't want firewalling enabled because it runs many services.
For LAN S: open ONLY communication from/to some IPs and the Veeam ports.
For LAN M: block all INPUT and permit ONLY OUTPUT on some ports (icmp, ncpa (nagios), snmp, ntp).

This server is a production server; I don't want to cut any network connections on LAN DATA.

So, what is the best firewall solution (iptables, ufw, shorewall, firewalld) to implement this?
Current distro: CentOS 8

Best regards

Old 02-15-2023, 09:12 AM   #2
boughtonp
Senior Member
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,599

Unless you have a reason not to, use the default one that comes with the distro.

On CentOS 8 that's firewalld - though of course CentOS 8 went EOL at the end of 2021, so you should migrate to AlmaLinux or Rocky Linux.

Relevant documentation:
https://firewalld.org/documentation/howto/open-a-port-or-service.html
https://firewalld.org/documentation/zone/predefined-zones.html


Last edited by boughtonp; 02-15-2023 at 09:15 AM.
 
Old 02-15-2023, 09:48 AM   #3
maw_walker
Member
Registered: Jul 2021
Posts: 119
Is LAN DATA exposed to the Internet, as in allowing inbound connections? Or any of them for that matter.
 
Old 02-15-2023, 10:43 AM   #4
cormanstnl
Member
Registered: Jul 2007
Posts: 58
Original Poster
The LAN DATA is not connected to the internet; it runs behind an SD-WAN and firewalls.
The idea here is to protect specific/dedicated networks.

My "problem" with firewalld is that it tries to reproduce the same functionality as the Windows firewall with its zone specification.
And the zone assignment for a network card is not managed by firewalld but by NetworkManager or the ifcfg script, and I don't like that.

Last edited by cormanstnl; 02-15-2023 at 10:50 AM.
 
Old 02-15-2023, 11:13 AM   #5
boughtonp
Senior Member
Registered: Feb 2007
Location: UK
Distribution: Debian
Posts: 3,599

I've not yet had to set up zones/similar, so may not comprehend things fully/correctly, but as firewalld is a frontend/wrapper around nftables, my expectation is/was that the zones functionality would simply be a way to abstract nftables configuration into something easier to manage/understand.

Given nftables rules can filter by interface name and/or ip ranges, I'm not sure what the issue is or why Network Manager might need to enter into things - maybe if it were a laptop connecting to different networks that might be relevant, but not for a server that's going to have fixed connections on known subnets?

 
Old 02-15-2023, 11:45 AM   #6
wpeckham
LQ Guru
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,617
Protection for a network is not done at a server (external access to the server would be required, and put your entire network at risk). Protection for a network is done at a security device that acts as the gateway for the network. (Internet on one side, DMZ, internal, and secured networks on the inside) so that it can filter and restrict ALL traffic between the wild and the inside networks.

So, to really do the job, you need to dedicate a device for this purpose.
Astaro used to allow you to download their security appliance software to install on your own iron, but since they were purchased by SOPHOS I am not sure that is available. Luckily there are some excellent firewall and security Linux distributions that might serve.
All you really need is such a distribution, and a small, mini, or Single Board computer that can run that distribution and has at least three NIC interfaces (4 would be even better). Of course for a VERY simple case, no exported services to the internet, you only need TWO interfaces because you are only protecting a single internal network.
 
Old 02-16-2023, 06:39 AM   #7
cormanstnl
Member
Registered: Jul 2007
Posts: 58
Original Poster
Quote:
Originally Posted by boughtonp View Post
I've not yet had to setup zones/similar, so may not comprehend things fully/correctly, but as firewalld is a frontend/wrapper around nftables, my expectation is/was that the zones functionality would simply be a way to abstract nftables configuration into something easier to manage/understand.

Given nftables rules can filter by interface name and/or ip ranges, I'm not sure what the issue is or why Network Manager might need to enter into things - maybe if it were a laptop connecting to different networks that might be relevant, but not for a server that's going to have fixed connections on known subnets?

Why I talk about NetworkManager:
https://firewalld.org/documentation/...d-sources.html
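Editor's added example (not code posted by anyone in this thread) of the firewalld route recommended in #2, using the interface binding that the document linked above describes: `firewall-cmd --change-interface` binds a NIC to a zone, and on a NetworkManager-managed interface firewalld hands that binding to NetworkManager itself, so no ifcfg editing is needed. Inbound filtering is done with one zone per VLAN; outbound filtering, which zones alone do not do, uses firewalld policy objects (firewalld 0.9 or newer; check `firewall-cmd --version`). The interface names ens192/ens224/ens256, the Veeam server 10.20.0.10 and the Veeam port list are assumed placeholders to adjust, and tcp/5693 is NCPA's default listener. With `DRY_RUN=1` the script only prints the commands it would run.

```shell
#!/bin/sh
# Per-interface policy for a three-homed monitoring host, using firewalld
# zones (inbound) and policies (outbound).
# Editor-added example for this thread, not code from any poster.
set -u

IF_DATA="${IF_DATA:-ens192}"             # LAN DATA: no filtering (assumed name)
IF_BACKUP="${IF_BACKUP:-ens224}"         # LAN S: backup VLAN (assumed name)
IF_MGMT="${IF_MGMT:-ens256}"             # LAN M: management VLAN (assumed name)
VEEAM_SERVER="${VEEAM_SERVER:-10.20.0.10}"    # constructed address
VEEAM_PORTS="${VEEAM_PORTS:-2500-3300 6162}"  # assumption: verify against Veeam's port list
NCPA_PORT="${NCPA_PORT:-5693}"           # NCPA default listener
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
fw() { run firewall-cmd --permanent "$@"; }

configure_firewall() {
    # LAN DATA: everything accepted, exactly as it is today.
    fw --zone=trusted --change-interface="$IF_DATA"

    # LAN M, inbound: a dedicated zone whose target is DROP and which
    # exposes no service, so nothing on the VLAN can reach this host.
    # firewalld accepts established/related traffic before zone dispatch,
    # so replies to connections the host opened still come back.
    fw --new-zone=lanm
    fw --zone=lanm --set-target=DROP
    fw --zone=lanm --change-interface="$IF_MGMT"

    # LAN M, outbound: policy from HOST to the lanm zone, default DROP,
    # allowing only ping, NCPA, SNMP and NTP out of this interface.
    fw --new-policy=lanm-out
    fw --policy=lanm-out --add-ingress-zone=HOST
    fw --policy=lanm-out --add-egress-zone=lanm
    fw --policy=lanm-out --set-target=DROP
    fw --policy=lanm-out --add-protocol=icmp
    fw --policy=lanm-out --add-port="${NCPA_PORT}/tcp"
    fw --policy=lanm-out --add-service=snmp
    fw --policy=lanm-out --add-service=ntp

    # LAN S: drop by default in both directions, then accept only the
    # backup server on the Veeam ports (rich rules win over the target).
    fw --new-zone=lans
    fw --zone=lans --set-target=DROP
    fw --zone=lans --change-interface="$IF_BACKUP"
    fw --new-policy=lans-out
    fw --policy=lans-out --add-ingress-zone=HOST
    fw --policy=lans-out --add-egress-zone=lans
    fw --policy=lans-out --set-target=DROP
    for p in $VEEAM_PORTS; do
        fw --zone=lans --add-rich-rule="rule family=\"ipv4\" source address=\"$VEEAM_SERVER\" port port=\"$p\" protocol=\"tcp\" accept"
        fw --policy=lans-out --add-rich-rule="rule family=\"ipv4\" destination address=\"$VEEAM_SERVER\" port port=\"$p\" protocol=\"tcp\" accept"
    done

    # Permanent configuration only takes effect after a reload.
    run firewall-cmd --reload
}

# "apply" changes the live system; with no argument only the functions
# are defined (so the file can be sourced or dry-run).
if [ "${1:-}" = apply ]; then
    configure_firewall
fi
```

`--new-zone` and `--new-policy` refuse to create an object that already exists, so run it once, then verify with `firewall-cmd --get-active-zones` (each NIC should appear under its own zone) and `firewall-cmd --info-policy lanm-out`. Rich rules in a zone are evaluated before the zone target, which is why the Veeam source rule is accepted while everything else on LAN S hits DROP.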
 
Old 02-16-2023, 07:01 AM   #8
cormanstnl
Member
Registered: Jul 2007
Posts: 58
Original Poster
To summarize:

I have a server (a monitoring server) on a private network (not connected to the internet).
On this server, I have 3 network connections:
- The main LAN
- A VLAN for backup
- A VLAN for managing other servers (iLO, ...)

I just want my monitoring server not to be a dangerous spot for my VLANs.

Reading the comments here, it looks like I cannot secure my mgmt network with a solution where I can set up: "this is the network card connected to my mgmt network; the server can only ping, connect to the NCPA TCP port, connect to the SNMP port, ..."

If for some reason my server has a problem, I must be sure that it will not propagate the problem to the other networks.

Last edited by cormanstnl; 02-16-2023 at 07:15 AM.
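Editor's added example (not code from anyone in this thread) of exactly the per-card rule set described in the post above, written directly as nftables, which is what firewalld drives on CentOS 8: rules are bound to the interface name, LAN DATA is never matched and so stays open, LAN M accepts nothing inbound and lets out only ping, NCPA, SNMP and NTP, and LAN S talks to the backup server only on the Veeam ports. The interface names ens192/ens224/ens256, the backup server 10.20.0.10 and the Veeam port list are assumed placeholders to adjust; tcp/5693 is NCPA's default listener. Run `sh lq-nft.sh check` to validate the ruleset without touching the live firewall, then `apply`.

```shell
#!/bin/sh
# Interface-bound nftables policy for a three-homed monitoring server.
# Editor-added example for this thread, not code from any poster.
set -u

IF_DATA="${IF_DATA:-ens192}"             # LAN DATA: left unfiltered (assumed name)
IF_BACKUP="${IF_BACKUP:-ens224}"         # LAN S: backup VLAN (assumed name)
IF_MGMT="${IF_MGMT:-ens256}"             # LAN M: management VLAN (assumed name)
VEEAM_SERVER="${VEEAM_SERVER:-10.20.0.10}"      # constructed address
VEEAM_PORTS="${VEEAM_PORTS:-2500-3300, 6162}"   # assumption: check Veeam's port list
NCPA_PORT="${NCPA_PORT:-5693}"           # NCPA default listener

# Print the ruleset.  Recreating the table makes reloads idempotent and
# leaves any other table (for example firewalld's) alone.
render_ruleset() {
cat <<EOF
table inet lqfw
delete table inet lqfw
table inet lqfw {
    chain input {
        type filter hook input priority 0; policy accept;
        # ${IF_DATA} (LAN DATA) and lo are never matched: they stay open.
        iifname "${IF_MGMT}" jump input_mgmt
        iifname "${IF_BACKUP}" jump input_backup
    }
    chain input_mgmt {
        # replies to connections this host opened may come back in
        ct state established,related accept
        # nothing on LAN M may connect TO this host (no ssh, smtp, ntp, ...)
        drop
    }
    chain input_backup {
        ct state established,related accept
        ip saddr ${VEEAM_SERVER} tcp dport { ${VEEAM_PORTS} } accept
        drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "${IF_MGMT}" jump output_mgmt
        oifname "${IF_BACKUP}" jump output_backup
    }
    chain output_mgmt {
        ct state established,related accept
        icmp type echo-request accept     # ping
        tcp dport ${NCPA_PORT} accept     # NCPA agents
        udp dport 161 accept              # SNMP
        udp dport 123 accept              # NTP
        # anything else (SMB, SSH, ...) is silently dropped: a compromised
        # process on this host cannot use LAN M to reach other servers
        drop
    }
    chain output_backup {
        ct state established,related accept
        ip daddr ${VEEAM_SERVER} tcp dport { ${VEEAM_PORTS} } accept
        drop
    }
}
EOF
}

# Syntax/semantics check only; the live ruleset is not touched.
check_ruleset() { render_ruleset | nft -c -f -; }

# Atomic load: either the whole file applies or nothing changes.
apply_ruleset() { render_ruleset | nft -f -; }

case "${1:-}" in
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    show)  render_ruleset ;;
    *)     ;;   # no argument: only define the functions
esac
```

Both base chains keep `policy accept`, so an interface that no `jump` matches (LAN DATA, lo) is untouched, and only the per-interface chains end in `drop`. The `ct state established,related` rule is what lets replies to the server's own SNMP/NCPA/NTP traffic back in while every new inbound connection on LAN M is still refused. `drop` on output means a process that tries, say, SMB over LAN M just times out; use `reject` if you prefer an immediate error. The example assumes IPv4-only VLANs: with IPv6 enabled on them, neighbour discovery (icmpv6 nd-*) would have to be allowed in both directions. Don't run this alongside firewalld (`systemctl disable --now firewalld` first, or express the same policy in firewalld instead), and to make it persistent put the rendered file under /etc/nftables/ and include it from /etc/sysconfig/nftables.conf with nftables.service enabled.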
 
Old 02-16-2023, 07:27 AM   #9
pan64
LQ Addict
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,830
Quote:
Originally Posted by cormanstnl View Post
If for some reason my server has a problem, I must be sure that it will not propagate the problem to the other networks.
The general way is to close everything (ports) and open only what you need. Isn't that enough for you?
(if you are paranoid you can associate different ports to your services, not the default ones)
 
Old 02-16-2023, 09:21 AM   #10
cormanstnl
Member
Registered: Jul 2007
Posts: 58
Original Poster
Quote:
Originally Posted by pan64 View Post
The general way is to close everything (ports) and open only what you need. Isn't it enough for you, is it?
(if you are paranoid you can associate different ports to your services, not the default ones)
It is not enough. Example: this server runs NTP, an SMTP server, ... but only for my main LAN; the other VLANs must not know about these services.

I will take another example: a backup on a Windows server acting as a file server.

connection 1: LAN data
connection 2: LAN backup

Do you accept that a virus uses the backup LAN to propagate? I hope the answer is NO.
Solution: open only for the backup solution and block the other ports (e.g. SMB).
 
Old 02-16-2023, 09:39 AM   #11
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634
Quote:
Originally Posted by cormanstnl View Post
It is not enough. Example: this server runs NTP, an SMTP server, ... but only for my main LAN; the other VLANs must not know about these services.

I will take another example: a backup on a Windows server acting as a file server.

connection 1: LAN data
connection 2: LAN backup

Do you accept that a virus uses the backup LAN to propagate? I hope the answer is NO. Solution: open only for the backup solution and block the other ports (e.g. SMB).
Since the advice you're getting here is 'not enough' for you, I'd suggest you hire a consultant.

Security isn't a one-size-fits-all thing, and one set of firewall rules is NOT going to take care of other things on your network, just on the server itself.

If you want your entire network to go through that one server, then proxy ALL your traffic through that one server, and enjoy the nightmare of administration you will have created. You put a firewall between the outside and inside. You put anti-virus on your systems on the network, and practice good security on your server itself. You're not going to put one set of firewall rules on one server, and have it magically do everything on your entire network....it doesn't work that way.
 
Old 02-16-2023, 10:10 AM   #12
cormanstnl
Member
Registered: Jul 2007
Posts: 58
Original Poster
OK

I don't know how to explain my idea...
 
Old 02-16-2023, 10:21 AM   #13
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634
Quote:
Originally Posted by cormanstnl View Post
OK
I don't know how to explain my idea...
We know your idea, and we are telling you that it doesn't work that way. Either you run ALL your traffic through one server and apply rules for everything (including virus scans), or you don't.

Again, security is a PROCESS, and there isn't a "set up one server and it does everything" solution. While you CAN set up such things, it's not worth it...it becomes an administrative nightmare very quickly. You need to put a firewall between you and the outside world, and apply good security to it, and it's best to also implement some sort of intrusion detection system too (like Snort). If you need a web filter, put the proxy server between the internal LANs and the firewall. Internal LAN devices *ALL* need to have anti-virus on them, along with whatever firewall rules you see fit.

You need to also consider that you can do this sort of network/port filtering at the router/switch level as well. Whatever solutions you have are going to need maintenance, changing (new devices? removing devices?), etc., and you need to think about how much work and effort you're going to need to put in later. Having your LAN-M going to one set of switches, and LAN-S to another lets you isolate things nicely, limit ports, and do other such things. Both of them can feed into the core routers, which go out from there.

If you're talking about lots of devices in a corporate environment, it is well worth the money to hire a professional network person to lay something out.
 
Old 02-16-2023, 10:50 AM   #14
cormanstnl
Member
Registered: Jul 2007
Posts: 58
Original Poster
I'm not talking about the outside world (internet).
I don't want a web filter.

I just have one server that is connected to multiple networks, and I want it to have a firewall for the secondary networks, because these secondary networks are not data networks.
One secondary network is for saving data (backup) and the other is a management network (mgmt network).

My server acts as a monitoring server (Nagios/Cacti) and I monitor the mgmt network (LAN M).

LAN S and LAN M are 2 different VLANs.

And it's because I know that it is a nightmare to manage which ports are open or closed that I want a solution where I can activate rules only for the network card where my LAN M is connected.

Yes, putting a firewall device between the server and LAN M is an idea.
 
Old 02-16-2023, 11:01 AM   #15
pan64
LQ Addict
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 21,830
Quote:
Originally Posted by cormanstnl View Post
OK

I don't know how to explain my idea...
Probably draw something.
A general firewall can be configured (for example) to reach port XX only from ip YY.
In such cases only YY will be allowed to use the service running on port XX.
 