Saturday, April 11, 2015

CentOS 7, Zimbra 8.6 and FirewallD

I just installed Zimbra 8.6 on a fresh CentOS 7. CentOS 7 uses the FirewallD service by default instead of the old iptables and ip6tables init scripts in /etc/init.d. Nevertheless, I don't like it when I see someone recommend that critical security services/protections simply be turned off. Those services are there for a reason, and turning them off sounds to me like the old bad advice of chmod'ing everything to 777 when something didn't work. Anyway, I didn't turn off SELinux and Zimbra works as expected. What I needed was to configure FirewallD to allow access to the mail services from the Internet. It turns out this isn't hard, as everything is already provided: FirewallD ships with predefined service definitions, so basically the following services have to be enabled in your zone (on a fresh install the default zone is public):
  • dns
  • https
  • imaps
  • smtp
To permanently enable each of the aforementioned services, use the following command:
firewall-cmd --permanent --add-service=<service>
Note that --permanent only changes the saved configuration; the service isn't actually opened until you reload the rules with firewall-cmd --reload (or restart FirewallD). Two caveats: smtp (TCP 25) is the port other mail servers deliver to, so it has to stay open no matter what your own clients use for submission; and dns only needs to be open if this host answers DNS queries for other machines, since Zimbra's own lookups are outbound and FirewallD doesn't filter outbound traffic by default. Anyway, that's it.

As a final note, I didn't allow access to the admin port, 7071. The reason is that I'm not comfortable with Internet-wide access to the admin console. To reach the admin console, I'm going to use SSH tunneling: forward local port 7071, over ssh, to port 7071 on the loopback interface of the mail server. If you are unlike me and don't have a problem with opening that port to everyone, use the following command:
firewall-cmd --permanent --add-port=7071/tcp
Again, don't forget to reload (firewall-cmd --reload) or restart FirewallD after issuing the command.
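Putting the steps above together, this is the script I would keep on such a host. It is an added example, not code from this post, from Zimbra or from the FirewallD project. It assumes the zone is public and a management subnet of 192.168.1.0/24 (both assumptions; override them with ZONE= and ADMIN_NET=), it replaces the open-to-everyone --add-port line with a rich rule that limits 7071 to that subnet (the same approach the third comment uses), it reloads instead of restarting, and it checks the resulting zone listing afterwards so a missing service or a world-open admin port is caught. SAMPLE_LISTING is constructed, not captured from a real server, so the check can be exercised on a machine without firewalld; nothing touches the live firewall unless APPLY=1 is set.

```shell
#!/bin/sh
# FirewallD setup for a Zimbra 8.6 host on CentOS 7.
# Added example for this post; not code from the post, Zimbra or FirewallD.
# Assumptions (not stated on the page): the active zone is "public" and the
# only network that may reach the admin console (TCP 7071) is 192.168.1.0/24.
# Run with APPLY=1 to change the live firewall; without it nothing is touched.
set -eu

ZONE="${ZONE:-public}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumed management subnet
ADMIN_PORT=7071                             # Zimbra admin console (HTTPS)
# 25/tcp: other MTAs deliver here; 993/tcp: IMAPS; 443/tcp: webmail.
# "dns" is deliberately absent: Zimbra's own lookups are outbound, which
# FirewallD does not filter by default; open it only if this host serves DNS.
SERVICES="smtp imaps https"

# Accept only a well-formed IPv4 CIDR so a typo is rejected before it
# becomes a rule. Returns 0 when valid, 1 otherwise.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in *[!0-9.]*) return 1 ;; esac     # digits and dots only
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Rich rule that opens the admin port to the management subnet only,
# written in the same form as the rule in the page's third comment.
admin_rich_rule() {
  printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept' "$1" "$ADMIN_PORT"
}

# Post-reload check on a `firewall-cmd --zone=$ZONE --list-all` listing read
# from stdin: every expected service present, and the admin port not opened
# to the world through "ports:". Returns 0 when the zone is as intended.
check_listing() {
  listing=$(cat)
  services=$(printf '%s\n' "$listing" | awk -F': *' '/^[[:space:]]*services:/ { print $2 }')
  ports=$(printf '%s\n' "$listing" | awk -F': *' '/^[[:space:]]*ports:/ { print $2 }')
  for s in $SERVICES; do
    case " $services " in
      *" $s "*) ;;
      *) echo "check: service $s is not enabled in the zone" >&2; return 1 ;;
    esac
  done
  case " $ports " in
    *" $ADMIN_PORT/tcp "*) echo "check: $ADMIN_PORT/tcp is open to everyone" >&2; return 1 ;;
  esac
  return 0
}

# Constructed sample of `firewall-cmd --zone=public --list-all` output as it
# should look after apply_rules (not captured from a real host).
SAMPLE_LISTING='public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client https imaps smtp ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.1.0/24" port port="7071" protocol="tcp" accept'

# Exercise check_listing on the sample, for hosts without firewalld.
demo_check() {
  printf '%s\n' "$SAMPLE_LISTING" | check_listing
}

apply_rules() {
  valid_cidr "$ADMIN_NET" || { echo "refusing to continue: bad ADMIN_NET '$ADMIN_NET'" >&2; return 1; }
  for s in $SERVICES; do
    firewall-cmd --permanent --zone="$ZONE" --add-service="$s"
  done
  # Admin console: management subnet only, never --add-port=7071/tcp for all.
  # The post's alternative is to leave 7071 closed and reach it with
  #   ssh -L 7071:127.0.0.1:7071 admin@mailhost   (then https://localhost:7071)
  firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(admin_rich_rule "$ADMIN_NET")"
  # --permanent edits the saved config only; the live rules change on reload.
  firewall-cmd --reload
  firewall-cmd --zone="$ZONE" --list-all | check_listing
}

if [ "${APPLY:-0}" = 1 ]; then
  apply_rules
else
  demo_check
  echo "sample listing checks out; set APPLY=1 to configure the live firewall"
fi
```

Run it as `APPLY=1 sh zimbra-fw.sh` on the mail server (or `ADMIN_NET=10.0.0.0/8 APPLY=1 sh zimbra-fw.sh` for a different management network); without APPLY=1 it only validates the constructed sample, which is what you want when reviewing the script before it touches a production host.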

3 comments:

Michal Ludvig said...

Better way for those not keen to learn yet another pointless wrapper around iptables:

yum remove firewalld
yum install iptables-services
vim /etc/sysconfig/iptables
systemctl enable iptables

You're welcome ;)

Astronomy Geek said...

Just a quick comment. Instead of "smtp" use "smtps", I imagine most of us are using smtp with encryption these days.

Cheers.

peace said...

Hi,

For the people who do not want any access from the internet to the admin console, but want to have access to the admin console port only internally, we have to add the local IP address.

For the people who want this:

With firewalld, you can use Rich Rules.

firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="7071" accept'
firewall-cmd --reload

Thanks.
