Configuring firewalld for New Installs of Management Console 20.04 or newer

As of release 20.04, Management Console was upgraded for use with firewalld. Current versions of Management Console do not configure any firewall settings, but instead leaves firewall configurations in control of the administrator. In earlier versions of Management Console, the installer would enable iptables, create and apply a new set of rules that would allow the Management Console to communicate properly. Therefore, firewall configurations were not required for releases 20.01 or older.

If you you are using a firewall with Management Console on your Linux system, you must follow the recommended instructions that show how to create the rules required for Management Console communications. You must also add additional rules required to meet the requirements of your corporate security policy.

The steps below are instructions for configuring firewalld, grouped by IPv4 and IPv6 environments.

To configure firewalld in IPv4 environment

IPv4 firewalld script

RPM New Installations: To configure firewalld in IPv6 environment

OVA New Installations: To configure firewalld in IPv6 environment

Firewalld default behaviours when enabled

  • All inbound connections are tested against configured rules that have been applied

  • All outbound connections are allowed

  • Rules to allow traffic are added to the default zone. All other traffic will be blocked.

Uninstalling RPM

Uninstalling the Management Console RPM does not completely remove the firewall rules.

New Installs in IPv4 Environment

To configure firewalld for Management Console communication in an IPv4 environment perform the following steps:

  1. Login to the Management Console host operating system console.

  2. Enable firewalld.

    sudo systemctl enable firewalld --now

  3. Get the default zone. If the default zone is trusted it will allow all packets. It is recommended that the default zone is set to public.

    sudo firewall-cmd --get-default

    If default zone is not public, execute the following commands to set the default zone to public.

    sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
    sudo firewall-cmd --set-default=public
    sudo firewall-cmd --reload
    
  4. Get the default zone and assign it to a variable.

    def_zone=$(firewall-cmd --get-default)

  5. Set the log (all denied packets logged together).

    sudo firewall-cmd --set-log-denied=all

  6. Add an interface.

    sudo firewall-cmd --zone=$(echo $def_zone) --change-interface=$(ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}')

  7. Enable required ports.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-port={80,443,22,5172}/tcp

  8. Allow pings.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null

  9. Redirect port 443 to 8443.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=443:proto=tcp:toport=8443

  10. Enable IP Masquerading.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-masquerade

  11. Redirect Port 80 to 8080.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=80:proto=tcp:toport=8080

  12. Drop incoming packets to 127/8 from other interfaces other than loopback interface.

    sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
    sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
    sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
    
  13. Reload the firewall.

    sudo firewall-cmd --reload

  14. Confirm the rules are applied.

    1. Check the firewalld status is active.
      sudo systemctl status firewalld
      Firewalld Active Status

    2. Verify all rules are added in firewalld or not, all rules should be applied.
      sudo firewall-cmd --list-all
      Firewalld Listed Rules

Firewalld Script for New Installations of Management Console 20.04 or newer Using IPv4

Teradici has provided instructions to create a script that stops the iptables service, and enables firewalld with the required IPv4 rules for Management Console to work correctly.

The script file is created and executed using the following steps:

  1. Copy the script content and save into firewalld.sh

    sudo vi firewalld.sh

    #!/bin/bash
    val1=1
    if [ $val1 -eq 1 ]; then
    systemctl stop iptables || service iptables stop
    systemctl enable firewalld --now
    def_zone=$(firewall-cmd --get-default)
    if [ $def_zone != "public" ] ; then
        firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
        firewall-cmd --set-default=public
        firewall-cmd --reload
        def_zone=$(firewall-cmd --get-default)
    fi
    firewall-cmd --set-log-denied=all
    firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-port={22,443,80,5172}/tcp
    firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request}
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=443:proto=tcp:toport=8443
    firewall-cmd --zone=$(echo $def_zone) --permanent --add-forward-port=port=80:proto=tcp:toport=8080
    firewall-cmd --permanent --new-zone loopback
    firewall-cmd --permanent --zone=loopback --change-interface=lo
    firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
    firewall-cmd --reload
    fi 2> /dev/null
    
    1. Provide permissions for the script to execute.

    sudo chmod +x ./firewalld.sh

  2. Run firewalld.sh:

    sudo ./firewalld.sh

New Installs in IPv6 Environment¶

To configure firewalld for new RPM installation of Management Console allowing communication in an IPv6 environment perform the following steps:

  1. Login to the Management Console host operating system console.

  2. Enable firewalld.

    sudo systemctl enable firewalld --now

  3. Get the default zone. If the default zone is trusted it will allow all packets. It is recommended that the default zone is set to public.

    sudo firewall-cmd --get-default

    If default zone is not public, execute the following commands to set the default zone to public.

    sudo firewall-cmd --permanent --zone=trusted --remove-service=pcoip-agent
    sudo firewall-cmd --set-default=public
    sudo firewall-cmd --reload
    
  4. Get the default zone and assign it to a variable.

    def_zone=$(firewall-cmd --get-default)

  5. Set the log (all denied packets logged together).

    sudo firewall-cmd --set-log-denied=all

  6. Add an interface.

    ```
    sudo firewall-cmd --permanent --zone=$(echo $def_zone) --change-interface=`ip addr show | grep "state UP" | head -1 | awk -F': ' '{print $2}'`
    ```
    
  7. Enable required IPv6 ports.

    • Open port 443

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'

    • Open port 22

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'

    • Open port 5172

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'

    • Open port 80

      sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'

  8. Allow pings.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-icmp-block={echo-reply,echo-request} 2>/dev/null

  9. Redirect IPv6 port 443 to 8443.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8443 protocol=tcp port=443'

  10. Redirect IPv6 Port 80 to 8080.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'

  11. Drop incoming packets to 127/8 from other interfaces other than loopback interface.

    sudo firewall-cmd --permanent --new-zone loopback 2>/dev/null
    sudo firewall-cmd --permanent --zone=loopback --change-interface=lo 2>/dev/null
    sudo firewall-cmd --zone=loopback --permanent --set-target=ACCEPT
    sudo firewall-cmd --zone=loopback --permanent --add-source=127.0.0.0/8
    
  12. Reload the firewall.

    sudo firewall-cmd --reload

  13. Confirm the rules are applied.

    1. Check the firewalld status is active.
      sudo systemctl status firewalld
      Firewalld Active Status

    2. Verify all rules are added in firewalld or not, all rules should be applied.
      sudo firewall-cmd --list-all
      Firewalld Listed Rules

To configure firewalld for new OVA installation of Management Console allowing communication in an IPv6 environment perform the following steps:

PCoIP Management Console OVA comes ready for an IPv4 deployment. When deploying into an IPv6 environment, the firewalld IPv4 rules must be replaced with IPv6 rules. Perform the following steps to ensure Management Console only has IPv6 rules enabled after deploying Management Console OVA in an IPv6 environment.

  1. Login to the Management Console host operating system console.

  2. Close IPv4 22, 443, 80, 5172 ports.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-port={22,443,80,5172}/tcp

  3. Remove IPv4 internal port forwarding from 443 to 8443.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=443:proto=tcp:toport=8443

  4. Remove IPv4 internal port forwarding from 80 to 8080.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --remove-forward-port=port=80:proto=tcp:toport=8080

  5. Open IPv6 port 443.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=443 protocol=tcp accept'

  6. Open IPv6 port 22.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=22 protocol=tcp accept'

  7. Open IPv6 port 5172.

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=5172 protocol=tcp accept'

  8. Open IPv6 port 80

    sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 port port=80 protocol=tcp accept'

  9. Redirect IPv6 port 443 to 8443.

    ` sudo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-r

  10. Redirect IPv6 port 80 to 8080.

    udo firewall-cmd --zone=$(echo $def_zone) --permanent --add-rich-rule='rule family=ipv6 forward-port to-port=8080 protocol=tcp port=80'

  11. Reload the firewall rules.

    Reload firewall rules

  12. Confirm the rules are applied.

    1. Check the firewalld status is active.
      sudo systemctl status firewalld
      Firewalld Active Status

    2. Verify all rules are added in firewalld or not, all rules should be applied.
      sudo firewall-cmd --list-all
      Firewalld Listed Rules