CentOS 8.x firewalld rich rules

From Notes_Wiki

Home > CentOS > CentOS 8.x > System Administration > firewalld > Rich rules

Rich rule processing order

Once multiple rich rules are in place they are processed in a fixed order: port-forwarding and masquerading rules are applied first, followed by any logging rules, then any allow rules, and finally any deny rules. A packet is handled by the first rule it matches in this order; if it matches no rule it falls through to the zone's default deny. Note that this order is by rule type, not by the order in which the rules were added, so an accept rule always wins over a reject or drop rule that matches the same packet.


Basics of rich rules

  • Allow httpd connections. Without --zone the rule is added to the default zone; without --permanent it is only added to the runtime configuration and is lost on reload.
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent


  • Reject httpd connection.
    firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" reject'


  • Add rich rule to specific zone
    firewall-cmd --zone=home --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'


  • To list the rich rules
    firewall-cmd --permanent --zone=home --list-rich-rules


  • Remove a rich rule (the rule text must match the existing rule exactly)
    firewall-cmd --zone=home --remove-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent


  • Rich rules can also be used to rate limit traffic; here we limit incoming SSH connections to 10 per minute.
    firewall-cmd --permanent --add-rich-rule='rule service name=ssh limit value=10/m accept'
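Because accept rules are always evaluated before reject/drop rules (see the processing order above), it is easy to end up with rules that never match or that are wider than intended. The following audit script is an added example written for this page, not part of the wiki or of firewalld itself. It reads rich rules in the one-per-line form printed by firewall-cmd --list-rich-rules and flags three things: accept rules with no source or destination restriction, log rules without a limit (which can flood /var/log/messages), and reject/drop rules whose source lies inside the source of an accept rule for the same service, which can never match. The sample rules in sample_rules are constructed for the demonstration; on a host with firewall-cmd the script audits the live rules instead.

```shell
#!/bin/sh
# Audit firewalld rich rules for common mistakes (added example, not wiki code).
# Input: rich rules, one per line, as printed by `firewall-cmd --list-rich-rules`.
audit_rich_rules() {
  awk '
  function ip2int(ip,    o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
  # 1 if CIDR "inner" lies entirely inside CIDR "outer"; a bare address counts as /32
  function contains(outer, inner,    po, pi, mo, mi, blk) {
    split(outer, po, "/"); split(inner, pi, "/")
    mo = (po[2] == "") ? 32 : po[2] + 0
    mi = (pi[2] == "") ? 32 : pi[2] + 0
    if (mo > mi) return 0            # outer is more specific than inner, cannot contain it
    blk = 2 ^ (32 - mo)              # number of addresses in the outer block
    return int(ip2int(po[1]) / blk) == int(ip2int(pi[1]) / blk)
  }
  # value of key=... in a rule, quoted or unquoted; "" when the key is absent
  function field(rule, key,    v) {
    if (match(rule, key "=\"[^\"]*\"")) {
      v = substr(rule, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
    } else if (match(rule, key "=[^ ]+")) {
      v = substr(rule, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
    } else v = ""
    return v
  }
  {
    n = NR; rule[n] = $0
    if ($0 ~ / accept( |$)/) act[n] = "accept"
    else if ($0 ~ / reject( |$)/) act[n] = "reject"
    else if ($0 ~ / drop( |$)/) act[n] = "drop"
    else act[n] = ""
    src[n] = field($0, "source address"); svc[n] = field($0, "service name")
    if (act[n] == "accept" && src[n] == "" && field($0, "destination address") == "")
      printf "FINDING line %d: accept rule without source restriction: %s\n", n, $0
    if ($0 ~ / log( |$)/ && $0 !~ /limit value=/)
      printf "FINDING line %d: log without rate limit (log flooding risk): %s\n", n, $0
  }
  END {
    # accept rules run before reject/drop rules whatever the listing order, so a deny rule
    # whose source sits inside the source of an accept rule for the same service never matches
    for (d = 1; d <= NR; d++) {
      if (act[d] != "reject" && act[d] != "drop") continue
      for (a = 1; a <= NR; a++) {
        if (act[a] != "accept" || svc[a] != svc[d] || src[a] == "" || src[d] == "") continue
        if (contains(src[a], src[d]))
          printf "FINDING line %d: %s rule shadowed by accept rule on line %d (accept rules are evaluated first): %s\n", d, act[d], a, rule[d]
      }
    }
  }'
}

# Constructed sample in the format of `firewall-cmd --list-rich-rules`; lines 2, 3 and 4 are faulty.
sample_rules() {
  cat <<'EOF'
rule family="ipv4" source address="192.168.0.0/24" service name="http" accept
rule family="ipv4" source address="192.168.0.50/32" service name="http" reject
rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="SSH Access" level="notice" accept
rule service name="telnet" accept
rule family="ipv4" source address="10.0.0.0/8" service name="ssh" reject
EOF
}

# Audit the live runtime rules when firewall-cmd is present, otherwise the constructed sample.
if command -v firewall-cmd >/dev/null 2>&1; then
  firewall-cmd --list-rich-rules 2>/dev/null | audit_rich_rules
else
  sample_rules | audit_rich_rules
fi
```

Run it with --permanent rules too (firewall-cmd --permanent --list-rich-rules | audit_rich_rules), since the runtime and permanent sets can differ. The CIDR containment is computed per zone only; a deny rule in one zone is not shadowed by an accept rule in another, so feed the script one zone's rules at a time.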



Some examples for Rich Rule

  • Allow traffic from the range 10.0.0.0/24 only to 192.168.0.10/32 on TCP ports 8080 through 8090.
    firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 destination address=192.168.0.10/32 port port=8080-8090 protocol=tcp accept'
    success


  • Forward port 22/tcp to port 2222 on 10.0.0.10. With a rich rule the forwarding can be limited to a specific source network (here 192.168.1.0/24) rather than applying to the whole zone.
    firewall-cmd --permanent --zone=testing --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 forward-port port=22 protocol=tcp to-port=2222 to-addr=10.0.0.10'


Masquerading with Rich rules

  • To check if IP masquerading is enabled
    firewall-cmd --zone=public --query-masquerade


  • To enable IP masquerading
    firewall-cmd --zone=public --add-masquerade


  • In this example packets from the source network given in the rule (192.168.1.0/24) arriving in the zone will be masqueraded
    firewall-cmd --permanent --zone=home --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 masquerade'


Some test cases

  • Allow Telnet connections only from 192.168.1.50/32, limited to one connection per minute. Telnet connections from remaining hosts match no accept rule and fall through to the default deny
    firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.50/32 service name=telnet limit value=1/m accept'


  • Allow SSH connections from network 192.168.1.0/24. Log each access with the "SSH Access" prefix
    firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 service name=ssh log prefix="SSH Access" level="notice" accept'


  • Allow FTP connections only from 192.168.1.2/32. FTP connections from remaining systems are rejected
    firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.2/32 port port=21 protocol=tcp accept'


  • Reject ping requests from all hosts, replying with an error message (note that this rule matches all ICMP traffic, not only echo requests).
    firewall-cmd --add-rich-rule='rule protocol value=icmp reject'


Rich rules timeout option

  • For testing and debugging purposes we can use the --timeout option, which removes the rule automatically after the specified time. For example, the following rule will be removed automatically after 60 seconds
    firewall-cmd --add-rich-rule='rule protocol value="icmp" reject' --timeout=60


Rich Rule Log Command

  • Log httpd access from 192.168.1.50/32 with the "httpd_" prefix
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.50/32" service name="http" log prefix="httpd_" level="debug" accept'
    You can check the logs in "/var/log/messages"
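Once logging rules like the "SSH Access" and "httpd_" ones above are in place, the useful next step is to summarise the log entries by source address and destination port. The script below is an added example for this page, not wiki or firewalld code. It assumes the kernel's usual netfilter log layout in /var/log/messages: the rule's prefix followed by key=value fields such as SRC=, DST=, PROTO= and DPT=. The sample_log function holds constructed log lines for the demonstration; check the exact layout against your own /var/log/messages before relying on it.

```shell
#!/bin/sh
# Summarise firewalld rich-rule log entries by source and destination port
# (added example, not wiki code). Usage: summarize_prefix_log PREFIX < /var/log/messages
summarize_prefix_log() {
  awk -v prefix="$1" '
  index($0, prefix) == 0 { next }          # keep only lines logged by the rule with this prefix
  {
    src = ""; dpt = ""
    for (i = 1; i <= NF; i++) {            # pick the netfilter key=value fields we need
      if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (src != "") count[src " " dpt]++
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample lines in the assumed /var/log/messages layout (not real captured logs).
sample_log() {
  cat <<'EOF'
Jan 10 12:00:01 c8host kernel: SSH AccessIN=ens192 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 10 12:00:05 c8host kernel: SSH AccessIN=ens192 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51001 DPT=22 SYN
Jan 10 12:00:09 c8host kernel: httpd_IN=ens192 OUT= SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=80 SYN
Jan 10 12:00:12 c8host kernel: SSH AccessIN=ens192 OUT= SRC=192.168.1.30 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=52000 DPT=22 SYN
Jan 10 12:00:15 c8host kernel: SSH AccessIN=ens192 OUT= SRC=192.168.1.20 DST=192.168.1.10 LEN=60 TTL=64 PROTO=TCP SPT=51002 DPT=22 SYN
EOF
}

# Use the real log when it is readable, otherwise the constructed sample.
if [ -r /var/log/messages ]; then
  summarize_prefix_log "SSH Access" < /var/log/messages
else
  sample_log | summarize_prefix_log "SSH Access"
fi
```

Each output line is "count source-address destination-port", most active source first, which makes a single host opening many connections stand out. Remember that the "SSH Access" rule above logs without a limit, so a busy source also fills /var/log/messages; adding limit value= to the log rule keeps the log usable.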


Steps contributed by Pavan Ponamala


Rate limiting connections

There is an article on rate limiting connections via rich rules using the recent module at Rocky_9.x_Rate_limiting_connections_to_apache#Rate_limit_incoming_connections_using_iptables_recent_module

